diff --git a/advisories/feed.json b/advisories/feed.json index 71a4511..8ce4ede 100644 --- a/advisories/feed.json +++ b/advisories/feed.json @@ -1,6 +1,6 @@ { "version": "0.0.3", - "updated": "2026-05-16T22:02:27Z", + "updated": "2026-05-24T18:52:13Z", "description": "Community-driven security advisory feed for ClawSec. Automatically updated with OpenClaw-related CVEs from NVD and community-reported security incidents.", "advisories": [ { @@ -96,7 +96,7 @@ "https://github.com/openclaw/openclaw/security/advisories/GHSA-q8ff-7ffm-m3r9", "https://www.vulncheck.com/advisories/openclaw-webhook-route-secret-cache-not-invalidated-after-rotation" ], - "cvss_score": 6.0, + "cvss_score": 6, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45005", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.0); network accessible", @@ -168,7 +168,7 @@ "https://github.com/openclaw/openclaw/security/advisories/GHSA-55cf-xx38-4p9p", "https://www.vulncheck.com/advisories/openclaw-connector-endpoint-host-override-via-workspace-dotenv-files" ], - "cvss_score": 5.0, + "cvss_score": 5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45003", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.0); requires local access", @@ -276,7 +276,7 @@ "https://github.com/openclaw/openclaw/commit/e90c89cf8b1459f2aa1f3a665be67392b6c03fdf", "https://github.com/openclaw/openclaw/security/advisories/GHSA-j4c5-89f5-f3pm" ], - "cvss_score": 5.0, + "cvss_score": 5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45000", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.0); network accessible; SSRF affects agents making external requests", 
@@ -564,7 +564,7 @@ "https://github.com/openclaw/openclaw/security/advisories/GHSA-h2vw-ph2c-jvwf", "https://www.vulncheck.com/advisories/openclaw-minimax-api-host-override-via-workspace-dotenv" ], - "cvss_score": 5.0, + "cvss_score": 5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44992", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.0); requires local access", @@ -4508,7 +4508,7 @@ "https://github.com/openclaw/openclaw/security/advisories/GHSA-jp4j-q5fc-58gv", "https://www.vulncheck.com/advisories/openclaw-policy-enforcement-bypass-in-discord-component-interactions" ], - "cvss_score": 5.0, + "cvss_score": 5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41367", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.0); network accessible; RCE is critical in agent deployments", @@ -5654,7 +5654,7 @@ "https://github.com/openclaw/openclaw/security/advisories/GHSA-rm5c-4rmf-vvhw", "https://www.vulncheck.com/advisories/openclaw-time-of-check-time-of-use-toctou-vulnerability-in-sandbox-file-operations" ], - "cvss_score": 5.0, + "cvss_score": 5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41338", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.0); requires local access", 
@@ -6493,6 +6493,140 @@ "exploit_sources": [] } }, + { + "id": "GHSA-mr34-9552-qr95", + "ghsa_id": "GHSA-mr34-9552-qr95", + "cve_id": null, + "status": "active", + "stale": false, + "stale_after_days": 60, + "severity": "medium", + "type": "path_traversal", + "nvd_category_id": "CWE-22", + "title": "Webchat media embedding enforces local-root containment for tool-result files", + "description": "Summary Webchat tool-result media normalization could pass local and UNC-style file paths into the host-side media embedding path without applying the configured local-root containment policy. Impact A crafted tool-result media reference could cause the host to attempt local file reads or Windows UNC/network path access while preparing webchat media blocks. This could disclose allowed host files or trigger network credential exposure on affected Windows deployments. Severity remains medium because exploitation depends on a tool-result media path reaching the webchat embedding path, but the sink is a host-side file read before the user sees the rendered result. Affected versions - Affected: = 2026.4.7, < 2026.4.15 - Patched: 2026.4.15 Fix OpenClaw 2026.4.15 hardens the webchat media path and the shared media resolver. Remote-host file:// URLs and Windows network paths are rejected before filesystem access, and audio embedding now enforces configured localRoots containment before stat or read operations. Verified in v2026.4.15: - src/gateway/server-methods/chat-webchat-media.ts uses safe file-URL parsing, rejects Windows network paths, and calls assertLocalMediaAllowed before probing local audio files. - src/media/web-media.ts rejects remote-host file:// URLs, Windows network paths, and local-root bypasses on the shared media path. - src/gateway/server-methods/chat-webchat-media.test.ts covers both remote-host file:// rejection and local-root denial before filesystem access. 
Fix commits included in v2026.4.15 and absent from v2026.4.14: - 1470de5d3e0970856d86cd99336bb8ada3fe87da via PR #67293 - 6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde via PR #67298 - 52ef42302ead9e183e6c8810e0a04ee4ef8ae9fc via PR #67303 as defense-in-depth for trusted media passthrough anchoring Thanks to @Kherrisan for reporting this issue.", + "affected": [ + "openclaw@>= 2026.4.7, < 2026.4.15" + ], + "patched": [ + "openclaw@2026.4.15" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-04-16T23:40:33Z", + "updated": "2026-04-16T23:40:33Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-mr34-9552-qr95" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mr34-9552-qr95", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-22", + "CWE-73" + ], + "credits": [ + "Kherrisan" + ], + "aliases": [ + "GHSA-mr34-9552-qr95" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-536q-mj95-h29h", + "ghsa_id": "GHSA-536q-mj95-h29h", + "cve_id": null, + "status": "active", + "stale": false, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": null, + "title": "Browser press/type interaction routes missed complete navigation guard coverage", + "description": "Summary Browser press/type interaction routes missed complete navigation guard coverage. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: < 2026.4.10 - Patched versions: = 2026.4.10 Impact Some browser press/type style interactions could trigger navigation without complete post-action SSRF policy enforcement. 
Technical Details The fix applies a three-phase interaction navigation guard to navigation-capable interactions, including pressKey and type submit flows. Fix The issue was fixed in #62023 and #63226 and #63889. The first stable tag containing the fix is v2026.4.10, and openclaw@2026.4.14 includes the fix. Fix Commit(s) - 049acf23cb03e1b92f5c71cd99c6ec5f35cc56fe - 5f5b3d733bdd791cb457f838514179e1288b10b3 - e0b8ddc1a55185aff1cf9e0e095014d2e4f1d894 - PR: #62023, #63226, #63889 Release Process Note Users should upgrade to openclaw 2026.4.10 or newer. The latest npm release, 2026.4.14, already includes the fix. Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.", + "affected": [ + "openclaw@< 2026.4.10" + ], + "patched": [ + "openclaw@>= 2026.4.10" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-04-16T15:19:51Z", + "updated": "2026-04-16T15:19:52Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-536q-mj95-h29h" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-536q-mj95-h29h", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [], + "credits": [ + "zsxsoft", + "KeenSecurityLab", + "qclawer" + ], + "aliases": [ + "GHSA-536q-mj95-h29h" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-53vx-pmqw-863c", + "ghsa_id": "GHSA-53vx-pmqw-863c", + "cve_id": null, + "status": "active", + "stale": false, + "stale_after_days": 60, + "severity": "high", + "type": "server_side_request_forgery", + "nvd_category_id": "CWE-918", + "title": "Browser SSRF policy default allowed private-network navigation", + "description": "Summary Browser SSRF policy default allowed private-network navigation. 
Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: < 2026.4.14 - Patched versions: = 2026.4.14 Impact Browser SSRF protection could allow private-network navigation by default in paths where restrictive behavior was expected, exposing internal services or metadata endpoints through browser-driven requests. Technical Details The fix preserves strict SSRF configuration semantics, keeps private-network access disabled unless explicitly opted in, and updates loopback CDP readiness handling for the stricter default. Fix The issue was fixed in #66354 and #66386. The first stable tag containing the fix is v2026.4.14, and openclaw@2026.4.14 includes the fix. Fix Commit(s) - 024f4614a1a1831406e763adc40ef226e3d5e9ed - 1dabfef28db523e7de81edeb3dd689e9171236a2 - 213c36cf51121ef6c05cfccd78037371f968f31a - 7eecfa411df3d12e6b810e6ca5df47254fc3db3f - PR: #66354, #66386 Release Process Note Users should upgrade to openclaw 2026.4.14 or newer. The latest npm release, 2026.4.14, already includes the fix. 
Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.", + "affected": [ + "openclaw@< 2026.4.14" + ], + "patched": [ + "openclaw@>= 2026.4.14" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-04-16T15:19:27Z", + "updated": "2026-04-16T15:19:27Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-53vx-pmqw-863c" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-53vx-pmqw-863c", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-918", + "CWE-1188" + ], + "credits": [ + "dhyabi2" + ], + "aliases": [ + "GHSA-53vx-pmqw-863c" + ], + "source_feed": "ghsa-without-cve" + }, { "id": "CVE-2026-3691", "severity": "medium", 
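Review bot: In the GHSA-53vx-pmqw-863c entry the `credits` array lists only `dhyabi2`, while the description of the same entry thanks @zsxsoft, @KeenSecurityLab and @qclawer; one of the two is presumably wrong and should be checked against the upstream advisory. The descriptions in this hunk have also lost the `>` of their comparators (`Affected: = 2026.4.7, < 2026.4.15`, `Patched versions: = 2026.4.10`), which looks like markup stripping in the generator and now reads as an exact-version match. The structured `affected`/`patched` arrays are intact, so range decisions should come from those, not from the prose. GHSA-mr34-9552-qr95 writes `"openclaw@2026.4.15"` in `patched` where the other two entries use `>=`; `"openclaw@>= 2026.4.15"` would keep the field uniform.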
@@ -8608,6 +8742,94 @@ "exploit_sources": [] } }, + { + "id": "GHSA-jf56-mccx-5f3f", + "ghsa_id": "GHSA-jf56-mccx-5f3f", + "cve_id": null, + "status": "active", + "stale": false, + "stale_after_days": 60, + "severity": "high", + "type": "github_security_advisory", + "nvd_category_id": "CWE-501", + "title": "Authenticated /hooks/wake and mapped wake payloads are promoted into the trusted System: prompt channel", + "description": "Impact Authenticated /hooks/wake and mapped wake payloads are promoted into the trusted System: prompt channel. An authenticated wake hook or mapped wake payload could be promoted into the trusted System prompt channel instead of an untrusted event. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.2 - Patched versions: 2026.4.8 Fix The issue was fixed on main and is available in the patched npm version listed above. The verified fixed tree is commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5. Verification The fix was re-checked against main before publication, including targeted regression tests for the affected security boundary. 
Credits Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.4.2" + ], + "patched": [ + "openclaw@2026.4.8" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-04-08T05:33:37Z", + "updated": "2026-04-08T05:33:37Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-jf56-mccx-5f3f" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jf56-mccx-5f3f", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-501" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-jf56-mccx-5f3f" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-gfmx-pph7-g46x", + "ghsa_id": "GHSA-gfmx-pph7-g46x", + "cve_id": null, + "status": "active", + "stale": false, + "stale_after_days": 60, + "severity": "high", + "type": "github_security_advisory", + "nvd_category_id": "CWE-501", + "title": "Lower-trust background runtime output is injected into trusted System: events, and local async exec completion misses the intended exec-event downgrade", + "description": "Impact Lower-trust background runtime output is injected into trusted System: events, and local async exec completion misses the intended exec-event downgrade. Lower-trust runtime/background output could be promoted into trusted System events, allowing prompt-injection into later agent turns. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.2 - Patched versions: 2026.4.8 Fix The issue was fixed on main and is available in the patched npm version listed above. 
The verified fixed tree is commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5. Verification The fix was re-checked against main before publication, including targeted regression tests for the affected security boundary. Credits Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.4.2" + ], + "patched": [ + "openclaw@2026.4.8" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-04-08T05:33:36Z", + "updated": "2026-04-08T05:33:36Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-gfmx-pph7-g46x" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gfmx-pph7-g46x", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-501" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-gfmx-pph7-g46x" + ], + "source_feed": "ghsa-without-cve" + }, { "id": "CVE-2026-34511", "severity": "medium", 
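Review bot: Both entries added here (GHSA-jf56-mccx-5f3f and GHSA-gfmx-pph7-g46x) give `affected` as `openclaw@<= 2026.4.2` and `patched` as the exact `openclaw@2026.4.8`, so any release between those two is classified by neither field. A matcher that reads `patched` literally would also fail to recognise later releases as fixed. If the fix first shipped in 2026.4.8, `"openclaw@>= 2026.4.8"` matches how other GHSA entries in this diff express it; whether the intermediate versions are affected is not visible here and needs confirming upstream. `type` is left at the generic `github_security_advisory` although `nvd_category_id` is `CWE-501`, so filters keyed on `type` will not pick these up by weakness class.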
@@ -8644,6 +8866,48 @@ "exploit_sources": [] } }, + { + "id": "GHSA-846p-hgpv-vphc", + "ghsa_id": "GHSA-846p-hgpv-vphc", + "cve_id": null, + "status": "active", + "stale": false, + "stale_after_days": 60, + "severity": "high", + "type": "github_security_advisory", + "nvd_category_id": null, + "title": "QQ Bot structured payloads could read arbitrary local files", + "description": "Summary Before OpenClaw 2026.4.2, QQ Bot structured media payloads could read local files from attacker-chosen paths. A crafted structured payload could escape QQ Bot-owned media roots and cause arbitrary file reads on the host. Impact Prompt-influenced structured payload output could exfiltrate any host file readable by the OpenClaw process through the QQ Bot media-send path. This was a real confidentiality bug on the host filesystem boundary. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.1 - Patched versions: = 2026.4.2 - Latest published npm version: 2026.4.1 Fix Commit(s) - 2c45b06afdd6f7c621038b5419d8e661cff34a7f — restrict QQ Bot structured payload local paths Release Process Note The fix is present on main and is staged for OpenClaw 2026.4.2. Publish this advisory after the 2026.4.2 npm release is live. 
Thanks @feiyang666 of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.", + "affected": [ + "openclaw@<= 2026.4.1" + ], + "patched": [ + "openclaw@>= 2026.4.2" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-04-02T19:21:36Z", + "updated": "2026-04-03T01:33:55Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-846p-hgpv-vphc" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-846p-hgpv-vphc", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [], + "credits": [ + "feiyang666" + ], + "aliases": [ + "GHSA-846p-hgpv-vphc" + ], + "source_feed": "ghsa-without-cve" + }, { "id": "CVE-2026-34426", "severity": "high", 
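Review bot: The GHSA-846p-hgpv-vphc entry is rated `high` and describes an arbitrary local file read, yet it has `"nvd_category_id": null`, an empty `cwe_ids` and the generic `type` `github_security_advisory`, so a consumer that triages by weakness class will not match it. The description also still carries pre-release workflow text (`Latest published npm version: 2026.4.1`, `Publish this advisory after the 2026.4.2 npm release is live`), which contradicts the `patched` value `openclaw@>= 2026.4.2` for anyone reading the prose. The generator should either strip those sections or mark the description as unedited upstream text. `Patched versions: = 2026.4.2` has lost its `>` as well.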
@@ -8752,6 +9016,51 @@ "exploit_sources": [] } }, + { + "id": "GHSA-cwq8-6f96-g3q4", + "ghsa_id": "GHSA-cwq8-6f96-g3q4", + "cve_id": null, + "status": "active", + "stale": false, + "stale_after_days": 60, + "severity": "low", + "type": "github_security_advisory", + "nvd_category_id": "CWE-636", + "title": "Security Scan Failure Does Not Block Plugin Installation (Fail-Open)", + "description": "Summary Security Scan Failure Does Not Block Plugin Installation (Fail-Open) Current Maintainer Triage - Status: open - Normalized severity: low - Assessment: Real in shipped v2026.3.28 plugin install flow, but low severity fits because it still requires an operator to choose installation of an untrusted package and the scan failure was visible rather than silent. Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version: 2026.3.31 - Vulnerable version range: <=2026.3.28 - Patched versions: = 2026.3.31 - First stable tag containing the fix: v2026.3.31 Fix Commit(s) - 7a953a52271b9188a5fa830739a4366614ff9916 — 2026-03-30T15:36:08+01:00 - 44b993613601280d46a5b88190e46669fc13d669 — 2026-03-31T23:16:11+09:00 - 0d7f1e2c84eca65df7dee890d9c30e2a841c030a — 2026-03-31T23:27:20+09:00 - bf96c67fd1954740aeabfadc7cfe3098bcfc6b68 — 2026-03-31T15:53:29+01:00 Release Process Note - The fix is already present in released version 2026.3.31. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work. 
Thanks @davidluzsilva for reporting.", + "affected": [ + "openclaw@<=2026.3.28" + ], + "patched": [ + "openclaw@>= 2026.3.31" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-31T21:45:37Z", + "updated": "2026-03-31T21:45:37Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-cwq8-6f96-g3q4" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cwq8-6f96-g3q4", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-636", + "CWE-754" + ], + "credits": [ + "davidluzsilva" + ], + "aliases": [ + "GHSA-cwq8-6f96-g3q4" + ], + "source_feed": "ghsa-without-cve" + }, { "id": "CVE-2026-34504", "severity": "high", @@ -9733,7 +10042,7 @@ "https://github.com/openclaw/openclaw/security/advisories/GHSA-qc36-x95h-7j53", "https://www.vulncheck.com/advisories/openclaw-approval-bypass-via-unrecognized-script-runners" ], - "cvss_score": 8.0, + "cvss_score": 8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32978", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.0); network accessible", 
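Review bot: The description of GHSA-cwq8-6f96-g3q4 is the maintainers' draft triage text copied verbatim (`Current Maintainer Triage - Status: open`, `This draft looks ready for final maintainer disposition`), so the feed tells readers the issue is open while `status` is `active` and `patched` names 2026.3.31. Because this field is free text taken from an upstream advisory body, consumers that render it or pass it to an agent should treat it as untrusted data rather than as feed-authored content. `affected` is written `openclaw@<=2026.3.28` without the space that other GHSA entries in this diff use (`openclaw@<= 2026.4.1`), which a strict range parser may not accept; `"openclaw@<= 2026.3.28"` keeps it uniform.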
@@ -10133,13 +10442,101 @@ "exploit_sources": [] } }, + { + "id": "GHSA-39mp-545q-w789", + "ghsa_id": "GHSA-39mp-545q-w789", + "cve_id": null, + "status": "active", + "stale": false, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-285", + "title": "Non-owner command-authorized sender can change the owner-only /send session delivery policy", + "description": "Fixed in OpenClaw 2026.3.24, the current shipping release. Title Non-owner command-authorized sender can change the owner-only /send session delivery policy CWE CWE-285 Improper Authorization CVSS v3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L Base score: 5.4 (Medium) Severity Assessment Medium. This is a real owner-only authorization bypass, but the demonstrated impact is limited to persistent mutation of the current session’s delivery policy rather than direct code execution, sandbox escape, or cross-host compromise. Impact A non-owner sender who is allowed to run commands can invoke /send on|off|inherit and persistently change the current session’s sendPolicy, even though OpenClaw documents /send as owner-only. That lets a lower-trust participant: - disable reply delivery for the current session (/send off), suppressing future replies in that chat; - re-enable reply delivery (/send on) after the owner intentionally disabled it; - remove the session override (/send inherit). Affected Component Verified against the latest published GitHub release tag v2026.3.23 (ccfeecb6887cd97937e33a71877ad512741e82b2), published 2026-03-23T23:15:50Z. Exact vulnerable path on the shipped tag: - src/auto-reply/reply/commands-session.ts:212-239 - handleSendPolicyCommand(...) checks only params.command.isAuthorizedSender. - when true, it mutates params.sessionEntry.sendPolicy and persists the session entry. 
Authorization behavior that makes this reachable: - src/auto-reply/command-auth.ts:401-407 - senderIsOwner is computed separately from general command authorization. - src/auto-reply/command-auth.ts:420-429 - command authorization can succeed even when senderIsOwner === false. - src/auto-reply/command-auth.owner-default.test.ts:10-47 - existing coverage confirms a sender can be command-authorized while not treated as owner. Documented owner-only contract: - docs/tools/slash-commands.md:112 - /send on|off|inherit is documented as owner-only. - docs/concepts/session-tool.md:156 - sendPolicy is documented as settable via sessions.patch or owner-only /send on|off|inherit. Related privilege model: - src/gateway/method-scopes.ts:131-133 - sessions.patch is admin-scoped, which reinforces that session-delivery-policy mutation is treated as privileged state. Version history: - The vulnerable handler exists in release history going back at least to commit ea018a68ccb92dbc735bc1df9880d5c95c63ca35 (refactor(auto-reply): split reply pipeline). - Earliest released affected tag found: v2026.1.14-1 - Latest released affected tag verified: v2026.3.23 Technical Reproduction 1. Check out the shipped release tag v2026.3.23. 2. Configure a channel where: - a non-owner sender is allowed to run commands, for example through commands.allowFrom; - the owner identity is distinct, for example via commands.ownerAllowFrom. 3. Start or reuse a session with a live sessionEntry and sessionStore. 4. Send /send off as the non-owner but command-authorized sender. 5. Confirm the resolved command context has: - isAuthorizedSender === true - senderIsOwner === false 6. Observe that the handler still accepts the command, mutates sessionEntry.sendPolicy, and persists the session entry. 
Demonstrated Impact The vulnerable handler performs a real persistent session-state change: - src/auto-reply/reply/commands-session.ts:232-238 - /send inherit deletes sessionEntry.sendPolicy - other modes assign sessionEntry.sendPolicy = sendPolicyCommand.mode - the handler then calls persistSessionEntry(params) The mutation is not gated by owner status, only by general command authorization. That changes subsequent delivery behavior for the current session, which matches the documented meaning of sendPolicy. Environment - Product: OpenClaw - Verified shipped tag: v2026.3.23 - Shipped tag commit: ccfeecb6887cd97937e33a71877ad512741e82b2 - Published GitHub release time: 2026-03-23T23:15:50Z - Verification date: 2026-03-24 Duplicate Check I did not find an existing GHSA for /send. This is distinct from: - GHSA-r7vr-gr74-94p8 - that advisory covered owner-only authorization bypasses for /config and /debug, not /send. This is the same authorization class, but a different privileged command surface that still lacks the owner check. In Scope Check This report is in scope under SECURITY.md because: - it does not rely on adversarial operators sharing one gateway host or config; - it does not rely on trusted local state tampering; - SECURITY.md:151-152 explicitly says non-owner sender status matters for owner-only tools and commands; - /send is explicitly documented as owner-only, so this is a direct owner-only authorization bypass, not a complaint about normal shared-agent steering. This is therefore a concrete authorization flaw against a documented product boundary. Remediation Advice 1. Change /send to require owner status, not just command authorization. 2. Reuse the same owner-only rejection pattern already used by privileged command surfaces such as /config, /debug, and owner-only /plugins writes. 3. Add regression coverage for the exact case where: - a non-owner sender is command-authorized; - /send must still be rejected unless senderIsOwner === true. 4. 
Verify that the owner can still use /send on|off|inherit normally.", + "affected": [ + "openclaw@<= 2026.3.22" + ], + "patched": [ + "openclaw@>= 2026.3.24" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-27T15:52:20Z", + "updated": "2026-03-27T15:52:20Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-39mp-545q-w789" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-39mp-545q-w789", + "nvd_url": null, + "cvss_score": 5.4, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", + "cwe_ids": [ + "CWE-285" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-39mp-545q-w789" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-vqvg-86cc-cg83", + "ghsa_id": "GHSA-vqvg-86cc-cg83", + "cve_id": null, + "status": "active", + "stale": false, + "stale_after_days": 60, + "severity": "medium", + "type": "missing_authorization", + "nvd_category_id": "CWE-862", + "title": "Mutating internal /allowlist chat commands missed operator.admin scope enforcement", + "description": "Fixed in OpenClaw 2026.3.24, the current shipping release. Title Mutating internal /allowlist chat commands missed operator.admin scope enforcement CWE CWE-862 Missing Authorization CVSS v3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Base score: 6.5 (Medium) Severity Assessment Medium. This is a real authorization flaw in OpenClaw’s internal control plane. The issue does not require host access, trusted local state tampering, or multi-tenant assumptions, but exploitation does require an already authenticated internal Gateway caller with operator.write. 
Impact An authenticated internal Gateway caller limited to operator.write can perform state-changing /allowlist actions without operator.admin, even though comparable mutating internal chat commands already require operator.admin. The reachable effects are persistent changes to config-backed allowFrom entries and pairing-store-backed allowlist entries. This is not a semantic-modeling complaint and not a generic “trusted operator can do things” claim. It is a missing authorization check inside OpenClaw’s own internal scope model, where peer mutating command surfaces already distinguish operator.write from operator.admin. Affected Component Verified against the latest published GitHub release tag v2026.3.23 (ccfeecb6887cd97937e33a71877ad512741e82b2), published 2026-03-23T23:15:50Z. Exact vulnerable path on the shipped tag: - src/auto-reply/reply/commands-allowlist.ts:251-254 - /allowlist authorization uses only rejectUnauthorizedCommand(...). - src/auto-reply/reply/commands-allowlist.ts:386-524 - mutating config and pairing-store writes happen here, but there is no requireGatewayClientScopeForInternalChannel(..., operator.admin, ...). Reachability and scope model: - src/gateway/method-scopes.ts:94-109 - chat.send is a write-scoped method. - src/gateway/server.chat.gateway-server-chat.test.ts:539-559 - existing runtime coverage proves chat.send routes slash commands without an agent run. - src/auto-reply/command-auth.ts:574-577 - internal callers become senderIsOwner only when GatewayClientScopes includes operator.admin. 
Comparable internal mutating command paths already enforce operator.admin: - src/auto-reply/reply/commands-config.ts:64-73 - src/auto-reply/reply/commands-mcp.ts:89-96 - src/auto-reply/reply/commands-plugins.ts:387-394 - src/auto-reply/reply/commands-acp.ts:98-106 Version history: - Introduced by commit 555b2578a8cc6e1b93f717496935ead97bfbed8b (feat: add /allowlist command) - Earliest released affected tag found: v2026.1.20 - Latest released affected tag verified: v2026.3.23 Technical Reproduction 1. Check out the shipped release tag v2026.3.23. 2. Use an internal command context with: - Provider = \"webchat\" - Surface = \"webchat\" - GatewayClientScopes = [\"operator.write\"] - params.command.channel = \"webchat\" 3. Route a slash command through chat.send. 4. Execute either of these mutating commands: - /allowlist add dm channel=telegram 789 - /allowlist add dm --store channel=telegram 789 5. Confirm the command context is authorized but not owner-equivalent: - isAuthorizedSender === true - senderIsOwner === false 6. Observe that the commands still succeed and perform persistent writes. Demonstrated Impact The vulnerable handler performs real state mutation for a low-scope internal caller: - Config-backed mutation path: - src/auto-reply/reply/commands-allowlist.ts:398-503 - reads the config snapshot, applies the edit, validates, and writes the updated config to disk. - Store-backed mutation path: - src/auto-reply/reply/commands-allowlist.ts:479-485 - src/auto-reply/reply/commands-allowlist.ts:513-518 - updates the pairing-store allowlist without any admin-scope gate. The result is successful persistence, not just a misleading success message. 
Environment - Product: OpenClaw - Verified shipped tag: v2026.3.23 - Shipped tag commit: ccfeecb6887cd97937e33a71877ad512741e82b2 - Published GitHub release time: 2026-03-23T23:15:50Z - Verification date: 2026-03-24 Duplicate Check This is not a duplicate of: - GHSA-pjvx-rx66-r3fg - that advisory covered cross-account scoping in /allowlist ... --store, not missing internal operator.admin enforcement. - GHSA-hfpr-jhpq-x4rm - that advisory covered /config writes through chat.send, not /allowlist. - GHSA-3w6x-gv34-mqpf - same authorization class, but different command path (/acp, not /allowlist). In Scope Check This report is in scope under SECURITY.md because: - it does not rely on adversarial operators sharing one gateway host or config; - it does not target the HTTP compatibility endpoints that SECURITY.md explicitly treats as full operator-access surfaces; - it demonstrates a real authorization mismatch inside OpenClaw’s own internal control-plane scope model (operator.write vs operator.admin); - peer mutating internal chat commands already enforce operator.admin, so this is not a request for a new boundary but a missing check on an existing one. This is therefore a concrete authorization bug, not a trusted-operator hardening suggestion. Remediation Advice 1. Add requireGatewayClientScopeForInternalChannel(..., allowedScopes: [\"operator.admin\"], ...) to the mutating internal /allowlist paths. 2. Add regression coverage for both mutation modes: - internal operator.write must be rejected; - internal operator.admin must be allowed. 3. Cover both config-backed and store-backed writes. 4. 
Audit other mutating internal chat-command paths for the same missing-scope pattern.", + "affected": [ + "openclaw@<= 2026.3.22" + ], + "patched": [ + "openclaw@>= 2026.3.24" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-27T15:52:18Z", + "updated": "2026-03-27T15:52:18Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-vqvg-86cc-cg83" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vqvg-86cc-cg83", + "nvd_url": null, + "cvss_score": 6.5, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", + "cwe_ids": [ + "CWE-862" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-vqvg-86cc-cg83" + ], + "source_feed": "ghsa-without-cve" + }, { "id": "CVE-2026-32846", "severity": "high", "type": "path_traversal", "nvd_category_id": "CWE-22", - "title": "OpenClaw through 2026.3.23 (fixed in commit 4797bbc) contains a path traversal vulnerability in medi...", - "description": "OpenClaw through 2026.3.23 (fixed in commit 4797bbc) contains a path traversal vulnerability in media parsing that allows attackers to read arbitrary files by bypassing path validation in the isLikelyLocalPath() and isValidMedia() functions. 
Attackers can exploit incomplete validation and the allowBareFilename bypass to reference files outside the intended application sandbox, resulting in disclosure of sensitive information including system files, environment files, and SSH keys.", + "title": "OpenClaw before 2026.3.28 contains a path traversal vulnerability in media parsing that allows attac...", + "description": "OpenClaw before 2026.3.28 contains a path traversal vulnerability in media parsing that allows attackers to read arbitrary files by bypassing path validation in the isLikelyLocalPath() and isValidMedia() functions. Attackers can exploit incomplete validation and the allowBareFilename bypass to reference files outside the intended application sandbox, resulting in disclosure of sensitive information including system files, environment files, and SSH keys.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" 
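Review bot: Both advisories added here (GHSA-39mp-545q-w789 and GHSA-vqvg-86cc-cg83) set `affected` to `openclaw@<= 2026.3.22`, but their own descriptions state `Latest released affected tag verified: v2026.3.23` and `Fixed in OpenClaw 2026.3.24`. A deployment on 2026.3.23 therefore falls outside both `affected` and `patched` (`>= 2026.3.24`) and would not be flagged by a range match. Unless upstream deliberately excludes 2026.3.23, the range should read `"openclaw@< 2026.3.24"`; confirm this against the GHSA's structured version data. The rewritten CVE-2026-32846 text at the end of the hunk now says `before 2026.3.28` while the visible `affected` entry stays `openclaw@*`, which would over-match patched installs. That entry continues past the hunk, so whether the range is narrowed elsewhere cannot be seen here.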
@@ -10169,6 +10566,139 @@ "exploit_sources": [] } }, + { + "id": "GHSA-cfp9-w5v9-3q4h", + "ghsa_id": "GHSA-cfp9-w5v9-3q4h", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "incorrect_authorization", + "nvd_category_id": "CWE-863", + "title": "Image tool bypassed tools.fs.workspaceOnly and could read mounted files outside the workspace", + "description": "Summary The image tool did not fully honor the tools.fs.workspaceOnly filesystem boundary. In affected releases, image-path resolution could still traverse sandbox bridge mounts outside the workspace and read files from mounted directories that the other file tools would reject. Affected Packages / Versions - Package: openclaw (npm) - Affected: < 2026.3.2 - Fixed: = 2026.3.2 - Latest released tags checked: v2026.3.23 (ccfeecb6887cd97937e33a71877ad512741e82b2) and v2026.3.23-2 (630f1479c44f78484dfa21bb407cbe6f171dac87) - Latest published npm version checked: 2026.3.23-2 Fix Commit(s) - dd9d9c1c609dcb4579f9e57bd7b5c879d0146b53 - 14baadda2c456f3cf749f1f97e8678746a34a7f4 Release Status The complete fix shipped in v2026.3.2 and remains present in v2026.3.23 and v2026.3.23-2. Code-Level Confirmation - src/agents/openclaw-tools.ts now passes fsPolicy into createImageTool, so the image tool receives the same workspace-only policy input as the other filesystem tools. - src/agents/tools/image-tool.ts, src/agents/tools/media-tool-shared.ts, and src/agents/sandbox-media-paths.ts now restrict local roots and sandbox-bridge resolution to the workspace when tools.fs.workspaceOnly is enabled. 
Thanks @YLChen-007 for reporting.", + "affected": [ + "openclaw@< 2026.3.2" + ], + "patched": [ + "openclaw@>= 2026.3.2" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-24T18:07:14Z", + "updated": "2026-03-24T18:07:14Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-cfp9-w5v9-3q4h" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cfp9-w5v9-3q4h", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-863" + ], + "credits": [ + "YLChen-007" + ], + "aliases": [ + "GHSA-cfp9-w5v9-3q4h" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-vfg3-pqpq-93m4", + "ghsa_id": "GHSA-vfg3-pqpq-93m4", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "incorrect_authorization", + "nvd_category_id": "CWE-863", + "title": "Tlon cite expansion happened before channel and DM authorization completed.", + "description": "Summary Tlon cite expansion happened before channel and DM authorization completed, allowing cite work and content handling before the final auth decision. Affected Packages / Versions - Package: openclaw (npm) - Affected: < 2026.3.22 - Fixed: = 2026.3.22 - Latest released tag checked: v2026.3.23-2 (630f1479c44f78484dfa21bb407cbe6f171dac87) - Latest published npm version checked: 2026.3.23-2 Fix Commit(s) - 3cbf932413e41d1836cb91aed1541a28a3122f93 - ebee4e2210e1f282a982c7ef2ad79d77a572fc87 Release Status The fix shipped in v2026.3.22 and remains present in v2026.3.23 and v2026.3.23-2. Code-Level Confirmation - extensions/tlon/src/monitor/index.ts now defers cite expansion until after authorization and preserves explicit empty-allowlist semantics. 
- extensions/tlon/src/monitor/utils.ts and extensions/tlon/src/security.test.ts ship the deferred cite expansion behavior and regressions. Thanks @zpbrent for reporting.", + "affected": [ + "openclaw@< 2026.3.22" + ], + "patched": [ + "openclaw@>= 2026.3.22" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-24T17:37:07Z", + "updated": "2026-03-24T17:37:07Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-vfg3-pqpq-93m4" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vfg3-pqpq-93m4", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-863" + ], + "credits": [ + "zpbrent" + ], + "aliases": [ + "GHSA-vfg3-pqpq-93m4" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-h3x4-hc5v-v2gm", + "ghsa_id": "GHSA-h3x4-hc5v-v2gm", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-40", + "title": "Windows media loaders accepted remote-host file URLs before local path validation", + "description": "Summary Windows local-media handling accepted remote-host file URLs and UNC-style paths before local-path validation, so network-hosted file targets could be treated as local content. Affected Packages / Versions - Package: openclaw (npm) - Affected: < 2026.3.22 - Fixed: = 2026.3.22 - Latest released tag checked: v2026.3.23-2 (630f1479c44f78484dfa21bb407cbe6f171dac87) - Latest published npm version checked: 2026.3.23-2 Fix Commit(s) - 4fd7feb0fd4ec16c48ed983980dba79a09b3aaf5 - 93880717f1cd34feaa45e74e939b7a5256288901 Release Status The fix shipped in v2026.3.22 and remains present in v2026.3.23 and v2026.3.23-2. 
Code-Level Confirmation - src/infra/local-file-access.ts now rejects remote-host file: URLs and UNC/network paths as non-local input. - src/media/web-media.ts, src/media-understanding/attachments.normalize.ts, and src/agents/sandbox-paths.ts all route through the shared local-file guard. Thanks @RacerZ-fighting, @Fushuling for reporting.", + "affected": [ + "openclaw@< 2026.3.22" + ], + "patched": [ + "openclaw@>= 2026.3.22" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-24T17:36:44Z", + "updated": "2026-03-24T17:36:44Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-h3x4-hc5v-v2gm" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h3x4-hc5v-v2gm", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-40" + ], + "credits": [ + "RacerZ-fighting", + "Fushuling" + ], + "aliases": [ + "GHSA-h3x4-hc5v-v2gm" + ], + "source_feed": "ghsa-without-cve" + }, { "id": "CVE-2026-32913", "severity": "critical", @@ -11337,7 +11867,7 @@ "https://github.com/openclaw/openclaw/commit/b34097f62df9d1960cc22600269cd3f3284e2124", "https://github.com/openclaw/openclaw/security/advisories/GHSA-w76h-8m22-hpgh" ], - "cvss_score": 6.0, + "cvss_score": 6, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32037", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.0); network accessible; SSRF affects agents making external requests", 
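Review bot: The GHSA-h3x4-hc5v-v2gm entry carries `"nvd_category_id": "CWE-40"` but gets the generic `"type": "github_security_advisory"`, while the CVE-2026-32846 entry earlier in this diff (CWE-22) is typed `path_traversal`. CWE-40 is the Windows UNC-share variant of path traversal, so a consumer that filters or alerts on `type` would not match this advisory. The generator's CWE-to-type mapping is not visible here, but it should presumably emit `"type": "path_traversal",` for this entry. All three added entries also pair `"cvss_score": null` with `"severity": "medium"`, so consumers that rank by score need a documented fallback to `severity`. The enclosing `advisories` array starts and ends outside the hunk.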
@@ -12164,7 +12694,7 @@ "https://github.com/openclaw/openclaw/security/advisories/GHSA-r65x-2hqr-j5hf", "https://www.vulncheck.com/advisories/openclaw-node-reconnect-metadata-spoofing-via-unsigned-platform-fields" ], - "cvss_score": 8.0, + "cvss_score": 8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32014", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.0); network accessible", @@ -12738,7 +13268,7 @@ "https://github.com/openclaw/openclaw/security/advisories/GHSA-q399-23r3-hfx4", "https://www.vulncheck.com/advisories/openclaw-executable-rebind-via-unbound-path-token-in-system-run-approvals" ], - "cvss_score": 6.0, + "cvss_score": 6, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31997", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.0); requires local access", 
@@ -14230,6 +14760,319 @@ "exploit_sources": [] } }, + { + "id": "GHSA-3h2q-j2v4-6w5r", + "ghsa_id": "GHSA-3h2q-j2v4-6w5r", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-184", + "title": "system.run allowlist approval parsing missed PowerShell encoded-command wrappers", + "description": "OpenClaw's system.run shell-wrapper detection did not recognize PowerShell -EncodedCommand forms as inline-command wrappers. In allowlist mode, a caller with access to system.run could invoke pwsh or powershell using -EncodedCommand, -enc, or -e, and the request would fall back to plain argv analysis instead of the normal shell-wrapper approval path. This could allow a PowerShell inline payload to execute without the approval step that equivalent -Command invocations would require. Latest published npm version: 2026.3.2 Fixed on main on March 7, 2026 in 1d1757b16f48f1a93cd16ab0ad7e2c3c63ce727d by recognizing PowerShell encoded-command aliases during shell-wrapper parsing, so allowlist mode continues to require approval for those payloads. Normal approved PowerShell wrapper flows continue to work. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.3.2 - Patched version: = 2026.3.7 Fix Commit(s) - 1d1757b16f48f1a93cd16ab0ad7e2c3c63ce727d Release Process Note npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package. 
Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.3.2" + ], + "patched": [ + "openclaw@>= 2026.3.7" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-08T14:26:58Z", + "updated": "2026-03-08T14:26:58Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-3h2q-j2v4-6w5r" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3h2q-j2v4-6w5r", + "nvd_url": null, + "cvss_score": 5, + "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", + "cwe_ids": [ + "CWE-184", + "CWE-863" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-3h2q-j2v4-6w5r" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-9q2p-vc84-2rwm", + "ghsa_id": "GHSA-9q2p-vc84-2rwm", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-436", + "title": "system.run allow-always persistence included shell-commented payload tails", + "description": "OpenClaw's system.run allowlist analysis did not honor POSIX shell comment semantics when deriving allow-always persistence entries. A caller in security=allowlist mode who received an allow-always decision could submit a shell command whose tail was commented out at runtime, for example by using an unquoted # before a chained payload. The runtime shell would execute only the pre-comment portion, but allowlist persistence could still analyze and store the non-executed tail as a trusted follow-up command. 
Latest published npm version: 2026.3.2 Fixed on main on March 7, 2026 in 939b18475d734ed75173f59507e3ebbdfe1992b7 by teaching shell tokenization and chain/pipeline analysis to stop at unquoted shell comments, so allow-always persistence now tracks only commands that the shell can actually execute. Normal real chained commands and quoted # literals continue to work. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.3.2 - Patched version: = 2026.3.7 Fix Commit(s) - 939b18475d734ed75173f59507e3ebbdfe1992b7 Release Process Note npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package. Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.3.2" + ], + "patched": [ + "openclaw@>= 2026.3.7" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-08T14:26:57Z", + "updated": "2026-03-08T14:26:57Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-9q2p-vc84-2rwm" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9q2p-vc84-2rwm", + "nvd_url": null, + "cvss_score": 5, + "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", + "cwe_ids": [ + "CWE-436", + "CWE-863" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-9q2p-vc84-2rwm" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-hfpr-jhpq-x4rm", + "ghsa_id": "GHSA-hfpr-jhpq-x4rm", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "incorrect_authorization", + "nvd_category_id": "CWE-863", + "title": "operator.write chat.send could reach admin-only config writes", + "description": "Summary A gateway client authenticated with operator.write could route /config set or /config unset through 
chat.send and reach persistent config mutation even though direct config RPC methods are admin-scoped. Affected Packages / Versions - Package: openclaw (npm) - Latest published vulnerable version: 2026.3.2 - Affected range: <= 2026.3.2 - Patched in: 2026.3.7 Details Before the fix, chat.send ran slash commands in an internal gateway-chat context with CommandAuthorized: true, and /config write paths only checked command authorization plus commands.config / channels.= 2026.3.7" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-08T14:26:56Z", + "updated": "2026-03-08T14:26:56Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-hfpr-jhpq-x4rm" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hfpr-jhpq-x4rm", + "nvd_url": null, + "cvss_score": 4.3, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "cwe_ids": [ + "CWE-863" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-hfpr-jhpq-x4rm" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-j425-whc4-4jgc", + "ghsa_id": "GHSA-j425-whc4-4jgc", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-15", + "title": "system.run env override filtering allowed dangerous helper-command pivots", + "description": "Summary system.run env override sanitization allowed dangerous override-only helper-command pivots to reach subprocesses. A caller who could invoke system.run with env overrides could bypass allowlist/approval intent by steering an allowlisted tool through helper-command or config-loading environment variables such as GITSSHCOMMAND, editor/pager hooks, and GITCONFIG / NPMCONFIG. 
Affected Packages / Versions - Package: openclaw (npm) - Latest published vulnerable version: 2026.3.2 - Affected range: <= 2026.3.2 - Patched in: 2026.3.7 Details Before the fix, src/infra/host-env-security.ts blocked only a narrow set of override-only environment variables. Dangerous request-scoped overrides such as GITSSHCOMMAND and prefix families such as GITCONFIG and NPMCONFIG could still survive sanitizeSystemRunEnvOverrides(...) / sanitizeHostExecEnv(...) and reach the spawned process. That mattered for system.run allowlist and approval flows because approval evaluation was tied to the reviewed binary/argv, while the launched process could still inherit attacker-controlled env overrides that changed helper-command execution or config resolution. For allowlisted tools such as git, this allowed behavior outside the reviewed command semantics. The fix extends the shared TypeScript and macOS policy to block dangerous override-only exact keys and prefixes while preserving trusted inherited base-environment behavior. Impact This is a real protection-bypass issue, but exploitation requires an already tool-enabled caller who can invoke system.run and supply env overrides. In affected deployments, that caller could bypass allowlist/approval intent and trigger helper-command execution or config-loading behavior that is not represented by the approved command line. Maintainer severity is set to medium because the bug still requires that existing execution capability; the vulnerability is the mismatch between reviewed command semantics and the actual spawned-process behavior. Fix Commit(s) - e27bbe4982439da6864160fd1b66445058f74801 Release Process Note npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package. 
Thanks @tdjackey and @SnailSploit for reporting.", + "affected": [ + "openclaw@<= 2026.3.2" + ], + "patched": [ + "openclaw@>= 2026.3.7" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-08T14:26:56Z", + "updated": "2026-03-08T14:26:56Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-j425-whc4-4jgc" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-j425-whc4-4jgc", + "nvd_url": null, + "cvss_score": 6.3, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "cwe_ids": [ + "CWE-15", + "CWE-693" + ], + "credits": [ + "tdjackey", + "SnailSploit", + "zpbrent" + ], + "aliases": [ + "GHSA-j425-whc4-4jgc" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-pjvx-rx66-r3fg", + "ghsa_id": "GHSA-pjvx-rx66-r3fg", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-639", + "title": "Cross-account sender authorization expansion in /allowlist ... --store account scoping", + "description": "Summary /allowlist ... --store resolved the selected channel accountId for reads, but store writes still dropped that accountId and wrote into the legacy unscoped pairing allowlist store. Because default-account reads still merge legacy unscoped entries, a store entry intended for one account could silently authorize the same sender on the default account. This is a real cross-account sender-authorization scoping bug. Severity is set to medium because exploitation requires an already-authorized user who can run /allowlist edits. 
Affected Packages / Versions - Package: openclaw (npm) - Latest published version checked: 2026.3.2 - Affected versions: <= 2026.3.2 - Fixed on main: March 7, 2026 in 70da80bcb5574a10925469048d2ebb2abf882e73 - Patched release: 2026.3.7 Details The affected path was: - src/auto-reply/reply/commands-allowlist.ts:386-393 resolved accountId and read store state with it - src/auto-reply/reply/commands-allowlist.ts:697-702 and src/auto-reply/reply/commands-allowlist.ts:730-733 wrote store state without passing accountId - src/pairing/pairing-store.ts:231-234 and src/pairing/pairing-store.ts:534-554 still merged legacy unscoped allowlist entries into the default account The fix scopes /allowlist ... --store writes to the resolved account and clears legacy default-account store entries on removal so legacy reads no longer create cross-account authorization bleed-through. Impact - Vulnerability class: improper authorization scoping / incorrect authorization - Exploitation requires: an already-authorized sender who can run /allowlist edits - Security effect: unintended authorization expansion from one channel account into default Fix Commit(s) - 70da80bcb5574a10925469048d2ebb2abf882e73 — scope /allowlist ... --store writes by account and clean up legacy default-account removals Release Process Note npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package. 
Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.3.2" + ], + "patched": [ + "openclaw@>= 2026.3.7" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-08T14:26:55Z", + "updated": "2026-03-08T14:26:55Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-pjvx-rx66-r3fg" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-pjvx-rx66-r3fg", + "nvd_url": null, + "cvss_score": 5.4, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", + "cwe_ids": [ + "CWE-639", + "CWE-863" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-pjvx-rx66-r3fg" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-6rmx-gvvg-vh6j", + "ghsa_id": "GHSA-6rmx-gvvg-vh6j", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-307", + "title": "hooks count non-POST requests toward auth lockout", + "description": "OpenClaw's hooks HTTP handler counted hook authentication failures before rejecting unsupported HTTP methods. An unauthenticated client could send repeated non-POST requests (for example GET) with an invalid token to consume the hook auth failure budget and trigger the temporary lockout window for that client key. The fix moves the hook method gate ahead of auth-failure accounting so unsupported methods return 405 Method Not Allowed without incrementing the hook auth limiter. 
Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.3.2 - Patched version: 2026.3.7 - Latest published npm version at patch time: 2026.3.2 Impact An unauthenticated network client that could reach /hooks/ could temporarily lock out legitimate webhook delivery when requests collapsed to the same hook auth client key, such as shared proxy or NAT topologies. Impact is limited to temporary availability loss for hook-triggered wake or automation delivery. Fix Commit(s) - 44820dceadac65ac7c0ce8fc0ffba8c2bd9fae89 Verification - pnpm check passed - pnpm test:fast passed - focused hook regression tests passed - pnpm exec vitest run --config vitest.gateway.config.ts still has unrelated current-main failures in src/gateway/server-channels.test.ts and src/gateway/server-methods/agents-mutate.test.ts Release Process Note npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package. Thanks @JNX03 for reporting.", + "affected": [ + "openclaw@<= 2026.3.2" + ], + "patched": [ + "openclaw@>= 2026.3.7" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-08T14:26:54Z", + "updated": "2026-03-08T14:26:54Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-6rmx-gvvg-vh6j" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6rmx-gvvg-vh6j", + "nvd_url": null, + "cvss_score": 5.3, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cwe_ids": [ + "CWE-307", + "CWE-799" + ], + "credits": [ + "JNX03" + ], + "aliases": [ + "GHSA-6rmx-gvvg-vh6j" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-rchv-x836-w7xp", + "ghsa_id": "GHSA-rchv-x836-w7xp", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + 
"severity": "high", + "type": "github_security_advisory", + "nvd_category_id": null, + "title": "Dashboard leaked gateway auth material via browser URL/query and localStorage", + "description": "OpenClaw's macOS Dashboard flow exposed Gateway authentication material to browser-controlled surfaces. Before the fix, the macOS app appended the shared Gateway token and password to the Dashboard URL query string when opening the Control UI in the browser. The Control UI then imported the token and persisted it into browser localStorage under openclaw.control.settings.v1. This expanded exposure of reusable Gateway admin credentials into browser address-bar/query surfaces and persistent script-readable storage. Affected Packages / Versions - Package: openclaw (npm) - Latest published version verified vulnerable: 2026.3.2 - Affected range: <= 2026.3.2 - Patched version: = 2026.3.7 Impact An attacker with access to browser-controlled surfaces or persistent browser storage could recover a valid Gateway admin token and reuse it against the OpenClaw management interface. The exposure chain was: 1. macOS Open Dashboard constructed a URL with auth material. 2. The browser received that credential-bearing URL. 3. The Control UI imported the token from the URL. 4. The Control UI persisted the token in localStorage. Fix The fix aligns the macOS Dashboard flow with the safer existing CLI/bootstrap pattern and removes persistent browser token storage: - macOS Dashboard now passes the Gateway token via URL fragment instead of query parameters. - macOS Dashboard no longer propagates the shared Gateway password into browser URLs. - Control UI keeps Gateway tokens in memory only for the current tab. - Control UI scrubs legacy persisted tokens from openclaw.control.settings.v1 on load. - Regression tests cover fragment transport, password omission, and token-scrubbing behavior. 
Fix Commit(s) - 10d0e3f3ca92326df0ca071fabffe463742f263c (March 7, 2026) Release Process Note npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package. Thanks @whiter6666 for reporting.", + "affected": [ + "openclaw@<= 2026.3.2" + ], + "patched": [ + "openclaw@>= 2026.3.7" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-08T14:26:54Z", + "updated": "2026-03-08T14:26:54Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-rchv-x836-w7xp" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rchv-x836-w7xp", + "nvd_url": null, + "cvss_score": 7.1, + "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", + "cwe_ids": [], + "credits": [ + "whiter6666" + ], + "aliases": [ + "GHSA-rchv-x836-w7xp" + ], + "source_feed": "ghsa-without-cve" + }, { "id": "CVE-2026-29613", "severity": "medium", 
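Review bot: The GHSA-rchv-x836-w7xp entry is rated `"severity": "high"` with `"cvss_score": 7.1`, yet it ships with `"nvd_category_id": null`, `"cwe_ids": [],` and the generic `"type": "github_security_advisory"`. It is the only high-severity advisory in this hunk, and any consumer that triages by CWE or type will leave this Gateway credential exposure unclassified. The description covers a token in a URL query string and in localStorage, so candidates such as `"cwe_ids": ["CWE-598", "CWE-922"],` look plausible, but they need confirming against the upstream advisory before the generator emits them. Failing that, the feed schema should state that a null category means "unclassified" rather than "low priority". The enclosing `advisories` array starts and ends outside the hunk.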
@@ -15890,6 +16733,317 @@ "exploit_sources": [] } }, + { + "id": "GHSA-474h-prjg-mmw3", + "ghsa_id": "GHSA-474h-prjg-mmw3", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "high", + "type": "github_security_advisory", + "nvd_category_id": "CWE-269", + "title": "Sandboxed sessionsspawn(runtime=\"acp\") bypassed sandbox inheritance and allowed host ACP initialization", + "description": "Summary Sandboxed sessionsspawn(runtime=\"acp\") could bypass sandbox inheritance and initialize host-side ACP runtime. The fix now fail-closes ACP spawn from sandboxed requester sessions and rejects sandbox=\"require\" for runtime=\"acp\". Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version at triage time: 2026.3.1 (March 2, 2026) - Vulnerable range: <=2026.3.1 - Patched release: 2026.3.2 (released) Technical Details - Root cause: runtime=\"subagent\" enforced sandbox inheritance, while runtime=\"acp\" did not enforce equivalent sandbox/runtime checks. - Security impact: sandbox-boundary bypass into host-side ACP initialization. 
- Fixed behavior: - deny ACP spawn when requester runtime is sandboxed - deny sessionsspawn with runtime=\"acp\", sandbox=\"require\" - align sandboxed prompt guidance to avoid advertising blocked ACP paths Fix Commit(s) - ac11f0af731d41743ba02d8595f4d0fe747336e3 - c703aa0fe92df9fb71cf254fc46991e05fba2114", + "affected": [ + "openclaw@<=2026.3.1" + ], + "patched": [ + "openclaw@>= 2026.3.2" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-03T04:14:22Z", + "updated": "2026-03-03T04:14:22Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-474h-prjg-mmw3" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-474h-prjg-mmw3", + "nvd_url": null, + "cvss_score": 8, + "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", + "cwe_ids": [ + "CWE-269" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-474h-prjg-mmw3" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-v865-p3gq-hw6m", + "ghsa_id": "GHSA-v865-p3gq-hw6m", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-288", + "title": "Encoded-path auth bypass in plugin /api/channels route classification", + "description": "Summary (Updated March 2, 2026) Encoded alternate-path requests could bypass plugin route auth checks for /api/channels/ due to canonicalization depth mismatch in vulnerable builds. 
Affected Packages / Versions - Package: openclaw (npm) - Latest published vulnerable version: 2026.3.1 - Affected range: <= 2026.3.1 - Patched release: 2026.3.2 (patchedversions: = 2026.3.2) Technical Details In affected versions, plugin auth-path classification and route-path canonicalization could diverge for deeply encoded slash variants (for example multi-encoded %2f). That mismatch allowed alternate encoded paths to evade protected-prefix auth checks while still resolving to /api/channels/... in plugin route handling. The fix set hardens this class of issue by: - canonicalizing route paths to a bounded fixpoint, - failing closed on malformed or unresolved canonicalization depth, - requiring explicit plugin-route auth contracts (no implicit auth default), - enforcing route ownership/conflict guards for duplicate route registrations, and - using shared webhook route lifecycle registration to avoid stale/conflicting route surfaces. Affected Deployments Deployments exposing plugin HTTP routes and relying on gateway auth for /api/channels/ protection. 
Fix Commit(s) - 93b07240257919f770d1e263e1f22753937b80ea - 2fd8264ab03bd178e62a5f0c50d1c8556c17f12d - d74bc257d8432f17e50b23ae713d7e0623a1fe0f - 7a7eee920a176a0043398c6b37bf4cc6eb983eeb", + "affected": [ + "openclaw@<= 2026.3.1" + ], + "patched": [ + "openclaw@>= 2026.3.2" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-03T04:14:18Z", + "updated": "2026-03-03T04:14:18Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-v865-p3gq-hw6m" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v865-p3gq-hw6m", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-288" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-v865-p3gq-hw6m" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-2858-xg23-26fp", + "ghsa_id": "GHSA-2858-xg23-26fp", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "server_side_request_forgery", + "nvd_category_id": "CWE-918", + "title": "Node camera URL payload host-binding bypass allowed gateway fetch pivots", + "description": "Summary OpenClaw accepted camera.snap / camera.clip node payload url fields and downloaded them on the gateway/agent host without binding downloads to the resolved node host. In OpenClaw's documented trust model, paired nodes are in the same operator trust boundary, so this is scoped as medium-severity hardening. A malicious or compromised paired node could still steer gateway-host fetches during camera URL retrieval. 
Affected Packages / Versions - Package: openclaw (npm) - Affected versions: = 2026.2.13 <= 2026.3.1 - Latest vulnerable published version at time of update: 2026.3.1 - Patched versions: = 2026.3.2 (released) Technical Details Vulnerable flows accepted URL payloads and downloaded directly from the provided URL: - src/cli/nodes-camera.ts (writeUrlToFile) fetched URL payloads without node-host binding. - src/cli/nodes-cli/register.camera.ts passed camera.snap / camera.clip payload URLs into that downloader. - src/agents/tools/nodes-tool.ts did the same for camerasnap / cameraclip tool actions. Impact A malicious/compromised paired node could cause gateway-host URL fetches to off-node destinations reachable from the host network. This could be used for internal network probing/fetch pivots in deployments where paired nodes are not fully trusted. Remediation The fix introduces fail-closed node-host binding and guarded fetch for camera URL payload downloads: - Require resolved node host metadata for URL payload downloads. - Enforce hostname match between payload URL and resolved node host. - Use SSRF-guarded fetch with redirect host/protocol checks. - Apply the same enforcement across CLI and agent tool camera paths. 
Fix Commit(s) - 3bf19d6f40a0aaa55818b96eede3d05130c02533", + "affected": [ + "openclaw@>= 2026.2.13 <= 2026.3.1" + ], + "patched": [ + "openclaw@>= 2026.3.2" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-03T04:14:15Z", + "updated": "2026-03-03T04:14:15Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-2858-xg23-26fp" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2858-xg23-26fp", + "nvd_url": null, + "cvss_score": 5.5, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", + "cwe_ids": [ + "CWE-918" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-2858-xg23-26fp" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-8m9v-xpgf-g99m", + "ghsa_id": "GHSA-8m9v-xpgf-g99m", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "incorrect_authorization", + "nvd_category_id": "CWE-863", + "title": "Unauthorized sender bypass in stop triggers and /models command authorization", + "description": "Summary Unauthorized senders could trigger two command paths without sender authorization checks: 1. stop-like natural-language abort triggers 2. /models command output Impact An unauthorized sender could disrupt active sessions and view model/auth metadata that should be authorization-gated. Fix Sender authorization is now enforced for stop-like abort triggers and /models listings. 
Affected and Patched Versions - Affected: <= 2026.2.26 - Patched: 2026.3.1", + "affected": [ + "openclaw@<= 2026.2.26" + ], + "patched": [ + "openclaw@>= 2026.3.1" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-02T05:46:05Z", + "updated": "2026-03-02T05:46:05Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-8m9v-xpgf-g99m" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8m9v-xpgf-g99m", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-863" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-8m9v-xpgf-g99m" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-7xmq-g46g-f8pv", + "ghsa_id": "GHSA-7xmq-g46g-f8pv", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-59", + "title": "Sandbox media TOCTOU could read files outside sandbox root", + "description": "Summary Sandbox media handling had a time-of-check/time-of-use gap: media paths could be validated first and read later through a separate path. A symlink retarget between those steps could cause reads outside sandboxRoot. Impact Affected versions could permit host file reads outside the intended sandbox root in media attachment/image flows. Fix Media reads now use consolidated root-scoped, boundary-safe read paths at use time, removing check/use drift across call sites. 
Affected and Patched Versions - Affected: <= 2026.2.26 - Patched: 2026.3.1", + "affected": [ + "openclaw@<= 2026.2.26" + ], + "patched": [ + "openclaw@>= 2026.3.1" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-02T05:46:04Z", + "updated": "2026-03-02T05:46:04Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-7xmq-g46g-f8pv" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7xmq-g46g-f8pv", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-59", + "CWE-367" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-7xmq-g46g-f8pv" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-x82f-27x3-q89c", + "ghsa_id": "GHSA-x82f-27x3-q89c", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-59", + "title": "TOCTOU symlink race in writeFileWithinRoot could create or truncate files outside root boundaries", + "description": "Summary A symlink-retarget TOCTOU race in writeFileWithinRoot could point an attacker-controlled path alias outside the configured root between resolution and write operations. Impact Affected versions could cause out-of-root write side effects (including file creation or truncation) before final boundary validation. Fix Root-scoped write flow now opens existing files without pre-truncation, creates missing files with exclusive create semantics, truncates only after post-open identity/boundary checks, and removes out-of-root artifacts when a race is detected. 
Affected and Patched Versions - Affected: <= 2026.2.26 - Patched: 2026.3.1", + "affected": [ + "openclaw@<= 2026.2.26" + ], + "patched": [ + "openclaw@>= 2026.3.1" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-02T05:46:04Z", + "updated": "2026-03-02T05:46:04Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-x82f-27x3-q89c" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-x82f-27x3-q89c", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-59", + "CWE-367" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-x82f-27x3-q89c" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-392f-ggf5-fp3c", + "ghsa_id": "GHSA-392f-ggf5-fp3c", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-176", + "title": "Unicode canonicalization drift in node metadata policy classification could broaden node allowlists", + "description": "Summary A paired node could supply Unicode-confusable platform or deviceFamily metadata that passed metadata pinning but classified differently for command policy resolution, broadening default node command allowlists. Impact This is a policy-bypass issue within the paired-node trust boundary and can expand node command availability beyond intended defaults. Fix Node metadata canonicalization was hardened against confusables, and unknown platform defaults were made conservative (excluding system.run and system.which unless explicitly allowlisted). 
Affected and Patched Versions - Affected: <= 2026.2.26 - Patched: 2026.3.1", + "affected": [ + "openclaw@<= 2026.2.26" + ], + "patched": [ + "openclaw@>= 2026.3.1" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-02T05:46:02Z", + "updated": "2026-03-02T05:46:02Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-392f-ggf5-fp3c" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-392f-ggf5-fp3c", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-176", + "CWE-436" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-392f-ggf5-fp3c" + ], + "source_feed": "ghsa-without-cve" + }, { "id": "CVE-2026-28363", "severity": "critical", 
@@ -15924,6 +17078,1951 @@ "exploit_sources": [] } }, + { + "id": "GHSA-gp3q-wpq4-5c5h", + "ghsa_id": "GHSA-gp3q-wpq4-5c5h", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "high", + "type": "incorrect_authorization", + "nvd_category_id": "CWE-863", + "title": "LINE group allowlist scope mismatch with DM pairing-store entries", + "description": "Summary In specific LINE configurations, sender IDs approved through DM pairing could also satisfy group allowlist checks when operators expected group sender access to be scoped only to explicit group allowlists. Affected Packages / Versions - Package: openclaw (npm) - Latest published version at triage/update time: 2026.2.25 - Affected: <= 2026.2.25 - Patched: = 2026.2.26 (planned next release) Impact This is a group-authorization scope mismatch. DM pairing-store entries could influence group sender authorization in allowlist mode. Technical Details Root cause: group allowlist composition inherited pairing-store entries intended for DM approvals. Under default DM pairing policy, a DM-paired sender could match group allowlist checks. Fixes on main: - isolate group allowlist composition from pairing-store entries - centralize shared DM/group allowlist composition to preserve DM-only pairing behavior - add regression coverage for LINE and Mattermost policy paths Fix Commit(s) - 8bdda7a651c21e98faccdbbd73081e79cffe8be0 - 892a9c24b0f6118729ab5b5f5499b1a7e792dd15 (follow-up refactor hardening) Release Process Note patchedversions is pre-set to = 2026.2.26 so once npm 2026.2.26 is published, this advisory can be published directly without additional version-field edits. 
Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.25" + ], + "patched": [ + "openclaw@>= 2026.2.26" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-26T22:40:37Z", + "updated": "2026-02-26T22:40:37Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-gp3q-wpq4-5c5h" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gp3q-wpq4-5c5h", + "nvd_url": null, + "cvss_score": 7.1, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", + "cwe_ids": [ + "CWE-863" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-gp3q-wpq4-5c5h" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-qcc4-p59m-p54m", + "ghsa_id": "GHSA-qcc4-p59m-p54m", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "high", + "type": "github_security_advisory", + "nvd_category_id": "CWE-59", + "title": "Sandbox dangling-symlink alias handling could bypass workspace-only write boundary", + "description": "Summary A sandbox boundary-validation gap in symlink alias handling allowed certain workspace-only write paths to be treated as in-boundary even when they could resolve outside the workspace/sandbox root. Affected Packages / Versions - Package: npm openclaw - Affected versions: <= 2026.2.25 - Latest published npm version included in affected range: 2026.2.25 (checked on February 26, 2026) - Patched version (pre-set for release): 2026.2.26 Technical Details In affected versions, dangling symlink hops could be accepted during boundary checks under missing-target conditions. For workspace-only write flows (including applypatch), this could allow writes to resolve outside the configured workspace/sandbox boundary. 
The fix resolves symlink targets through existing ancestors and fails closed when canonical resolution escapes the configured boundary. Impact - Boundary-confined write operations could be redirected outside the configured workspace/sandbox root. - Primary impact is integrity of host-side files reachable from that path resolution. Fix Commit(s) - 4fd29a35bb85a1898ebff518364c467058b50e14 Release Process Note patchedversions is pre-set to the planned next release (2026.2.26) so once npm 2026.2.26 is published, the advisory can be published without further field edits. Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<=2026.2.25" + ], + "patched": [ + "openclaw@>= 2026.2.26" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-26T22:40:37Z", + "updated": "2026-02-26T22:40:37Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-qcc4-p59m-p54m" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qcc4-p59m-p54m", + "nvd_url": null, + "cvss_score": 7, + "cvss_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "cwe_ids": [ + "CWE-59", + "CWE-367" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-qcc4-p59m-p54m" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-7qf6-h84j-8fq4", + "ghsa_id": "GHSA-7qf6-h84j-8fq4", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-367", + "title": "Microsoft Teams media fetch SSRF hardening: unified guarded fetch across Graph and attachment paths", + "description": "Impact Microsoft Teams media handling used mixed fetch paths for Graph metadata/content and attachment auth-retry flows. 
Some paths bypassed the shared SSRF guard model and created inconsistent host/DNS enforcement across redirect/fetch hops. Affected Packages / Versions - Package: openclaw (npm) - Latest published vulnerable version: 2026.2.25 - Affected range: <= 2026.2.25 - Planned patched version for next release: 2026.2.26 Technical Details The Microsoft Teams attachment/media code previously relied on plugin-local fetch behavior in parts of the flow, instead of uniformly using shared guarded fetch logic with pinned DNS + policy checks. This could allow policy drift and SSRF boundary inconsistency between channel/plugin paths. The fix unifies this path by: - routing Microsoft Teams Graph message/hosted-content/attachment fetches through shared SSRF-guarded fetch paths, - routing auth-scope fallback attachment downloads through the same guarded policy model, - centralizing hostname-suffix allowlist policy helpers in plugin-sdk so channel/plugins use the same allowlist normalization and policy construction behavior. Fix Commit(s) - 57334cd7d85174d5f951de01114fd5801b063564 Release Process Note patchedversions is pre-set to the planned next release (2026.2.26) so once npm openclaw@2026.2.26 is published, the advisory is ready to publish without further field edits. 
Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<=2026.2.25" + ], + "patched": [ + "openclaw@>= 2026.2.26" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-26T22:40:33Z", + "updated": "2026-02-26T22:40:33Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-7qf6-h84j-8fq4" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7qf6-h84j-8fq4", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-367", + "CWE-918" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-7qf6-h84j-8fq4" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-gcj7-r3hg-m7w6", + "ghsa_id": "GHSA-gcj7-r3hg-m7w6", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "low", + "type": "github_security_advisory", + "nvd_category_id": "CWE-294", + "title": "voice-call Twilio replay dedupe now bound to authenticated webhook identity", + "description": "Summary The voice-call Twilio webhook path accepted replay/dedupe identity from unsigned request metadata (i-twilio-idempotency-token), enabling replayed signed requests to bypass replay detection and manager dedupe by mutating only that header. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.25 (latest published npm version at triage time) - Fixed on main: commit 1aadf26f9acc399affabd859937a09468a9c5cb4 - Planned patched npm version: 2026.2.26 Impact Deployments using the optional voice-call Twilio webhook path could accept replayed webhook events as fresh events when an attacker had one valid signed request and changed only the unsigned idempotency header. 
Technical Details The fix removes unsigned-header trust from Twilio replay/dedupe identity and binds replay/manager dedupe to authenticated request material. It also threads a verified request identity through provider parsing so dedupe uses verification-derived identity rather than mutable headers. Fix Commit(s) - 1aadf26f9acc399affabd859937a09468a9c5cb4 Release Process Note patchedversions is pre-set to the planned next release (2026.2.26). After the npm release is published, this advisory can be published without additional version-field edits. Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<=2026.2.25" + ], + "patched": [ + "openclaw@>= 2026.2.26" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-26T22:40:32Z", + "updated": "2026-02-26T22:40:32Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-gcj7-r3hg-m7w6" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gcj7-r3hg-m7w6", + "nvd_url": null, + "cvss_score": 3.7, + "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cwe_ids": [ + "CWE-294", + "CWE-345" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-gcj7-r3hg-m7w6" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-f7ww-2725-qvw2", + "ghsa_id": "GHSA-f7ww-2725-qvw2", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-59", + "title": "Node system.run approval bypass via parent-symlink cwd rebind", + "description": "Summary For host=node executions, approval context could be bypassed after approval-time by rebinding a writable parent symlink in cwd while preserving the visible cwd string. 
Affected Packages / Versions - Package: openclaw (npm) - Affected: <= 2026.2.25 - Fixed: = 2026.2.26 (planned next npm release) Impact A command approved for one filesystem location could execute from a different location if a mutable parent symlink changed between approval and execution. Fix - Added immutable approval-time plan preparation (system.run.prepare) and systemRunPlanV2 canonical fields (argv, cwd, agentId, sessionKey). - Enforced canonical plan values through approval request storage and forwarding-time sanitization. - Rejected mutable parent-symlink path components during approval-plan building to block symlink rebind bypass. - Follow-up refactors centralized command catalogs and approval context/error handling to reduce future drift. Fix Commit(s) - 78a7ff2d50fb3bcef351571cb5a0f21430a340c1 - d82c042b09727a6148f3ca651b254c4a677aff26 - d06632ba45a8482192792c55d5ff0b2e21abb0a7 - 4e690e09c746408b5e27617a20cb3fdc5190dbda - 4b4718c8dfce2e2c48404aa5088af7c013bed60b Release Process Note patchedversions is pre-set to the planned next release (2026.2.26). Once npm openclaw@2026.2.26 is published, publish this advisory directly without further version-field edits. 
Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.25" + ], + "patched": [ + "openclaw@>= 2026.2.26" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-26T22:40:31Z", + "updated": "2026-02-26T22:40:31Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-f7ww-2725-qvw2" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f7ww-2725-qvw2", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-59", + "CWE-367" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-f7ww-2725-qvw2" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-j26j-7qc4-3mrf", + "ghsa_id": "GHSA-j26j-7qc4-3mrf", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-639", + "title": "MS Teams fileConsent/invoke missing conversation binding allowed cross-conversation pending-upload consumption", + "description": "Summary In openclaw MS Teams file-consent flow, pending uploads were authorized by uploadId alone. fileConsent/invoke did not verify the invoke conversation against the conversation that created the pending upload. Impact An attacker who obtained a valid uploadId within TTL could trigger cross-conversation upload completion (accept path) or cancel a victim pending upload (decline path). Technical Details - Pending uploads stored conversationId, but invoke handling consumed by uploadId only. - The invoke path did not enforce conversation binding before uploadToConsentUrl(...) and pending-upload removal. - Fix binds accept/decline handling to normalized conversation id match before consuming pending upload state. 
Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version (as of February 26, 2026): 2026.2.24 - Vulnerable range: <= 2026.2.24 - Patched in release: 2026.2.25 Remediation Upgrade to openclaw 2026.2.25 (or later) once published. Fix Commit(s) - 347f7b9550064f5f5b33c6e07f64e85b9657b6f1 Release Process Note patchedversions is pre-set to the release (2026.2.25). Advisory published with npm release 2026.2.25. Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.24" + ], + "patched": [ + "openclaw@>= 2026.2.25" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-26T03:58:32Z", + "updated": "2026-02-26T03:58:32Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-j26j-7qc4-3mrf" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-j26j-7qc4-3mrf", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-639", + "CWE-862" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-j26j-7qc4-3mrf" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-xmv6-r34m-62p4", + "ghsa_id": "GHSA-xmv6-r34m-62p4", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "path_traversal", + "nvd_category_id": "CWE-22", + "title": "Sandbox media fallback tmp symlink alias bypass allows host file reads outside sandboxRoot", + "description": "Summary A sandbox path validation bypass in openclaw allows host file reads outside sandboxRoot via the media path fallback tmp flow when the fallback tmp root is a symlink alias. 
Affected Packages / Versions - Package: npm openclaw - Affected versions: <= 2026.2.24 - Latest published npm version at triage time (February 26, 2026): 2026.2.24 - Patched version : 2026.2.25 Details When /tmp/openclaw is unavailable or unsafe, resolvePreferredOpenClawTmpDir() in src/infra/tmp-openclaw-dir.ts fell back to os.tmpdir()/openclaw-= 2026.2.25" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-26T03:58:31Z", + "updated": "2026-02-26T03:58:31Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-xmv6-r34m-62p4" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xmv6-r34m-62p4", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-22", + "CWE-59" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-xmv6-r34m-62p4" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-3jx4-q2m7-r496", + "ghsa_id": "GHSA-3jx4-q2m7-r496", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "high", + "type": "github_security_advisory", + "nvd_category_id": "CWE-59", + "title": "Hardlink alias checks could bypass workspace-only file boundaries in specific configurations", + "description": "Summary In certain workspace-restricted configurations, OpenClaw could follow hardlink aliases inside the workspace that reference files outside the workspace boundary. By default, tools.fs.workspaceOnly is off. This primarily affects deployments that intentionally enable workspace-only filesystem restrictions (and workspace-only applypatch checks). Impact - Confidentiality: out-of-workspace files could be read through in-workspace hardlink aliases. 
- Integrity: out-of-workspace files could be modified through in-workspace hardlink aliases. Affected Packages / Versions - Package: openclaw (npm) - Latest published version at triage time: 2026.2.24 - Affected range: <= 2026.2.24 - Planned patched version: 2026.2.25 Fix Commit(s) - 04d91d0319b82fd4de91ed05e9fc5219ff2ab64e (main) Remediation OpenClaw now rejects hardlinked final-file aliases during workspace boundary validation for: - workspace-only path checks (read / write / edit) - workspace-only applypatch read/write paths - sandbox mount-root path-safety checks Regression tests were added for applypatch, workspace fs tools, and sandbox fs bridge hardlink alias escapes. Release Process Note patchedversions is pre-set to the release (2026.2.25) so the advisory can be published after npm release with no further version-field edits. Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.24" + ], + "patched": [ + "openclaw@>= 2026.2.25" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-26T03:58:27Z", + "updated": "2026-02-26T03:58:27Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-3jx4-q2m7-r496" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3jx4-q2m7-r496", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-59", + "CWE-668" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-3jx4-q2m7-r496" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-qj22-xqjr-v83v", + "ghsa_id": "GHSA-qj22-xqjr-v83v", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "incorrect_authorization", + "nvd_category_id": "CWE-863", + "title": "Telegram messagereaction 
authorization bypass allows unauthorized system-event injection", + "description": "A missing sender-authorization check in Telegram messagereaction handling allowed unauthorized users to trigger reaction-derived system events. Affected Packages / Versions - Package: openclaw (npm) - Introduced: 2026.2.17 - Affected: = 2026.2.17 and <= 2026.2.24 - Latest published at patch time: 2026.2.24 - Patched in release: 2026.2.25 Impact When reaction notifications are enabled, unauthorized Telegram senders could inject reaction system events despite configured DM/group authorization controls (dmPolicy, allowFrom, groupPolicy, groupAllowFrom). Fix Commit(s) - e56b0cf1a04f992ac6ebc775899f48ea31687640 Release Process Note patchedversions is pre-set to the release (2026.2.25) so once npm release 2026.2.25 is published, this advisory can be published without further edits. Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.24" + ], + "patched": [ + "openclaw@>= 2026.2.25" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-26T03:58:21Z", + "updated": "2026-02-26T03:58:21Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-qj22-xqjr-v83v" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qj22-xqjr-v83v", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-863" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-qj22-xqjr-v83v" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-h97f-6pqj-q452", + "ghsa_id": "GHSA-h97f-6pqj-q452", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "low", + "type": "server_side_request_forgery", + "nvd_category_id": "CWE-918", + "title": "IPv6 multicast SSRF 
classifier bypass", + "description": "Summary OpenClaw's SSRF IP classifier did not treat IPv6 multicast literals (ff00::/8) as blocked/private-internal. This allowed literal multicast hosts to pass SSRF preflight checks. Impact A bypass in address classification existed for IPv6 multicast literals. OpenClaw's network fetch/navigation paths are constrained to HTTP/HTTPS and this was triaged as low-severity defense-in-depth hardening. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.24 - Patched versions: = 2026.2.25 Technical Details The IPv6 private/internal range set omitted multicast, so addresses like ff02::1 and ff05::1:3 were not classified as blocked by the shared SSRF classifier. Fix Commit(s) - baf656bc6fd7f83b6033e6dbc2548ec75028641f Release Process Note patchedversions is pre-set to the planned next npm release (2026.2.25). Once that release is published on npm, the advisory is published. Thanks @zpbrent for reporting.", + "affected": [ + "openclaw@<= 2026.2.24" + ], + "patched": [ + "openclaw@>= 2026.2.25" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-26T03:58:14Z", + "updated": "2026-02-26T03:58:14Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-h97f-6pqj-q452" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h97f-6pqj-q452", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-918" + ], + "credits": [ + "zpbrent" + ], + "aliases": [ + "GHSA-h97f-6pqj-q452" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-9f72-qcpw-2hxc", + "ghsa_id": "GHSA-9f72-qcpw-2hxc", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "high", + "type": 
"exposure_of_sensitive_information", + "nvd_category_id": "CWE-200", + "title": "Native prompt image auto-load did not honor tools.fs.workspaceOnly in sandboxed runs", + "description": "Summary In sandboxed runs, native prompt image auto-load did not honor tools.fs.workspaceOnly=true. This optional hardening setting is not enabled by default. When operators enabled it, prompt text could still reference mounted out-of-workspace image paths (for example /agent/secret.png) and load those image bytes for vision-capable model input. Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version at triage time: 2026.2.23 - Vulnerable version range: <= 2026.2.23 - Patched version (planned next release): 2026.2.24 Conditions Required This issue required all of the following: - sandbox mode enabled, - tools.fs.workspaceOnly=true configured, - an out-of-workspace mount path reachable from the sandbox (for example /agent), - vision-capable model path active for native prompt image loading. Technical Details Native prompt image ingestion (detectAndLoadPromptImages / loadImageFromRef) resolved and read sandbox paths but did not apply the same workspace-root assertion used by file tools when tools.fs.workspaceOnly was set. Fix Commit(s) - 370d115549c0dadace0902775eea0d5094aedfdc Verification - pnpm check - pnpm exec vitest run --config vitest.gateway.config.ts - pnpm test:fast Release Process Note patchedversions is pre-set to the planned next release (2026.2.24) so once npm release is available, this advisory only needs publish action. Thanks @tdjackey for reporting. Publication Update (2026-02-25) openclaw@2026.2.24 is published on npm and contains the fix commit(s) listed above. 
This advisory now marks = 2026.2.24 as patched.", + "affected": [ + "openclaw@<= 2026.2.23" + ], + "patched": [ + "openclaw@>= 2026.2.24" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-25T04:37:41Z", + "updated": "2026-02-25T04:37:41Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-9f72-qcpw-2hxc" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9f72-qcpw-2hxc", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-200", + "CWE-284" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-9f72-qcpw-2hxc" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-h656-5vcf-cm23", + "ghsa_id": "GHSA-h656-5vcf-cm23", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "improper_access_control", + "nvd_category_id": "CWE-284", + "title": "Telegram: Unauthorized Senders Trigger Media Download and Disk Write Before Access Check", + "description": "Impact In Telegram DM mode, inbound media was downloaded and written to disk before sender authorization checks completed. An unauthorized sender could trigger inbound media download/write activity (including media groups) even when DM access should be denied. Affected Packages / Versions - Package: openclaw (npm) - Latest published version currently affected: 2026.2.23 - Vulnerable range: <= 2026.2.23 - Patched in planned next release: 2026.2.24 Fix Commit(s) - 9514201fb9b51de5d0b23151110d0ff5d9c8bd67 Technical Details The Telegram handler flow now enforces DM authorization before media download/write paths execute, including media-group handling. 
Inbound channel activity tracking was also moved to run after DM authorization in the Telegram message context path. Release Process Note patchedversions is pre-set to the planned next release (2026.2.24). After npm publish, the advisory can be published without further version-field edits. Thanks @v8hid for reporting. Publication Update (2026-02-25) openclaw@2026.2.24 is published on npm and contains the fix commit(s) listed above. This advisory now marks = 2026.2.24 as patched.", + "affected": [ + "openclaw@<=2026.2.23" + ], + "patched": [ + "openclaw@>= 2026.2.24" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-25T04:37:39Z", + "updated": "2026-02-25T04:37:39Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-h656-5vcf-cm23" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h656-5vcf-cm23", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-284", + "CWE-404", + "CWE-406", + "CWE-770" + ], + "credits": [ + "v8hid" + ], + "aliases": [ + "GHSA-h656-5vcf-cm23" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-33hm-cq8r-wc49", + "ghsa_id": "GHSA-33hm-cq8r-wc49", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "path_traversal", + "nvd_category_id": "CWE-22", + "title": "Temporary path handling could write outside OpenClaw temp boundary", + "description": "Summary Sandbox media local-path validation accepted absolute paths under host tmp, even when those paths were outside the active sandbox root. 
Affected Packages / Versions - Package: openclaw (npm) - Latest published version verified during triage: 2026.2.23 - Affected versions: <= 2026.2.23 - Patched versions (planned next release): = 2026.2.24 Details In affected versions, sandbox media path resolution allowed absolute host tmp paths as trusted media inputs when they were under os.tmpdir(), without requiring that the path stay within the active sandboxRoot. Because outbound attachment hydration consumed these paths as already validated, this enabled out-of-sandbox host tmp file reads and exfiltration through attachment delivery. Impact - Confidentiality impact: high for deployments relying on sandboxRoot as a strict local filesystem boundary. - Practical impact: attacker-controlled media references could read and attach host tmp files outside the sandbox workspace boundary. Remediation - Restrict sandbox tmp-path acceptance to OpenClaw-managed temp roots only. - Default SDK/extension temp helpers to OpenClaw-managed temp roots. - Add CI guardrails to prevent broad tmp-root regressions in messaging/channel code paths. Fix Commit(s) - d3da67c7a9b463edc1a9b1c1f7af107a34ca32f5 - 79a7b3d22ef92e36a4031093d80a0acb0d82f351 - def993dbd843ff28f2b3bad5cc24603874ba9f1e Release Process Note The advisory is pre-set with patched version 2026.2.24 so it is ready for publication once that npm release is available. Thanks @tdjackey for reporting. Publication Update (2026-02-25) openclaw@2026.2.24 is published on npm and contains the fix commit(s) listed above. 
This advisory now marks = 2026.2.24 as patched.", + "affected": [ + "openclaw@<= 2026.2.23" + ], + "patched": [ + "openclaw@>= 2026.2.24" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-25T04:37:35Z", + "updated": "2026-02-25T04:37:35Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-33hm-cq8r-wc49" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-33hm-cq8r-wc49", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-22", + "CWE-284" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-33hm-cq8r-wc49" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-534w-2vm4-89xr", + "ghsa_id": "GHSA-534w-2vm4-89xr", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "improper_access_control", + "nvd_category_id": "CWE-284", + "title": "Zalo group sender allowlist bypass permits unauthorized GROUP dispatch", + "description": "A missing group-sender authorization check in the Zalo plugin allowed unauthorized GROUP messages to enter agent dispatch paths in configurations intended to restrict group traffic. Impact When Zalo group handling was configured with allowlist-style controls, a sender not present in the intended group allowlist could still trigger agent processing through the GROUP message path. Root Cause Group access checks were not consistently enforced before dispatch for Zalo GROUP messages. The fix adds explicit runtime group-policy evaluation (groupPolicy, groupAllowFrom, fallback to allowFrom) and fail-closed behavior for missing provider config. 
Affected Packages / Versions - Package: openclaw (npm) - Latest published vulnerable version: 2026.2.23 (as of 2026-02-24) - Affected range: <= 2026.2.23 - Planned patched version: 2026.2.24 Fix Commit(s) - b4010a0b627025c809c0e5dbdbd4770f3bc59ef8 Release Process Note patchedversions is pre-set to the planned next release (2026.2.24). Once that npm release is published, this advisory should only need to be published. Thanks @tdjackey for reporting. Publication Update (2026-02-25) openclaw@2026.2.24 is published on npm and contains the fix commit(s) listed above. This advisory now marks = 2026.2.24 as patched.", + "affected": [ + "openclaw@<= 2026.2.23" + ], + "patched": [ + "openclaw@>= 2026.2.24" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-25T04:37:33Z", + "updated": "2026-02-25T04:37:33Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-534w-2vm4-89xr" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-534w-2vm4-89xr", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-284", + "CWE-863" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-534w-2vm4-89xr" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-r294-2894-92j3", + "ghsa_id": "GHSA-r294-2894-92j3", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "cross_site_scripting", + "nvd_category_id": "CWE-79", + "title": "Stored XSS in exported session HTML viewer via markdown/raw-HTML rendering", + "description": "Summary The exported session HTML viewer allowed stored XSS when untrusted session content included raw HTML markdown tokens or unescaped metadata fields. 
Impact Opening a crafted exported HTML session could execute attacker-controlled JavaScript in the viewer context. This can expose session content in the page and enable phishing or UI spoofing in the trusted export view. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.22-2 - Patched version (released): = 2026.2.23 Technical Details The exporter rendered markdown with marked.parse(...) and inserted HTML via innerHTML, but did not override the html renderer token path. Raw HTML (for example = 2026.2.23" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-24T05:27:23Z", + "updated": "2026-02-24T05:27:23Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-r294-2894-92j3" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-r294-2894-92j3", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-79" + ], + "credits": [ + "allsmog" + ], + "aliases": [ + "GHSA-r294-2894-92j3" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-7ff8-xjh3-mgh6", + "ghsa_id": "GHSA-7ff8-xjh3-mgh6", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-266", + "title": "non-default autoAllowSkills setting could bypass on-miss exec prompt", + "description": "Summary In openclaw versions up to and including 2026.2.22-2, a non-default exec-approval configuration could allow a skill-name collision to bypass an ask=on-miss prompt. When autoAllowSkills=true, a path-scoped executable such as ./skill-bin could resolve to basename skill-bin, satisfy the skills allowlist segment, and run without prompting for approval. 
Affected Packages / Versions - Package: npm openclaw - Affected versions: <= 2026.2.22-2 - Patched versions: = 2026.2.23 (released) Configuration Scope (Not Default) This behavior requires non-default settings and does not affect default installs. Required conditions: - autoAllowSkills=true (default is false) - system.run with security=allowlist - ask=on-miss Technical Details The allowlist evaluator accepted skills satisfaction by bin-name match, so ./skill-bin could match skillBins.has(\"skill-bin\") after resolution. The fix hardens skill auto-allow matching by requiring: - a pathless invocation token (no / or \\\\), and - a trusted resolved executable path for that skill bin on the machine where skills run. This preserves normal skill-bin ... behavior while preventing ./=2026.2.23" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-24T05:27:21Z", + "updated": "2026-02-24T05:27:21Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-7ff8-xjh3-mgh6" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7ff8-xjh3-mgh6", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-266", + "CWE-863" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-7ff8-xjh3-mgh6" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-2j9j-gf59-p4p5", + "ghsa_id": "GHSA-2j9j-gf59-p4p5", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "low", + "type": "github_security_advisory", + "nvd_category_id": null, + "title": "iOS deep link (openclaw://agent) can trigger gateway agent requests without local confirmation", + "description": "Summary A crafted openclaw://agent deep link could cause OpenClaw iOS to forward an agent.request 
event to a connected Gateway without local confirmation on iOS. Affected Packages / Versions - Advisory package metadata: openclaw (swift ecosystem). - Latest published npm openclaw at triage time: 2026.2.22-2. - Affected practical surface: internal preview iOS builds only (not publicly distributed). - Structured advisory range is set to <= 2026.2.22-2 and patched version is pre-set to 2026.2.23 and is now public. Impact - External deep-link trigger could cause unintended agent action initiation in an already-connected iOS node context. - This is a user-interaction deep-link abuse issue, not unauthenticated server takeover. - Severity is set to Low because iOS distribution is internal preview/super-alpha and not public/TestFlight release. Remediation The iOS deep-link path now requires local confirmation unless a trusted deep-link key is provided, and unkeyed deep links have delivery-routing fields stripped before submission. Fix Commit(s) - ff4e6ca0d942ef52330dcbe116321ae4fed21749 Release Process Note patchedversions is pre-set to the released version (2026.2.23). This advisory now reflects released fix version 2026.2.23. 
Thanks @GCXWLP for reporting.", + "affected": [ + "openclaw@<= 2026.2.22-2" + ], + "patched": [ + "openclaw@2026.2.23" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-24T05:27:20Z", + "updated": "2026-02-24T05:27:20Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-2j9j-gf59-p4p5" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2j9j-gf59-p4p5", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [], + "credits": [ + "GCXWLP" + ], + "aliases": [ + "GHSA-2j9j-gf59-p4p5" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-6x2m-hqfw-hvpj", + "ghsa_id": "GHSA-6x2m-hqfw-hvpj", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-285", + "title": "Node exec approvals could be replayed across nodes", + "description": "Summary exec.approval requests for host=node were not explicitly bound to the target nodeId, so an approval intended for one node could be replayed for a different node under the same operator-controlled gateway fleet. Impact An operator approval for a system.run request could be reused across nodes if the request payload did not carry node identity through approval and execution checks. Affected Packages / Versions - Package: openclaw (npm) - Affected: <= 2026.2.22-2 - Fixed: 2026.2.23 (released) Mitigation Upgrade to 2026.2.23 or later once published. Fix Details The fix requires and persists nodeId for host=node approval requests and rejects execution when the approving node binding does not match the invoking node. 
Fix Commit(s) - 4a3f8438e527ac371a67fe7ac68a287f0dbe6063 Release Process Note patchedversions is pre-set to the released version (2026.2.23). This advisory now reflects released fix version 2026.2.23. Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.22-2" + ], + "patched": [ + "openclaw@>= 2026.2.23" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-24T05:27:18Z", + "updated": "2026-02-24T05:27:18Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-6x2m-hqfw-hvpj" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6x2m-hqfw-hvpj", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-285", + "CWE-863" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-6x2m-hqfw-hvpj" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-2ch6-x3g4-7759", + "ghsa_id": "GHSA-2ch6-x3g4-7759", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-639", + "title": "commands.allowFrom sender authorization accepted conversation identifiers via ctx.From", + "description": "Summary commands.allowFrom is documented as a sender authorization allowlist for commands/directives, but command authorization could include ctx.From (conversation identity) as a sender candidate. 
When commands.allowFrom contained conversation-like identifiers (for example Discord channel:= 2026.2.23" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-24T05:27:14Z", + "updated": "2026-02-24T05:27:14Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-796m-2973-wc5q" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-796m-2973-wc5q", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-436" + ], + "credits": [ + "jiseoung" + ], + "aliases": [ + "GHSA-796m-2973-wc5q" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-8j9w-9pm5-pv8m", + "ghsa_id": "GHSA-8j9w-9pm5-pv8m", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-184", + "title": "DUPLICATE of GHSA-3c6h-g97w-fg78: safeBins denied flags can be bypassed via GNU long-option abbreviations", + "description": "Duplicate Notice This draft advisory duplicates GHSA-3c6h-g97w-fg78. Canonical advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-3c6h-g97w-fg78 Use GHSA-3c6h-g97w-fg78 for tracking/publication. This advisory is published as a duplicate notice. Summary OpenClaw safeBins argument validation allowed denied flags to be bypassed via GNU long-option abbreviations. The validator matched denied long flags by exact string and treated unknown long options as allowed, creating a policy/runtime mismatch: commands could be approved as safe-bin usage while runtime behavior reached denied options. Impact - Default safe-bin wc: unauthorized file-read behavior via abbreviated --files0-fro (runtime resolves to --files0-from). 
- Configured safe-bin sort: external program invocation via abbreviated --compress-prog (runtime resolves to --compress-program). - Additional hardening gap: unknown or ambiguous long options in safe-bin mode were not rejected fail-closed. Technical Details Affected paths included safe-bin argv validation and allowlist evaluation: - src/infra/exec-safe-bin-policy.ts - src/infra/exec-approvals-allowlist.ts Affected Packages / Versions - Ecosystem: npm - Package: openclaw - Affected versions: <= 2026.2.22-2 - Fixed in code on main: 2026.2.23 (released) Remediation - Canonicalize long options using GNU-style unique-prefix matching. - Reject unknown and ambiguous long options in safe-bin mode (fail-closed). - Reject inline values for non-value long flags. - Deny additional sort filesystem-dependent flags in safe-bin mode: --random-source, --temporary-directory, -T. - Add regression tests for denied-flag abbreviations and fail-closed long-option handling. Fix Commit(s) - 3b8e33037ae2e12af7beb56fcf0346f1f8cbde6f Release Process Note Patched in 2026.2.23 and published. 
Thanks @jiseoung for reporting.", + "affected": [ + "openclaw@<= 2026.2.22-2" + ], + "patched": [ + "openclaw@>=2026.2.23" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-24T05:27:13Z", + "updated": "2026-02-24T05:27:13Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-8j9w-9pm5-pv8m" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8j9w-9pm5-pv8m", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-184" + ], + "credits": [ + "jiseoung" + ], + "aliases": [ + "GHSA-8j9w-9pm5-pv8m" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-4cqv-h74h-93j4", + "ghsa_id": "GHSA-4cqv-h74h-93j4", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "improper_authentication", + "nvd_category_id": "CWE-287", + "title": "Discord allowFrom slug-collision authorization bypass", + "description": "OpenClaw supports Discord allowlists using either user IDs or names/tags. Name/tag matching depends on slug normalization, so different user tags can collide to the same slug and unintentionally satisfy a name-based allowlist entry. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.21-2 - Patched versions: = 2026.2.22 What Changed - openclaw security audit now warns on Discord name/tag allowlist entries (DM allowlists, guild/channel users, and pairing-store entries). - Runtime authorization now prefers resolved user IDs when a configured name/tag can be resolved, without rewriting config files on disk. - Name-based entries remain supported for compatibility. Recommendations - Prefer stable Discord user IDs for security-sensitive allowlists. 
- Run openclaw security audit and address warnings where practical. Fix Commit(s) - f97c45c5b5e0698b6667bb5f6badc0cac7dabd12 - 747bb581b3f2264495e1fec5a0727d9f2ca1b6f1 Release Process Note Patched version fields now point to 2026.2.22 and fixes are merged on main. Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.21-2" + ], + "patched": [ + "openclaw@>= 2026.2.22" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-23T00:52:17Z", + "updated": "2026-02-23T00:52:17Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-4cqv-h74h-93j4" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4cqv-h74h-93j4", + "nvd_url": null, + "cvss_score": 6.5, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "cwe_ids": [ + "CWE-287" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-4cqv-h74h-93j4" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-jxrq-8fm4-9p58", + "ghsa_id": "GHSA-jxrq-8fm4-9p58", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-59", + "title": "Zip extraction symlink traversal could write outside destination", + "description": "Summary A path confinement bypass in OpenClaw ZIP extraction allowed writes outside the intended destination when a pre-existing symlink was present under the extraction root. Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version at triage time: 2026.2.21-2 - Affected versions: <= 2026.2.21-2 - Planned patched version for next release: 2026.2.22 Technical Details The vulnerable path was in src/infra/archive.ts ZIP extraction logic. 
Output-path checks were lexical, but writes could still traverse an existing symlink in destination path segments. The fix blocks this by: - rejecting symlink traversal in destination path segments, - validating resolved destination paths remain inside the extraction root, - using no-follow file opens for ZIP output writes where supported, - adding a regression test for pre-seeded destination symlink traversal. Impact - Type: Arbitrary file write outside extraction root via symlink traversal during ZIP extraction. - Preconditions: attacker-controlled archive extraction plus pre-existing symlink in destination path. Fix Commit(s) - 4b226b74f5fd3b106a83a6347fd404172e2fd246 Release Process Note Patched version is pre-set to the planned next release (2026.2.22). Once npm release 2026.2.22 is published, the advisory can be published without further field edits. Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.21-2" + ], + "patched": [ + "openclaw@>= 2026.2.22" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-23T00:52:17Z", + "updated": "2026-02-23T00:52:17Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-jxrq-8fm4-9p58" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jxrq-8fm4-9p58", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-59" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-jxrq-8fm4-9p58" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-jwf4-8wf4-jf2m", + "ghsa_id": "GHSA-jwf4-8wf4-jf2m", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "incorrect_authorization", + "nvd_category_id": "CWE-863", + "title": "BlueBubbles (optional 
plugin) pairing/allowlist mismatch when allowFrom is empty", + "description": "Summary BlueBubbles is an optional OpenClaw channel plugin. A configuration-sensitive access-control mismatch allowed DM senders to be treated as authorized when dmPolicy was pairing or allowlist and allowFrom was empty/unset. Severity Rationale (Medium) Severity is set to medium because: - this affects an optional plugin, not core messaging surfaces; - many deployments use owner-controlled/private BlueBubbles identities with limited external reachability; - practical exploitability depends on an untrusted sender being able to reach that specific BlueBubbles account identifier. In typical personal/self-hosted BlueBubbles setups, the mapped Apple identity is single-owner and not broadly reachable, so this is usually low practical risk. Risk is higher in deployments where the identifier is publicly reachable and/or agent tool permissions are broad. Technical Details 1. BlueBubbles DM policy defaults to pairing (dmPolicy ?? \"pairing\"). 2. Effective allowlist can be empty (effectiveAllowFrom). 3. DM/reaction authorization called isAllowedBlueBubblesSender(...). 4. That delegated to shared isAllowedParsedChatSender(...), which previously returned true for empty allowlists. 5. Result: unknown senders could bypass intended pairing/allowlist gating when allowFrom was empty. Affected Packages / Versions - Package: openclaw (npm) - Vulnerable versions: <= 2026.2.21-2 - Planned fixed version: 2026.2.22 Fix The shared parsed-chat allowlist helper now fails closed on empty allowlists, restoring expected BlueBubbles DM gating behavior. BlueBubbles inbound gating was also refactored to use one shared DM/group decision helper for both message and reaction paths to reduce future drift. 
Fix Commit(s) - 9632b9bcf032c5f2280c3103961fde912ab1f920 - 2ba6de7eaad812e5e8603018e14e54e96bdd57dd - 51c0893673de8e5cea64e64351dbfa4680ba0dec - 4540790cb62412676f7b61cfc6e47443f84a251e Release Process Note patchedversions is pre-set to the planned next release (2026.2.22). Once npm release 2026.2.22 is published, this advisory is ready to publish without additional field edits. Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.21-2" + ], + "patched": [ + "openclaw@2026.2.22" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-23T00:52:16Z", + "updated": "2026-02-23T00:52:16Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-jwf4-8wf4-jf2m" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jwf4-8wf4-jf2m", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-863" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-jwf4-8wf4-jf2m" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-659f-22xc-98f2", + "ghsa_id": "GHSA-659f-22xc-98f2", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "code_injection", + "nvd_category_id": "CWE-94", + "title": "Hook transform path containment missed symlink-resolved escapes", + "description": "Vulnerability Webhook transform modules were validated with lexical path checks only. A symlink under the allowed hooks transform tree could resolve outside the intended directory and be dynamically imported. 
Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.21-2 - Patched version (planned next release): 2026.2.22 Impact When an attacker can cause a transform module path to reference a symlinked entry that resolves outside the trusted transform directory, the gateway may import and execute unintended JavaScript with gateway-process privileges. Attack Preconditions - Hook transforms are enabled and reachable. - Attacker can influence transform path resolution (for example via privileged config access and/or writable filesystem path in the transform tree). - A symlink escape exists to attacker-controlled code. Remediation - Enforce realpath-aware containment for existing path ancestors before dynamic import. - Keep lexical containment checks for traversal and absolute-path escapes. - Add regression coverage for: - transform module symlink escape rejection, - hooks.transformsDir symlink escape rejection, - in-root symlink allow-case. Fix Commit(s) - f4dd0577b055f77af783105bd65eae32f3d5e6a1 Release Process Note patchedversions is pre-set to the planned next release (2026.2.22). After npm release is published, advisory publication can proceed without further version edits. 
Thanks @aether-ai-agent for reporting.",
+ "affected": [
+ "openclaw@<=2026.2.21-2"
+ ],
+ "patched": [
+ "openclaw@2026.2.22"
+ ],
+ "platforms": [
+ "openclaw"
+ ],
+ "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
+ "published": "2026-02-23T00:52:09Z",
+ "updated": "2026-02-23T00:52:09Z",
+ "references": [
+ "https://github.com/openclaw/openclaw/security/advisories/GHSA-659f-22xc-98f2"
+ ],
+ "source": "GitHub Security Advisory",
+ "repository": "openclaw/openclaw",
+ "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-659f-22xc-98f2",
+ "nvd_url": null,
+ "cvss_score": null,
+ "cvss_vector": null,
+ "cwe_ids": [
+ "CWE-94"
+ ],
+ "credits": [],
+ "aliases": [
+ "GHSA-659f-22xc-98f2"
+ ],
+ "source_feed": "ghsa-without-cve"
+ },
+ {
+ "id": "GHSA-5847-rm3g-23mw",
+ "ghsa_id": "GHSA-5847-rm3g-23mw",
+ "cve_id": null,
+ "status": "stale",
+ "stale": true,
+ "stale_after_days": 60,
+ "severity": "medium",
+ "type": "github_security_advisory",
+ "nvd_category_id": null,
+ "title": "Hook auth rate limiter bypass via IPv4-mapped IPv6 client key variants",
+ "description": "Vulnerability The hook authentication throttle keyed failed attempts by raw socket remoteAddress text. IPv4 and IPv4-mapped IPv6 forms of the same client (for example 1.2.3.4 and ::ffff:1.2.3.4) were treated as different clients, allowing separate rate-limit buckets. Impact An attacker could split failed hook-auth attempts across both address forms and effectively double the brute-force budget from 20 to 40 attempts per 60-second window. Affected Components - src/gateway/server-http.ts - src/gateway/auth-rate-limit.ts Affected Packages / Versions - Package: openclaw (npm) - Vulnerable versions: <= 2026.2.21-2 - Patched version (planned next release): 2026.2.22 Remediation Centralize and reuse canonical client-IP normalization for auth rate-limiting, and use that canonical key for hook auth throttling. 
Fix Commit(s) - 3284d2eb227e7b6536d543bcf5c3e320bc9d13c5 Release Process Note patchedversions is pre-set to the planned next release (2026.2.22) so once npm release 2026.2.22 is published, this advisory can be published directly. Thanks @aether-ai-agent for reporting.",
+ "affected": [
+ "openclaw@<=2026.2.21-2"
+ ],
+ "patched": [
+ "openclaw@>= 2026.2.22"
+ ],
+ "platforms": [
+ "openclaw"
+ ],
+ "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
+ "published": "2026-02-23T00:52:08Z",
+ "updated": "2026-02-23T00:52:08Z",
+ "references": [
+ "https://github.com/openclaw/openclaw/security/advisories/GHSA-5847-rm3g-23mw"
+ ],
+ "source": "GitHub Security Advisory",
+ "repository": "openclaw/openclaw",
+ "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5847-rm3g-23mw",
+ "nvd_url": null,
+ "cvss_score": null,
+ "cvss_vector": null,
+ "cwe_ids": [],
+ "credits": [],
+ "aliases": [
+ "GHSA-5847-rm3g-23mw"
+ ],
+ "source_feed": "ghsa-without-cve"
+ },
+ {
+ "id": "GHSA-9mph-4f7v-fmvh",
+ "ghsa_id": "GHSA-9mph-4f7v-fmvh",
+ "cve_id": null,
+ "status": "stale",
+ "stale": true,
+ "stale_after_days": 60,
+ "severity": "medium",
+ "type": "github_security_advisory",
+ "nvd_category_id": null,
+ "title": "Agent avatar symlink traversal in gateway session metadata",
+ "description": "Summary A crafted local avatar path could follow a symlink outside the agent workspace and return arbitrary file contents as a base64 data: URL in gateway responses. Impact - Confidentiality impact: local file read in the gateway process context. - Exfiltration path: agents.list can return the resulting avatarUrl payload. 
Affected Components - src/gateway/session-utils.ts (resolveIdentityAvatarUrl) Affected Packages / Versions - Package: openclaw (npm) - Introduced: v2026.1.21 - Affected published versions: <= 2026.2.21-2 - Planned patched version: 2026.2.22 Remediation - Resolve workspace and avatar paths with realpath and enforce realpath containment. - Open files with ONOFOLLOW when available. - Compare pre-open and opened file identity (dev/ino) to block swap races. - Add regression tests for outside-workspace symlink rejection and in-workspace symlink allowance. Fix Commit(s) - 3d0337504349954237d09e4d957df5cb844d5e77 Release Process Note The advisory patchedversions field is pre-set to the planned next release (2026.2.22). After that npm release is published, the remaining step is to publish this advisory. Thanks @aether-ai-agent for reporting.",
+ "affected": [
+ "openclaw@<= 2026.2.21-2"
+ ],
+ "patched": [
+ "openclaw@>= 2026.2.22"
+ ],
+ "platforms": [
+ "openclaw"
+ ],
+ "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
+ "published": "2026-02-23T00:52:08Z",
+ "updated": "2026-02-23T00:52:08Z",
+ "references": [
+ "https://github.com/openclaw/openclaw/security/advisories/GHSA-9mph-4f7v-fmvh"
+ ],
+ "source": "GitHub Security Advisory",
+ "repository": "openclaw/openclaw",
+ "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9mph-4f7v-fmvh",
+ "nvd_url": null,
+ "cvss_score": null,
+ "cvss_vector": null,
+ "cwe_ids": [],
+ "credits": [],
+ "aliases": [
+ "GHSA-9mph-4f7v-fmvh"
+ ],
+ "source_feed": "ghsa-without-cve"
+ },
+ {
+ "id": "GHSA-5h2c-8v84-qpvr",
+ "ghsa_id": "GHSA-5h2c-8v84-qpvr",
+ "cve_id": null,
+ "status": "stale",
+ "stale": true,
+ "stale_after_days": 60,
+ "severity": "medium",
+ "type": "github_security_advisory",
+ "nvd_category_id": "CWE-15",
+ "title": "Shell-env fallback trusted startup env and could execute attacker-influenced login-shell paths",
+ "description": "Summary OpenClaw shell-env fallback trusted startup environment values and could execute attacker-influenced login-shell startup paths before loading env keys. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: = 2026.1.5 and <= 2026.2.21-2 - Fixed on main: 9363c320d8ffe29290906752fab92621da02c3f7 - Planned patched release version (pre-set): 2026.2.22 Details The vulnerable chain was in the shell-env fallback path: 1. src/infra/shell-env.ts - resolveShell(env) trusted env.SHELL when set. - execLoginShellEnvZero(...) executed ${SHELL} -l -c \"env -0\" with inherited runtime env. 2. src/config/io.ts - Config env values were applied before shell fallback execution. 3. src/config/env-vars.ts / env policy coverage - SHELL handling was hardened, but startup-path selectors (HOME, ZDOTDIR) still needed explicit blocking in config env ingestion and sanitization for shell fallback execution. With env/config influence, this could trigger unintended command execution in shell startup processing on the OpenClaw host process context. Fix Mainline hardening now: - blocks SHELL, HOME, and ZDOTDIR during config env ingestion used by runtime fallback, - sanitizes shell fallback execution env, pinning HOME to the real user home and dropping ZDOTDIR + dangerous startup vars, - adds regression tests for config env ingestion and shell fallback/path-probe sanitization. Fix Commit(s) - 9363c320d8ffe29290906752fab92621da02c3f7 Impact - Local code-execution risk in environments where attacker-controlled env/config input can reach shell-env fallback. - Under OpenClaw trust assumptions (SECURITY.md), this is not a public-remote issue and depends on crossing local trusted-operator boundaries. Release Process Note patchedversions is intentionally pre-set to the planned next release (2026.2.22) so once npm release is out, maintainers can publish advisory immediately. 
Thanks @tdjackey for reporting.",
+ "affected": [
+ "openclaw@<=2026.2.21-2"
+ ],
+ "patched": [
+ "openclaw@>= 2026.2.22"
+ ],
+ "platforms": [
+ "openclaw"
+ ],
+ "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
+ "published": "2026-02-23T00:52:06Z",
+ "updated": "2026-02-23T00:52:06Z",
+ "references": [
+ "https://github.com/openclaw/openclaw/security/advisories/GHSA-5h2c-8v84-qpvr"
+ ],
+ "source": "GitHub Security Advisory",
+ "repository": "openclaw/openclaw",
+ "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5h2c-8v84-qpvr",
+ "nvd_url": null,
+ "cvss_score": 5.3,
+ "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
+ "cwe_ids": [
+ "CWE-15",
+ "CWE-78"
+ ],
+ "credits": [
+ "tdjackey"
+ ],
+ "aliases": [
+ "GHSA-5h2c-8v84-qpvr"
+ ],
+ "source_feed": "ghsa-without-cve"
+ },
+ {
+ "id": "GHSA-8mf7-vv8w-hjr2",
+ "ghsa_id": "GHSA-8mf7-vv8w-hjr2",
+ "cve_id": null,
+ "status": "stale",
+ "stale": true,
+ "stale_after_days": 60,
+ "severity": "low",
+ "type": "os_command_injection",
+ "nvd_category_id": "CWE-78",
+ "title": "tools.exec.safeBins generic fallback allowed interpreter-style inline payload execution in allowlist mode",
+ "description": "Summary When tools.exec.safeBins contained a binary without an explicit safe-bin profile, OpenClaw used a permissive generic fallback profile. In allowlist mode, that could let interpreter-style binaries (for example python3, node, ruby) execute inline payloads via flags like -c. This requires explicit operator configuration to add such binaries to safeBins, so impact is limited to non-default/misconfigured deployments. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.21-2 - Patched in code: = 2026.2.22 (planned next npm release) Fix - Remove generic safe-bin fallback during allowlist evaluation. - Require explicit safe-bin profiles for safeBins entries. 
- Add configurable tools.exec.safeBinProfiles (global + per-agent) for safe custom binaries. - Update docs to clearly separate safeBins from command allowlist semantics. Fix Commit(s) - 47c3f742b6c488be26dd7b9636dbbb8676089154 Release Process Note patchedversions is pre-set to the planned next release (= 2026.2.22) so once that npm release is published, the advisory can be published directly without further metadata edits. Thanks @tdjackey for reporting.",
+ "affected": [
+ "openclaw@<= 2026.2.21-2"
+ ],
+ "patched": [
+ "openclaw@>= 2026.2.22"
+ ],
+ "platforms": [
+ "openclaw"
+ ],
+ "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
+ "published": "2026-02-23T00:52:06Z",
+ "updated": "2026-02-23T00:52:06Z",
+ "references": [
+ "https://github.com/openclaw/openclaw/security/advisories/GHSA-8mf7-vv8w-hjr2"
+ ],
+ "source": "GitHub Security Advisory",
+ "repository": "openclaw/openclaw",
+ "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8mf7-vv8w-hjr2",
+ "nvd_url": null,
+ "cvss_score": null,
+ "cvss_vector": null,
+ "cwe_ids": [
+ "CWE-78",
+ "CWE-693"
+ ],
+ "credits": [
+ "tdjackey"
+ ],
+ "aliases": [
+ "GHSA-8mf7-vv8w-hjr2"
+ ],
+ "source_feed": "ghsa-without-cve"
+ },
+ {
+ "id": "GHSA-4rqq-w8v4-7p47",
+ "ghsa_id": "GHSA-4rqq-w8v4-7p47",
+ "cve_id": null,
+ "status": "stale",
+ "stale": true,
+ "stale_after_days": 60,
+ "severity": "low",
+ "type": "github_security_advisory",
+ "nvd_category_id": null,
+ "title": "Incomplete IPv4 special-use SSRF blocking in web fetch guard",
+ "description": "Summary isPrivateIpv4() in bundled SSRF guard code missed several IPv4 special-use/non-global ranges, so webfetch could allow targets that should be blocked by SSRF policy. 
Affected Packages / Versions - Package: openclaw (npm) - Latest published affected version: 2026.2.21-2 (published 2026-02-21) - Structured vulnerable range: <= 2026.2.21-2 - Planned patched version (pre-set): = 2026.2.22 Impact Low severity. Exploitation requires network reachability to the relevant special-use ranges and a request path that reaches webfetch URL fetching. Technical Details Affected releases used narrow IPv4 private-range checks that omitted multiple RFC special-use/non-global ranges. This allowed requests such as http://198.18.0.1/... through SSRF validation in affected releases. Follow-up hardening consolidates local-host/tailnet range checks so gateway/browser/tailnet paths share one canonical IP classification flow. Fix Commit(s) - 71bd15bb4294d3d1b54386064d69cd0f5f731bd8 - 44dfbd23df453e51b71ef79a148c28c53e89168c - 333fbb86347998526dd514290adfd5f727caa6d9 - f14ebd743cfc73f667fae80af70043d0ab1f88bd Release Process Note patchedversions is intentionally pre-set to the planned next release (= 2026.2.22) so once npm 2026.2.22 is published, maintainers can publish this advisory without further metadata edits. 
Thanks @princeeismond-dot for reporting.",
+ "affected": [
+ "openclaw@<= 2026.2.21-2"
+ ],
+ "patched": [
+ "openclaw@>= 2026.2.22"
+ ],
+ "platforms": [
+ "openclaw"
+ ],
+ "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
+ "published": "2026-02-23T00:52:05Z",
+ "updated": "2026-02-23T00:52:05Z",
+ "references": [
+ "https://github.com/openclaw/openclaw/security/advisories/GHSA-4rqq-w8v4-7p47"
+ ],
+ "source": "GitHub Security Advisory",
+ "repository": "openclaw/openclaw",
+ "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4rqq-w8v4-7p47",
+ "nvd_url": null,
+ "cvss_score": null,
+ "cvss_vector": null,
+ "cwe_ids": [],
+ "credits": [
+ "princeeismond-dot"
+ ],
+ "aliases": [
+ "GHSA-4rqq-w8v4-7p47"
+ ],
+ "source_feed": "ghsa-without-cve"
+ },
+ {
+ "id": "GHSA-f6h3-846h-2r8w",
+ "ghsa_id": "GHSA-f6h3-846h-2r8w",
+ "cve_id": null,
+ "status": "stale",
+ "stale": true,
+ "stale_after_days": 60,
+ "severity": "medium",
+ "type": "github_security_advisory",
+ "nvd_category_id": "CWE-639",
+ "title": "Elevated allowFrom matching tightened for sender-scoped authorization",
+ "description": "Summary In certain elevated-mode configurations, tools.elevated.allowFrom accepted broader identity signals than intended. The fix tightens matching to sender-scoped identity by default and makes mutable metadata matching explicit. Context OpenClaw is commonly used in 1:1 chats or trusted group chats. In that intended model, this issue is best treated as authorization hardening / defense-in-depth for elevated sender approval. 
Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version at triage: 2026.2.21-2 - Affected versions: <= 2026.2.21-2 - Planned patched version (pre-set for publish-ready advisory): 2026.2.22 Details Elevated sender authorization now matches sender-scoped identity values only by default (SenderId, From, SenderE164) and no longer considers recipient routing fields such as ctx.To. Mutable sender metadata (SenderName, SenderUsername, SenderTag) now requires explicit allowlist prefixes (name:, username:, tag:). Explicit identity prefixes are also supported (id:, from:, e164:). Fix Commit(s) - 6817c0ec7b4fa830123d4f5c340f075a4bd04ee2 Release Process Note The advisory patchedversions is pre-set to the planned next release (2026.2.22). Once npm openclaw@2026.2.22 is published, this advisory can be published without additional content edits. Thanks @jiseoung for reporting.",
+ "affected": [
+ "openclaw@<= 2026.2.21-2"
+ ],
+ "patched": [
+ "openclaw@>= 2026.2.22"
+ ],
+ "platforms": [
+ "openclaw"
+ ],
+ "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
+ "published": "2026-02-23T00:52:03Z",
+ "updated": "2026-02-23T00:52:03Z",
+ "references": [
+ "https://github.com/openclaw/openclaw/security/advisories/GHSA-f6h3-846h-2r8w"
+ ],
+ "source": "GitHub Security Advisory",
+ "repository": "openclaw/openclaw",
+ "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f6h3-846h-2r8w",
+ "nvd_url": null,
+ "cvss_score": null,
+ "cvss_vector": null,
+ "cwe_ids": [
+ "CWE-639"
+ ],
+ "credits": [
+ "jiseoung"
+ ],
+ "aliases": [
+ "GHSA-f6h3-846h-2r8w"
+ ],
+ "source_feed": "ghsa-without-cve"
+ },
+ {
+ "id": "GHSA-qhrr-grqp-6x2g",
+ "ghsa_id": "GHSA-qhrr-grqp-6x2g",
+ "cve_id": null,
+ "status": "stale",
+ "stale": true,
+ "stale_after_days": 60,
+ "severity": "medium",
+ "type": "github_security_advisory",
+ "nvd_category_id": "CWE-426",
+ "title": "tools.exec.safeBins 
trusted PATH directories allowed binary shadowing in allowlist mode",
+ "description": "Summary In openclaw allowlist mode, tools.exec.safeBins trusted PATH-derived directories for safe-bin resolution. A same-name binary placed in a trusted PATH directory could satisfy safe-bin checks and execute. Impact This is an allowlist bypass in exec policy that can lead to command execution in the OpenClaw runtime context when allowlist mode relies on safe bins and an attacker can influence trusted binary locations. Affected Packages / Versions - Package: openclaw (npm) - Vulnerable versions: <= 2026.2.21-2 - Patched versions: = 2026.2.22 (planned next release) - Latest published npm version at triage time (2026-02-22): 2026.2.21-2 Root Cause - Safe-bin trust accepted PATH-derived directories instead of explicit trusted directories. - Safe-bin execution used shell command tokens that could resolve to shadowed binaries. Remediation - Stop trusting PATH-derived directories for safe-bin trust. - Add explicit tools.exec.safeBinTrustedDirs for opt-in extra trusted paths. - Pin safe-bin shell execution to resolved absolute executable paths. Fix Commit(s) - 64b273a71cf0b2f2419c974832cede1fc2158729 Release Process Note patchedversions is pre-set to the planned next release (2026.2.22). After npm release, this advisory is ready for publish without additional field edits. 
Thanks @tdjackey for reporting.",
+ "affected": [
+ "openclaw@<= 2026.2.21-2"
+ ],
+ "patched": [
+ "openclaw@>= 2026.2.22"
+ ],
+ "platforms": [
+ "openclaw"
+ ],
+ "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
+ "published": "2026-02-23T00:52:00Z",
+ "updated": "2026-02-23T00:52:00Z",
+ "references": [
+ "https://github.com/openclaw/openclaw/security/advisories/GHSA-qhrr-grqp-6x2g"
+ ],
+ "source": "GitHub Security Advisory",
+ "repository": "openclaw/openclaw",
+ "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qhrr-grqp-6x2g",
+ "nvd_url": null,
+ "cvss_score": null,
+ "cvss_vector": null,
+ "cwe_ids": [
+ "CWE-426"
+ ],
+ "credits": [
+ "tdjackey"
+ ],
+ "aliases": [
+ "GHSA-qhrr-grqp-6x2g"
+ ],
+ "source_feed": "ghsa-without-cve"
+ },
+ {
+ "id": "GHSA-cjv3-m589-v3rx",
+ "ghsa_id": "GHSA-cjv3-m589-v3rx",
+ "cve_id": null,
+ "status": "stale",
+ "stale": true,
+ "stale_after_days": 60,
+ "severity": "medium",
+ "type": "cross_site_scripting",
+ "nvd_category_id": "CWE-79",
+ "title": "Canvas route hardening for mixed-trust deployments",
+ "description": "Summary This advisory tracks a defense-in-depth hardening for canvas routes. In mixed-trust or network-visible deployments, prior canvas auth/fallback behavior could broaden access beyond intended boundaries. Deployment Context OpenClaw’s default model is trusted host + loopback-first access. Some operators intentionally expose canvas routes on LAN/tailnet. This update is aimed at those broader deployment patterns. What Changed - Require explicit token or session-capability authorization for canvas routes. - Remove shared-IP fallback paths for canvas access. - Tighten bind/fallback behavior to fail closed. Impact Risk was highest in non-loopback or mixed-trust environments. In strict single-operator trusted-host setups, practical exposure is lower. 
Affected Packages / Versions - Package: openclaw (npm) - Vulnerable: <= 2026.2.19-2 - Patched: 2026.2.21 (next release target) Fix Commit(s) - c45f3c5b004c8d63dc0e282e2176f8c9355d24f1 - 08a7967936cfc0b2af6b27ec1f9272542648ad6c Release Process Note Fix is already on main. Publish this advisory after npm release 2026.2.21 ships. Thanks @NucleiAv for reporting.",
+ "affected": [
+ "openclaw@<= 2026.2.19-2"
+ ],
+ "patched": [
+ "openclaw@>=2026.2.21"
+ ],
+ "platforms": [
+ "openclaw"
+ ],
+ "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
+ "published": "2026-02-21T18:16:09Z",
+ "updated": "2026-02-21T18:16:09Z",
+ "references": [
+ "https://github.com/openclaw/openclaw/security/advisories/GHSA-cjv3-m589-v3rx"
+ ],
+ "source": "GitHub Security Advisory",
+ "repository": "openclaw/openclaw",
+ "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cjv3-m589-v3rx",
+ "nvd_url": null,
+ "cvss_score": null,
+ "cvss_vector": null,
+ "cwe_ids": [
+ "CWE-79",
+ "CWE-1021"
+ ],
+ "credits": [
+ "NucleiAv"
+ ],
+ "aliases": [
+ "GHSA-cjv3-m589-v3rx"
+ ],
+ "source_feed": "ghsa-without-cve"
+ },
+ {
+ "id": "GHSA-w9cg-v44m-4qv8",
+ "ghsa_id": "GHSA-w9cg-v44m-4qv8",
+ "cve_id": null,
+ "status": "stale",
+ "stale": true,
+ "stale_after_days": 60,
+ "severity": "medium",
+ "type": "github_security_advisory",
+ "nvd_category_id": "CWE-15",
+ "title": "BASHENV / ENV startup-file injection into spawned shell commands",
+ "description": "Summary BASHENV / ENV startup-file injection could lead to unintended pre-command shell execution when attacker-controlled environment values were admitted and then inherited by host command execution paths. 
Affected Packages / Versions - Package: openclaw (npm) - Affected: <= 2026.2.19-2 - Fixed on main: 2cdbadee1f8fcaa93302d7debbfc529e19868ea4 - Planned patched release version: 2026.2.21 Details The fix hardens environment handling across all relevant execution paths: - Blocks dangerous startup/runtime env keys and prefixes in shared host env sanitization. - Sanitizes inherited ambient environment even when no per-request overrides are provided. - Blocks dangerous config-driven env injection before values enter process environment. - Uses the same sanitizer in macOS host execution paths. - Aligns skill env override sanitization with the shared dangerous-env policy. Impact Medium. Exploitation requires local/privileged influence over configuration or environment inputs; there is no standalone remote unauthenticated trigger from this issue alone. Fix Commit(s) - 2cdbadee1f8fcaa93302d7debbfc529e19868ea4 Release Process Note patchedversions is pre-set to the planned next release (2026.2.21). Once npm openclaw@2026.2.21 is published, the advisory can be published without further field edits. 
Thanks @tdjackey for reporting.",
+ "affected": [
+ "openclaw@<= 2026.2.19-2"
+ ],
+ "patched": [
+ "openclaw@>=2026.2.21"
+ ],
+ "platforms": [
+ "openclaw"
+ ],
+ "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
+ "published": "2026-02-21T18:16:03Z",
+ "updated": "2026-02-21T18:16:03Z",
+ "references": [
+ "https://github.com/openclaw/openclaw/security/advisories/GHSA-w9cg-v44m-4qv8"
+ ],
+ "source": "GitHub Security Advisory",
+ "repository": "openclaw/openclaw",
+ "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w9cg-v44m-4qv8",
+ "nvd_url": null,
+ "cvss_score": null,
+ "cvss_vector": null,
+ "cwe_ids": [
+ "CWE-15",
+ "CWE-78"
+ ],
+ "credits": [
+ "tdjackey"
+ ],
+ "aliases": [
+ "GHSA-w9cg-v44m-4qv8"
+ ],
+ "source_feed": "ghsa-without-cve"
+ },
+ {
+ "id": "GHSA-w7j5-j98m-w679",
+ "ghsa_id": "GHSA-w7j5-j98m-w679",
+ "cve_id": null,
+ "status": "stale",
+ "stale": true,
+ "stale_after_days": 60,
+ "severity": "high",
+ "type": "github_security_advisory",
+ "nvd_category_id": "CWE-250",
+ "title": "Multiple E2E/test Dockerfiles run all processes as root",
+ "description": "Three Dockerfiles in scripts/docker/ and scripts/e2e/ lack a USER directive, meaning all processes run as uid 0 (root). If any process is compromised, the attacker has root inside the container, making container breakout significantly easier. Partial fix (2026-02-08): Commit 28e1a65e added USER sandbox to Dockerfile.sandbox and Dockerfile.sandbox-browser. The E2E/test Dockerfiles listed below remain unpatched. Affected components: - scripts/e2e/Dockerfile - scripts/e2e/Dockerfile.qr-import - scripts/docker/install-sh-e2e/Dockerfile - scripts/docker/install-sh-nonroot/Dockerfile (runs as app but with NOPASSWD sudo — see related advisory) Technical Reproduction: 1. Open each Dockerfile listed above and search for a USER directive — none found. 2. 
Run any of these containers: docker run --rm -it = 2026.2.21" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-21T10:42:51Z", + "updated": "2026-02-21T10:42:51Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-w7j5-j98m-w679" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w7j5-j98m-w679", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-250" + ], + "credits": [ + "TerminalsandCoffee" + ], + "aliases": [ + "GHSA-w7j5-j98m-w679" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-82g8-464f-2mv7", + "ghsa_id": "GHSA-82g8-464f-2mv7", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-15", + "title": "Skill env override host env injection", + "description": "Summary applySkillConfigEnvOverrides previously copied skills.entries..env values into the host process.env without applying the host env safety policy. Impact In affected versions, dangerous process-level variables such as NODEOPTIONS could be injected when unset, which can influence runtime/child-process behavior. 
Required attacker capability An attacker must be able to modify OpenClaw local state/config (for example ~/.openclaw/openclaw.json) to set skills.entries.= 2026.2.21" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-21T10:42:37Z", + "updated": "2026-03-02T06:53:28Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-82g8-464f-2mv7" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-82g8-464f-2mv7", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-15", + "CWE-94", + "CWE-1341" + ], + "credits": [ + "nedlir" + ], + "aliases": [ + "GHSA-82g8-464f-2mv7" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-jjgj-cpp9-cvpv", + "ghsa_id": "GHSA-jjgj-cpp9-cvpv", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "path_traversal", + "nvd_category_id": "CWE-22", + "title": "Local File Exfiltration via MCP Tool Result MEDIA: Directive Injection", + "description": "Summary A malicious or compromised MCP (Model Context Protocol) tool server can exfiltrate arbitrary local files from the host system by injecting MEDIA: directives into tool result text content. OpenClaw's tool result processing pipeline extracts file paths from MEDIA: tokens without source-level validation, passes them through a localRoots allowlist check that includes os.tmpdir() by default (covering /tmp on Linux/macOS and %TEMP% on Windows), and then reads and delivers the file contents to external messaging channels such as Discord, Slack, Telegram, and WhatsApp. 
Affected Component OpenClaw (all versions up to and including latest as of 2026-02-19) Vulnerability Details Root Cause The vulnerability exists across multiple files in the media processing pipeline: 1. Unvalidated extraction (src/agents/pi-embedded-subscribe.tools.ts, lines 143-202): extractToolResultMediaPaths() parses MEDIA: tokens from MCP tool result text content blocks using a regex. It accepts any file path (absolute, relative, Windows drive, UNC, file:// URI) without validating the source is trusted or the path is within expected boundaries. 2. Overly broad default allowlist (src/media/local-roots.ts, lines 7-16): buildMediaLocalRoots() includes os.tmpdir() in the default allowed directory list. On Linux/macOS this is /tmp (world-readable, often containing application secrets, database dumps, SSH keys, session tokens), and on Windows it is %TEMP% (user's temp directory containing application caches, credentials, and temporary secrets). 3. Delivery to external channels (src/agents/pi-embedded-subscribe.handlers.tools.ts, lines 380-392): After extraction, media paths are delivered via ctx.params.onToolResult({ mediaUrls: mediaPaths }), which flows through the outbound delivery pipeline to send file contents as attachments to Discord, Slack, Telegram, and other configured messaging channels. Attack Flow Secondary Attack Vector: details.path Fallback When an MCP tool result contains type: \"image\" content blocks, extractToolResultMediaPaths() falls back to reading result.details.path (lines 192-199). A malicious tool can return: This bypasses the MEDIA: token parsing entirely and directly injects arbitrary file paths. Third Attack Vector: file:// URI Scheme The loadWebMediaInternal() function (line 228-233) converts file:// URIs to local paths via fileURLToPath(): This provides an alternative syntax for targeting files. 
Impact - File exfiltration: Any file within os.tmpdir() (or the OpenClaw state directory) can be read and sent to external messaging channels - Secret theft: Temporary files often contain API keys, database credentials, SSH keys, session tokens, and application secrets - Cross-application data theft: Other applications' temp files (browser caches, build artifacts, CI/CD secrets) are accessible - Silent exfiltration: The file content is sent as a media attachment to messaging channels the attacker can monitor, with no user-visible indication - Automated exploitation: If auto-reply is enabled, the malicious tool can be triggered without user interaction Reproduction Steps Prerequisites - Node.js 18+ installed - No OpenClaw installation required (PoC is self-contained) Steps 1. Save the PoC script below as poc-media-exfil.js 2. Run: node poc-media-exfil.js 3. Observe: All 21 assertions pass, confirming the vulnerability PoC Script Expected Output Affected Code Locations | File | Lines | Function | Role | |------|-------|----------|------| | src/media/parse.ts | 7 | MEDIATOKENRE | Regex that matches MEDIA: directives in text | | src/agents/pi-embedded-subscribe.tools.ts | 143-202 | extractToolResultMediaPaths() | Extracts file paths from MCP tool results without source validation | | src/agents/pi-embedded-subscribe.handlers.tools.ts | 380-392 | handleToolExecutionEnd() | Delivers extracted media paths to messaging channels | | src/media/local-roots.ts | 7-16 | buildMediaLocalRoots() | Includes os.tmpdir() in default allowed roots | | src/web/media.ts | 60-117 | assertLocalMediaAllowed() | Validates paths against overly broad localRoots | | src/web/media.ts | 212-381 | loadWebMediaInternal() | Reads validated files into memory for delivery | Suggested Remediation 1. Validate MEDIA: source trust: Only accept MEDIA: directives from OpenClaw's own internal tools (TTS, image generation). Reject or flag MEDIA: directives from external MCP tool results. 2. 
Remove os.tmpdir() from default localRoots: The temp directory is too broad. Replace with a narrow OpenClaw-specific subdirectory (e.g., path.join(os.tmpdir(), \"openclaw-media\")). 3. Add source tagging to tool results: Tag each tool result with its source (internal vs. MCP external) and enforce different media access policies for each. 4. Require explicit opt-in for file media delivery: When a tool result contains MEDIA: directives referencing local files, require user confirmation before reading and sending the file. Differentiation from Existing Advisories This vulnerability is distinct from all existing OpenClaw security advisories. Below is an explicit comparison against every advisory or commit that could appear superficially related: Not a duplicate of path traversal advisories (apply-patch, workspace escape, etc.) The existing path traversal advisories (e.g., those targeting apply-patch tool workspace containment via assertSandboxPath(), or resolveFileWithinRoot() in the canvas host file resolver) are about preventing filesystem access outside a sandbox boundary. This vulnerability is fundamentally different: - Different attack surface: The attack enters through MCP tool result text content (extractToolResultMediaPaths() in pi-embedded-subscribe.tools.ts), not through tool arguments, HTTP paths, or patch file contents. - Different code path: The vulnerable pipeline is extractToolResultMediaPaths() → handleToolExecutionEnd() → onToolResult() → loadWebMedia() → assertLocalMediaAllowed(). None of these functions are involved in the existing path traversal fixes. - The validation passes by design: This is not a bypass of assertLocalMediaAllowed(). The function works correctly. The problem is that os.tmpdir() is included in the default localRoots allowlist (src/media/local-roots.ts:10), making the entire system temp directory readable by any MCP tool that returns a MEDIA: directive. 
Not a duplicate of SSRF advisories The existing SSRF advisories cover fetchWithSsrFGuard() and resolvePinnedHostnameWithPolicy() in src/infra/net/. This vulnerability does not involve any HTTP fetching or DNS resolution. Instead, it reads local files from disk and delivers them outbound to messaging channels. The MEDIA: path is a local filesystem path, not a URL. Not a duplicate of canvas host file disclosure The canvas host file disclosure advisory covers the HTTP serving side (resolveFileWithinRoot() in src/canvas-host/file-resolver.ts), where path traversal in the URL could escape the canvas root directory. This vulnerability is about outbound file exfiltration through the agent messaging pipeline, not about the canvas host HTTP server. Not a duplicate of inbound attachment root policy (1316e57) Commit 1316e57 (\"enforce inbound attachment root policy across pipelines\") added src/media/inbound-path-policy.ts to restrict inbound media paths from messaging channels (e.g., iMessage attachment roots). This vulnerability is about outbound media delivery, where files are read from disk and sent to external channels via MEDIA: directives in MCP tool results. Different direction, different code, different policy layer. Not a duplicate of any webhook/messaging auth bypass The webhook auth bypass and messaging platform allowlist bypass advisories cover authentication between OpenClaw and external services. This vulnerability assumes the MCP tool is already configured and trusted. The issue is that tool results can inject MEDIA: directives that cause unintended local file reads and exfiltration. Verification: zero prior fixes for this code path A git log search for commits touching localRoots, local-roots, tmpdir, or extractToolResultMediaPaths returns zero results, confirming this vulnerability has never been reported or addressed. 
References - OpenClaw MCP tool integration documentation - OWASP Path Traversal - CWE-22: Improper Limitation of a Pathname to a Restricted Directory - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor Credit Anmol Vats (@NucleiAv)", + "affected": [ + "openclaw@<= 2026.2.19-2" + ], + "patched": [ + "openclaw@>= 2026.2.21" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-21T10:42:36Z", + "updated": "2026-02-21T10:42:36Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-jjgj-cpp9-cvpv" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jjgj-cpp9-cvpv", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-22", + "CWE-200" + ], + "credits": [ + "NucleiAv" + ], + "aliases": [ + "GHSA-jjgj-cpp9-cvpv" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-3x3x-h76w-hp98", + "ghsa_id": "GHSA-3x3x-h76w-hp98", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-184", + "title": "OpenClaw exec allowlist safeBins short-option bypass could permit arbitrary file write", + "description": "Summary OpenClaw exec allowlist/safeBins policy could be bypassed with attached short-option payloads (for example sort -o/tmp/poc), enabling file-write operations while still satisfying safeBins checks. 
Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.17 - Latest published vulnerable version: 2026.2.17 - Patched in: 2026.2.19 Impact When tools.exec.security=allowlist and tools.exec.safeBins included affected binaries, attached short-option payloads could bypass safeBins argument validation and permit file-write behavior that should have been denied. Fix Commit(s) - cfe8457a0f4aae5324daec261d3b0aad1461a4bc - bafdbb6f112409a65decd3d4e7350fbd637c7754 - fec48a5006eab37c6a5821726ccaeec886486b13 Thanks @FailButWin and @Redgrave961 for reporting.", + "affected": [ + "openclaw@<=2026.2.17" + ], + "patched": [ + "openclaw@>= 2026.2.19" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-21T10:34:16Z", + "updated": "2026-02-21T10:39:23Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-3x3x-h76w-hp98" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3x3x-h76w-hp98", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-184" + ], + "credits": [ + "FailButWin", + "Redgrave961" + ], + "aliases": [ + "GHSA-3x3x-h76w-hp98" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-2hm8-rqrm-xfjq", + "ghsa_id": "GHSA-2hm8-rqrm-xfjq", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "low", + "type": "github_security_advisory", + "nvd_category_id": "CWE-269", + "title": "Owner-only gateway tool access checks were incomplete in specific authenticated DM flows", + "description": "Summary In authenticated non-owner DM sessions, a narrow tool-invocation path could reach broader-than-intended owner-only gateway actions. 
Impact This requires an authenticated non-owner sender in a DM session and a specific tool invocation path. No unauthenticated access is involved, and this does not provide direct code execution by itself. Root Cause - Some gateway call paths were still using broader default scopes instead of method-level least-privilege scopes. - Owner-only enforcement depended on tool-name checks and was not consistently metadata-driven across all call paths. Affected Packages / Versions - Package: openclaw (npm) - Affected: <= 2026.2.17 (latest published npm version as of February 19, 2026) - Patched: 2026.2.19 Remediation - Refactored gateway method scope mapping to a data-driven table and added guard tests to ensure all exposed core gateway methods stay classified. - Centralized owner-only enforcement in tool policy wrappers and tool metadata. - Marked owner-only tools explicitly (cron, gateway, whatsapplogin) and removed duplicated per-tool owner checks. - Refactored gateway call path internals into smaller helpers while preserving behavior and coverage. 
Fix Commit(s) - a40c10d3e24568b1e2947c104484be74bf66b8d2 - 2777d8ad91ef1e8a7c6f5b4b18f8507be7d02914 - 3d7ad1cfca4daaa84cd553e843e0e08fa6201349 Thanks @Adam55A-code for reporting.", + "affected": [ + "openclaw@<= 2026.2.17" + ], + "patched": [ + "openclaw@>= 2026.2.19" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-21T10:34:15Z", + "updated": "2026-02-21T10:40:02Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-2hm8-rqrm-xfjq" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2hm8-rqrm-xfjq", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-269", + "CWE-863" + ], + "credits": [ + "Adam55A-code" + ], + "aliases": [ + "GHSA-2hm8-rqrm-xfjq" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-ff98-w8hj-qrxf", + "ghsa_id": "GHSA-ff98-w8hj-qrxf", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "low", + "type": "os_command_injection", + "nvd_category_id": "CWE-78", + "title": "Plugin runtime command execution is part of trusted plugin boundary", + "description": "Summary OpenClaw plugins/extensions run in-process and are treated as trusted code. This advisory tracks trust-boundary clarification around plugin runtime command execution (runtime.system.runCommandWithTimeout). Impact Plugins already execute with the same OS privileges as the OpenClaw process. Exposing runtime command helpers does not cross an additional sandbox boundary. 
Affected Packages / Versions - Package: openclaw (npm) - Latest published version reviewed: 2026.2.17 - Affected range for this advisory record: <= 2026.2.17 - Planned patched version metadata: 2026.2.19 (next release line) Fix Commit(s) - 2e421f32dfc589c02706265fd3c3137ffc06c4b1 Remediation - Install only trusted plugins. - Use plugins.allow to pin explicit trusted plugin IDs. - SECURITY.md now explicitly documents that plugin runtime helpers are convenience APIs, not a sandbox boundary. Thanks @markmusson for reporting.", + "affected": [ + "openclaw@<= 2026.2.17" + ], + "patched": [ + "openclaw@>= 2026.2.19" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-21T10:34:13Z", + "updated": "2026-02-21T10:39:21Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-ff98-w8hj-qrxf" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-ff98-w8hj-qrxf", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-78" + ], + "credits": [ + "markmusson" + ], + "aliases": [ + "GHSA-ff98-w8hj-qrxf" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-vj3g-5px3-gr46", + "ghsa_id": "GHSA-vj3g-5px3-gr46", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "path_traversal", + "nvd_category_id": "CWE-22", + "title": "Path traversal in Feishu media temp-file naming allows writes outside os.tmpdir()", + "description": "Summary OpenClaw’s Feishu media download flow used untrusted Feishu media keys (imageKey / fileKey) when building temporary file paths in extensions/feishu/src/media.ts. 
Because those keys were interpolated directly into temp-file paths, traversal segments could escape the temp directory and redirect writes outside os.tmpdir(). Impact This is an arbitrary file write issue (within the OpenClaw process file permissions). If an attacker can control Feishu media key values returned to the client (for example via compromised upstream response path), they can influence where downloaded bytes are written. Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version at triage: 2026.2.17 - Affected versions: <= 2026.2.17 - Fixed version: 2026.2.19 Fix Commit(s) - c821099157a9767d4df208c6b12f214946507871 - cdb00fe2428000e7a08f9b7848784a0049176705 - ec232a9e2dff60f0e3d7e827a7c868db5254473f Remediation The fix removes key-derived temp-file naming and keeps downloads in safe temp locations. Additional hardening isolates SDK writeFile calls in per-download temp directories (mkdtemp) with deterministic cleanup, enforces Feishu key trust-boundary validation, and adds a repository guard test against dynamic path.join(os.tmpdir(), \\...${...}\\) patterns in runtime code. 
Thanks @allsmog for reporting.", + "affected": [ + "openclaw@<= 2026.2.17" + ], + "patched": [ + "openclaw@>= 2026.2.19" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-21T10:34:11Z", + "updated": "2026-02-21T10:39:20Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-vj3g-5px3-gr46" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vj3g-5px3-gr46", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-22" + ], + "credits": [ + "allsmog" + ], + "aliases": [ + "GHSA-vj3g-5px3-gr46" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-2mc2-g238-722j", + "ghsa_id": "GHSA-2mc2-g238-722j", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "os_command_injection", + "nvd_category_id": "CWE-78", + "title": "iMessage remote attachment SCP hardening (strict host-key checks and remoteHost validation)", + "description": "Summary Remote iMessage attachment fetches used SCP with trust-on-first-use host-key behavior and accepted unvalidated remote host tokens. Before the fix: - SCP used StrictHostKeyChecking=accept-new in the remote attachment path. - channels.imessage.remoteHost was not validated as a strict SSH host token. Impact In remote iMessage deployments that use SCP attachment fetching, a first-connection MITM/DNS-poisoning scenario could cause the wrong host key to be trusted. Unsafe remote host token values could also alter SCP argument semantics. 
Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version currently affected: 2026.2.17 - Vulnerable range (structured field): <= 2026.2.17 - Patched version (pre-set for next release): = 2026.2.19 Fix The fix hardens remote attachment SSH/SCP handling by: - requiring StrictHostKeyChecking=yes for SCP and SSH tunnel paths, - adding strict remoteHost normalization/validation, - adding -- argument barrier for SCP remote source parsing, - validating channels.imessage.remoteHost in config schema, - rejecting unsafe auto-detected host tokens at runtime. Fix Commit(s) - Pushed to main: 49d0def6d1e88f002026b1d2a35aa615d48a751a Thanks @allsmog for reporting.", + "affected": [ + "openclaw@<= 2026.2.17" + ], + "patched": [ + "openclaw@>= 2026.2.19" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-21T10:34:10Z", + "updated": "2026-02-21T10:39:20Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-2mc2-g238-722j" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2mc2-g238-722j", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-78", + "CWE-295" + ], + "credits": [ + "allsmog" + ], + "aliases": [ + "GHSA-2mc2-g238-722j" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-8cp7-rp8r-mg77", + "ghsa_id": "GHSA-8cp7-rp8r-mg77", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "server_side_request_forgery", + "nvd_category_id": "CWE-918", + "title": "SSRF guard bypass via IPv6 transition over ISATAP", + "description": "Summary OpenClaw's SSRF hostname/IP guard did not detect ISATAP embedded IPv4 addresses (...:5efe:w.x.y.z). 
A crafted URL containing an ISATAP IPv6 literal could embed a private IPv4 target (for example loopback) and bypass private-address filtering in URL-fetching paths. Severity Assessment Rated medium: the bug weakens SSRF protections in URL fetch flows, but impact depends on reaching a URL-fetching path with attacker-controlled input and is generally constrained to internal network access attempts. Affected Packages / Versions - Package: openclaw (npm) - Affected: =2026.1.20 <=2026.2.17 - Latest published at patch time: 2026.2.17 - Patched release: 2026.2.19 Security Policy Context Per SECURITY.md, OpenClaw's web/gateway surface is intended for local use by default, public internet exposure is out-of-scope, and prompt-injection reports are out-of-scope for bounty handling. This advisory tracks a core SSRF-guard bypass in fetch protections. Impact This can permit SSRF-style access attempts to internal/private network targets through URL ingestion/fetch paths that rely on shared hostname/IP blocking. Fix - Added RFC 5214 ISATAP embedded-IPv4 detection to the shared SSRF classifier. - Centralized hostname/IP blocking through isBlockedHostnameOrIp and routed relevant validators to that shared path. - Added regression tests for ISATAP private vs public embedded IPv4 handling. 
Fix Commit(s) - d51929ecb52fe65e90bf36795f4247feb29eb8aa Thanks @zpbrent for reporting.", + "affected": [ + "openclaw@>=2026.1.20 <=2026.2.17" + ], + "patched": [ + "openclaw@>= 2026.2.19" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-21T10:34:08Z", + "updated": "2026-02-21T10:39:19Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-8cp7-rp8r-mg77" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8cp7-rp8r-mg77", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-918" + ], + "credits": [ + "zpbrent" + ], + "aliases": [ + "GHSA-8cp7-rp8r-mg77" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-pfv7-rr5m-qmv6", + "ghsa_id": "GHSA-pfv7-rr5m-qmv6", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": null, + "title": "Auth inconsistency on local Browser Extension Relay /extension endpoint", + "description": "Summary When the optional Chrome extension relay is enabled, /extension accepted unauthenticated WebSocket upgrades while /json/ and /cdp required auth. Affected Packages / Versions - Package: openclaw (npm) - Affected: <= 2026.2.17 - Latest published npm version at triage time: 2026.2.17 Impact This is a local-only issue on loopback (127.0.0.1) and only applies when the extension relay feature is in use. A local process on the same machine could connect to /extension without the token and interfere with extension-relay behavior. No remote network exploit path is involved. Fix - Require gateway-token auth on both /extension and /cdp relay WebSocket endpoints. - Keep loopback/origin checks as defense-in-depth, not as authentication. 
- Use one token path in setup: gateway.auth.token / OPENCLAWGATEWAYTOKEN. Fix Commit(s) - 7e54b6c96feb1a5c30884f2b32037b8dadd0e532 Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.17" + ], + "patched": [ + "openclaw@>= 2026.2.19" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-21T10:34:07Z", + "updated": "2026-02-21T10:39:18Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-pfv7-rr5m-qmv6" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-pfv7-rr5m-qmv6", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-pfv7-rr5m-qmv6" + ], + "source_feed": "ghsa-without-cve" + }, { "id": "CVE-2026-27576", "severity": "medium", @@ -15945,7 +19044,7 @@ "https://github.com/openclaw/openclaw/commit/8ae2d5110f6ceadef73822aa3db194fb60d2ba68", "https://github.com/openclaw/openclaw/commit/ebcf19746f5c500a41817e03abecadea8655654a" ], - "cvss_score": 4.0, + "cvss_score": 4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27576", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (4.0); requires local access; RCE is critical in agent deployments", 
@@ -16896,6 +19995,50 @@ "exploit_sources": [] } }, + { + "id": "GHSA-6c9j-x93c-rw6j", + "ghsa_id": "GHSA-6c9j-x93c-rw6j", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-203", + "title": "OpenClaw safeBins file-existence oracle information disclosure", + "description": "An information disclosure vulnerability in OpenClaw's tools.exec.safeBins approval flow allowed a file-existence oracle. When safe-bin validation examined candidate file paths, command allow/deny behavior could differ based on whether a path already existed on the host filesystem. An attacker could probe for file presence by comparing outcomes for existing vs non-existing filenames. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.17 - Latest published vulnerable version at triage time: 2026.2.17 - Planned patched version: 2026.2.18 Impact Attackers with access to this execution surface could infer whether specific files exist (for example secrets/config files), enabling filesystem enumeration and improving follow-on attack planning. Fix The safe-bin policy was changed to deterministic argv-only validation without host file-existence checks. File-oriented flags are blocked for safe-bin mode (for example sort -o, jq -f, grep -f), and trusted-path checks remain enforced. 
Fix Commit(s) - bafdbb6f112409a65decd3d4e7350fbd637c7754 Found using MCPwner Thanks @nedlir for reporting.", + "affected": [ + "openclaw@<=2026.2.17" + ], + "patched": [ + "openclaw@>= 2026.2.18" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-19T16:03:56Z", + "updated": "2026-02-26T07:11:44Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-6c9j-x93c-rw6j" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6c9j-x93c-rw6j", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-203" + ], + "credits": [ + "nedlir" + ], + "aliases": [ + "GHSA-6c9j-x93c-rw6j" + ], + "source_feed": "ghsa-without-cve" + }, { "id": "CVE-2026-25474", "severity": "high", 
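Review bot: The `patched` value `openclaw@>= 2026.2.18` for GHSA-6c9j-x93c-rw6j rests on what the advisory text itself calls only a "Planned patched version", while the same fix commit bafdbb6f112409a65decd3d4e7350fbd637c7754 is listed under GHSA-3x3x-h76w-hp98 earlier in this diff with "Patched in: 2026.2.19". A consumer that gates upgrades on `patched` would accept 2026.2.18 for this entry; the diff does not show whether that release was published or contains the commit, so this should be confirmed against the published releases and, if it does not hold, changed to `"openclaw@>= 2026.2.19"`. The next hunk shows the same kind of mismatch for GHSA-fhvm-j76f-qmjv: its text gives affected `<= 2026.1.30` and patched 2026.2.1, but the fields say `openclaw@<=2026.2.1` and `openclaw@>=2026.2.2`. If these fields are derived by the importer, it would help to flag entries where the structured range and the advisory text disagree instead of publishing them unmarked.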
@@ -16968,6 +20111,450 @@ "exploit_sources": [] } }, + { + "id": "GHSA-mmpf-jwf4-h3qv", + "ghsa_id": "GHSA-mmpf-jwf4-h3qv", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "low", + "type": "github_security_advisory", + "nvd_category_id": "CWE-77", + "title": "Option injection in pre-commit hook can stage ignored files", + "description": "Summary A maliciously-named file (for example, --force) can trigger option injection in the repository's git-hooks/pre-commit hook when a contributor uses the built-in git hook setup (git config core.hooksPath git-hooks). This can cause unintended staging of ignored files. Details The hook collected staged filenames and piped them through xargs into git add without a -- separator. Filenames beginning with - could be interpreted as flags. This issue only affects contributors who: - use the repo's git-hooks/ hook mechanism (not the pre-commit framework), and - run commits in a working directory that contains sensitive ignored files. Impact Under specific circumstances, ignored files (for example .env) can be added to git history. Affected Packages / Versions - Repository versions: <= 2026.2.14 - Fixed in: 2026.2.15 Note: the npm package does not ship git-hooks/; the impact is on contributors working from the repository checkout/source release. Fix The hook now: - uses NUL-delimited file lists (git diff ... -z) to safely handle whitespace, and - passes paths to git add after -- to prevent option injection. 
Fix Commit(s) - b88f37762f5b6d7ec0f589eb761815e466e4ef4b - ba84b1253967143692166023f9e174c149b6f2ed Thanks @mrthankyou for reporting.", + "affected": [ + "openclaw@<=2026.2.14" + ], + "patched": [ + "openclaw@>=2026.2.15" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-18T03:39:01Z", + "updated": "2026-02-21T10:37:07Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-mmpf-jwf4-h3qv" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mmpf-jwf4-h3qv", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-77" + ], + "credits": [ + "mrthankyou" + ], + "aliases": [ + "GHSA-mmpf-jwf4-h3qv" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-h9g4-589h-68xv", + "ghsa_id": "GHSA-h9g4-589h-68xv", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "high", + "type": "missing_authentication_for_critical_function", + "nvd_category_id": "CWE-306", + "title": "Authentication bypass in sandbox browser bridge server", + "description": "Summary openclaw could start the sandbox browser bridge server without authentication. When the sandboxed browser is enabled, openclaw runs a local (loopback) HTTP bridge that exposes browser control endpoints (for example /profiles, /tabs, /tabs/open, /agent/). Due to missing auth wiring in the sandbox initialization path, that bridge server accepted requests without requiring gateway auth. 
CVSS - CVSS v3.1: 7.1 - Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Impact A local attacker (any process on the same machine) could access the bridge server port and: - enumerate open tabs and retrieve CDP WebSocket URLs - open/close/navigate tabs - execute JavaScript in page contexts via CDP - exfiltrate cookies/session data and page contents from authenticated sessions This is a localhost-only exposure (CVSS AV:L), but provides full browser-session compromise for sandboxed browser usage. Affected Versions - Introduced in: 2026.1.29-beta.1 (first npm release that shipped the sandbox browser bridge) - Affected range: =2026.1.29-beta.1 <2026.2.14 Patched Versions - 2026.2.14 Mitigation - Upgrade to 2026.2.14 (recommended). - Or disable the sandboxed browser (agents.defaults.sandbox.browser.enabled=false). Fix Details - The sandbox browser bridge server now always requires auth and enforces the same gateway browser control auth (token/password) that loopback browser clients already use. - Additional hardening: bridge server refuses non-loopback binds; local helper servers are bound to loopback. - Added regression tests (including unit coverage for per-port bridge auth fallback). 
Fix commits: - openclaw/openclaw@4711a943e30bc58016247152ba06472dab09d0b0 - openclaw/openclaw@6dd6bce997c48752134f2d6ed89b27de01ced7e3 - openclaw/openclaw@cd84885a4ac78eadb7bf321aae98db9519426d67 Credits Thanks to Adnan Jakati (@jackhax) of Praetorian for reporting this issue.", + "affected": [ + "openclaw@>=2026.1.29-beta.1 <2026.2.14" + ], + "patched": [ + "openclaw@2026.2.14" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-16T01:37:15Z", + "updated": "2026-02-16T01:45:52Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-h9g4-589h-68xv" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h9g4-589h-68xv", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-306" + ], + "credits": [ + "jackhax" + ], + "aliases": [ + "GHSA-h9g4-589h-68xv" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-chm2-m3w2-wcxm", + "ghsa_id": "GHSA-chm2-m3w2-wcxm", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "low", + "type": "github_security_advisory", + "nvd_category_id": "CWE-290", + "title": "Google Chat spoofing access with allowlist authorized mutable email principal despite sender-ID mismatch", + "description": "Summary Google Chat allowlisting supports matching by sender email in addition to immutable sender resource name (users/=2026.2.14" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-16T00:31:29Z", + "updated": "2026-02-21T10:40:48Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-chm2-m3w2-wcxm" + ], + "source": "GitHub Security Advisory", + "repository": 
"openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-chm2-m3w2-wcxm", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-290", + "CWE-863" + ], + "credits": [ + "vincentkoc" + ], + "aliases": [ + "GHSA-chm2-m3w2-wcxm" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-w5c7-9qqw-6645", + "ghsa_id": "GHSA-w5c7-9qqw-6645", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": null, + "title": "Inter-session prompts could be treated as direct user instructions", + "description": "Summary Inter-session messages sent via sessionssend could be interpreted as direct end-user instructions because they were persisted as role: \"user\" without provenance metadata. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.12 (i.e. < 2026.2.13) - Fixed in: 2026.2.13 (patched versions = 2026.2.13) Impact A delegated or internal session could inject instructions into another session that appeared equivalent to externally-originated user input. This is an instruction-provenance confusion issue (confused-deputy style), which can lead to unintended privileged behavior in workflows that trust role: \"user\" as a sole authority signal. Technical details Before the fix, routed inter-session prompts were stored as regular user turns without a verifiable source marker. As a result, downstream workers and transcript readers could not distinguish: - External user input - Internal inter-session routed input Fix OpenClaw now carries explicit input provenance end-to-end for routed prompts. Key changes: - Added structured provenance model (inputProvenance) with kind values including intersession. - sessionssend and agent-to-agent steps now set inter-session provenance when invoking target runs. 
- Provenance is persisted on user messages as message.provenance.kind = \"intersession\" (role remains user for provider compatibility). - Transcript readers and memory helpers were updated to respect provenance and avoid treating inter-session prompts as external user-originated input. - Runtime context rebuilding now annotates inter-session turns with an explicit in-memory marker ([Inter-session message]) for clearer model-side disambiguation. - Regression tests were added for transcript parsing, session tools flow, runner sanitization, and memory hook behavior. Fix Commit(s) - 85409e401b6586f83954cb53552395d7aab04797 Workarounds If immediate upgrade is not possible: - Disable or restrict sessionssend in affected environments. - Do not use role alone as an authority boundary; require provenance-aware checks in orchestration logic. Credit Reported by @anbecker. Thanks @anbecker for reporting.", + "affected": [ + "openclaw@<2026.2.13" + ], + "patched": [ + "openclaw@>=2026.2.13" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-15T23:31:43Z", + "updated": "2026-02-21T10:37:10Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-w5c7-9qqw-6645" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w5c7-9qqw-6645", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [], + "credits": [ + "anbecker" + ], + "aliases": [ + "GHSA-w5c7-9qqw-6645" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-fhvm-j76f-qmjv", + "ghsa_id": "GHSA-fhvm-j76f-qmjv", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "high", + "type": "github_security_advisory", + "nvd_category_id": "CWE-285", + "title": "Potential access-group authorization 
bypass if channel type lookup fails", + "description": "Summary When Telegram webhook mode is enabled without a configured webhook secret, OpenClaw may accept unauthenticated HTTP POST requests at the Telegram webhook endpoint and trust attacker-controlled update JSON. This can allow forged Telegram updates that spoof message.from.id / chat.id, potentially bypassing sender allowlists and executing privileged bot commands. Affected Packages / Versions - Package: openclaw (npm) - Affected: <= 2026.1.30 - Patched: = 2026.2.1 Impact An attacker who can reach the webhook endpoint can forge Telegram updates and impersonate allowlisted/paired senders by spoofing fields in the webhook payload (for example message.from.id). Impact depends on enabled commands/tools and the deployment’s network exposure. Mitigations / Workarounds - Configure a strong channels.telegram.webhookSecret and ensure your reverse proxy forwards the X-Telegram-Bot-Api-Secret-Token header unchanged. Fix Commit(s) - ca92597e1f9593236ad86810b66633144b69314d (config validation: webhookUrl requires webhookSecret) Defense-in-depth / supporting fixes: - 5643a934799dc523ec2ef18c007e1aa2c386b670 (default webhook listener bind host to loopback) - 3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930 (bound webhook request body size/time) - 633fe8b9c17f02fcc68ecdb5ec212a5ace932f09 (runtime guard: reject webhook startup when secret is missing/empty) Thanks @yueyueL for reporting.", + "affected": [ + "openclaw@<=2026.2.1" + ], + "patched": [ + "openclaw@>=2026.2.2" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-14T21:15:31Z", + "updated": "2026-02-21T10:37:22Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-fhvm-j76f-qmjv" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": 
"https://github.com/openclaw/openclaw/security/advisories/GHSA-fhvm-j76f-qmjv", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-285" + ], + "credits": [ + "simecek", + "stanislavfortaisle" + ], + "aliases": [ + "GHSA-fhvm-j76f-qmjv" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-g27f-9qjv-22pm", + "ghsa_id": "GHSA-g27f-9qjv-22pm", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "low", + "type": "github_security_advisory", + "nvd_category_id": "CWE-117", + "title": "OpenClaw log poisoning (indirect prompt injection) via WebSocket headers", + "description": "Summary In openclaw versions prior to 2026.2.13, OpenClaw logged certain WebSocket request headers (including Origin and User-Agent) without neutralization or length limits on the \"closed before connect\" path. If an unauthenticated client can reach the gateway and send crafted header values, those values may be written into core logs. Under workflows where logs are later read or interpreted by an LLM (for example via AI-assisted debugging), this can increase the risk of indirect prompt injection (log poisoning). Affected Packages / Versions - Package: openclaw (npm) - Affected: <= 2026.2.12 - Fixed: = 2026.2.13 Details - Component: src/gateway/server/ws-connection.ts - Trigger: WebSocket connection closes before completing the connect/handshake; header values are included in the log message and structured context. Impact This issue is primarily an indirect prompt injection risk and depends on downstream log consumption behavior. If you do not feed logs into an LLM or other automation, impact is limited. Fix Header values written to gateway logs are now sanitized and truncated (including removal of control/format characters and length limiting). - Fix commits: d637a263505448bf4505b85535babbfaacedbaac, e84318e4bcdc948d92e57fda1eb763a65e1774f0 (PR #15592) Workarounds - Upgrade to openclaw@2026.2.13 or later. 
- Treat logs as untrusted input when using AI-assisted debugging (sanitize/escape, and do not auto-execute instructions derived from logs). - Restrict gateway network exposure; apply reverse-proxy limits on header size where applicable. Thanks @pkerkhofs for reporting.", + "affected": [ + "openclaw@<= 2026.2.12" + ], + "patched": [ + "openclaw@2026.2.13" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-14T20:19:44Z", + "updated": "2026-02-14T20:19:44Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-g27f-9qjv-22pm" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g27f-9qjv-22pm", + "nvd_url": null, + "cvss_score": 3.1, + "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", + "cwe_ids": [ + "CWE-117" + ], + "credits": [ + "pkerkhofs" + ], + "aliases": [ + "GHSA-g27f-9qjv-22pm" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-56f2-hvwg-5743", + "ghsa_id": "GHSA-56f2-hvwg-5743", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "high", + "type": "server_side_request_forgery", + "nvd_category_id": "CWE-918", + "title": "SSRF in Image Tool Remote Fetch", + "description": "Summary A server-side request forgery (SSRF) vulnerability in the Image tool allowed attackers to force OpenClaw to make HTTP requests to arbitrary internal or restricted network targets. Affected Versions - npm: openclaw <= 2026.2.1 Patched Versions - npm: openclaw 2026.2.2 and later Fix Commits - 81c68f582d4a9a20d9cca9f367d2da9edc5a65ae (guard remote media fetches with SSRF checks) - 9bd64c8a1f91dda602afc1d5246a2ff2be164647 (expand SSRF guard coverage) Details The Image tool accepts file paths, file:// URLs, data: URLs, and http(s) URLs. 
In vulnerable versions, http(s) URLs were fetched without SSRF protections, enabling requests to localhost, RFC1918, link-local, and cloud metadata targets. This was fixed by routing remote media fetching through the SSRF guard (private/internal IP + hostname blocking, redirect hardening, DNS pinning). Exploitability Notes - Requires attacker-controlled invocation of the Image tool (direct tool access, or a gateway/channel surface that forwards untrusted image arguments into tool calls). - The image tool expects the fetched content to be an image. Many high-value SSRF targets return text/JSON (for example cloud metadata endpoints), which will typically fail media-type validation. In practice, the most direct confidentiality impact comes from internal endpoints that actually return images (screenshots/renderers, camera snapshots, chart exports, etc.). - Remote fetches are GET-only with no custom headers. Some metadata services require special headers or session tokens (for example GCP Metadata-Flavor, AWS IMDSv2 token), which can further reduce the likelihood of direct credential theft in some environments. - Despite the above constraints, SSRF remains a powerful primitive: it can enable internal network probing and access to unauthenticated/internal HTTP endpoints, and can chain with other weaknesses if present. Related - Duplicate / broader writeup: GHSA-9vf6-3vcv-rpj2 (closed). 
Thanks @p80n-sec for reporting.", + "affected": [ + "openclaw@<=2026.2.1" + ], + "patched": [ + "openclaw@2026.2.2" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-14T17:21:19Z", + "updated": "2026-02-14T17:21:19Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-56f2-hvwg-5743" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-56f2-hvwg-5743", + "nvd_url": null, + "cvss_score": 7.6, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", + "cwe_ids": [ + "CWE-918" + ], + "credits": [ + "p80n-sec" + ], + "aliases": [ + "GHSA-56f2-hvwg-5743" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-hv93-r4j3-q65f", + "ghsa_id": "GHSA-hv93-r4j3-q65f", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "high", + "type": "github_security_advisory", + "nvd_category_id": "CWE-330", + "title": "Hook Session Key Override Enables Targeted Cross-Session Routing", + "description": "Summary The issue is not deterministic session keys by itself. The exploitable path was accepting externally supplied sessionKey values on authenticated hook ingress, allowing a hook token holder to route messages into chosen sessions. Affected Behavior - POST /hooks/agent accepted payload sessionKey and used it directly for session routing. 
- Common session-key shapes (for example agent:main:dm:= 2.0.0-beta3, < 2026.2.12" + ], + "patched": [ + "openclaw@>= 2026.2.12" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-14T13:36:56Z", + "updated": "2026-02-21T14:11:04Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-hv93-r4j3-q65f" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hv93-r4j3-q65f", + "nvd_url": null, + "cvss_score": 7.1, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", + "cwe_ids": [ + "CWE-330", + "CWE-639" + ], + "credits": [ + "alpernae" + ], + "aliases": [ + "GHSA-hv93-r4j3-q65f" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-gv46-4xfq-jv58", + "ghsa_id": "GHSA-gv46-4xfq-jv58", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "critical", + "type": "github_security_advisory", + "nvd_category_id": "CWE-20", + "title": "Remote Code Execution via Node Invoke Approval Bypass in Gateway", + "description": "Summary A remote code execution (RCE) vulnerability in the gateway-to-node invocation path allowed an authenticated gateway client to bypass node-host exec approvals by injecting internal control fields into node.invoke parameters. Affected Component - Gateway method: node.invoke for node command system.run - Node host runner: exec approval gating for system.run Impact If an attacker can authenticate to a gateway (for example via a leaked/shared gateway token or a paired device token with operator.write), they could execute arbitrary commands on connected node hosts that support system.run. This can lead to full compromise of developer workstations, CI runners, and servers running the node host. 
Technical Details The gateway forwarded user-controlled params to node hosts without sanitizing internal approval fields. The node host treated params.approved === true and/or params.approvalDecision as sufficient to skip the approval workflow. Fix Patched in OpenClaw 2026.2.14. - Commits: - 318379cdb8d045da0009b0051bd0e712e5c65e2d - a7af646fdab124a7536998db6bd6ad567d2b06b0 - c1594627421f95b6bc4ad7c606657dc75b5ad0ce - 0af76f5f0e93540efbdf054895216c398692afcd - Gateway strips untrusted approval control fields from system.run user input. - Gateway only re-attaches approval flags when params.runId references a valid exec.approval.request record and the request context matches. Approval IDs are bound to the requesting device identity (stable across reconnects), preventing replay by other clients. - Gateway forwards only an allowlisted set of system.run parameters, preventing future control-field smuggling. Mitigations - Upgrade to 2026.2.14 or later. - Restrict access to the gateway (do not expose it to untrusted networks/users). - Rotate gateway credentials if you suspect token/password exposure. - Disable remote command execution on nodes by blocking system.run at the gateway (gateway.nodes.denyCommands) and/or by configuring node exec security to deny. 
Credits Thanks to @222n5 for reporting this issue.", + "affected": [ + "openclaw@< 2026.2.14" + ], + "patched": [ + "openclaw@>= 2026.2.14" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-14T12:06:43Z", + "updated": "2026-02-14T12:32:18Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-gv46-4xfq-jv58" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gv46-4xfq-jv58", + "nvd_url": null, + "cvss_score": 9.9, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", + "cwe_ids": [ + "CWE-20", + "CWE-441", + "CWE-863" + ], + "credits": [ + "222n5" + ], + "aliases": [ + "GHSA-gv46-4xfq-jv58" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-943q-mwmv-hhvh", + "ghsa_id": "GHSA-943q-mwmv-hhvh", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "high", + "type": "os_command_injection", + "nvd_category_id": "CWE-78", + "title": "OC-02: Gateway /tools/invoke tool escalation + ACP permission auto-approval", + "description": "Summary OpenClaw Gateway exposes an authenticated HTTP endpoint (POST /tools/invoke) intended for invoking a constrained set of tools. Two issues could combine to significantly increase blast radius in misconfigured or exposed deployments: - The HTTP gateway layer did not deny high-risk session orchestration tools by default, allowing a caller with Gateway auth to invoke tools like sessionsspawn / sessionssend and pivot into creating or controlling agent sessions. - ACP clients could auto-approve permission requests for risky tools with insufficient user interaction/guardrails, reducing the friction that should normally prevent silent execution or mutation. 
Impact If the Gateway is reachable by an attacker and they obtain a valid Gateway token, they may be able to: - Escalate from single-tool invocation to spawning/controlling sessions and reach command execution capabilities depending on tool policy and runtime environment. - Perform cross-session message injection via sessionssend. - In ACP-integrated scenarios, obtain unintended approvals for non-read/search tool permissions. CVSS - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8) Affected versions - openclaw < 2026.2.14 Fixed in - openclaw = 2026.2.14 Remediation The default behavior is now hardened: - PR #15390: deny high-risk tools over HTTP /tools/invoke by default (with gateway.tools.{allow,deny} overrides) and harden ACP permission handling. - Commit bb1c3dfe1: ACP clients now prompt for any non-read/search permission request (fail closed for mutating/execution/fetch operations). - Commit 539689a2f: security audit warns when gateway.tools.allow re-enables default-denied HTTP tools, since this can increase RCE blast radius if the Gateway is reachable. - Commit 153a7644e: ACP safe-kind inference is stricter to avoid accidental auto-approval due to substring matches (still auto-approves only confident read/search). Mitigations / deployment guidance - Keep the Gateway loopback-only unless you have a strong reason not to: gateway.bind=\"loopback\" / openclaw gateway run --bind loopback. - Avoid exposing the Gateway directly to the public internet. Use an SSH tunnel or Tailscale to access a loopback-bound Gateway. - Treat opting in to default-denied HTTP tools (via gateway.tools.allow) as high-risk and audit such configurations carefully. 
Credits Thanks to @aether-ai-agent for reporting this issue and contributing remediation work.",
+ "affected": [
+ "openclaw@<2026.2.14"
+ ],
+ "patched": [
+ "openclaw@>=2026.2.14"
+ ],
+ "platforms": [
+ "openclaw"
+ ],
+ "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
+ "published": "2026-02-14T11:55:07Z",
+ "updated": "2026-02-14T12:19:32Z",
+ "references": [
+ "https://github.com/openclaw/openclaw/security/advisories/GHSA-943q-mwmv-hhvh"
+ ],
+ "source": "GitHub Security Advisory",
+ "repository": "openclaw/openclaw",
+ "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-943q-mwmv-hhvh",
+ "nvd_url": null,
+ "cvss_score": 8.8,
+ "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+ "cwe_ids": [
+ "CWE-78"
+ ],
+ "credits": [
+ "aether-ai-agent"
+ ],
+ "aliases": [
+ "GHSA-943q-mwmv-hhvh"
+ ],
+ "source_feed": "ghsa-without-cve"
+ },
 {
 "id": "CVE-2026-25593",
 "severity": "high",
diff --git a/advisories/feed.json.sig b/advisories/feed.json.sig
index 6cd65a6..960fdd9 100644
--- a/advisories/feed.json.sig
+++ b/advisories/feed.json.sig
@@ -1 +1 @@
-0XMKs0QnzZYtU1YeMVNVpqzLecu8buTcBx+60hi7puHKARdshGlOSHZ8E27fo6qhz6MJx6/7zoIjCz6y+q1zBA==
\ No newline at end of file
+ie4iZN7vM+097ZsWnz+YExEB6fMbB2fWsrlmtF7+mJh5uhy7qzYmIgJ0wLWatl38mgNRutHT2PwIc7F5RzeaDA==
\ No newline at end of file
diff --git a/advisories/ghsa-without-cve.json b/advisories/ghsa-without-cve.json
index da512f1..03e5332 100644
--- a/advisories/ghsa-without-cve.json
+++ b/advisories/ghsa-without-cve.json
@@ -1,6 +1,6 @@
 {
 "version": "0.1.0",
- "updated": "2026-05-24T07:39:08Z",
+ "updated": "2026-05-24T18:52:16Z",
 "description": "Provisional ClawSec advisory feed for public GitHub Security Advisories that do not yet have CVE identifiers.",
 "stale_after_days": 60,
 "semantics": {
@@ -35,5 +35,3512 @@ "url": "https://github.com/sipeed/picoclaw/security/advisories" } ], - "advisories": [] + "advisories": [ + { + "id": "GHSA-mr34-9552-qr95", + "ghsa_id": "GHSA-mr34-9552-qr95", + "cve_id": null, + "status": "active", + "stale": false, + "stale_after_days": 60, + "severity": "medium", + "type": "path_traversal", + "nvd_category_id": "CWE-22", + "title": "Webchat media embedding enforces local-root containment for tool-result files", + "description": "Summary Webchat tool-result media normalization could pass local and UNC-style file paths into the host-side media embedding path without applying the configured local-root containment policy. Impact A crafted tool-result media reference could cause the host to attempt local file reads or Windows UNC/network path access while preparing webchat media blocks. This could disclose allowed host files or trigger network credential exposure on affected Windows deployments. Severity remains medium because exploitation depends on a tool-result media path reaching the webchat embedding path, but the sink is a host-side file read before the user sees the rendered result. Affected versions - Affected: = 2026.4.7, < 2026.4.15 - Patched: 2026.4.15 Fix OpenClaw 2026.4.15 hardens the webchat media path and the shared media resolver. Remote-host file:// URLs and Windows network paths are rejected before filesystem access, and audio embedding now enforces configured localRoots containment before stat or read operations. Verified in v2026.4.15: - src/gateway/server-methods/chat-webchat-media.ts uses safe file-URL parsing, rejects Windows network paths, and calls assertLocalMediaAllowed before probing local audio files. - src/media/web-media.ts rejects remote-host file:// URLs, Windows network paths, and local-root bypasses on the shared media path. - src/gateway/server-methods/chat-webchat-media.test.ts covers both remote-host file:// rejection and local-root denial before filesystem access. 
Fix commits included in v2026.4.15 and absent from v2026.4.14: - 1470de5d3e0970856d86cd99336bb8ada3fe87da via PR #67293 - 6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde via PR #67298 - 52ef42302ead9e183e6c8810e0a04ee4ef8ae9fc via PR #67303 as defense-in-depth for trusted media passthrough anchoring Thanks to @Kherrisan for reporting this issue.", + "affected": [ + "openclaw@>= 2026.4.7, < 2026.4.15" + ], + "patched": [ + "openclaw@2026.4.15" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-04-16T23:40:33Z", + "updated": "2026-04-16T23:40:33Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-mr34-9552-qr95" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mr34-9552-qr95", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-22", + "CWE-73" + ], + "credits": [ + "Kherrisan" + ], + "aliases": [ + "GHSA-mr34-9552-qr95" + ] + }, + { + "id": "GHSA-536q-mj95-h29h", + "ghsa_id": "GHSA-536q-mj95-h29h", + "cve_id": null, + "status": "active", + "stale": false, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": null, + "title": "Browser press/type interaction routes missed complete navigation guard coverage", + "description": "Summary Browser press/type interaction routes missed complete navigation guard coverage. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: < 2026.4.10 - Patched versions: = 2026.4.10 Impact Some browser press/type style interactions could trigger navigation without complete post-action SSRF policy enforcement. Technical Details The fix applies a three-phase interaction navigation guard to navigation-capable interactions, including pressKey and type submit flows. 
Fix The issue was fixed in #62023 and #63226 and #63889. The first stable tag containing the fix is v2026.4.10, and openclaw@2026.4.14 includes the fix. Fix Commit(s) - 049acf23cb03e1b92f5c71cd99c6ec5f35cc56fe - 5f5b3d733bdd791cb457f838514179e1288b10b3 - e0b8ddc1a55185aff1cf9e0e095014d2e4f1d894 - PR: #62023, #63226, #63889 Release Process Note Users should upgrade to openclaw 2026.4.10 or newer. The latest npm release, 2026.4.14, already includes the fix. Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.", + "affected": [ + "openclaw@< 2026.4.10" + ], + "patched": [ + "openclaw@>= 2026.4.10" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-04-16T15:19:51Z", + "updated": "2026-04-16T15:19:52Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-536q-mj95-h29h" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-536q-mj95-h29h", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [], + "credits": [ + "zsxsoft", + "KeenSecurityLab", + "qclawer" + ], + "aliases": [ + "GHSA-536q-mj95-h29h" + ] + }, + { + "id": "GHSA-53vx-pmqw-863c", + "ghsa_id": "GHSA-53vx-pmqw-863c", + "cve_id": null, + "status": "active", + "stale": false, + "stale_after_days": 60, + "severity": "high", + "type": "server_side_request_forgery", + "nvd_category_id": "CWE-918", + "title": "Browser SSRF policy default allowed private-network navigation", + "description": "Summary Browser SSRF policy default allowed private-network navigation. 
Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: < 2026.4.14 - Patched versions: = 2026.4.14 Impact Browser SSRF protection could allow private-network navigation by default in paths where restrictive behavior was expected, exposing internal services or metadata endpoints through browser-driven requests. Technical Details The fix preserves strict SSRF configuration semantics, keeps private-network access disabled unless explicitly opted in, and updates loopback CDP readiness handling for the stricter default. Fix The issue was fixed in #66354 and #66386. The first stable tag containing the fix is v2026.4.14, and openclaw@2026.4.14 includes the fix. Fix Commit(s) - 024f4614a1a1831406e763adc40ef226e3d5e9ed - 1dabfef28db523e7de81edeb3dd689e9171236a2 - 213c36cf51121ef6c05cfccd78037371f968f31a - 7eecfa411df3d12e6b810e6ca5df47254fc3db3f - PR: #66354, #66386 Release Process Note Users should upgrade to openclaw 2026.4.14 or newer. The latest npm release, 2026.4.14, already includes the fix. 
Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.", + "affected": [ + "openclaw@< 2026.4.14" + ], + "patched": [ + "openclaw@>= 2026.4.14" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-04-16T15:19:27Z", + "updated": "2026-04-16T15:19:27Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-53vx-pmqw-863c" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-53vx-pmqw-863c", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-918", + "CWE-1188" + ], + "credits": [ + "dhyabi2" + ], + "aliases": [ + "GHSA-53vx-pmqw-863c" + ] + }, + { + "id": "GHSA-jf56-mccx-5f3f", + "ghsa_id": "GHSA-jf56-mccx-5f3f", + "cve_id": null, + "status": "active", + "stale": false, + "stale_after_days": 60, + "severity": "high", + "type": "github_security_advisory", + "nvd_category_id": "CWE-501", + "title": "Authenticated /hooks/wake and mapped wake payloads are promoted into the trusted System: prompt channel", + "description": "Impact Authenticated /hooks/wake and mapped wake payloads are promoted into the trusted System: prompt channel. An authenticated wake hook or mapped wake payload could be promoted into the trusted System prompt channel instead of an untrusted event. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.2 - Patched versions: 2026.4.8 Fix The issue was fixed on main and is available in the patched npm version listed above. The verified fixed tree is commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5. 
Verification The fix was re-checked against main before publication, including targeted regression tests for the affected security boundary. Credits Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.4.2" + ], + "patched": [ + "openclaw@2026.4.8" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-04-08T05:33:37Z", + "updated": "2026-04-08T05:33:37Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-jf56-mccx-5f3f" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jf56-mccx-5f3f", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-501" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-jf56-mccx-5f3f" + ] + }, + { + "id": "GHSA-gfmx-pph7-g46x", + "ghsa_id": "GHSA-gfmx-pph7-g46x", + "cve_id": null, + "status": "active", + "stale": false, + "stale_after_days": 60, + "severity": "high", + "type": "github_security_advisory", + "nvd_category_id": "CWE-501", + "title": "Lower-trust background runtime output is injected into trusted System: events, and local async exec completion misses the intended exec-event downgrade", + "description": "Impact Lower-trust background runtime output is injected into trusted System: events, and local async exec completion misses the intended exec-event downgrade. Lower-trust runtime/background output could be promoted into trusted System events, allowing prompt-injection into later agent turns. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. 
Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.2 - Patched versions: 2026.4.8 Fix The issue was fixed on main and is available in the patched npm version listed above. The verified fixed tree is commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5. Verification The fix was re-checked against main before publication, including targeted regression tests for the affected security boundary. Credits Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.4.2" + ], + "patched": [ + "openclaw@2026.4.8" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-04-08T05:33:36Z", + "updated": "2026-04-08T05:33:36Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-gfmx-pph7-g46x" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gfmx-pph7-g46x", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-501" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-gfmx-pph7-g46x" + ] + }, + { + "id": "GHSA-846p-hgpv-vphc", + "ghsa_id": "GHSA-846p-hgpv-vphc", + "cve_id": null, + "status": "active", + "stale": false, + "stale_after_days": 60, + "severity": "high", + "type": "github_security_advisory", + "nvd_category_id": null, + "title": "QQ Bot structured payloads could read arbitrary local files", + "description": "Summary Before OpenClaw 2026.4.2, QQ Bot structured media payloads could read local files from attacker-chosen paths. A crafted structured payload could escape QQ Bot-owned media roots and cause arbitrary file reads on the host. Impact Prompt-influenced structured payload output could exfiltrate any host file readable by the OpenClaw process through the QQ Bot media-send path. 
This was a real confidentiality bug on the host filesystem boundary. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.1 - Patched versions: = 2026.4.2 - Latest published npm version: 2026.4.1 Fix Commit(s) - 2c45b06afdd6f7c621038b5419d8e661cff34a7f — restrict QQ Bot structured payload local paths Release Process Note The fix is present on main and is staged for OpenClaw 2026.4.2. Publish this advisory after the 2026.4.2 npm release is live. Thanks @feiyang666 of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.", + "affected": [ + "openclaw@<= 2026.4.1" + ], + "patched": [ + "openclaw@>= 2026.4.2" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-04-02T19:21:36Z", + "updated": "2026-04-03T01:33:55Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-846p-hgpv-vphc" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-846p-hgpv-vphc", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [], + "credits": [ + "feiyang666" + ], + "aliases": [ + "GHSA-846p-hgpv-vphc" + ] + }, + { + "id": "GHSA-cwq8-6f96-g3q4", + "ghsa_id": "GHSA-cwq8-6f96-g3q4", + "cve_id": null, + "status": "active", + "stale": false, + "stale_after_days": 60, + "severity": "low", + "type": "github_security_advisory", + "nvd_category_id": "CWE-636", + "title": "Security Scan Failure Does Not Block Plugin Installation (Fail-Open)", + "description": "Summary Security Scan Failure Does Not Block Plugin Installation (Fail-Open) Current Maintainer Triage - Status: open - Normalized severity: low - Assessment: Real in shipped v2026.3.28 plugin install flow, but low severity fits because it still requires an operator to choose installation of an untrusted 
package and the scan failure was visible rather than silent. Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version: 2026.3.31 - Vulnerable version range: <=2026.3.28 - Patched versions: = 2026.3.31 - First stable tag containing the fix: v2026.3.31 Fix Commit(s) - 7a953a52271b9188a5fa830739a4366614ff9916 — 2026-03-30T15:36:08+01:00 - 44b993613601280d46a5b88190e46669fc13d669 — 2026-03-31T23:16:11+09:00 - 0d7f1e2c84eca65df7dee890d9c30e2a841c030a — 2026-03-31T23:27:20+09:00 - bf96c67fd1954740aeabfadc7cfe3098bcfc6b68 — 2026-03-31T15:53:29+01:00 Release Process Note - The fix is already present in released version 2026.3.31. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @davidluzsilva for reporting.", + "affected": [ + "openclaw@<=2026.3.28" + ], + "patched": [ + "openclaw@>= 2026.3.31" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-31T21:45:37Z", + "updated": "2026-03-31T21:45:37Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-cwq8-6f96-g3q4" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cwq8-6f96-g3q4", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-636", + "CWE-754" + ], + "credits": [ + "davidluzsilva" + ], + "aliases": [ + "GHSA-cwq8-6f96-g3q4" + ] + }, + { + "id": "GHSA-39mp-545q-w789", + "ghsa_id": "GHSA-39mp-545q-w789", + "cve_id": null, + "status": "active", + "stale": false, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-285", + "title": "Non-owner command-authorized sender can change the owner-only /send session delivery policy", + "description": "Fixed in OpenClaw 2026.3.24, the 
current shipping release. Title Non-owner command-authorized sender can change the owner-only /send session delivery policy CWE CWE-285 Improper Authorization CVSS v3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L Base score: 5.4 (Medium) Severity Assessment Medium. This is a real owner-only authorization bypass, but the demonstrated impact is limited to persistent mutation of the current session’s delivery policy rather than direct code execution, sandbox escape, or cross-host compromise. Impact A non-owner sender who is allowed to run commands can invoke /send on|off|inherit and persistently change the current session’s sendPolicy, even though OpenClaw documents /send as owner-only. That lets a lower-trust participant: - disable reply delivery for the current session (/send off), suppressing future replies in that chat; - re-enable reply delivery (/send on) after the owner intentionally disabled it; - remove the session override (/send inherit). Affected Component Verified against the latest published GitHub release tag v2026.3.23 (ccfeecb6887cd97937e33a71877ad512741e82b2), published 2026-03-23T23:15:50Z. Exact vulnerable path on the shipped tag: - src/auto-reply/reply/commands-session.ts:212-239 - handleSendPolicyCommand(...) checks only params.command.isAuthorizedSender. - when true, it mutates params.sessionEntry.sendPolicy and persists the session entry. Authorization behavior that makes this reachable: - src/auto-reply/command-auth.ts:401-407 - senderIsOwner is computed separately from general command authorization. - src/auto-reply/command-auth.ts:420-429 - command authorization can succeed even when senderIsOwner === false. - src/auto-reply/command-auth.owner-default.test.ts:10-47 - existing coverage confirms a sender can be command-authorized while not treated as owner. Documented owner-only contract: - docs/tools/slash-commands.md:112 - /send on|off|inherit is documented as owner-only. 
- docs/concepts/session-tool.md:156 - sendPolicy is documented as settable via sessions.patch or owner-only /send on|off|inherit. Related privilege model: - src/gateway/method-scopes.ts:131-133 - sessions.patch is admin-scoped, which reinforces that session-delivery-policy mutation is treated as privileged state. Version history: - The vulnerable handler exists in release history going back at least to commit ea018a68ccb92dbc735bc1df9880d5c95c63ca35 (refactor(auto-reply): split reply pipeline). - Earliest released affected tag found: v2026.1.14-1 - Latest released affected tag verified: v2026.3.23 Technical Reproduction 1. Check out the shipped release tag v2026.3.23. 2. Configure a channel where: - a non-owner sender is allowed to run commands, for example through commands.allowFrom; - the owner identity is distinct, for example via commands.ownerAllowFrom. 3. Start or reuse a session with a live sessionEntry and sessionStore. 4. Send /send off as the non-owner but command-authorized sender. 5. Confirm the resolved command context has: - isAuthorizedSender === true - senderIsOwner === false 6. Observe that the handler still accepts the command, mutates sessionEntry.sendPolicy, and persists the session entry. Demonstrated Impact The vulnerable handler performs a real persistent session-state change: - src/auto-reply/reply/commands-session.ts:232-238 - /send inherit deletes sessionEntry.sendPolicy - other modes assign sessionEntry.sendPolicy = sendPolicyCommand.mode - the handler then calls persistSessionEntry(params) The mutation is not gated by owner status, only by general command authorization. That changes subsequent delivery behavior for the current session, which matches the documented meaning of sendPolicy. 
Environment - Product: OpenClaw - Verified shipped tag: v2026.3.23 - Shipped tag commit: ccfeecb6887cd97937e33a71877ad512741e82b2 - Published GitHub release time: 2026-03-23T23:15:50Z - Verification date: 2026-03-24 Duplicate Check I did not find an existing GHSA for /send. This is distinct from: - GHSA-r7vr-gr74-94p8 - that advisory covered owner-only authorization bypasses for /config and /debug, not /send. This is the same authorization class, but a different privileged command surface that still lacks the owner check. In Scope Check This report is in scope under SECURITY.md because: - it does not rely on adversarial operators sharing one gateway host or config; - it does not rely on trusted local state tampering; - SECURITY.md:151-152 explicitly says non-owner sender status matters for owner-only tools and commands; - /send is explicitly documented as owner-only, so this is a direct owner-only authorization bypass, not a complaint about normal shared-agent steering. This is therefore a concrete authorization flaw against a documented product boundary. Remediation Advice 1. Change /send to require owner status, not just command authorization. 2. Reuse the same owner-only rejection pattern already used by privileged command surfaces such as /config, /debug, and owner-only /plugins writes. 3. Add regression coverage for the exact case where: - a non-owner sender is command-authorized; - /send must still be rejected unless senderIsOwner === true. 4. 
Verify that the owner can still use /send on|off|inherit normally.", + "affected": [ + "openclaw@<= 2026.3.22" + ], + "patched": [ + "openclaw@>= 2026.3.24" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-27T15:52:20Z", + "updated": "2026-03-27T15:52:20Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-39mp-545q-w789" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-39mp-545q-w789", + "nvd_url": null, + "cvss_score": 5.4, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", + "cwe_ids": [ + "CWE-285" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-39mp-545q-w789" + ] + }, + { + "id": "GHSA-vqvg-86cc-cg83", + "ghsa_id": "GHSA-vqvg-86cc-cg83", + "cve_id": null, + "status": "active", + "stale": false, + "stale_after_days": 60, + "severity": "medium", + "type": "missing_authorization", + "nvd_category_id": "CWE-862", + "title": "Mutating internal /allowlist chat commands missed operator.admin scope enforcement", + "description": "Fixed in OpenClaw 2026.3.24, the current shipping release. Title Mutating internal /allowlist chat commands missed operator.admin scope enforcement CWE CWE-862 Missing Authorization CVSS v3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Base score: 6.5 (Medium) Severity Assessment Medium. This is a real authorization flaw in OpenClaw’s internal control plane. The issue does not require host access, trusted local state tampering, or multi-tenant assumptions, but exploitation does require an already authenticated internal Gateway caller with operator.write. 
Impact An authenticated internal Gateway caller limited to operator.write can perform state-changing /allowlist actions without operator.admin, even though comparable mutating internal chat commands already require operator.admin. The reachable effects are persistent changes to config-backed allowFrom entries and pairing-store-backed allowlist entries. This is not a semantic-modeling complaint and not a generic “trusted operator can do things” claim. It is a missing authorization check inside OpenClaw’s own internal scope model, where peer mutating command surfaces already distinguish operator.write from operator.admin. Affected Component Verified against the latest published GitHub release tag v2026.3.23 (ccfeecb6887cd97937e33a71877ad512741e82b2), published 2026-03-23T23:15:50Z. Exact vulnerable path on the shipped tag: - src/auto-reply/reply/commands-allowlist.ts:251-254 - /allowlist authorization uses only rejectUnauthorizedCommand(...). - src/auto-reply/reply/commands-allowlist.ts:386-524 - mutating config and pairing-store writes happen here, but there is no requireGatewayClientScopeForInternalChannel(..., operator.admin, ...). Reachability and scope model: - src/gateway/method-scopes.ts:94-109 - chat.send is a write-scoped method. - src/gateway/server.chat.gateway-server-chat.test.ts:539-559 - existing runtime coverage proves chat.send routes slash commands without an agent run. - src/auto-reply/command-auth.ts:574-577 - internal callers become senderIsOwner only when GatewayClientScopes includes operator.admin. 
Comparable internal mutating command paths already enforce operator.admin: - src/auto-reply/reply/commands-config.ts:64-73 - src/auto-reply/reply/commands-mcp.ts:89-96 - src/auto-reply/reply/commands-plugins.ts:387-394 - src/auto-reply/reply/commands-acp.ts:98-106 Version history: - Introduced by commit 555b2578a8cc6e1b93f717496935ead97bfbed8b (feat: add /allowlist command) - Earliest released affected tag found: v2026.1.20 - Latest released affected tag verified: v2026.3.23 Technical Reproduction 1. Check out the shipped release tag v2026.3.23. 2. Use an internal command context with: - Provider = \"webchat\" - Surface = \"webchat\" - GatewayClientScopes = [\"operator.write\"] - params.command.channel = \"webchat\" 3. Route a slash command through chat.send. 4. Execute either of these mutating commands: - /allowlist add dm channel=telegram 789 - /allowlist add dm --store channel=telegram 789 5. Confirm the command context is authorized but not owner-equivalent: - isAuthorizedSender === true - senderIsOwner === false 6. Observe that the commands still succeed and perform persistent writes. Demonstrated Impact The vulnerable handler performs real state mutation for a low-scope internal caller: - Config-backed mutation path: - src/auto-reply/reply/commands-allowlist.ts:398-503 - reads the config snapshot, applies the edit, validates, and writes the updated config to disk. - Store-backed mutation path: - src/auto-reply/reply/commands-allowlist.ts:479-485 - src/auto-reply/reply/commands-allowlist.ts:513-518 - updates the pairing-store allowlist without any admin-scope gate. The result is successful persistence, not just a misleading success message. 
Environment - Product: OpenClaw - Verified shipped tag: v2026.3.23 - Shipped tag commit: ccfeecb6887cd97937e33a71877ad512741e82b2 - Published GitHub release time: 2026-03-23T23:15:50Z - Verification date: 2026-03-24 Duplicate Check This is not a duplicate of: - GHSA-pjvx-rx66-r3fg - that advisory covered cross-account scoping in /allowlist ... --store, not missing internal operator.admin enforcement. - GHSA-hfpr-jhpq-x4rm - that advisory covered /config writes through chat.send, not /allowlist. - GHSA-3w6x-gv34-mqpf - same authorization class, but different command path (/acp, not /allowlist). In Scope Check This report is in scope under SECURITY.md because: - it does not rely on adversarial operators sharing one gateway host or config; - it does not target the HTTP compatibility endpoints that SECURITY.md explicitly treats as full operator-access surfaces; - it demonstrates a real authorization mismatch inside OpenClaw’s own internal control-plane scope model (operator.write vs operator.admin); - peer mutating internal chat commands already enforce operator.admin, so this is not a request for a new boundary but a missing check on an existing one. This is therefore a concrete authorization bug, not a trusted-operator hardening suggestion. Remediation Advice 1. Add requireGatewayClientScopeForInternalChannel(..., allowedScopes: [\"operator.admin\"], ...) to the mutating internal /allowlist paths. 2. Add regression coverage for both mutation modes: - internal operator.write must be rejected; - internal operator.admin must be allowed. 3. Cover both config-backed and store-backed writes. 4. 
Audit other mutating internal chat-command paths for the same missing-scope pattern.", + "affected": [ + "openclaw@<= 2026.3.22" + ], + "patched": [ + "openclaw@>= 2026.3.24" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-27T15:52:18Z", + "updated": "2026-03-27T15:52:18Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-vqvg-86cc-cg83" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vqvg-86cc-cg83", + "nvd_url": null, + "cvss_score": 6.5, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", + "cwe_ids": [ + "CWE-862" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-vqvg-86cc-cg83" + ] + }, + { + "id": "GHSA-cfp9-w5v9-3q4h", + "ghsa_id": "GHSA-cfp9-w5v9-3q4h", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "incorrect_authorization", + "nvd_category_id": "CWE-863", + "title": "Image tool bypassed tools.fs.workspaceOnly and could read mounted files outside the workspace", + "description": "Summary The image tool did not fully honor the tools.fs.workspaceOnly filesystem boundary. In affected releases, image-path resolution could still traverse sandbox bridge mounts outside the workspace and read files from mounted directories that the other file tools would reject. 
Affected Packages / Versions - Package: openclaw (npm) - Affected: < 2026.3.2 - Fixed: = 2026.3.2 - Latest released tags checked: v2026.3.23 (ccfeecb6887cd97937e33a71877ad512741e82b2) and v2026.3.23-2 (630f1479c44f78484dfa21bb407cbe6f171dac87) - Latest published npm version checked: 2026.3.23-2 Fix Commit(s) - dd9d9c1c609dcb4579f9e57bd7b5c879d0146b53 - 14baadda2c456f3cf749f1f97e8678746a34a7f4 Release Status The complete fix shipped in v2026.3.2 and remains present in v2026.3.23 and v2026.3.23-2. Code-Level Confirmation - src/agents/openclaw-tools.ts now passes fsPolicy into createImageTool, so the image tool receives the same workspace-only policy input as the other filesystem tools. - src/agents/tools/image-tool.ts, src/agents/tools/media-tool-shared.ts, and src/agents/sandbox-media-paths.ts now restrict local roots and sandbox-bridge resolution to the workspace when tools.fs.workspaceOnly is enabled. Thanks @YLChen-007 for reporting.", + "affected": [ + "openclaw@< 2026.3.2" + ], + "patched": [ + "openclaw@>= 2026.3.2" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-24T18:07:14Z", + "updated": "2026-03-24T18:07:14Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-cfp9-w5v9-3q4h" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cfp9-w5v9-3q4h", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-863" + ], + "credits": [ + "YLChen-007" + ], + "aliases": [ + "GHSA-cfp9-w5v9-3q4h" + ] + }, + { + "id": "GHSA-vfg3-pqpq-93m4", + "ghsa_id": "GHSA-vfg3-pqpq-93m4", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "incorrect_authorization", + "nvd_category_id": "CWE-863", + "title": "Tlon cite 
expansion happened before channel and DM authorization completed.", + "description": "Summary Tlon cite expansion happened before channel and DM authorization completed, allowing cite work and content handling before the final auth decision. Affected Packages / Versions - Package: openclaw (npm) - Affected: < 2026.3.22 - Fixed: = 2026.3.22 - Latest released tag checked: v2026.3.23-2 (630f1479c44f78484dfa21bb407cbe6f171dac87) - Latest published npm version checked: 2026.3.23-2 Fix Commit(s) - 3cbf932413e41d1836cb91aed1541a28a3122f93 - ebee4e2210e1f282a982c7ef2ad79d77a572fc87 Release Status The fix shipped in v2026.3.22 and remains present in v2026.3.23 and v2026.3.23-2. Code-Level Confirmation - extensions/tlon/src/monitor/index.ts now defers cite expansion until after authorization and preserves explicit empty-allowlist semantics. - extensions/tlon/src/monitor/utils.ts and extensions/tlon/src/security.test.ts ship the deferred cite expansion behavior and regressions. Thanks @zpbrent for reporting.", + "affected": [ + "openclaw@< 2026.3.22" + ], + "patched": [ + "openclaw@>= 2026.3.22" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-24T17:37:07Z", + "updated": "2026-03-24T17:37:07Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-vfg3-pqpq-93m4" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vfg3-pqpq-93m4", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-863" + ], + "credits": [ + "zpbrent" + ], + "aliases": [ + "GHSA-vfg3-pqpq-93m4" + ] + }, + { + "id": "GHSA-h3x4-hc5v-v2gm", + "ghsa_id": "GHSA-h3x4-hc5v-v2gm", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": 
"github_security_advisory", + "nvd_category_id": "CWE-40", + "title": "Windows media loaders accepted remote-host file URLs before local path validation", + "description": "Summary Windows local-media handling accepted remote-host file URLs and UNC-style paths before local-path validation, so network-hosted file targets could be treated as local content. Affected Packages / Versions - Package: openclaw (npm) - Affected: < 2026.3.22 - Fixed: = 2026.3.22 - Latest released tag checked: v2026.3.23-2 (630f1479c44f78484dfa21bb407cbe6f171dac87) - Latest published npm version checked: 2026.3.23-2 Fix Commit(s) - 4fd7feb0fd4ec16c48ed983980dba79a09b3aaf5 - 93880717f1cd34feaa45e74e939b7a5256288901 Release Status The fix shipped in v2026.3.22 and remains present in v2026.3.23 and v2026.3.23-2. Code-Level Confirmation - src/infra/local-file-access.ts now rejects remote-host file: URLs and UNC/network paths as non-local input. - src/media/web-media.ts, src/media-understanding/attachments.normalize.ts, and src/agents/sandbox-paths.ts all route through the shared local-file guard. 
Thanks @RacerZ-fighting, @Fushuling for reporting.", + "affected": [ + "openclaw@< 2026.3.22" + ], + "patched": [ + "openclaw@>= 2026.3.22" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-24T17:36:44Z", + "updated": "2026-03-24T17:36:44Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-h3x4-hc5v-v2gm" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h3x4-hc5v-v2gm", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-40" + ], + "credits": [ + "RacerZ-fighting", + "Fushuling" + ], + "aliases": [ + "GHSA-h3x4-hc5v-v2gm" + ] + }, + { + "id": "GHSA-3h2q-j2v4-6w5r", + "ghsa_id": "GHSA-3h2q-j2v4-6w5r", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-184", + "title": "system.run allowlist approval parsing missed PowerShell encoded-command wrappers", + "description": "OpenClaw's system.run shell-wrapper detection did not recognize PowerShell -EncodedCommand forms as inline-command wrappers. In allowlist mode, a caller with access to system.run could invoke pwsh or powershell using -EncodedCommand, -enc, or -e, and the request would fall back to plain argv analysis instead of the normal shell-wrapper approval path. This could allow a PowerShell inline payload to execute without the approval step that equivalent -Command invocations would require. Latest published npm version: 2026.3.2 Fixed on main on March 7, 2026 in 1d1757b16f48f1a93cd16ab0ad7e2c3c63ce727d by recognizing PowerShell encoded-command aliases during shell-wrapper parsing, so allowlist mode continues to require approval for those payloads. 
Normal approved PowerShell wrapper flows continue to work. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.3.2 - Patched version: = 2026.3.7 Fix Commit(s) - 1d1757b16f48f1a93cd16ab0ad7e2c3c63ce727d Release Process Note npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package. Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.3.2" + ], + "patched": [ + "openclaw@>= 2026.3.7" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-08T14:26:58Z", + "updated": "2026-03-08T14:26:58Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-3h2q-j2v4-6w5r" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3h2q-j2v4-6w5r", + "nvd_url": null, + "cvss_score": 5, + "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", + "cwe_ids": [ + "CWE-184", + "CWE-863" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-3h2q-j2v4-6w5r" + ] + }, + { + "id": "GHSA-9q2p-vc84-2rwm", + "ghsa_id": "GHSA-9q2p-vc84-2rwm", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-436", + "title": "system.run allow-always persistence included shell-commented payload tails", + "description": "OpenClaw's system.run allowlist analysis did not honor POSIX shell comment semantics when deriving allow-always persistence entries. A caller in security=allowlist mode who received an allow-always decision could submit a shell command whose tail was commented out at runtime, for example by using an unquoted # before a chained payload. 
The runtime shell would execute only the pre-comment portion, but allowlist persistence could still analyze and store the non-executed tail as a trusted follow-up command. Latest published npm version: 2026.3.2 Fixed on main on March 7, 2026 in 939b18475d734ed75173f59507e3ebbdfe1992b7 by teaching shell tokenization and chain/pipeline analysis to stop at unquoted shell comments, so allow-always persistence now tracks only commands that the shell can actually execute. Normal real chained commands and quoted # literals continue to work. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.3.2 - Patched version: = 2026.3.7 Fix Commit(s) - 939b18475d734ed75173f59507e3ebbdfe1992b7 Release Process Note npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package. Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.3.2" + ], + "patched": [ + "openclaw@>= 2026.3.7" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-08T14:26:57Z", + "updated": "2026-03-08T14:26:57Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-9q2p-vc84-2rwm" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9q2p-vc84-2rwm", + "nvd_url": null, + "cvss_score": 5, + "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", + "cwe_ids": [ + "CWE-436", + "CWE-863" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-9q2p-vc84-2rwm" + ] + }, + { + "id": "GHSA-hfpr-jhpq-x4rm", + "ghsa_id": "GHSA-hfpr-jhpq-x4rm", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "incorrect_authorization", + "nvd_category_id": "CWE-863", + "title": "operator.write chat.send could reach admin-only config 
writes", + "description": "Summary A gateway client authenticated with operator.write could route /config set or /config unset through chat.send and reach persistent config mutation even though direct config RPC methods are admin-scoped. Affected Packages / Versions - Package: openclaw (npm) - Latest published vulnerable version: 2026.3.2 - Affected range: <= 2026.3.2 - Patched in: 2026.3.7 Details Before the fix, chat.send ran slash commands in an internal gateway-chat context with CommandAuthorized: true, and /config write paths only checked command authorization plus commands.config / channels.= 2026.3.7" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-08T14:26:56Z", + "updated": "2026-03-08T14:26:56Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-hfpr-jhpq-x4rm" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hfpr-jhpq-x4rm", + "nvd_url": null, + "cvss_score": 4.3, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "cwe_ids": [ + "CWE-863" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-hfpr-jhpq-x4rm" + ] + }, + { + "id": "GHSA-j425-whc4-4jgc", + "ghsa_id": "GHSA-j425-whc4-4jgc", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-15", + "title": "system.run env override filtering allowed dangerous helper-command pivots", + "description": "Summary system.run env override sanitization allowed dangerous override-only helper-command pivots to reach subprocesses. 
A caller who could invoke system.run with env overrides could bypass allowlist/approval intent by steering an allowlisted tool through helper-command or config-loading environment variables such as GITSSHCOMMAND, editor/pager hooks, and GITCONFIG / NPMCONFIG. Affected Packages / Versions - Package: openclaw (npm) - Latest published vulnerable version: 2026.3.2 - Affected range: <= 2026.3.2 - Patched in: 2026.3.7 Details Before the fix, src/infra/host-env-security.ts blocked only a narrow set of override-only environment variables. Dangerous request-scoped overrides such as GITSSHCOMMAND and prefix families such as GITCONFIG and NPMCONFIG could still survive sanitizeSystemRunEnvOverrides(...) / sanitizeHostExecEnv(...) and reach the spawned process. That mattered for system.run allowlist and approval flows because approval evaluation was tied to the reviewed binary/argv, while the launched process could still inherit attacker-controlled env overrides that changed helper-command execution or config resolution. For allowlisted tools such as git, this allowed behavior outside the reviewed command semantics. The fix extends the shared TypeScript and macOS policy to block dangerous override-only exact keys and prefixes while preserving trusted inherited base-environment behavior. Impact This is a real protection-bypass issue, but exploitation requires an already tool-enabled caller who can invoke system.run and supply env overrides. In affected deployments, that caller could bypass allowlist/approval intent and trigger helper-command execution or config-loading behavior that is not represented by the approved command line. Maintainer severity is set to medium because the bug still requires that existing execution capability; the vulnerability is the mismatch between reviewed command semantics and the actual spawned-process behavior. Fix Commit(s) - e27bbe4982439da6864160fd1b66445058f74801 Release Process Note npm 2026.3.7 was published on March 8, 2026. 
This advisory is fixed in the released package. Thanks @tdjackey and @SnailSploit for reporting.", + "affected": [ + "openclaw@<= 2026.3.2" + ], + "patched": [ + "openclaw@>= 2026.3.7" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-08T14:26:56Z", + "updated": "2026-03-08T14:26:56Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-j425-whc4-4jgc" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-j425-whc4-4jgc", + "nvd_url": null, + "cvss_score": 6.3, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "cwe_ids": [ + "CWE-15", + "CWE-693" + ], + "credits": [ + "tdjackey", + "SnailSploit", + "zpbrent" + ], + "aliases": [ + "GHSA-j425-whc4-4jgc" + ] + }, + { + "id": "GHSA-pjvx-rx66-r3fg", + "ghsa_id": "GHSA-pjvx-rx66-r3fg", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-639", + "title": "Cross-account sender authorization expansion in /allowlist ... --store account scoping", + "description": "Summary /allowlist ... --store resolved the selected channel accountId for reads, but store writes still dropped that accountId and wrote into the legacy unscoped pairing allowlist store. Because default-account reads still merge legacy unscoped entries, a store entry intended for one account could silently authorize the same sender on the default account. This is a real cross-account sender-authorization scoping bug. Severity is set to medium because exploitation requires an already-authorized user who can run /allowlist edits. 
Affected Packages / Versions - Package: openclaw (npm) - Latest published version checked: 2026.3.2 - Affected versions: <= 2026.3.2 - Fixed on main: March 7, 2026 in 70da80bcb5574a10925469048d2ebb2abf882e73 - Patched release: 2026.3.7 Details The affected path was: - src/auto-reply/reply/commands-allowlist.ts:386-393 resolved accountId and read store state with it - src/auto-reply/reply/commands-allowlist.ts:697-702 and src/auto-reply/reply/commands-allowlist.ts:730-733 wrote store state without passing accountId - src/pairing/pairing-store.ts:231-234 and src/pairing/pairing-store.ts:534-554 still merged legacy unscoped allowlist entries into the default account The fix scopes /allowlist ... --store writes to the resolved account and clears legacy default-account store entries on removal so legacy reads no longer create cross-account authorization bleed-through. Impact - Vulnerability class: improper authorization scoping / incorrect authorization - Exploitation requires: an already-authorized sender who can run /allowlist edits - Security effect: unintended authorization expansion from one channel account into default Fix Commit(s) - 70da80bcb5574a10925469048d2ebb2abf882e73 — scope /allowlist ... --store writes by account and clean up legacy default-account removals Release Process Note npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package. 
Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.3.2" + ], + "patched": [ + "openclaw@>= 2026.3.7" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-08T14:26:55Z", + "updated": "2026-03-08T14:26:55Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-pjvx-rx66-r3fg" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-pjvx-rx66-r3fg", + "nvd_url": null, + "cvss_score": 5.4, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", + "cwe_ids": [ + "CWE-639", + "CWE-863" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-pjvx-rx66-r3fg" + ] + }, + { + "id": "GHSA-6rmx-gvvg-vh6j", + "ghsa_id": "GHSA-6rmx-gvvg-vh6j", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-307", + "title": "hooks count non-POST requests toward auth lockout", + "description": "OpenClaw's hooks HTTP handler counted hook authentication failures before rejecting unsupported HTTP methods. An unauthenticated client could send repeated non-POST requests (for example GET) with an invalid token to consume the hook auth failure budget and trigger the temporary lockout window for that client key. The fix moves the hook method gate ahead of auth-failure accounting so unsupported methods return 405 Method Not Allowed without incrementing the hook auth limiter. 
Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.3.2 - Patched version: 2026.3.7 - Latest published npm version at patch time: 2026.3.2 Impact An unauthenticated network client that could reach /hooks/ could temporarily lock out legitimate webhook delivery when requests collapsed to the same hook auth client key, such as shared proxy or NAT topologies. Impact is limited to temporary availability loss for hook-triggered wake or automation delivery. Fix Commit(s) - 44820dceadac65ac7c0ce8fc0ffba8c2bd9fae89 Verification - pnpm check passed - pnpm test:fast passed - focused hook regression tests passed - pnpm exec vitest run --config vitest.gateway.config.ts still has unrelated current-main failures in src/gateway/server-channels.test.ts and src/gateway/server-methods/agents-mutate.test.ts Release Process Note npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package. Thanks @JNX03 for reporting.", + "affected": [ + "openclaw@<= 2026.3.2" + ], + "patched": [ + "openclaw@>= 2026.3.7" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-08T14:26:54Z", + "updated": "2026-03-08T14:26:54Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-6rmx-gvvg-vh6j" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6rmx-gvvg-vh6j", + "nvd_url": null, + "cvss_score": 5.3, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cwe_ids": [ + "CWE-307", + "CWE-799" + ], + "credits": [ + "JNX03" + ], + "aliases": [ + "GHSA-6rmx-gvvg-vh6j" + ] + }, + { + "id": "GHSA-rchv-x836-w7xp", + "ghsa_id": "GHSA-rchv-x836-w7xp", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "high", + "type": 
"github_security_advisory", + "nvd_category_id": null, + "title": "Dashboard leaked gateway auth material via browser URL/query and localStorage", + "description": "OpenClaw's macOS Dashboard flow exposed Gateway authentication material to browser-controlled surfaces. Before the fix, the macOS app appended the shared Gateway token and password to the Dashboard URL query string when opening the Control UI in the browser. The Control UI then imported the token and persisted it into browser localStorage under openclaw.control.settings.v1. This expanded exposure of reusable Gateway admin credentials into browser address-bar/query surfaces and persistent script-readable storage. Affected Packages / Versions - Package: openclaw (npm) - Latest published version verified vulnerable: 2026.3.2 - Affected range: <= 2026.3.2 - Patched version: = 2026.3.7 Impact An attacker with access to browser-controlled surfaces or persistent browser storage could recover a valid Gateway admin token and reuse it against the OpenClaw management interface. The exposure chain was: 1. macOS Open Dashboard constructed a URL with auth material. 2. The browser received that credential-bearing URL. 3. The Control UI imported the token from the URL. 4. The Control UI persisted the token in localStorage. Fix The fix aligns the macOS Dashboard flow with the safer existing CLI/bootstrap pattern and removes persistent browser token storage: - macOS Dashboard now passes the Gateway token via URL fragment instead of query parameters. - macOS Dashboard no longer propagates the shared Gateway password into browser URLs. - Control UI keeps Gateway tokens in memory only for the current tab. - Control UI scrubs legacy persisted tokens from openclaw.control.settings.v1 on load. - Regression tests cover fragment transport, password omission, and token-scrubbing behavior. Fix Commit(s) - 10d0e3f3ca92326df0ca071fabffe463742f263c (March 7, 2026) Release Process Note npm 2026.3.7 was published on March 8, 2026. 
This advisory is fixed in the released package. Thanks @whiter6666 for reporting.", + "affected": [ + "openclaw@<= 2026.3.2" + ], + "patched": [ + "openclaw@>= 2026.3.7" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-08T14:26:54Z", + "updated": "2026-03-08T14:26:54Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-rchv-x836-w7xp" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rchv-x836-w7xp", + "nvd_url": null, + "cvss_score": 7.1, + "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", + "cwe_ids": [], + "credits": [ + "whiter6666" + ], + "aliases": [ + "GHSA-rchv-x836-w7xp" + ] + }, + { + "id": "GHSA-474h-prjg-mmw3", + "ghsa_id": "GHSA-474h-prjg-mmw3", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "high", + "type": "github_security_advisory", + "nvd_category_id": "CWE-269", + "title": "Sandboxed sessionsspawn(runtime=\"acp\") bypassed sandbox inheritance and allowed host ACP initialization", + "description": "Summary Sandboxed sessionsspawn(runtime=\"acp\") could bypass sandbox inheritance and initialize host-side ACP runtime. The fix now fail-closes ACP spawn from sandboxed requester sessions and rejects sandbox=\"require\" for runtime=\"acp\". Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version at triage time: 2026.3.1 (March 2, 2026) - Vulnerable range: <=2026.3.1 - Patched release: 2026.3.2 (released) Technical Details - Root cause: runtime=\"subagent\" enforced sandbox inheritance, while runtime=\"acp\" did not enforce equivalent sandbox/runtime checks. - Security impact: sandbox-boundary bypass into host-side ACP initialization. 
- Fixed behavior: - deny ACP spawn when requester runtime is sandboxed - deny sessionsspawn with runtime=\"acp\", sandbox=\"require\" - align sandboxed prompt guidance to avoid advertising blocked ACP paths Fix Commit(s) - ac11f0af731d41743ba02d8595f4d0fe747336e3 - c703aa0fe92df9fb71cf254fc46991e05fba2114", + "affected": [ + "openclaw@<=2026.3.1" + ], + "patched": [ + "openclaw@>= 2026.3.2" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-03T04:14:22Z", + "updated": "2026-03-03T04:14:22Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-474h-prjg-mmw3" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-474h-prjg-mmw3", + "nvd_url": null, + "cvss_score": 8, + "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", + "cwe_ids": [ + "CWE-269" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-474h-prjg-mmw3" + ] + }, + { + "id": "GHSA-v865-p3gq-hw6m", + "ghsa_id": "GHSA-v865-p3gq-hw6m", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-288", + "title": "Encoded-path auth bypass in plugin /api/channels route classification", + "description": "Summary (Updated March 2, 2026) Encoded alternate-path requests could bypass plugin route auth checks for /api/channels/ due to canonicalization depth mismatch in vulnerable builds. 
Affected Packages / Versions - Package: openclaw (npm) - Latest published vulnerable version: 2026.3.1 - Affected range: <= 2026.3.1 - Patched release: 2026.3.2 (patchedversions: = 2026.3.2) Technical Details In affected versions, plugin auth-path classification and route-path canonicalization could diverge for deeply encoded slash variants (for example multi-encoded %2f). That mismatch allowed alternate encoded paths to evade protected-prefix auth checks while still resolving to /api/channels/... in plugin route handling. The fix set hardens this class of issue by: - canonicalizing route paths to a bounded fixpoint, - failing closed on malformed or unresolved canonicalization depth, - requiring explicit plugin-route auth contracts (no implicit auth default), - enforcing route ownership/conflict guards for duplicate route registrations, and - using shared webhook route lifecycle registration to avoid stale/conflicting route surfaces. Affected Deployments Deployments exposing plugin HTTP routes and relying on gateway auth for /api/channels/ protection. 
Fix Commit(s) - 93b07240257919f770d1e263e1f22753937b80ea - 2fd8264ab03bd178e62a5f0c50d1c8556c17f12d - d74bc257d8432f17e50b23ae713d7e0623a1fe0f - 7a7eee920a176a0043398c6b37bf4cc6eb983eeb", + "affected": [ + "openclaw@<= 2026.3.1" + ], + "patched": [ + "openclaw@>= 2026.3.2" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-03T04:14:18Z", + "updated": "2026-03-03T04:14:18Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-v865-p3gq-hw6m" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v865-p3gq-hw6m", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-288" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-v865-p3gq-hw6m" + ] + }, + { + "id": "GHSA-2858-xg23-26fp", + "ghsa_id": "GHSA-2858-xg23-26fp", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "server_side_request_forgery", + "nvd_category_id": "CWE-918", + "title": "Node camera URL payload host-binding bypass allowed gateway fetch pivots", + "description": "Summary OpenClaw accepted camera.snap / camera.clip node payload url fields and downloaded them on the gateway/agent host without binding downloads to the resolved node host. In OpenClaw's documented trust model, paired nodes are in the same operator trust boundary, so this is scoped as medium-severity hardening. A malicious or compromised paired node could still steer gateway-host fetches during camera URL retrieval. 
Affected Packages / Versions - Package: openclaw (npm) - Affected versions: = 2026.2.13 <= 2026.3.1 - Latest vulnerable published version at time of update: 2026.3.1 - Patched versions: = 2026.3.2 (released) Technical Details Vulnerable flows accepted URL payloads and downloaded directly from the provided URL: - src/cli/nodes-camera.ts (writeUrlToFile) fetched URL payloads without node-host binding. - src/cli/nodes-cli/register.camera.ts passed camera.snap / camera.clip payload URLs into that downloader. - src/agents/tools/nodes-tool.ts did the same for camerasnap / cameraclip tool actions. Impact A malicious/compromised paired node could cause gateway-host URL fetches to off-node destinations reachable from the host network. This could be used for internal network probing/fetch pivots in deployments where paired nodes are not fully trusted. Remediation The fix introduces fail-closed node-host binding and guarded fetch for camera URL payload downloads: - Require resolved node host metadata for URL payload downloads. - Enforce hostname match between payload URL and resolved node host. - Use SSRF-guarded fetch with redirect host/protocol checks. - Apply the same enforcement across CLI and agent tool camera paths. 
Fix Commit(s) - 3bf19d6f40a0aaa55818b96eede3d05130c02533", + "affected": [ + "openclaw@>= 2026.2.13 <= 2026.3.1" + ], + "patched": [ + "openclaw@>= 2026.3.2" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-03T04:14:15Z", + "updated": "2026-03-03T04:14:15Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-2858-xg23-26fp" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2858-xg23-26fp", + "nvd_url": null, + "cvss_score": 5.5, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", + "cwe_ids": [ + "CWE-918" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-2858-xg23-26fp" + ] + }, + { + "id": "GHSA-8m9v-xpgf-g99m", + "ghsa_id": "GHSA-8m9v-xpgf-g99m", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "incorrect_authorization", + "nvd_category_id": "CWE-863", + "title": "Unauthorized sender bypass in stop triggers and /models command authorization", + "description": "Summary Unauthorized senders could trigger two command paths without sender authorization checks: 1. stop-like natural-language abort triggers 2. /models command output Impact An unauthorized sender could disrupt active sessions and view model/auth metadata that should be authorization-gated. Fix Sender authorization is now enforced for stop-like abort triggers and /models listings. 
Affected and Patched Versions - Affected: <= 2026.2.26 - Patched: 2026.3.1", + "affected": [ + "openclaw@<= 2026.2.26" + ], + "patched": [ + "openclaw@>= 2026.3.1" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-02T05:46:05Z", + "updated": "2026-03-02T05:46:05Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-8m9v-xpgf-g99m" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8m9v-xpgf-g99m", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-863" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-8m9v-xpgf-g99m" + ] + }, + { + "id": "GHSA-7xmq-g46g-f8pv", + "ghsa_id": "GHSA-7xmq-g46g-f8pv", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-59", + "title": "Sandbox media TOCTOU could read files outside sandbox root", + "description": "Summary Sandbox media handling had a time-of-check/time-of-use gap: media paths could be validated first and read later through a separate path. A symlink retarget between those steps could cause reads outside sandboxRoot. Impact Affected versions could permit host file reads outside the intended sandbox root in media attachment/image flows. Fix Media reads now use consolidated root-scoped, boundary-safe read paths at use time, removing check/use drift across call sites. 
Affected and Patched Versions - Affected: <= 2026.2.26 - Patched: 2026.3.1", + "affected": [ + "openclaw@<= 2026.2.26" + ], + "patched": [ + "openclaw@>= 2026.3.1" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-02T05:46:04Z", + "updated": "2026-03-02T05:46:04Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-7xmq-g46g-f8pv" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7xmq-g46g-f8pv", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-59", + "CWE-367" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-7xmq-g46g-f8pv" + ] + }, + { + "id": "GHSA-x82f-27x3-q89c", + "ghsa_id": "GHSA-x82f-27x3-q89c", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-59", + "title": "TOCTOU symlink race in writeFileWithinRoot could create or truncate files outside root boundaries", + "description": "Summary A symlink-retarget TOCTOU race in writeFileWithinRoot could point an attacker-controlled path alias outside the configured root between resolution and write operations. Impact Affected versions could cause out-of-root write side effects (including file creation or truncation) before final boundary validation. Fix Root-scoped write flow now opens existing files without pre-truncation, creates missing files with exclusive create semantics, truncates only after post-open identity/boundary checks, and removes out-of-root artifacts when a race is detected. 
Affected and Patched Versions - Affected: <= 2026.2.26 - Patched: 2026.3.1", + "affected": [ + "openclaw@<= 2026.2.26" + ], + "patched": [ + "openclaw@>= 2026.3.1" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-02T05:46:04Z", + "updated": "2026-03-02T05:46:04Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-x82f-27x3-q89c" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-x82f-27x3-q89c", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-59", + "CWE-367" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-x82f-27x3-q89c" + ] + }, + { + "id": "GHSA-392f-ggf5-fp3c", + "ghsa_id": "GHSA-392f-ggf5-fp3c", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-176", + "title": "Unicode canonicalization drift in node metadata policy classification could broaden node allowlists", + "description": "Summary A paired node could supply Unicode-confusable platform or deviceFamily metadata that passed metadata pinning but classified differently for command policy resolution, broadening default node command allowlists. Impact This is a policy-bypass issue within the paired-node trust boundary and can expand node command availability beyond intended defaults. Fix Node metadata canonicalization was hardened against confusables, and unknown platform defaults were made conservative (excluding system.run and system.which unless explicitly allowlisted). 
Affected and Patched Versions - Affected: <= 2026.2.26 - Patched: 2026.3.1", + "affected": [ + "openclaw@<= 2026.2.26" + ], + "patched": [ + "openclaw@>= 2026.3.1" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-02T05:46:02Z", + "updated": "2026-03-02T05:46:02Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-392f-ggf5-fp3c" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-392f-ggf5-fp3c", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-176", + "CWE-436" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-392f-ggf5-fp3c" + ] + }, + { + "id": "GHSA-gp3q-wpq4-5c5h", + "ghsa_id": "GHSA-gp3q-wpq4-5c5h", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "high", + "type": "incorrect_authorization", + "nvd_category_id": "CWE-863", + "title": "LINE group allowlist scope mismatch with DM pairing-store entries", + "description": "Summary In specific LINE configurations, sender IDs approved through DM pairing could also satisfy group allowlist checks when operators expected group sender access to be scoped only to explicit group allowlists. Affected Packages / Versions - Package: openclaw (npm) - Latest published version at triage/update time: 2026.2.25 - Affected: <= 2026.2.25 - Patched: = 2026.2.26 (planned next release) Impact This is a group-authorization scope mismatch. DM pairing-store entries could influence group sender authorization in allowlist mode. Technical Details Root cause: group allowlist composition inherited pairing-store entries intended for DM approvals. Under default DM pairing policy, a DM-paired sender could match group allowlist checks. 
Fixes on main: - isolate group allowlist composition from pairing-store entries - centralize shared DM/group allowlist composition to preserve DM-only pairing behavior - add regression coverage for LINE and Mattermost policy paths Fix Commit(s) - 8bdda7a651c21e98faccdbbd73081e79cffe8be0 - 892a9c24b0f6118729ab5b5f5499b1a7e792dd15 (follow-up refactor hardening) Release Process Note patchedversions is pre-set to = 2026.2.26 so once npm 2026.2.26 is published, this advisory can be published directly without additional version-field edits. Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.25" + ], + "patched": [ + "openclaw@>= 2026.2.26" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-26T22:40:37Z", + "updated": "2026-02-26T22:40:37Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-gp3q-wpq4-5c5h" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gp3q-wpq4-5c5h", + "nvd_url": null, + "cvss_score": 7.1, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", + "cwe_ids": [ + "CWE-863" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-gp3q-wpq4-5c5h" + ] + }, + { + "id": "GHSA-qcc4-p59m-p54m", + "ghsa_id": "GHSA-qcc4-p59m-p54m", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "high", + "type": "github_security_advisory", + "nvd_category_id": "CWE-59", + "title": "Sandbox dangling-symlink alias handling could bypass workspace-only write boundary", + "description": "Summary A sandbox boundary-validation gap in symlink alias handling allowed certain workspace-only write paths to be treated as in-boundary even when they could resolve outside the workspace/sandbox root. 
Affected Packages / Versions - Package: npm openclaw - Affected versions: <= 2026.2.25 - Latest published npm version included in affected range: 2026.2.25 (checked on February 26, 2026) - Patched version (pre-set for release): 2026.2.26 Technical Details In affected versions, dangling symlink hops could be accepted during boundary checks under missing-target conditions. For workspace-only write flows (including applypatch), this could allow writes to resolve outside the configured workspace/sandbox boundary. The fix resolves symlink targets through existing ancestors and fails closed when canonical resolution escapes the configured boundary. Impact - Boundary-confined write operations could be redirected outside the configured workspace/sandbox root. - Primary impact is integrity of host-side files reachable from that path resolution. Fix Commit(s) - 4fd29a35bb85a1898ebff518364c467058b50e14 Release Process Note patchedversions is pre-set to the planned next release (2026.2.26) so once npm 2026.2.26 is published, the advisory can be published without further field edits. 
Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<=2026.2.25" + ], + "patched": [ + "openclaw@>= 2026.2.26" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-26T22:40:37Z", + "updated": "2026-02-26T22:40:37Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-qcc4-p59m-p54m" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qcc4-p59m-p54m", + "nvd_url": null, + "cvss_score": 7, + "cvss_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "cwe_ids": [ + "CWE-59", + "CWE-367" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-qcc4-p59m-p54m" + ] + }, + { + "id": "GHSA-7qf6-h84j-8fq4", + "ghsa_id": "GHSA-7qf6-h84j-8fq4", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-367", + "title": "Microsoft Teams media fetch SSRF hardening: unified guarded fetch across Graph and attachment paths", + "description": "Impact Microsoft Teams media handling used mixed fetch paths for Graph metadata/content and attachment auth-retry flows. Some paths bypassed the shared SSRF guard model and created inconsistent host/DNS enforcement across redirect/fetch hops. Affected Packages / Versions - Package: openclaw (npm) - Latest published vulnerable version: 2026.2.25 - Affected range: <= 2026.2.25 - Planned patched version for next release: 2026.2.26 Technical Details The Microsoft Teams attachment/media code previously relied on plugin-local fetch behavior in parts of the flow, instead of uniformly using shared guarded fetch logic with pinned DNS + policy checks. This could allow policy drift and SSRF boundary inconsistency between channel/plugin paths. 
The fix unifies this path by: - routing Microsoft Teams Graph message/hosted-content/attachment fetches through shared SSRF-guarded fetch paths, - routing auth-scope fallback attachment downloads through the same guarded policy model, - centralizing hostname-suffix allowlist policy helpers in plugin-sdk so channel/plugins use the same allowlist normalization and policy construction behavior. Fix Commit(s) - 57334cd7d85174d5f951de01114fd5801b063564 Release Process Note patchedversions is pre-set to the planned next release (2026.2.26) so once npm openclaw@2026.2.26 is published, the advisory is ready to publish without further field edits. Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<=2026.2.25" + ], + "patched": [ + "openclaw@>= 2026.2.26" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-26T22:40:33Z", + "updated": "2026-02-26T22:40:33Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-7qf6-h84j-8fq4" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7qf6-h84j-8fq4", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-367", + "CWE-918" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-7qf6-h84j-8fq4" + ] + }, + { + "id": "GHSA-gcj7-r3hg-m7w6", + "ghsa_id": "GHSA-gcj7-r3hg-m7w6", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "low", + "type": "github_security_advisory", + "nvd_category_id": "CWE-294", + "title": "voice-call Twilio replay dedupe now bound to authenticated webhook identity", + "description": "Summary The voice-call Twilio webhook path accepted replay/dedupe identity from unsigned request metadata (i-twilio-idempotency-token), enabling replayed signed requests to bypass 
replay detection and manager dedupe by mutating only that header. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.25 (latest published npm version at triage time) - Fixed on main: commit 1aadf26f9acc399affabd859937a09468a9c5cb4 - Planned patched npm version: 2026.2.26 Impact Deployments using the optional voice-call Twilio webhook path could accept replayed webhook events as fresh events when an attacker had one valid signed request and changed only the unsigned idempotency header. Technical Details The fix removes unsigned-header trust from Twilio replay/dedupe identity and binds replay/manager dedupe to authenticated request material. It also threads a verified request identity through provider parsing so dedupe uses verification-derived identity rather than mutable headers. Fix Commit(s) - 1aadf26f9acc399affabd859937a09468a9c5cb4 Release Process Note patchedversions is pre-set to the planned next release (2026.2.26). After the npm release is published, this advisory can be published without additional version-field edits. 
Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<=2026.2.25" + ], + "patched": [ + "openclaw@>= 2026.2.26" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-26T22:40:32Z", + "updated": "2026-02-26T22:40:32Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-gcj7-r3hg-m7w6" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gcj7-r3hg-m7w6", + "nvd_url": null, + "cvss_score": 3.7, + "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cwe_ids": [ + "CWE-294", + "CWE-345" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-gcj7-r3hg-m7w6" + ] + }, + { + "id": "GHSA-f7ww-2725-qvw2", + "ghsa_id": "GHSA-f7ww-2725-qvw2", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-59", + "title": "Node system.run approval bypass via parent-symlink cwd rebind", + "description": "Summary For host=node executions, approval context could be bypassed after approval-time by rebinding a writable parent symlink in cwd while preserving the visible cwd string. Affected Packages / Versions - Package: openclaw (npm) - Affected: <= 2026.2.25 - Fixed: = 2026.2.26 (planned next npm release) Impact A command approved for one filesystem location could execute from a different location if a mutable parent symlink changed between approval and execution. Fix - Added immutable approval-time plan preparation (system.run.prepare) and systemRunPlanV2 canonical fields (argv, cwd, agentId, sessionKey). - Enforced canonical plan values through approval request storage and forwarding-time sanitization. 
- Rejected mutable parent-symlink path components during approval-plan building to block symlink rebind bypass. - Follow-up refactors centralized command catalogs and approval context/error handling to reduce future drift. Fix Commit(s) - 78a7ff2d50fb3bcef351571cb5a0f21430a340c1 - d82c042b09727a6148f3ca651b254c4a677aff26 - d06632ba45a8482192792c55d5ff0b2e21abb0a7 - 4e690e09c746408b5e27617a20cb3fdc5190dbda - 4b4718c8dfce2e2c48404aa5088af7c013bed60b Release Process Note patchedversions is pre-set to the planned next release (2026.2.26). Once npm openclaw@2026.2.26 is published, publish this advisory directly without further version-field edits. Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.25" + ], + "patched": [ + "openclaw@>= 2026.2.26" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-26T22:40:31Z", + "updated": "2026-02-26T22:40:31Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-f7ww-2725-qvw2" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f7ww-2725-qvw2", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-59", + "CWE-367" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-f7ww-2725-qvw2" + ] + }, + { + "id": "GHSA-j26j-7qc4-3mrf", + "ghsa_id": "GHSA-j26j-7qc4-3mrf", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-639", + "title": "MS Teams fileConsent/invoke missing conversation binding allowed cross-conversation pending-upload consumption", + "description": "Summary In openclaw MS Teams file-consent flow, pending uploads were authorized by uploadId alone. 
fileConsent/invoke did not verify the invoke conversation against the conversation that created the pending upload. Impact An attacker who obtained a valid uploadId within TTL could trigger cross-conversation upload completion (accept path) or cancel a victim pending upload (decline path). Technical Details - Pending uploads stored conversationId, but invoke handling consumed by uploadId only. - The invoke path did not enforce conversation binding before uploadToConsentUrl(...) and pending-upload removal. - Fix binds accept/decline handling to normalized conversation id match before consuming pending upload state. Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version (as of February 26, 2026): 2026.2.24 - Vulnerable range: <= 2026.2.24 - Patched in release: 2026.2.25 Remediation Upgrade to openclaw 2026.2.25 (or later) once published. Fix Commit(s) - 347f7b9550064f5f5b33c6e07f64e85b9657b6f1 Release Process Note patchedversions is pre-set to the release (2026.2.25). Advisory published with npm release 2026.2.25. 
Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.24" + ], + "patched": [ + "openclaw@>= 2026.2.25" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-26T03:58:32Z", + "updated": "2026-02-26T03:58:32Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-j26j-7qc4-3mrf" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-j26j-7qc4-3mrf", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-639", + "CWE-862" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-j26j-7qc4-3mrf" + ] + }, + { + "id": "GHSA-xmv6-r34m-62p4", + "ghsa_id": "GHSA-xmv6-r34m-62p4", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "path_traversal", + "nvd_category_id": "CWE-22", + "title": "Sandbox media fallback tmp symlink alias bypass allows host file reads outside sandboxRoot", + "description": "Summary A sandbox path validation bypass in openclaw allows host file reads outside sandboxRoot via the media path fallback tmp flow when the fallback tmp root is a symlink alias. 
Affected Packages / Versions - Package: npm openclaw - Affected versions: <= 2026.2.24 - Latest published npm version at triage time (February 26, 2026): 2026.2.24 - Patched version : 2026.2.25 Details When /tmp/openclaw is unavailable or unsafe, resolvePreferredOpenClawTmpDir() in src/infra/tmp-openclaw-dir.ts fell back to os.tmpdir()/openclaw-= 2026.2.25" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-26T03:58:31Z", + "updated": "2026-02-26T03:58:31Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-xmv6-r34m-62p4" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xmv6-r34m-62p4", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-22", + "CWE-59" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-xmv6-r34m-62p4" + ] + }, + { + "id": "GHSA-3jx4-q2m7-r496", + "ghsa_id": "GHSA-3jx4-q2m7-r496", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "high", + "type": "github_security_advisory", + "nvd_category_id": "CWE-59", + "title": "Hardlink alias checks could bypass workspace-only file boundaries in specific configurations", + "description": "Summary In certain workspace-restricted configurations, OpenClaw could follow hardlink aliases inside the workspace that reference files outside the workspace boundary. By default, tools.fs.workspaceOnly is off. This primarily affects deployments that intentionally enable workspace-only filesystem restrictions (and workspace-only applypatch checks). Impact - Confidentiality: out-of-workspace files could be read through in-workspace hardlink aliases. - Integrity: out-of-workspace files could be modified through in-workspace hardlink aliases. 
Affected Packages / Versions - Package: openclaw (npm) - Latest published version at triage time: 2026.2.24 - Affected range: <= 2026.2.24 - Planned patched version: 2026.2.25 Fix Commit(s) - 04d91d0319b82fd4de91ed05e9fc5219ff2ab64e (main) Remediation OpenClaw now rejects hardlinked final-file aliases during workspace boundary validation for: - workspace-only path checks (read / write / edit) - workspace-only applypatch read/write paths - sandbox mount-root path-safety checks Regression tests were added for applypatch, workspace fs tools, and sandbox fs bridge hardlink alias escapes. Release Process Note patchedversions is pre-set to the release (2026.2.25) so the advisory can be published after npm release with no further version-field edits. Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.24" + ], + "patched": [ + "openclaw@>= 2026.2.25" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-26T03:58:27Z", + "updated": "2026-02-26T03:58:27Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-3jx4-q2m7-r496" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3jx4-q2m7-r496", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-59", + "CWE-668" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-3jx4-q2m7-r496" + ] + }, + { + "id": "GHSA-qj22-xqjr-v83v", + "ghsa_id": "GHSA-qj22-xqjr-v83v", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "incorrect_authorization", + "nvd_category_id": "CWE-863", + "title": "Telegram messagereaction authorization bypass allows unauthorized system-event injection", + "description": "A missing sender-authorization check in Telegram 
messagereaction handling allowed unauthorized users to trigger reaction-derived system events. Affected Packages / Versions - Package: openclaw (npm) - Introduced: 2026.2.17 - Affected: = 2026.2.17 and <= 2026.2.24 - Latest published at patch time: 2026.2.24 - Patched in release: 2026.2.25 Impact When reaction notifications are enabled, unauthorized Telegram senders could inject reaction system events despite configured DM/group authorization controls (dmPolicy, allowFrom, groupPolicy, groupAllowFrom). Fix Commit(s) - e56b0cf1a04f992ac6ebc775899f48ea31687640 Release Process Note patchedversions is pre-set to the release (2026.2.25) so once npm release 2026.2.25 is published, this advisory can be published without further edits. Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.24" + ], + "patched": [ + "openclaw@>= 2026.2.25" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-26T03:58:21Z", + "updated": "2026-02-26T03:58:21Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-qj22-xqjr-v83v" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qj22-xqjr-v83v", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-863" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-qj22-xqjr-v83v" + ] + }, + { + "id": "GHSA-h97f-6pqj-q452", + "ghsa_id": "GHSA-h97f-6pqj-q452", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "low", + "type": "server_side_request_forgery", + "nvd_category_id": "CWE-918", + "title": "IPv6 multicast SSRF classifier bypass", + "description": "Summary OpenClaw's SSRF IP classifier did not treat IPv6 multicast literals (ff00::/8) as blocked/private-internal. 
This allowed literal multicast hosts to pass SSRF preflight checks. Impact A bypass in address classification existed for IPv6 multicast literals. OpenClaw's network fetch/navigation paths are constrained to HTTP/HTTPS and this was triaged as low-severity defense-in-depth hardening. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.24 - Patched versions: = 2026.2.25 Technical Details The IPv6 private/internal range set omitted multicast, so addresses like ff02::1 and ff05::1:3 were not classified as blocked by the shared SSRF classifier. Fix Commit(s) - baf656bc6fd7f83b6033e6dbc2548ec75028641f Release Process Note patchedversions is pre-set to the planned next npm release (2026.2.25). Once that release is published on npm, the advisory is published. Thanks @zpbrent for reporting.", + "affected": [ + "openclaw@<= 2026.2.24" + ], + "patched": [ + "openclaw@>= 2026.2.25" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-26T03:58:14Z", + "updated": "2026-02-26T03:58:14Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-h97f-6pqj-q452" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h97f-6pqj-q452", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-918" + ], + "credits": [ + "zpbrent" + ], + "aliases": [ + "GHSA-h97f-6pqj-q452" + ] + }, + { + "id": "GHSA-9f72-qcpw-2hxc", + "ghsa_id": "GHSA-9f72-qcpw-2hxc", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "high", + "type": "exposure_of_sensitive_information", + "nvd_category_id": "CWE-200", + "title": "Native prompt image auto-load did not honor tools.fs.workspaceOnly in sandboxed runs", + "description": "Summary In sandboxed runs, 
native prompt image auto-load did not honor tools.fs.workspaceOnly=true. This optional hardening setting is not enabled by default. When operators enabled it, prompt text could still reference mounted out-of-workspace image paths (for example /agent/secret.png) and load those image bytes for vision-capable model input. Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version at triage time: 2026.2.23 - Vulnerable version range: <= 2026.2.23 - Patched version (planned next release): 2026.2.24 Conditions Required This issue required all of the following: - sandbox mode enabled, - tools.fs.workspaceOnly=true configured, - an out-of-workspace mount path reachable from the sandbox (for example /agent), - vision-capable model path active for native prompt image loading. Technical Details Native prompt image ingestion (detectAndLoadPromptImages / loadImageFromRef) resolved and read sandbox paths but did not apply the same workspace-root assertion used by file tools when tools.fs.workspaceOnly was set. Fix Commit(s) - 370d115549c0dadace0902775eea0d5094aedfdc Verification - pnpm check - pnpm exec vitest run --config vitest.gateway.config.ts - pnpm test:fast Release Process Note patchedversions is pre-set to the planned next release (2026.2.24) so once npm release is available, this advisory only needs publish action. Thanks @tdjackey for reporting. Publication Update (2026-02-25) openclaw@2026.2.24 is published on npm and contains the fix commit(s) listed above. 
This advisory now marks = 2026.2.24 as patched.", + "affected": [ + "openclaw@<= 2026.2.23" + ], + "patched": [ + "openclaw@>= 2026.2.24" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-25T04:37:41Z", + "updated": "2026-02-25T04:37:41Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-9f72-qcpw-2hxc" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9f72-qcpw-2hxc", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-200", + "CWE-284" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-9f72-qcpw-2hxc" + ] + }, + { + "id": "GHSA-h656-5vcf-cm23", + "ghsa_id": "GHSA-h656-5vcf-cm23", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "improper_access_control", + "nvd_category_id": "CWE-284", + "title": "Telegram: Unauthorized Senders Trigger Media Download and Disk Write Before Access Check", + "description": "Impact In Telegram DM mode, inbound media was downloaded and written to disk before sender authorization checks completed. An unauthorized sender could trigger inbound media download/write activity (including media groups) even when DM access should be denied. Affected Packages / Versions - Package: openclaw (npm) - Latest published version currently affected: 2026.2.23 - Vulnerable range: <= 2026.2.23 - Patched in planned next release: 2026.2.24 Fix Commit(s) - 9514201fb9b51de5d0b23151110d0ff5d9c8bd67 Technical Details The Telegram handler flow now enforces DM authorization before media download/write paths execute, including media-group handling. Inbound channel activity tracking was also moved to run after DM authorization in the Telegram message context path. 
Release Process Note patchedversions is pre-set to the planned next release (2026.2.24). After npm publish, the advisory can be published without further version-field edits. Thanks @v8hid for reporting. Publication Update (2026-02-25) openclaw@2026.2.24 is published on npm and contains the fix commit(s) listed above. This advisory now marks = 2026.2.24 as patched.", + "affected": [ + "openclaw@<=2026.2.23" + ], + "patched": [ + "openclaw@>= 2026.2.24" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-25T04:37:39Z", + "updated": "2026-02-25T04:37:39Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-h656-5vcf-cm23" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h656-5vcf-cm23", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-284", + "CWE-404", + "CWE-406", + "CWE-770" + ], + "credits": [ + "v8hid" + ], + "aliases": [ + "GHSA-h656-5vcf-cm23" + ] + }, + { + "id": "GHSA-33hm-cq8r-wc49", + "ghsa_id": "GHSA-33hm-cq8r-wc49", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "path_traversal", + "nvd_category_id": "CWE-22", + "title": "Temporary path handling could write outside OpenClaw temp boundary", + "description": "Summary Sandbox media local-path validation accepted absolute paths under host tmp, even when those paths were outside the active sandbox root. 
Affected Packages / Versions - Package: openclaw (npm) - Latest published version verified during triage: 2026.2.23 - Affected versions: <= 2026.2.23 - Patched versions (planned next release): = 2026.2.24 Details In affected versions, sandbox media path resolution allowed absolute host tmp paths as trusted media inputs when they were under os.tmpdir(), without requiring that the path stay within the active sandboxRoot. Because outbound attachment hydration consumed these paths as already validated, this enabled out-of-sandbox host tmp file reads and exfiltration through attachment delivery. Impact - Confidentiality impact: high for deployments relying on sandboxRoot as a strict local filesystem boundary. - Practical impact: attacker-controlled media references could read and attach host tmp files outside the sandbox workspace boundary. Remediation - Restrict sandbox tmp-path acceptance to OpenClaw-managed temp roots only. - Default SDK/extension temp helpers to OpenClaw-managed temp roots. - Add CI guardrails to prevent broad tmp-root regressions in messaging/channel code paths. Fix Commit(s) - d3da67c7a9b463edc1a9b1c1f7af107a34ca32f5 - 79a7b3d22ef92e36a4031093d80a0acb0d82f351 - def993dbd843ff28f2b3bad5cc24603874ba9f1e Release Process Note The advisory is pre-set with patched version 2026.2.24 so it is ready for publication once that npm release is available. Thanks @tdjackey for reporting. Publication Update (2026-02-25) openclaw@2026.2.24 is published on npm and contains the fix commit(s) listed above. 
This advisory now marks = 2026.2.24 as patched.", + "affected": [ + "openclaw@<= 2026.2.23" + ], + "patched": [ + "openclaw@>= 2026.2.24" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-25T04:37:35Z", + "updated": "2026-02-25T04:37:35Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-33hm-cq8r-wc49" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-33hm-cq8r-wc49", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-22", + "CWE-284" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-33hm-cq8r-wc49" + ] + }, + { + "id": "GHSA-534w-2vm4-89xr", + "ghsa_id": "GHSA-534w-2vm4-89xr", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "improper_access_control", + "nvd_category_id": "CWE-284", + "title": "Zalo group sender allowlist bypass permits unauthorized GROUP dispatch", + "description": "A missing group-sender authorization check in the Zalo plugin allowed unauthorized GROUP messages to enter agent dispatch paths in configurations intended to restrict group traffic. Impact When Zalo group handling was configured with allowlist-style controls, a sender not present in the intended group allowlist could still trigger agent processing through the GROUP message path. Root Cause Group access checks were not consistently enforced before dispatch for Zalo GROUP messages. The fix adds explicit runtime group-policy evaluation (groupPolicy, groupAllowFrom, fallback to allowFrom) and fail-closed behavior for missing provider config. 
Affected Packages / Versions - Package: openclaw (npm) - Latest published vulnerable version: 2026.2.23 (as of 2026-02-24) - Affected range: <= 2026.2.23 - Planned patched version: 2026.2.24 Fix Commit(s) - b4010a0b627025c809c0e5dbdbd4770f3bc59ef8 Release Process Note patchedversions is pre-set to the planned next release (2026.2.24). Once that npm release is published, this advisory should only need to be published. Thanks @tdjackey for reporting. Publication Update (2026-02-25) openclaw@2026.2.24 is published on npm and contains the fix commit(s) listed above. This advisory now marks = 2026.2.24 as patched.", + "affected": [ + "openclaw@<= 2026.2.23" + ], + "patched": [ + "openclaw@>= 2026.2.24" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-25T04:37:33Z", + "updated": "2026-02-25T04:37:33Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-534w-2vm4-89xr" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-534w-2vm4-89xr", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-284", + "CWE-863" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-534w-2vm4-89xr" + ] + }, + { + "id": "GHSA-r294-2894-92j3", + "ghsa_id": "GHSA-r294-2894-92j3", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "cross_site_scripting", + "nvd_category_id": "CWE-79", + "title": "Stored XSS in exported session HTML viewer via markdown/raw-HTML rendering", + "description": "Summary The exported session HTML viewer allowed stored XSS when untrusted session content included raw HTML markdown tokens or unescaped metadata fields. 
Impact Opening a crafted exported HTML session could execute attacker-controlled JavaScript in the viewer context. This can expose session content in the page and enable phishing or UI spoofing in the trusted export view. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.22-2 - Patched version (released): = 2026.2.23 Technical Details The exporter rendered markdown with marked.parse(...) and inserted HTML via innerHTML, but did not override the html renderer token path. Raw HTML (for example = 2026.2.23" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-24T05:27:23Z", + "updated": "2026-02-24T05:27:23Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-r294-2894-92j3" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-r294-2894-92j3", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-79" + ], + "credits": [ + "allsmog" + ], + "aliases": [ + "GHSA-r294-2894-92j3" + ] + }, + { + "id": "GHSA-7ff8-xjh3-mgh6", + "ghsa_id": "GHSA-7ff8-xjh3-mgh6", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-266", + "title": "non-default autoAllowSkills setting could bypass on-miss exec prompt", + "description": "Summary In openclaw versions up to and including 2026.2.22-2, a non-default exec-approval configuration could allow a skill-name collision to bypass an ask=on-miss prompt. When autoAllowSkills=true, a path-scoped executable such as ./skill-bin could resolve to basename skill-bin, satisfy the skills allowlist segment, and run without prompting for approval. 
Affected Packages / Versions - Package: npm openclaw - Affected versions: <= 2026.2.22-2 - Patched versions: = 2026.2.23 (released) Configuration Scope (Not Default) This behavior requires non-default settings and does not affect default installs. Required conditions: - autoAllowSkills=true (default is false) - system.run with security=allowlist - ask=on-miss Technical Details The allowlist evaluator accepted skills satisfaction by bin-name match, so ./skill-bin could match skillBins.has(\"skill-bin\") after resolution. The fix hardens skill auto-allow matching by requiring: - a pathless invocation token (no / or \\\\), and - a trusted resolved executable path for that skill bin on the machine where skills run. This preserves normal skill-bin ... behavior while preventing ./=2026.2.23" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-24T05:27:21Z", + "updated": "2026-02-24T05:27:21Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-7ff8-xjh3-mgh6" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7ff8-xjh3-mgh6", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-266", + "CWE-863" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-7ff8-xjh3-mgh6" + ] + }, + { + "id": "GHSA-2j9j-gf59-p4p5", + "ghsa_id": "GHSA-2j9j-gf59-p4p5", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "low", + "type": "github_security_advisory", + "nvd_category_id": null, + "title": "iOS deep link (openclaw://agent) can trigger gateway agent requests without local confirmation", + "description": "Summary A crafted openclaw://agent deep link could cause OpenClaw iOS to forward an agent.request event to a connected Gateway without 
local confirmation on iOS. Affected Packages / Versions - Advisory package metadata: openclaw (swift ecosystem). - Latest published npm openclaw at triage time: 2026.2.22-2. - Affected practical surface: internal preview iOS builds only (not publicly distributed). - Structured advisory range is set to <= 2026.2.22-2 and patched version is pre-set to 2026.2.23 and is now public. Impact - External deep-link trigger could cause unintended agent action initiation in an already-connected iOS node context. - This is a user-interaction deep-link abuse issue, not unauthenticated server takeover. - Severity is set to Low because iOS distribution is internal preview/super-alpha and not public/TestFlight release. Remediation The iOS deep-link path now requires local confirmation unless a trusted deep-link key is provided, and unkeyed deep links have delivery-routing fields stripped before submission. Fix Commit(s) - ff4e6ca0d942ef52330dcbe116321ae4fed21749 Release Process Note patchedversions is pre-set to the released version (2026.2.23). This advisory now reflects released fix version 2026.2.23. 
Thanks @GCXWLP for reporting.", + "affected": [ + "openclaw@<= 2026.2.22-2" + ], + "patched": [ + "openclaw@2026.2.23" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-24T05:27:20Z", + "updated": "2026-02-24T05:27:20Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-2j9j-gf59-p4p5" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2j9j-gf59-p4p5", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [], + "credits": [ + "GCXWLP" + ], + "aliases": [ + "GHSA-2j9j-gf59-p4p5" + ] + }, + { + "id": "GHSA-6x2m-hqfw-hvpj", + "ghsa_id": "GHSA-6x2m-hqfw-hvpj", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-285", + "title": "Node exec approvals could be replayed across nodes", + "description": "Summary exec.approval requests for host=node were not explicitly bound to the target nodeId, so an approval intended for one node could be replayed for a different node under the same operator-controlled gateway fleet. Impact An operator approval for a system.run request could be reused across nodes if the request payload did not carry node identity through approval and execution checks. Affected Packages / Versions - Package: openclaw (npm) - Affected: <= 2026.2.22-2 - Fixed: 2026.2.23 (released) Mitigation Upgrade to 2026.2.23 or later once published. Fix Details The fix requires and persists nodeId for host=node approval requests and rejects execution when the approving node binding does not match the invoking node. Fix Commit(s) - 4a3f8438e527ac371a67fe7ac68a287f0dbe6063 Release Process Note patchedversions is pre-set to the released version (2026.2.23). 
This advisory now reflects released fix version 2026.2.23. Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.22-2" + ], + "patched": [ + "openclaw@>= 2026.2.23" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-24T05:27:18Z", + "updated": "2026-02-24T05:27:18Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-6x2m-hqfw-hvpj" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6x2m-hqfw-hvpj", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-285", + "CWE-863" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-6x2m-hqfw-hvpj" + ] + }, + { + "id": "GHSA-2ch6-x3g4-7759", + "ghsa_id": "GHSA-2ch6-x3g4-7759", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-639", + "title": "commands.allowFrom sender authorization accepted conversation identifiers via ctx.From", + "description": "Summary commands.allowFrom is documented as a sender authorization allowlist for commands/directives, but command authorization could include ctx.From (conversation identity) as a sender candidate. 
When commands.allowFrom contained conversation-like identifiers (for example Discord channel:= 2026.2.23" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-24T05:27:14Z", + "updated": "2026-02-24T05:27:14Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-796m-2973-wc5q" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-796m-2973-wc5q", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-436" + ], + "credits": [ + "jiseoung" + ], + "aliases": [ + "GHSA-796m-2973-wc5q" + ] + }, + { + "id": "GHSA-8j9w-9pm5-pv8m", + "ghsa_id": "GHSA-8j9w-9pm5-pv8m", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-184", + "title": "DUPLICATE of GHSA-3c6h-g97w-fg78: safeBins denied flags can be bypassed via GNU long-option abbreviations", + "description": "Duplicate Notice This draft advisory duplicates GHSA-3c6h-g97w-fg78. Canonical advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-3c6h-g97w-fg78 Use GHSA-3c6h-g97w-fg78 for tracking/publication. This advisory is published as a duplicate notice. Summary OpenClaw safeBins argument validation allowed denied flags to be bypassed via GNU long-option abbreviations. The validator matched denied long flags by exact string and treated unknown long options as allowed, creating a policy/runtime mismatch: commands could be approved as safe-bin usage while runtime behavior reached denied options. Impact - Default safe-bin wc: unauthorized file-read behavior via abbreviated --files0-fro (runtime resolves to --files0-from). 
- Configured safe-bin sort: external program invocation via abbreviated --compress-prog (runtime resolves to --compress-program). - Additional hardening gap: unknown or ambiguous long options in safe-bin mode were not rejected fail-closed. Technical Details Affected paths included safe-bin argv validation and allowlist evaluation: - src/infra/exec-safe-bin-policy.ts - src/infra/exec-approvals-allowlist.ts Affected Packages / Versions - Ecosystem: npm - Package: openclaw - Affected versions: <= 2026.2.22-2 - Fixed in code on main: 2026.2.23 (released) Remediation - Canonicalize long options using GNU-style unique-prefix matching. - Reject unknown and ambiguous long options in safe-bin mode (fail-closed). - Reject inline values for non-value long flags. - Deny additional sort filesystem-dependent flags in safe-bin mode: --random-source, --temporary-directory, -T. - Add regression tests for denied-flag abbreviations and fail-closed long-option handling. Fix Commit(s) - 3b8e33037ae2e12af7beb56fcf0346f1f8cbde6f Release Process Note Patched in 2026.2.23 and published. 
Thanks @jiseoung for reporting.", + "affected": [ + "openclaw@<= 2026.2.22-2" + ], + "patched": [ + "openclaw@>=2026.2.23" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-24T05:27:13Z", + "updated": "2026-02-24T05:27:13Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-8j9w-9pm5-pv8m" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8j9w-9pm5-pv8m", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-184" + ], + "credits": [ + "jiseoung" + ], + "aliases": [ + "GHSA-8j9w-9pm5-pv8m" + ] + }, + { + "id": "GHSA-4cqv-h74h-93j4", + "ghsa_id": "GHSA-4cqv-h74h-93j4", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "improper_authentication", + "nvd_category_id": "CWE-287", + "title": "Discord allowFrom slug-collision authorization bypass", + "description": "OpenClaw supports Discord allowlists using either user IDs or names/tags. Name/tag matching depends on slug normalization, so different user tags can collide to the same slug and unintentionally satisfy a name-based allowlist entry. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.21-2 - Patched versions: = 2026.2.22 What Changed - openclaw security audit now warns on Discord name/tag allowlist entries (DM allowlists, guild/channel users, and pairing-store entries). - Runtime authorization now prefers resolved user IDs when a configured name/tag can be resolved, without rewriting config files on disk. - Name-based entries remain supported for compatibility. Recommendations - Prefer stable Discord user IDs for security-sensitive allowlists. - Run openclaw security audit and address warnings where practical. 
Fix Commit(s) - f97c45c5b5e0698b6667bb5f6badc0cac7dabd12 - 747bb581b3f2264495e1fec5a0727d9f2ca1b6f1 Release Process Note Patched version fields now point to 2026.2.22 and fixes are merged on main. Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.21-2" + ], + "patched": [ + "openclaw@>= 2026.2.22" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-23T00:52:17Z", + "updated": "2026-02-23T00:52:17Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-4cqv-h74h-93j4" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4cqv-h74h-93j4", + "nvd_url": null, + "cvss_score": 6.5, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "cwe_ids": [ + "CWE-287" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-4cqv-h74h-93j4" + ] + }, + { + "id": "GHSA-jxrq-8fm4-9p58", + "ghsa_id": "GHSA-jxrq-8fm4-9p58", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-59", + "title": "Zip extraction symlink traversal could write outside destination", + "description": "Summary A path confinement bypass in OpenClaw ZIP extraction allowed writes outside the intended destination when a pre-existing symlink was present under the extraction root. Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version at triage time: 2026.2.21-2 - Affected versions: <= 2026.2.21-2 - Planned patched version for next release: 2026.2.22 Technical Details The vulnerable path was in src/infra/archive.ts ZIP extraction logic. Output-path checks were lexical, but writes could still traverse an existing symlink in destination path segments. 
The fix blocks this by: - rejecting symlink traversal in destination path segments, - validating resolved destination paths remain inside the extraction root, - using no-follow file opens for ZIP output writes where supported, - adding a regression test for pre-seeded destination symlink traversal. Impact - Type: Arbitrary file write outside extraction root via symlink traversal during ZIP extraction. - Preconditions: attacker-controlled archive extraction plus pre-existing symlink in destination path. Fix Commit(s) - 4b226b74f5fd3b106a83a6347fd404172e2fd246 Release Process Note Patched version is pre-set to the planned next release (2026.2.22). Once npm release 2026.2.22 is published, the advisory can be published without further field edits. Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.21-2" + ], + "patched": [ + "openclaw@>= 2026.2.22" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-23T00:52:17Z", + "updated": "2026-02-23T00:52:17Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-jxrq-8fm4-9p58" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jxrq-8fm4-9p58", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-59" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-jxrq-8fm4-9p58" + ] + }, + { + "id": "GHSA-jwf4-8wf4-jf2m", + "ghsa_id": "GHSA-jwf4-8wf4-jf2m", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "incorrect_authorization", + "nvd_category_id": "CWE-863", + "title": "BlueBubbles (optional plugin) pairing/allowlist mismatch when allowFrom is empty", + "description": "Summary BlueBubbles is an optional OpenClaw channel plugin. 
A configuration-sensitive access-control mismatch allowed DM senders to be treated as authorized when dmPolicy was pairing or allowlist and allowFrom was empty/unset. Severity Rationale (Medium) Severity is set to medium because: - this affects an optional plugin, not core messaging surfaces; - many deployments use owner-controlled/private BlueBubbles identities with limited external reachability; - practical exploitability depends on an untrusted sender being able to reach that specific BlueBubbles account identifier. In typical personal/self-hosted BlueBubbles setups, the mapped Apple identity is single-owner and not broadly reachable, so this is usually low practical risk. Risk is higher in deployments where the identifier is publicly reachable and/or agent tool permissions are broad. Technical Details 1. BlueBubbles DM policy defaults to pairing (dmPolicy ?? \"pairing\"). 2. Effective allowlist can be empty (effectiveAllowFrom). 3. DM/reaction authorization called isAllowedBlueBubblesSender(...). 4. That delegated to shared isAllowedParsedChatSender(...), which previously returned true for empty allowlists. 5. Result: unknown senders could bypass intended pairing/allowlist gating when allowFrom was empty. Affected Packages / Versions - Package: openclaw (npm) - Vulnerable versions: <= 2026.2.21-2 - Planned fixed version: 2026.2.22 Fix The shared parsed-chat allowlist helper now fails closed on empty allowlists, restoring expected BlueBubbles DM gating behavior. BlueBubbles inbound gating was also refactored to use one shared DM/group decision helper for both message and reaction paths to reduce future drift. Fix Commit(s) - 9632b9bcf032c5f2280c3103961fde912ab1f920 - 2ba6de7eaad812e5e8603018e14e54e96bdd57dd - 51c0893673de8e5cea64e64351dbfa4680ba0dec - 4540790cb62412676f7b61cfc6e47443f84a251e Release Process Note patchedversions is pre-set to the planned next release (2026.2.22). 
Once npm release 2026.2.22 is published, this advisory is ready to publish without additional field edits. Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.21-2" + ], + "patched": [ + "openclaw@2026.2.22" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-23T00:52:16Z", + "updated": "2026-02-23T00:52:16Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-jwf4-8wf4-jf2m" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jwf4-8wf4-jf2m", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-863" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-jwf4-8wf4-jf2m" + ] + }, + { + "id": "GHSA-659f-22xc-98f2", + "ghsa_id": "GHSA-659f-22xc-98f2", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "code_injection", + "nvd_category_id": "CWE-94", + "title": "Hook transform path containment missed symlink-resolved escapes", + "description": "Vulnerability Webhook transform modules were validated with lexical path checks only. A symlink under the allowed hooks transform tree could resolve outside the intended directory and be dynamically imported. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.21-2 - Patched version (planned next release): 2026.2.22 Impact When an attacker can cause a transform module path to reference a symlinked entry that resolves outside the trusted transform directory, the gateway may import and execute unintended JavaScript with gateway-process privileges. Attack Preconditions - Hook transforms are enabled and reachable. 
- Attacker can influence transform path resolution (for example via privileged config access and/or writable filesystem path in the transform tree). - A symlink escape exists to attacker-controlled code. Remediation - Enforce realpath-aware containment for existing path ancestors before dynamic import. - Keep lexical containment checks for traversal and absolute-path escapes. - Add regression coverage for: - transform module symlink escape rejection, - hooks.transformsDir symlink escape rejection, - in-root symlink allow-case. Fix Commit(s) - f4dd0577b055f77af783105bd65eae32f3d5e6a1 Release Process Note patchedversions is pre-set to the planned next release (2026.2.22). After npm release is published, advisory publication can proceed without further version edits. Thanks @aether-ai-agent for reporting.", + "affected": [ + "openclaw@<=2026.2.21-2" + ], + "patched": [ + "openclaw@2026.2.22" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-23T00:52:09Z", + "updated": "2026-02-23T00:52:09Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-659f-22xc-98f2" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-659f-22xc-98f2", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-94" + ], + "credits": [], + "aliases": [ + "GHSA-659f-22xc-98f2" + ] + }, + { + "id": "GHSA-5847-rm3g-23mw", + "ghsa_id": "GHSA-5847-rm3g-23mw", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": null, + "title": "Hook auth rate limiter bypass via IPv4-mapped IPv6 client key variants", + "description": "Vulnerability The hook authentication throttle keyed failed attempts by raw socket 
remoteAddress text. IPv4 and IPv4-mapped IPv6 forms of the same client (for example 1.2.3.4 and ::ffff:1.2.3.4) were treated as different clients, allowing separate rate-limit buckets. Impact An attacker could split failed hook-auth attempts across both address forms and effectively double the brute-force budget from 20 to 40 attempts per 60-second window. Affected Components - src/gateway/server-http.ts - src/gateway/auth-rate-limit.ts Affected Packages / Versions - Package: openclaw (npm) - Vulnerable versions: <= 2026.2.21-2 - Patched version (planned next release): 2026.2.22 Remediation Centralize and reuse canonical client-IP normalization for auth rate-limiting, and use that canonical key for hook auth throttling. Fix Commit(s) - 3284d2eb227e7b6536d543bcf5c3e320bc9d13c5 Release Process Note patchedversions is pre-set to the planned next release (2026.2.22) so once npm release 2026.2.22 is published, this advisory can be published directly. Thanks @aether-ai-agent for reporting.", + "affected": [ + "openclaw@<=2026.2.21-2" + ], + "patched": [ + "openclaw@>= 2026.2.22" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-23T00:52:08Z", + "updated": "2026-02-23T00:52:08Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-5847-rm3g-23mw" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5847-rm3g-23mw", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [], + "credits": [], + "aliases": [ + "GHSA-5847-rm3g-23mw" + ] + }, + { + "id": "GHSA-9mph-4f7v-fmvh", + "ghsa_id": "GHSA-9mph-4f7v-fmvh", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": null, + "title": 
"Agent avatar symlink traversal in gateway session metadata", + "description": "Summary A crafted local avatar path could follow a symlink outside the agent workspace and return arbitrary file contents as a base64 data: URL in gateway responses. Impact - Confidentiality impact: local file read in the gateway process context. - Exfiltration path: agents.list can return the resulting avatarUrl payload. Affected Components - src/gateway/session-utils.ts (resolveIdentityAvatarUrl) Affected Packages / Versions - Package: openclaw (npm) - Introduced: v2026.1.21 - Affected published versions: <= 2026.2.21-2 - Planned patched version: 2026.2.22 Remediation - Resolve workspace and avatar paths with realpath and enforce realpath containment. - Open files with ONOFOLLOW when available. - Compare pre-open and opened file identity (dev/ino) to block swap races. - Add regression tests for outside-workspace symlink rejection and in-workspace symlink allowance. Fix Commit(s) - 3d0337504349954237d09e4d957df5cb844d5e77 Release Process Note The advisory patchedversions field is pre-set to the planned next release (2026.2.22). After that npm release is published, the remaining step is to publish this advisory. 
Thanks @aether-ai-agent for reporting.", + "affected": [ + "openclaw@<= 2026.2.21-2" + ], + "patched": [ + "openclaw@>= 2026.2.22" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-23T00:52:08Z", + "updated": "2026-02-23T00:52:08Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-9mph-4f7v-fmvh" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9mph-4f7v-fmvh", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [], + "credits": [], + "aliases": [ + "GHSA-9mph-4f7v-fmvh" + ] + }, + { + "id": "GHSA-5h2c-8v84-qpvr", + "ghsa_id": "GHSA-5h2c-8v84-qpvr", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-15", + "title": "Shell-env fallback trusted startup env and could execute attacker-influenced login-shell paths", + "description": "Summary OpenClaw shell-env fallback trusted startup environment values and could execute attacker-influenced login-shell startup paths before loading env keys. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: = 2026.1.5 and <= 2026.2.21-2 - Fixed on main: 9363c320d8ffe29290906752fab92621da02c3f7 - Planned patched release version (pre-set): 2026.2.22 Details The vulnerable chain was in the shell-env fallback path: 1. src/infra/shell-env.ts - resolveShell(env) trusted env.SHELL when set. - execLoginShellEnvZero(...) executed ${SHELL} -l -c \"env -0\" with inherited runtime env. 2. src/config/io.ts - Config env values were applied before shell fallback execution. 3. 
src/config/env-vars.ts / env policy coverage - SHELL handling was hardened, but startup-path selectors (HOME, ZDOTDIR) still needed explicit blocking in config env ingestion and sanitization for shell fallback execution. With env/config influence, this could trigger unintended command execution in shell startup processing on the OpenClaw host process context. Fix Mainline hardening now: - blocks SHELL, HOME, and ZDOTDIR during config env ingestion used by runtime fallback, - sanitizes shell fallback execution env, pinning HOME to the real user home and dropping ZDOTDIR + dangerous startup vars, - adds regression tests for config env ingestion and shell fallback/path-probe sanitization. Fix Commit(s) - 9363c320d8ffe29290906752fab92621da02c3f7 Impact - Local code-execution risk in environments where attacker-controlled env/config input can reach shell-env fallback. - Under OpenClaw trust assumptions (SECURITY.md), this is not a public-remote issue and depends on crossing local trusted-operator boundaries. Release Process Note patchedversions is intentionally pre-set to the planned next release (2026.2.22) so once npm release is out, maintainers can publish advisory immediately. 
Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<=2026.2.21-2" + ], + "patched": [ + "openclaw@>= 2026.2.22" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-23T00:52:06Z", + "updated": "2026-02-23T00:52:06Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-5h2c-8v84-qpvr" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5h2c-8v84-qpvr", + "nvd_url": null, + "cvss_score": 5.3, + "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "cwe_ids": [ + "CWE-15", + "CWE-78" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-5h2c-8v84-qpvr" + ] + }, + { + "id": "GHSA-8mf7-vv8w-hjr2", + "ghsa_id": "GHSA-8mf7-vv8w-hjr2", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "low", + "type": "os_command_injection", + "nvd_category_id": "CWE-78", + "title": "tools.exec.safeBins generic fallback allowed interpreter-style inline payload execution in allowlist mode", + "description": "Summary When tools.exec.safeBins contained a binary without an explicit safe-bin profile, OpenClaw used a permissive generic fallback profile. In allowlist mode, that could let interpreter-style binaries (for example python3, node, ruby) execute inline payloads via flags like -c. This requires explicit operator configuration to add such binaries to safeBins, so impact is limited to non-default/misconfigured deployments. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.21-2 - Patched in code: = 2026.2.22 (planned next npm release) Fix - Remove generic safe-bin fallback during allowlist evaluation. - Require explicit safe-bin profiles for safeBins entries. 
- Add configurable tools.exec.safeBinProfiles (global + per-agent) for safe custom binaries. - Update docs to clearly separate safeBins from command allowlist semantics. Fix Commit(s) - 47c3f742b6c488be26dd7b9636dbbb8676089154 Release Process Note patchedversions is pre-set to the planned next release (= 2026.2.22) so once that npm release is published, the advisory can be published directly without further metadata edits. Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.21-2" + ], + "patched": [ + "openclaw@>= 2026.2.22" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-23T00:52:06Z", + "updated": "2026-02-23T00:52:06Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-8mf7-vv8w-hjr2" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8mf7-vv8w-hjr2", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-78", + "CWE-693" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-8mf7-vv8w-hjr2" + ] + }, + { + "id": "GHSA-4rqq-w8v4-7p47", + "ghsa_id": "GHSA-4rqq-w8v4-7p47", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "low", + "type": "github_security_advisory", + "nvd_category_id": null, + "title": "Incomplete IPv4 special-use SSRF blocking in web fetch guard", + "description": "Summary isPrivateIpv4() in bundled SSRF guard code missed several IPv4 special-use/non-global ranges, so webfetch could allow targets that should be blocked by SSRF policy. Affected Packages / Versions - Package: openclaw (npm) - Latest published affected version: 2026.2.21-2 (published 2026-02-21) - Structured vulnerable range: <= 2026.2.21-2 - Planned patched version (pre-set): = 2026.2.22 Impact Low severity. 
Exploitation requires network reachability to the relevant special-use ranges and a request path that reaches webfetch URL fetching. Technical Details Affected releases used narrow IPv4 private-range checks that omitted multiple RFC special-use/non-global ranges. This allowed requests such as http://198.18.0.1/... through SSRF validation in affected releases. Follow-up hardening consolidates local-host/tailnet range checks so gateway/browser/tailnet paths share one canonical IP classification flow. Fix Commit(s) - 71bd15bb4294d3d1b54386064d69cd0f5f731bd8 - 44dfbd23df453e51b71ef79a148c28c53e89168c - 333fbb86347998526dd514290adfd5f727caa6d9 - f14ebd743cfc73f667fae80af70043d0ab1f88bd Release Process Note patchedversions is intentionally pre-set to the planned next release (= 2026.2.22) so once npm 2026.2.22 is published, maintainers can publish this advisory without further metadata edits. Thanks @princeeismond-dot for reporting.", + "affected": [ + "openclaw@<= 2026.2.21-2" + ], + "patched": [ + "openclaw@>= 2026.2.22" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-23T00:52:05Z", + "updated": "2026-02-23T00:52:05Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-4rqq-w8v4-7p47" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4rqq-w8v4-7p47", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [], + "credits": [ + "princeeismond-dot" + ], + "aliases": [ + "GHSA-4rqq-w8v4-7p47" + ] + }, + { + "id": "GHSA-f6h3-846h-2r8w", + "ghsa_id": "GHSA-f6h3-846h-2r8w", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-639", + "title": "Elevated allowFrom matching 
tightened for sender-scoped authorization", + "description": "Summary In certain elevated-mode configurations, tools.elevated.allowFrom accepted broader identity signals than intended. The fix tightens matching to sender-scoped identity by default and makes mutable metadata matching explicit. Context OpenClaw is commonly used in 1:1 chats or trusted group chats. In that intended model, this issue is best treated as authorization hardening / defense-in-depth for elevated sender approval. Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version at triage: 2026.2.21-2 - Affected versions: <= 2026.2.21-2 - Planned patched version (pre-set for publish-ready advisory): 2026.2.22 Details Elevated sender authorization now matches sender-scoped identity values only by default (SenderId, From, SenderE164) and no longer considers recipient routing fields such as ctx.To. Mutable sender metadata (SenderName, SenderUsername, SenderTag) now requires explicit allowlist prefixes (name:, username:, tag:). Explicit identity prefixes are also supported (id:, from:, e164:). Fix Commit(s) - 6817c0ec7b4fa830123d4f5c340f075a4bd04ee2 Release Process Note The advisory patchedversions is pre-set to the planned next release (2026.2.22). Once npm openclaw@2026.2.22 is published, this advisory can be published without additional content edits. 
Thanks @jiseoung for reporting.", + "affected": [ + "openclaw@<= 2026.2.21-2" + ], + "patched": [ + "openclaw@>= 2026.2.22" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-23T00:52:03Z", + "updated": "2026-02-23T00:52:03Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-f6h3-846h-2r8w" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f6h3-846h-2r8w", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-639" + ], + "credits": [ + "jiseoung" + ], + "aliases": [ + "GHSA-f6h3-846h-2r8w" + ] + }, + { + "id": "GHSA-qhrr-grqp-6x2g", + "ghsa_id": "GHSA-qhrr-grqp-6x2g", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-426", + "title": "tools.exec.safeBins trusted PATH directories allowed binary shadowing in allowlist mode", + "description": "Summary In openclaw allowlist mode, tools.exec.safeBins trusted PATH-derived directories for safe-bin resolution. A same-name binary placed in a trusted PATH directory could satisfy safe-bin checks and execute. Impact This is an allowlist bypass in exec policy that can lead to command execution in the OpenClaw runtime context when allowlist mode relies on safe bins and an attacker can influence trusted binary locations. Affected Packages / Versions - Package: openclaw (npm) - Vulnerable versions: <= 2026.2.21-2 - Patched versions: = 2026.2.22 (planned next release) - Latest published npm version at triage time (2026-02-22): 2026.2.21-2 Root Cause - Safe-bin trust accepted PATH-derived directories instead of explicit trusted directories. 
- Safe-bin execution used shell command tokens that could resolve to shadowed binaries. Remediation - Stop trusting PATH-derived directories for safe-bin trust. - Add explicit tools.exec.safeBinTrustedDirs for opt-in extra trusted paths. - Pin safe-bin shell execution to resolved absolute executable paths. Fix Commit(s) - 64b273a71cf0b2f2419c974832cede1fc2158729 Release Process Note patchedversions is pre-set to the planned next release (2026.2.22). After npm release, this advisory is ready for publish without additional field edits. Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.21-2" + ], + "patched": [ + "openclaw@>= 2026.2.22" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-23T00:52:00Z", + "updated": "2026-02-23T00:52:00Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-qhrr-grqp-6x2g" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qhrr-grqp-6x2g", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-426" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-qhrr-grqp-6x2g" + ] + }, + { + "id": "GHSA-cjv3-m589-v3rx", + "ghsa_id": "GHSA-cjv3-m589-v3rx", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "cross_site_scripting", + "nvd_category_id": "CWE-79", + "title": "Canvas route hardening for mixed-trust deployments", + "description": "Summary This advisory tracks a defense-in-depth hardening for canvas routes. In mixed-trust or network-visible deployments, prior canvas auth/fallback behavior could broaden access beyond intended boundaries. Deployment Context OpenClaw’s default model is trusted host + loopback-first access. 
Some operators intentionally expose canvas routes on LAN/tailnet. This update is aimed at those broader deployment patterns. What Changed - Require explicit token or session-capability authorization for canvas routes. - Remove shared-IP fallback paths for canvas access. - Tighten bind/fallback behavior to fail closed. Impact Risk was highest in non-loopback or mixed-trust environments. In strict single-operator trusted-host setups, practical exposure is lower. Affected Packages / Versions - Package: openclaw (npm) - Vulnerable: <= 2026.2.19-2 - Patched: 2026.2.21 (next release target) Fix Commit(s) - c45f3c5b004c8d63dc0e282e2176f8c9355d24f1 - 08a7967936cfc0b2af6b27ec1f9272542648ad6c Release Process Note Fix is already on main. Publish this advisory after npm release 2026.2.21 ships. Thanks @NucleiAv for reporting.", + "affected": [ + "openclaw@<= 2026.2.19-2" + ], + "patched": [ + "openclaw@>=2026.2.21" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-21T18:16:09Z", + "updated": "2026-02-21T18:16:09Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-cjv3-m589-v3rx" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cjv3-m589-v3rx", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-79", + "CWE-1021" + ], + "credits": [ + "NucleiAv" + ], + "aliases": [ + "GHSA-cjv3-m589-v3rx" + ] + }, + { + "id": "GHSA-w9cg-v44m-4qv8", + "ghsa_id": "GHSA-w9cg-v44m-4qv8", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-15", + "title": "BASHENV / ENV startup-file injection into spawned shell commands", + "description": "Summary BASHENV / ENV startup-file 
injection could lead to unintended pre-command shell execution when attacker-controlled environment values were admitted and then inherited by host command execution paths. Affected Packages / Versions - Package: openclaw (npm) - Affected: <= 2026.2.19-2 - Fixed on main: 2cdbadee1f8fcaa93302d7debbfc529e19868ea4 - Planned patched release version: 2026.2.21 Details The fix hardens environment handling across all relevant execution paths: - Blocks dangerous startup/runtime env keys and prefixes in shared host env sanitization. - Sanitizes inherited ambient environment even when no per-request overrides are provided. - Blocks dangerous config-driven env injection before values enter process environment. - Uses the same sanitizer in macOS host execution paths. - Aligns skill env override sanitization with the shared dangerous-env policy. Impact Medium. Exploitation requires local/privileged influence over configuration or environment inputs; there is no standalone remote unauthenticated trigger from this issue alone. Fix Commit(s) - 2cdbadee1f8fcaa93302d7debbfc529e19868ea4 Release Process Note patchedversions is pre-set to the planned next release (2026.2.21). Once npm openclaw@2026.2.21 is published, the advisory can be published without further field edits. 
Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.19-2" + ], + "patched": [ + "openclaw@>=2026.2.21" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-21T18:16:03Z", + "updated": "2026-02-21T18:16:03Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-w9cg-v44m-4qv8" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w9cg-v44m-4qv8", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-15", + "CWE-78" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-w9cg-v44m-4qv8" + ] + }, + { + "id": "GHSA-w7j5-j98m-w679", + "ghsa_id": "GHSA-w7j5-j98m-w679", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "high", + "type": "github_security_advisory", + "nvd_category_id": "CWE-250", + "title": "Multiple E2E/test Dockerfiles run all processes as root", + "description": "Three Dockerfiles in scripts/docker/ and scripts/e2e/ lack a USER directive, meaning all processes run as uid 0 (root). If any process is compromised, the attacker has root inside the container, making container breakout significantly easier. Partial fix (2026-02-08): Commit 28e1a65e added USER sandbox to Dockerfile.sandbox and Dockerfile.sandbox-browser. The E2E/test Dockerfiles listed below remain unpatched. Affected components: - scripts/e2e/Dockerfile - scripts/e2e/Dockerfile.qr-import - scripts/docker/install-sh-e2e/Dockerfile - scripts/docker/install-sh-nonroot/Dockerfile (runs as app but with NOPASSWD sudo — see related advisory) Technical Reproduction: 1. Open each Dockerfile listed above and search for a USER directive — none found. 2. 
Run any of these containers: docker run --rm -it = 2026.2.21" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-21T10:42:51Z", + "updated": "2026-02-21T10:42:51Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-w7j5-j98m-w679" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w7j5-j98m-w679", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-250" + ], + "credits": [ + "TerminalsandCoffee" + ], + "aliases": [ + "GHSA-w7j5-j98m-w679" + ] + }, + { + "id": "GHSA-82g8-464f-2mv7", + "ghsa_id": "GHSA-82g8-464f-2mv7", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-15", + "title": "Skill env override host env injection", + "description": "Summary applySkillConfigEnvOverrides previously copied skills.entries..env values into the host process.env without applying the host env safety policy. Impact In affected versions, dangerous process-level variables such as NODEOPTIONS could be injected when unset, which can influence runtime/child-process behavior. 
Required attacker capability An attacker must be able to modify OpenClaw local state/config (for example ~/.openclaw/openclaw.json) to set skills.entries.= 2026.2.21" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-21T10:42:37Z", + "updated": "2026-03-02T06:53:28Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-82g8-464f-2mv7" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-82g8-464f-2mv7", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-15", + "CWE-94", + "CWE-1341" + ], + "credits": [ + "nedlir" + ], + "aliases": [ + "GHSA-82g8-464f-2mv7" + ] + }, + { + "id": "GHSA-jjgj-cpp9-cvpv", + "ghsa_id": "GHSA-jjgj-cpp9-cvpv", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "path_traversal", + "nvd_category_id": "CWE-22", + "title": "Local File Exfiltration via MCP Tool Result MEDIA: Directive Injection", + "description": "Summary A malicious or compromised MCP (Model Context Protocol) tool server can exfiltrate arbitrary local files from the host system by injecting MEDIA: directives into tool result text content. OpenClaw's tool result processing pipeline extracts file paths from MEDIA: tokens without source-level validation, passes them through a localRoots allowlist check that includes os.tmpdir() by default (covering /tmp on Linux/macOS and %TEMP% on Windows), and then reads and delivers the file contents to external messaging channels such as Discord, Slack, Telegram, and WhatsApp. Affected Component OpenClaw (all versions up to and including latest as of 2026-02-19) Vulnerability Details Root Cause The vulnerability exists across multiple files in the media processing pipeline: 1. 
Unvalidated extraction (src/agents/pi-embedded-subscribe.tools.ts, lines 143-202): extractToolResultMediaPaths() parses MEDIA: tokens from MCP tool result text content blocks using a regex. It accepts any file path (absolute, relative, Windows drive, UNC, file:// URI) without validating the source is trusted or the path is within expected boundaries. 2. Overly broad default allowlist (src/media/local-roots.ts, lines 7-16): buildMediaLocalRoots() includes os.tmpdir() in the default allowed directory list. On Linux/macOS this is /tmp (world-readable, often containing application secrets, database dumps, SSH keys, session tokens), and on Windows it is %TEMP% (user's temp directory containing application caches, credentials, and temporary secrets). 3. Delivery to external channels (src/agents/pi-embedded-subscribe.handlers.tools.ts, lines 380-392): After extraction, media paths are delivered via ctx.params.onToolResult({ mediaUrls: mediaPaths }), which flows through the outbound delivery pipeline to send file contents as attachments to Discord, Slack, Telegram, and other configured messaging channels. Attack Flow Secondary Attack Vector: details.path Fallback When an MCP tool result contains type: \"image\" content blocks, extractToolResultMediaPaths() falls back to reading result.details.path (lines 192-199). A malicious tool can return: This bypasses the MEDIA: token parsing entirely and directly injects arbitrary file paths. Third Attack Vector: file:// URI Scheme The loadWebMediaInternal() function (line 228-233) converts file:// URIs to local paths via fileURLToPath(): This provides an alternative syntax for targeting files. 
Impact - File exfiltration: Any file within os.tmpdir() (or the OpenClaw state directory) can be read and sent to external messaging channels - Secret theft: Temporary files often contain API keys, database credentials, SSH keys, session tokens, and application secrets - Cross-application data theft: Other applications' temp files (browser caches, build artifacts, CI/CD secrets) are accessible - Silent exfiltration: The file content is sent as a media attachment to messaging channels the attacker can monitor, with no user-visible indication - Automated exploitation: If auto-reply is enabled, the malicious tool can be triggered without user interaction Reproduction Steps Prerequisites - Node.js 18+ installed - No OpenClaw installation required (PoC is self-contained) Steps 1. Save the PoC script below as poc-media-exfil.js 2. Run: node poc-media-exfil.js 3. Observe: All 21 assertions pass, confirming the vulnerability PoC Script Expected Output Affected Code Locations | File | Lines | Function | Role | |------|-------|----------|------| | src/media/parse.ts | 7 | MEDIATOKENRE | Regex that matches MEDIA: directives in text | | src/agents/pi-embedded-subscribe.tools.ts | 143-202 | extractToolResultMediaPaths() | Extracts file paths from MCP tool results without source validation | | src/agents/pi-embedded-subscribe.handlers.tools.ts | 380-392 | handleToolExecutionEnd() | Delivers extracted media paths to messaging channels | | src/media/local-roots.ts | 7-16 | buildMediaLocalRoots() | Includes os.tmpdir() in default allowed roots | | src/web/media.ts | 60-117 | assertLocalMediaAllowed() | Validates paths against overly broad localRoots | | src/web/media.ts | 212-381 | loadWebMediaInternal() | Reads validated files into memory for delivery | Suggested Remediation 1. Validate MEDIA: source trust: Only accept MEDIA: directives from OpenClaw's own internal tools (TTS, image generation). Reject or flag MEDIA: directives from external MCP tool results. 2. 
Remove os.tmpdir() from default localRoots: The temp directory is too broad. Replace with a narrow OpenClaw-specific subdirectory (e.g., path.join(os.tmpdir(), \"openclaw-media\")). 3. Add source tagging to tool results: Tag each tool result with its source (internal vs. MCP external) and enforce different media access policies for each. 4. Require explicit opt-in for file media delivery: When a tool result contains MEDIA: directives referencing local files, require user confirmation before reading and sending the file. Differentiation from Existing Advisories This vulnerability is distinct from all existing OpenClaw security advisories. Below is an explicit comparison against every advisory or commit that could appear superficially related: Not a duplicate of path traversal advisories (apply-patch, workspace escape, etc.) The existing path traversal advisories (e.g., those targeting apply-patch tool workspace containment via assertSandboxPath(), or resolveFileWithinRoot() in the canvas host file resolver) are about preventing filesystem access outside a sandbox boundary. This vulnerability is fundamentally different: - Different attack surface: The attack enters through MCP tool result text content (extractToolResultMediaPaths() in pi-embedded-subscribe.tools.ts), not through tool arguments, HTTP paths, or patch file contents. - Different code path: The vulnerable pipeline is extractToolResultMediaPaths() → handleToolExecutionEnd() → onToolResult() → loadWebMedia() → assertLocalMediaAllowed(). None of these functions are involved in the existing path traversal fixes. - The validation passes by design: This is not a bypass of assertLocalMediaAllowed(). The function works correctly. The problem is that os.tmpdir() is included in the default localRoots allowlist (src/media/local-roots.ts:10), making the entire system temp directory readable by any MCP tool that returns a MEDIA: directive. 
Not a duplicate of SSRF advisories The existing SSRF advisories cover fetchWithSsrFGuard() and resolvePinnedHostnameWithPolicy() in src/infra/net/. This vulnerability does not involve any HTTP fetching or DNS resolution. Instead, it reads local files from disk and delivers them outbound to messaging channels. The MEDIA: path is a local filesystem path, not a URL. Not a duplicate of canvas host file disclosure The canvas host file disclosure advisory covers the HTTP serving side (resolveFileWithinRoot() in src/canvas-host/file-resolver.ts), where path traversal in the URL could escape the canvas root directory. This vulnerability is about outbound file exfiltration through the agent messaging pipeline, not about the canvas host HTTP server. Not a duplicate of inbound attachment root policy (1316e57) Commit 1316e57 (\"enforce inbound attachment root policy across pipelines\") added src/media/inbound-path-policy.ts to restrict inbound media paths from messaging channels (e.g., iMessage attachment roots). This vulnerability is about outbound media delivery, where files are read from disk and sent to external channels via MEDIA: directives in MCP tool results. Different direction, different code, different policy layer. Not a duplicate of any webhook/messaging auth bypass The webhook auth bypass and messaging platform allowlist bypass advisories cover authentication between OpenClaw and external services. This vulnerability assumes the MCP tool is already configured and trusted. The issue is that tool results can inject MEDIA: directives that cause unintended local file reads and exfiltration. Verification: zero prior fixes for this code path A git log search for commits touching localRoots, local-roots, tmpdir, or extractToolResultMediaPaths returns zero results, confirming this vulnerability has never been reported or addressed. 
References - OpenClaw MCP tool integration documentation - OWASP Path Traversal - CWE-22: Improper Limitation of a Pathname to a Restricted Directory - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor Credit Anmol Vats (@NucleiAv)", + "affected": [ + "openclaw@<= 2026.2.19-2" + ], + "patched": [ + "openclaw@>= 2026.2.21" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-21T10:42:36Z", + "updated": "2026-02-21T10:42:36Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-jjgj-cpp9-cvpv" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jjgj-cpp9-cvpv", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-22", + "CWE-200" + ], + "credits": [ + "NucleiAv" + ], + "aliases": [ + "GHSA-jjgj-cpp9-cvpv" + ] + }, + { + "id": "GHSA-3x3x-h76w-hp98", + "ghsa_id": "GHSA-3x3x-h76w-hp98", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-184", + "title": "OpenClaw exec allowlist safeBins short-option bypass could permit arbitrary file write", + "description": "Summary OpenClaw exec allowlist/safeBins policy could be bypassed with attached short-option payloads (for example sort -o/tmp/poc), enabling file-write operations while still satisfying safeBins checks. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.17 - Latest published vulnerable version: 2026.2.17 - Patched in: 2026.2.19 Impact When tools.exec.security=allowlist and tools.exec.safeBins included affected binaries, attached short-option payloads could bypass safeBins argument validation and permit file-write behavior that should have been denied. 
Fix Commit(s) - cfe8457a0f4aae5324daec261d3b0aad1461a4bc - bafdbb6f112409a65decd3d4e7350fbd637c7754 - fec48a5006eab37c6a5821726ccaeec886486b13 Thanks @FailButWin and @Redgrave961 for reporting.", + "affected": [ + "openclaw@<=2026.2.17" + ], + "patched": [ + "openclaw@>= 2026.2.19" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-21T10:34:16Z", + "updated": "2026-02-21T10:39:23Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-3x3x-h76w-hp98" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3x3x-h76w-hp98", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-184" + ], + "credits": [ + "FailButWin", + "Redgrave961" + ], + "aliases": [ + "GHSA-3x3x-h76w-hp98" + ] + }, + { + "id": "GHSA-2hm8-rqrm-xfjq", + "ghsa_id": "GHSA-2hm8-rqrm-xfjq", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "low", + "type": "github_security_advisory", + "nvd_category_id": "CWE-269", + "title": "Owner-only gateway tool access checks were incomplete in specific authenticated DM flows", + "description": "Summary In authenticated non-owner DM sessions, a narrow tool-invocation path could reach broader-than-intended owner-only gateway actions. Impact This requires an authenticated non-owner sender in a DM session and a specific tool invocation path. No unauthenticated access is involved, and this does not provide direct code execution by itself. Root Cause - Some gateway call paths were still using broader default scopes instead of method-level least-privilege scopes. - Owner-only enforcement depended on tool-name checks and was not consistently metadata-driven across all call paths. 
Affected Packages / Versions - Package: openclaw (npm) - Affected: <= 2026.2.17 (latest published npm version as of February 19, 2026) - Patched: 2026.2.19 Remediation - Refactored gateway method scope mapping to a data-driven table and added guard tests to ensure all exposed core gateway methods stay classified. - Centralized owner-only enforcement in tool policy wrappers and tool metadata. - Marked owner-only tools explicitly (cron, gateway, whatsapplogin) and removed duplicated per-tool owner checks. - Refactored gateway call path internals into smaller helpers while preserving behavior and coverage. Fix Commit(s) - a40c10d3e24568b1e2947c104484be74bf66b8d2 - 2777d8ad91ef1e8a7c6f5b4b18f8507be7d02914 - 3d7ad1cfca4daaa84cd553e843e0e08fa6201349 Thanks @Adam55A-code for reporting.", + "affected": [ + "openclaw@<= 2026.2.17" + ], + "patched": [ + "openclaw@>= 2026.2.19" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-21T10:34:15Z", + "updated": "2026-02-21T10:40:02Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-2hm8-rqrm-xfjq" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2hm8-rqrm-xfjq", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-269", + "CWE-863" + ], + "credits": [ + "Adam55A-code" + ], + "aliases": [ + "GHSA-2hm8-rqrm-xfjq" + ] + }, + { + "id": "GHSA-ff98-w8hj-qrxf", + "ghsa_id": "GHSA-ff98-w8hj-qrxf", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "low", + "type": "os_command_injection", + "nvd_category_id": "CWE-78", + "title": "Plugin runtime command execution is part of trusted plugin boundary", + "description": "Summary OpenClaw plugins/extensions run in-process and are treated as trusted 
code. This advisory tracks trust-boundary clarification around plugin runtime command execution (runtime.system.runCommandWithTimeout). Impact Plugins already execute with the same OS privileges as the OpenClaw process. Exposing runtime command helpers does not cross an additional sandbox boundary. Affected Packages / Versions - Package: openclaw (npm) - Latest published version reviewed: 2026.2.17 - Affected range for this advisory record: <= 2026.2.17 - Planned patched version metadata: 2026.2.19 (next release line) Fix Commit(s) - 2e421f32dfc589c02706265fd3c3137ffc06c4b1 Remediation - Install only trusted plugins. - Use plugins.allow to pin explicit trusted plugin IDs. - SECURITY.md now explicitly documents that plugin runtime helpers are convenience APIs, not a sandbox boundary. Thanks @markmusson for reporting.", + "affected": [ + "openclaw@<= 2026.2.17" + ], + "patched": [ + "openclaw@>= 2026.2.19" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-21T10:34:13Z", + "updated": "2026-02-21T10:39:21Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-ff98-w8hj-qrxf" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-ff98-w8hj-qrxf", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-78" + ], + "credits": [ + "markmusson" + ], + "aliases": [ + "GHSA-ff98-w8hj-qrxf" + ] + }, + { + "id": "GHSA-vj3g-5px3-gr46", + "ghsa_id": "GHSA-vj3g-5px3-gr46", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "path_traversal", + "nvd_category_id": "CWE-22", + "title": "Path traversal in Feishu media temp-file naming allows writes outside os.tmpdir()", + "description": "Summary OpenClaw’s Feishu media download 
flow used untrusted Feishu media keys (imageKey / fileKey) when building temporary file paths in extensions/feishu/src/media.ts. Because those keys were interpolated directly into temp-file paths, traversal segments could escape the temp directory and redirect writes outside os.tmpdir(). Impact This is an arbitrary file write issue (within the OpenClaw process file permissions). If an attacker can control Feishu media key values returned to the client (for example via compromised upstream response path), they can influence where downloaded bytes are written. Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version at triage: 2026.2.17 - Affected versions: <= 2026.2.17 - Fixed version: 2026.2.19 Fix Commit(s) - c821099157a9767d4df208c6b12f214946507871 - cdb00fe2428000e7a08f9b7848784a0049176705 - ec232a9e2dff60f0e3d7e827a7c868db5254473f Remediation The fix removes key-derived temp-file naming and keeps downloads in safe temp locations. Additional hardening isolates SDK writeFile calls in per-download temp directories (mkdtemp) with deterministic cleanup, enforces Feishu key trust-boundary validation, and adds a repository guard test against dynamic path.join(os.tmpdir(), \\...${...}\\) patterns in runtime code. 
Thanks @allsmog for reporting.", + "affected": [ + "openclaw@<= 2026.2.17" + ], + "patched": [ + "openclaw@>= 2026.2.19" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-21T10:34:11Z", + "updated": "2026-02-21T10:39:20Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-vj3g-5px3-gr46" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vj3g-5px3-gr46", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-22" + ], + "credits": [ + "allsmog" + ], + "aliases": [ + "GHSA-vj3g-5px3-gr46" + ] + }, + { + "id": "GHSA-2mc2-g238-722j", + "ghsa_id": "GHSA-2mc2-g238-722j", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "os_command_injection", + "nvd_category_id": "CWE-78", + "title": "iMessage remote attachment SCP hardening (strict host-key checks and remoteHost validation)", + "description": "Summary Remote iMessage attachment fetches used SCP with trust-on-first-use host-key behavior and accepted unvalidated remote host tokens. Before the fix: - SCP used StrictHostKeyChecking=accept-new in the remote attachment path. - channels.imessage.remoteHost was not validated as a strict SSH host token. Impact In remote iMessage deployments that use SCP attachment fetching, a first-connection MITM/DNS-poisoning scenario could cause the wrong host key to be trusted. Unsafe remote host token values could also alter SCP argument semantics. 
Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version currently affected: 2026.2.17 - Vulnerable range (structured field): <= 2026.2.17 - Patched version (pre-set for next release): = 2026.2.19 Fix The fix hardens remote attachment SSH/SCP handling by: - requiring StrictHostKeyChecking=yes for SCP and SSH tunnel paths, - adding strict remoteHost normalization/validation, - adding -- argument barrier for SCP remote source parsing, - validating channels.imessage.remoteHost in config schema, - rejecting unsafe auto-detected host tokens at runtime. Fix Commit(s) - Pushed to main: 49d0def6d1e88f002026b1d2a35aa615d48a751a Thanks @allsmog for reporting.", + "affected": [ + "openclaw@<= 2026.2.17" + ], + "patched": [ + "openclaw@>= 2026.2.19" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-21T10:34:10Z", + "updated": "2026-02-21T10:39:20Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-2mc2-g238-722j" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2mc2-g238-722j", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-78", + "CWE-295" + ], + "credits": [ + "allsmog" + ], + "aliases": [ + "GHSA-2mc2-g238-722j" + ] + }, + { + "id": "GHSA-8cp7-rp8r-mg77", + "ghsa_id": "GHSA-8cp7-rp8r-mg77", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "server_side_request_forgery", + "nvd_category_id": "CWE-918", + "title": "SSRF guard bypass via IPv6 transition over ISATAP", + "description": "Summary OpenClaw's SSRF hostname/IP guard did not detect ISATAP embedded IPv4 addresses (...:5efe:w.x.y.z). 
A crafted URL containing an ISATAP IPv6 literal could embed a private IPv4 target (for example loopback) and bypass private-address filtering in URL-fetching paths. Severity Assessment Rated medium: the bug weakens SSRF protections in URL fetch flows, but impact depends on reaching a URL-fetching path with attacker-controlled input and is generally constrained to internal network access attempts. Affected Packages / Versions - Package: openclaw (npm) - Affected: =2026.1.20 <=2026.2.17 - Latest published at patch time: 2026.2.17 - Patched release: 2026.2.19 Security Policy Context Per SECURITY.md, OpenClaw's web/gateway surface is intended for local use by default, public internet exposure is out-of-scope, and prompt-injection reports are out-of-scope for bounty handling. This advisory tracks a core SSRF-guard bypass in fetch protections. Impact This can permit SSRF-style access attempts to internal/private network targets through URL ingestion/fetch paths that rely on shared hostname/IP blocking. Fix - Added RFC 5214 ISATAP embedded-IPv4 detection to the shared SSRF classifier. - Centralized hostname/IP blocking through isBlockedHostnameOrIp and routed relevant validators to that shared path. - Added regression tests for ISATAP private vs public embedded IPv4 handling. 
Fix Commit(s) - d51929ecb52fe65e90bf36795f4247feb29eb8aa Thanks @zpbrent for reporting.", + "affected": [ + "openclaw@>=2026.1.20 <=2026.2.17" + ], + "patched": [ + "openclaw@>= 2026.2.19" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-21T10:34:08Z", + "updated": "2026-02-21T10:39:19Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-8cp7-rp8r-mg77" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8cp7-rp8r-mg77", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-918" + ], + "credits": [ + "zpbrent" + ], + "aliases": [ + "GHSA-8cp7-rp8r-mg77" + ] + }, + { + "id": "GHSA-pfv7-rr5m-qmv6", + "ghsa_id": "GHSA-pfv7-rr5m-qmv6", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": null, + "title": "Auth inconsistency on local Browser Extension Relay /extension endpoint", + "description": "Summary When the optional Chrome extension relay is enabled, /extension accepted unauthenticated WebSocket upgrades while /json/ and /cdp required auth. Affected Packages / Versions - Package: openclaw (npm) - Affected: <= 2026.2.17 - Latest published npm version at triage time: 2026.2.17 Impact This is a local-only issue on loopback (127.0.0.1) and only applies when the extension relay feature is in use. A local process on the same machine could connect to /extension without the token and interfere with extension-relay behavior. No remote network exploit path is involved. Fix - Require gateway-token auth on both /extension and /cdp relay WebSocket endpoints. - Keep loopback/origin checks as defense-in-depth, not as authentication. 
- Use one token path in setup: gateway.auth.token / OPENCLAWGATEWAYTOKEN. Fix Commit(s) - 7e54b6c96feb1a5c30884f2b32037b8dadd0e532 Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.17" + ], + "patched": [ + "openclaw@>= 2026.2.19" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-21T10:34:07Z", + "updated": "2026-02-21T10:39:18Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-pfv7-rr5m-qmv6" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-pfv7-rr5m-qmv6", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-pfv7-rr5m-qmv6" + ] + }, + { + "id": "GHSA-6c9j-x93c-rw6j", + "ghsa_id": "GHSA-6c9j-x93c-rw6j", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-203", + "title": "OpenClaw safeBins file-existence oracle information disclosure", + "description": "An information disclosure vulnerability in OpenClaw's tools.exec.safeBins approval flow allowed a file-existence oracle. When safe-bin validation examined candidate file paths, command allow/deny behavior could differ based on whether a path already existed on the host filesystem. An attacker could probe for file presence by comparing outcomes for existing vs non-existing filenames. 
Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.17 - Latest published vulnerable version at triage time: 2026.2.17 - Planned patched version: 2026.2.18 Impact Attackers with access to this execution surface could infer whether specific files exist (for example secrets/config files), enabling filesystem enumeration and improving follow-on attack planning. Fix The safe-bin policy was changed to deterministic argv-only validation without host file-existence checks. File-oriented flags are blocked for safe-bin mode (for example sort -o, jq -f, grep -f), and trusted-path checks remain enforced. Fix Commit(s) - bafdbb6f112409a65decd3d4e7350fbd637c7754 Found using MCPwner Thanks @nedlir for reporting.", + "affected": [ + "openclaw@<=2026.2.17" + ], + "patched": [ + "openclaw@>= 2026.2.18" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-19T16:03:56Z", + "updated": "2026-02-26T07:11:44Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-6c9j-x93c-rw6j" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6c9j-x93c-rw6j", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-203" + ], + "credits": [ + "nedlir" + ], + "aliases": [ + "GHSA-6c9j-x93c-rw6j" + ] + }, + { + "id": "GHSA-mmpf-jwf4-h3qv", + "ghsa_id": "GHSA-mmpf-jwf4-h3qv", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "low", + "type": "github_security_advisory", + "nvd_category_id": "CWE-77", + "title": "Option injection in pre-commit hook can stage ignored files", + "description": "Summary A maliciously-named file (for example, --force) can trigger option injection in the repository's git-hooks/pre-commit hook when a contributor 
uses the built-in git hook setup (git config core.hooksPath git-hooks). This can cause unintended staging of ignored files. Details The hook collected staged filenames and piped them through xargs into git add without a -- separator. Filenames beginning with - could be interpreted as flags. This issue only affects contributors who: - use the repo's git-hooks/ hook mechanism (not the pre-commit framework), and - run commits in a working directory that contains sensitive ignored files. Impact Under specific circumstances, ignored files (for example .env) can be added to git history. Affected Packages / Versions - Repository versions: <= 2026.2.14 - Fixed in: 2026.2.15 Note: the npm package does not ship git-hooks/; the impact is on contributors working from the repository checkout/source release. Fix The hook now: - uses NUL-delimited file lists (git diff ... -z) to safely handle whitespace, and - passes paths to git add after -- to prevent option injection. Fix Commit(s) - b88f37762f5b6d7ec0f589eb761815e466e4ef4b - ba84b1253967143692166023f9e174c149b6f2ed Thanks @mrthankyou for reporting.", + "affected": [ + "openclaw@<=2026.2.14" + ], + "patched": [ + "openclaw@>=2026.2.15" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-18T03:39:01Z", + "updated": "2026-02-21T10:37:07Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-mmpf-jwf4-h3qv" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mmpf-jwf4-h3qv", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-77" + ], + "credits": [ + "mrthankyou" + ], + "aliases": [ + "GHSA-mmpf-jwf4-h3qv" + ] + }, + { + "id": "GHSA-h9g4-589h-68xv", + "ghsa_id": "GHSA-h9g4-589h-68xv", + "cve_id": null, + "status": "stale", + 
"stale": true, + "stale_after_days": 60, + "severity": "high", + "type": "missing_authentication_for_critical_function", + "nvd_category_id": "CWE-306", + "title": "Authentication bypass in sandbox browser bridge server", + "description": "Summary openclaw could start the sandbox browser bridge server without authentication. When the sandboxed browser is enabled, openclaw runs a local (loopback) HTTP bridge that exposes browser control endpoints (for example /profiles, /tabs, /tabs/open, /agent/). Due to missing auth wiring in the sandbox initialization path, that bridge server accepted requests without requiring gateway auth. CVSS - CVSS v3.1: 7.1 - Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Impact A local attacker (any process on the same machine) could access the bridge server port and: - enumerate open tabs and retrieve CDP WebSocket URLs - open/close/navigate tabs - execute JavaScript in page contexts via CDP - exfiltrate cookies/session data and page contents from authenticated sessions This is a localhost-only exposure (CVSS AV:L), but provides full browser-session compromise for sandboxed browser usage. Affected Versions - Introduced in: 2026.1.29-beta.1 (first npm release that shipped the sandbox browser bridge) - Affected range: =2026.1.29-beta.1 <2026.2.14 Patched Versions - 2026.2.14 Mitigation - Upgrade to 2026.2.14 (recommended). - Or disable the sandboxed browser (agents.defaults.sandbox.browser.enabled=false). Fix Details - The sandbox browser bridge server now always requires auth and enforces the same gateway browser control auth (token/password) that loopback browser clients already use. - Additional hardening: bridge server refuses non-loopback binds; local helper servers are bound to loopback. - Added regression tests (including unit coverage for per-port bridge auth fallback). 
Fix commits: - openclaw/openclaw@4711a943e30bc58016247152ba06472dab09d0b0 - openclaw/openclaw@6dd6bce997c48752134f2d6ed89b27de01ced7e3 - openclaw/openclaw@cd84885a4ac78eadb7bf321aae98db9519426d67 Credits Thanks to Adnan Jakati (@jackhax) of Praetorian for reporting this issue.", + "affected": [ + "openclaw@>=2026.1.29-beta.1 <2026.2.14" + ], + "patched": [ + "openclaw@2026.2.14" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-16T01:37:15Z", + "updated": "2026-02-16T01:45:52Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-h9g4-589h-68xv" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h9g4-589h-68xv", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-306" + ], + "credits": [ + "jackhax" + ], + "aliases": [ + "GHSA-h9g4-589h-68xv" + ] + }, + { + "id": "GHSA-chm2-m3w2-wcxm", + "ghsa_id": "GHSA-chm2-m3w2-wcxm", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "low", + "type": "github_security_advisory", + "nvd_category_id": "CWE-290", + "title": "Google Chat spoofing access with allowlist authorized mutable email principal despite sender-ID mismatch", + "description": "Summary Google Chat allowlisting supports matching by sender email in addition to immutable sender resource name (users/=2026.2.14" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-16T00:31:29Z", + "updated": "2026-02-21T10:40:48Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-chm2-m3w2-wcxm" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + 
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-chm2-m3w2-wcxm", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-290", + "CWE-863" + ], + "credits": [ + "vincentkoc" + ], + "aliases": [ + "GHSA-chm2-m3w2-wcxm" + ] + }, + { + "id": "GHSA-w5c7-9qqw-6645", + "ghsa_id": "GHSA-w5c7-9qqw-6645", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": null, + "title": "Inter-session prompts could be treated as direct user instructions", + "description": "Summary Inter-session messages sent via sessionssend could be interpreted as direct end-user instructions because they were persisted as role: \"user\" without provenance metadata. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.12 (i.e. < 2026.2.13) - Fixed in: 2026.2.13 (patched versions = 2026.2.13) Impact A delegated or internal session could inject instructions into another session that appeared equivalent to externally-originated user input. This is an instruction-provenance confusion issue (confused-deputy style), which can lead to unintended privileged behavior in workflows that trust role: \"user\" as a sole authority signal. Technical details Before the fix, routed inter-session prompts were stored as regular user turns without a verifiable source marker. As a result, downstream workers and transcript readers could not distinguish: - External user input - Internal inter-session routed input Fix OpenClaw now carries explicit input provenance end-to-end for routed prompts. Key changes: - Added structured provenance model (inputProvenance) with kind values including intersession. - sessionssend and agent-to-agent steps now set inter-session provenance when invoking target runs. 
- Provenance is persisted on user messages as message.provenance.kind = \"intersession\" (role remains user for provider compatibility). - Transcript readers and memory helpers were updated to respect provenance and avoid treating inter-session prompts as external user-originated input. - Runtime context rebuilding now annotates inter-session turns with an explicit in-memory marker ([Inter-session message]) for clearer model-side disambiguation. - Regression tests were added for transcript parsing, session tools flow, runner sanitization, and memory hook behavior. Fix Commit(s) - 85409e401b6586f83954cb53552395d7aab04797 Workarounds If immediate upgrade is not possible: - Disable or restrict sessionssend in affected environments. - Do not use role alone as an authority boundary; require provenance-aware checks in orchestration logic. Credit Reported by @anbecker. Thanks @anbecker for reporting.", + "affected": [ + "openclaw@<2026.2.13" + ], + "patched": [ + "openclaw@>=2026.2.13" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-15T23:31:43Z", + "updated": "2026-02-21T10:37:10Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-w5c7-9qqw-6645" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w5c7-9qqw-6645", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [], + "credits": [ + "anbecker" + ], + "aliases": [ + "GHSA-w5c7-9qqw-6645" + ] + }, + { + "id": "GHSA-fhvm-j76f-qmjv", + "ghsa_id": "GHSA-fhvm-j76f-qmjv", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "high", + "type": "github_security_advisory", + "nvd_category_id": "CWE-285", + "title": "Potential access-group authorization bypass if channel type lookup fails", + 
"description": "Summary When Telegram webhook mode is enabled without a configured webhook secret, OpenClaw may accept unauthenticated HTTP POST requests at the Telegram webhook endpoint and trust attacker-controlled update JSON. This can allow forged Telegram updates that spoof message.from.id / chat.id, potentially bypassing sender allowlists and executing privileged bot commands. Affected Packages / Versions - Package: openclaw (npm) - Affected: <= 2026.1.30 - Patched: = 2026.2.1 Impact An attacker who can reach the webhook endpoint can forge Telegram updates and impersonate allowlisted/paired senders by spoofing fields in the webhook payload (for example message.from.id). Impact depends on enabled commands/tools and the deployment’s network exposure. Mitigations / Workarounds - Configure a strong channels.telegram.webhookSecret and ensure your reverse proxy forwards the X-Telegram-Bot-Api-Secret-Token header unchanged. Fix Commit(s) - ca92597e1f9593236ad86810b66633144b69314d (config validation: webhookUrl requires webhookSecret) Defense-in-depth / supporting fixes: - 5643a934799dc523ec2ef18c007e1aa2c386b670 (default webhook listener bind host to loopback) - 3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930 (bound webhook request body size/time) - 633fe8b9c17f02fcc68ecdb5ec212a5ace932f09 (runtime guard: reject webhook startup when secret is missing/empty) Thanks @yueyueL for reporting.", + "affected": [ + "openclaw@<=2026.2.1" + ], + "patched": [ + "openclaw@>=2026.2.2" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-14T21:15:31Z", + "updated": "2026-02-21T10:37:22Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-fhvm-j76f-qmjv" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fhvm-j76f-qmjv", + 
"nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-285" + ], + "credits": [ + "simecek", + "stanislavfortaisle" + ], + "aliases": [ + "GHSA-fhvm-j76f-qmjv" + ] + }, + { + "id": "GHSA-g27f-9qjv-22pm", + "ghsa_id": "GHSA-g27f-9qjv-22pm", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "low", + "type": "github_security_advisory", + "nvd_category_id": "CWE-117", + "title": "OpenClaw log poisoning (indirect prompt injection) via WebSocket headers", + "description": "Summary In openclaw versions prior to 2026.2.13, OpenClaw logged certain WebSocket request headers (including Origin and User-Agent) without neutralization or length limits on the \"closed before connect\" path. If an unauthenticated client can reach the gateway and send crafted header values, those values may be written into core logs. Under workflows where logs are later read or interpreted by an LLM (for example via AI-assisted debugging), this can increase the risk of indirect prompt injection (log poisoning). Affected Packages / Versions - Package: openclaw (npm) - Affected: <= 2026.2.12 - Fixed: = 2026.2.13 Details - Component: src/gateway/server/ws-connection.ts - Trigger: WebSocket connection closes before completing the connect/handshake; header values are included in the log message and structured context. Impact This issue is primarily an indirect prompt injection risk and depends on downstream log consumption behavior. If you do not feed logs into an LLM or other automation, impact is limited. Fix Header values written to gateway logs are now sanitized and truncated (including removal of control/format characters and length limiting). - Fix commits: d637a263505448bf4505b85535babbfaacedbaac, e84318e4bcdc948d92e57fda1eb763a65e1774f0 (PR #15592) Workarounds - Upgrade to openclaw@2026.2.13 or later. 
- Treat logs as untrusted input when using AI-assisted debugging (sanitize/escape, and do not auto-execute instructions derived from logs). - Restrict gateway network exposure; apply reverse-proxy limits on header size where applicable. Thanks @pkerkhofs for reporting.", + "affected": [ + "openclaw@<= 2026.2.12" + ], + "patched": [ + "openclaw@2026.2.13" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-14T20:19:44Z", + "updated": "2026-02-14T20:19:44Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-g27f-9qjv-22pm" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g27f-9qjv-22pm", + "nvd_url": null, + "cvss_score": 3.1, + "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", + "cwe_ids": [ + "CWE-117" + ], + "credits": [ + "pkerkhofs" + ], + "aliases": [ + "GHSA-g27f-9qjv-22pm" + ] + }, + { + "id": "GHSA-56f2-hvwg-5743", + "ghsa_id": "GHSA-56f2-hvwg-5743", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "high", + "type": "server_side_request_forgery", + "nvd_category_id": "CWE-918", + "title": "SSRF in Image Tool Remote Fetch", + "description": "Summary A server-side request forgery (SSRF) vulnerability in the Image tool allowed attackers to force OpenClaw to make HTTP requests to arbitrary internal or restricted network targets. Affected Versions - npm: openclaw <= 2026.2.1 Patched Versions - npm: openclaw 2026.2.2 and later Fix Commits - 81c68f582d4a9a20d9cca9f367d2da9edc5a65ae (guard remote media fetches with SSRF checks) - 9bd64c8a1f91dda602afc1d5246a2ff2be164647 (expand SSRF guard coverage) Details The Image tool accepts file paths, file:// URLs, data: URLs, and http(s) URLs. 
In vulnerable versions, http(s) URLs were fetched without SSRF protections, enabling requests to localhost, RFC1918, link-local, and cloud metadata targets. This was fixed by routing remote media fetching through the SSRF guard (private/internal IP + hostname blocking, redirect hardening, DNS pinning). Exploitability Notes - Requires attacker-controlled invocation of the Image tool (direct tool access, or a gateway/channel surface that forwards untrusted image arguments into tool calls). - The image tool expects the fetched content to be an image. Many high-value SSRF targets return text/JSON (for example cloud metadata endpoints), which will typically fail media-type validation. In practice, the most direct confidentiality impact comes from internal endpoints that actually return images (screenshots/renderers, camera snapshots, chart exports, etc.). - Remote fetches are GET-only with no custom headers. Some metadata services require special headers or session tokens (for example GCP Metadata-Flavor, AWS IMDSv2 token), which can further reduce the likelihood of direct credential theft in some environments. - Despite the above constraints, SSRF remains a powerful primitive: it can enable internal network probing and access to unauthenticated/internal HTTP endpoints, and can chain with other weaknesses if present. Related - Duplicate / broader writeup: GHSA-9vf6-3vcv-rpj2 (closed). 
Thanks @p80n-sec for reporting.", + "affected": [ + "openclaw@<=2026.2.1" + ], + "patched": [ + "openclaw@2026.2.2" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-14T17:21:19Z", + "updated": "2026-02-14T17:21:19Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-56f2-hvwg-5743" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-56f2-hvwg-5743", + "nvd_url": null, + "cvss_score": 7.6, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", + "cwe_ids": [ + "CWE-918" + ], + "credits": [ + "p80n-sec" + ], + "aliases": [ + "GHSA-56f2-hvwg-5743" + ] + }, + { + "id": "GHSA-hv93-r4j3-q65f", + "ghsa_id": "GHSA-hv93-r4j3-q65f", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "high", + "type": "github_security_advisory", + "nvd_category_id": "CWE-330", + "title": "Hook Session Key Override Enables Targeted Cross-Session Routing", + "description": "Summary The issue is not deterministic session keys by itself. The exploitable path was accepting externally supplied sessionKey values on authenticated hook ingress, allowing a hook token holder to route messages into chosen sessions. Affected Behavior - POST /hooks/agent accepted payload sessionKey and used it directly for session routing. 
- Common session-key shapes (for example agent:main:dm:= 2.0.0-beta3, < 2026.2.12" + ], + "patched": [ + "openclaw@>= 2026.2.12" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-14T13:36:56Z", + "updated": "2026-02-21T14:11:04Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-hv93-r4j3-q65f" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hv93-r4j3-q65f", + "nvd_url": null, + "cvss_score": 7.1, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", + "cwe_ids": [ + "CWE-330", + "CWE-639" + ], + "credits": [ + "alpernae" + ], + "aliases": [ + "GHSA-hv93-r4j3-q65f" + ] + }, + { + "id": "GHSA-gv46-4xfq-jv58", + "ghsa_id": "GHSA-gv46-4xfq-jv58", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "critical", + "type": "github_security_advisory", + "nvd_category_id": "CWE-20", + "title": "Remote Code Execution via Node Invoke Approval Bypass in Gateway", + "description": "Summary A remote code execution (RCE) vulnerability in the gateway-to-node invocation path allowed an authenticated gateway client to bypass node-host exec approvals by injecting internal control fields into node.invoke parameters. Affected Component - Gateway method: node.invoke for node command system.run - Node host runner: exec approval gating for system.run Impact If an attacker can authenticate to a gateway (for example via a leaked/shared gateway token or a paired device token with operator.write), they could execute arbitrary commands on connected node hosts that support system.run. This can lead to full compromise of developer workstations, CI runners, and servers running the node host. 
Technical Details The gateway forwarded user-controlled params to node hosts without sanitizing internal approval fields. The node host treated params.approved === true and/or params.approvalDecision as sufficient to skip the approval workflow. Fix Patched in OpenClaw 2026.2.14. - Commits: - 318379cdb8d045da0009b0051bd0e712e5c65e2d - a7af646fdab124a7536998db6bd6ad567d2b06b0 - c1594627421f95b6bc4ad7c606657dc75b5ad0ce - 0af76f5f0e93540efbdf054895216c398692afcd - Gateway strips untrusted approval control fields from system.run user input. - Gateway only re-attaches approval flags when params.runId references a valid exec.approval.request record and the request context matches. Approval IDs are bound to the requesting device identity (stable across reconnects), preventing replay by other clients. - Gateway forwards only an allowlisted set of system.run parameters, preventing future control-field smuggling. Mitigations - Upgrade to 2026.2.14 or later. - Restrict access to the gateway (do not expose it to untrusted networks/users). - Rotate gateway credentials if you suspect token/password exposure. - Disable remote command execution on nodes by blocking system.run at the gateway (gateway.nodes.denyCommands) and/or by configuring node exec security to deny. 
Credits Thanks to @222n5 for reporting this issue.", + "affected": [ + "openclaw@< 2026.2.14" + ], + "patched": [ + "openclaw@>= 2026.2.14" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-14T12:06:43Z", + "updated": "2026-02-14T12:32:18Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-gv46-4xfq-jv58" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gv46-4xfq-jv58", + "nvd_url": null, + "cvss_score": 9.9, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", + "cwe_ids": [ + "CWE-20", + "CWE-441", + "CWE-863" + ], + "credits": [ + "222n5" + ], + "aliases": [ + "GHSA-gv46-4xfq-jv58" + ] + }, + { + "id": "GHSA-943q-mwmv-hhvh", + "ghsa_id": "GHSA-943q-mwmv-hhvh", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "high", + "type": "os_command_injection", + "nvd_category_id": "CWE-78", + "title": "OC-02: Gateway /tools/invoke tool escalation + ACP permission auto-approval", + "description": "Summary OpenClaw Gateway exposes an authenticated HTTP endpoint (POST /tools/invoke) intended for invoking a constrained set of tools. Two issues could combine to significantly increase blast radius in misconfigured or exposed deployments: - The HTTP gateway layer did not deny high-risk session orchestration tools by default, allowing a caller with Gateway auth to invoke tools like sessionsspawn / sessionssend and pivot into creating or controlling agent sessions. - ACP clients could auto-approve permission requests for risky tools with insufficient user interaction/guardrails, reducing the friction that should normally prevent silent execution or mutation. 
Impact If the Gateway is reachable by an attacker and they obtain a valid Gateway token, they may be able to: - Escalate from single-tool invocation to spawning/controlling sessions and reach command execution capabilities depending on tool policy and runtime environment. - Perform cross-session message injection via sessionssend. - In ACP-integrated scenarios, obtain unintended approvals for non-read/search tool permissions. CVSS - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8) Affected versions - openclaw < 2026.2.14 Fixed in - openclaw = 2026.2.14 Remediation The default behavior is now hardened: - PR #15390: deny high-risk tools over HTTP /tools/invoke by default (with gateway.tools.{allow,deny} overrides) and harden ACP permission handling. - Commit bb1c3dfe1: ACP clients now prompt for any non-read/search permission request (fail closed for mutating/execution/fetch operations). - Commit 539689a2f: security audit warns when gateway.tools.allow re-enables default-denied HTTP tools, since this can increase RCE blast radius if the Gateway is reachable. - Commit 153a7644e: ACP safe-kind inference is stricter to avoid accidental auto-approval due to substring matches (still auto-approves only confident read/search). Mitigations / deployment guidance - Keep the Gateway loopback-only unless you have a strong reason not to: gateway.bind=\"loopback\" / openclaw gateway run --bind loopback. - Avoid exposing the Gateway directly to the public internet. Use an SSH tunnel or Tailscale to access a loopback-bound Gateway. - Treat opting in to default-denied HTTP tools (via gateway.tools.allow) as high-risk and audit such configurations carefully. 
Credits Thanks to @aether-ai-agent for reporting this issue and contributing remediation work.",
+ "affected": [
+ "openclaw@<2026.2.14"
+ ],
+ "patched": [
+ "openclaw@>=2026.2.14"
+ ],
+ "platforms": [
+ "openclaw"
+ ],
+ "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
+ "published": "2026-02-14T11:55:07Z",
+ "updated": "2026-02-14T12:19:32Z",
+ "references": [
+ "https://github.com/openclaw/openclaw/security/advisories/GHSA-943q-mwmv-hhvh"
+ ],
+ "source": "GitHub Security Advisory",
+ "repository": "openclaw/openclaw",
+ "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-943q-mwmv-hhvh",
+ "nvd_url": null,
+ "cvss_score": 8.8,
+ "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+ "cwe_ids": [
+ "CWE-78"
+ ],
+ "credits": [
+ "aether-ai-agent"
+ ],
+ "aliases": [
+ "GHSA-943q-mwmv-hhvh"
+ ]
+ }
+ ]
 }
diff --git a/advisories/ghsa-without-cve.json.sig b/advisories/ghsa-without-cve.json.sig
new file mode 100644
index 0000000..8082ce7
--- /dev/null
+++ b/advisories/ghsa-without-cve.json.sig
@@ -0,0 +1 @@
+P0KWbrwl6ZiBEv2w8uJ7LrbKMHPeNJX0EQBz1QFVgPd9S8xRaE6GsXuOVnkOxkn7g3PpQ6Zh7ywrICd1npiMDA==
\ No newline at end of file
diff --git a/skills/clawsec-feed/advisories/feed.json b/skills/clawsec-feed/advisories/feed.json
index 71a4511..8ce4ede 100644
--- a/skills/clawsec-feed/advisories/feed.json
+++ b/skills/clawsec-feed/advisories/feed.json
@@ -1,6 +1,6 @@
 {
 "version": "0.0.3",
- "updated": "2026-05-16T22:02:27Z",
+ "updated": "2026-05-24T18:52:13Z",
 "description": "Community-driven security advisory feed for ClawSec. Automatically updated with OpenClaw-related CVEs from NVD and community-reported security incidents.",
 "advisories": [
 {
@@ -96,7 +96,7 @@
 "https://github.com/openclaw/openclaw/security/advisories/GHSA-q8ff-7ffm-m3r9",
 "https://www.vulncheck.com/advisories/openclaw-webhook-route-secret-cache-not-invalidated-after-rotation"
 ],
- "cvss_score": 6.0,
+ "cvss_score": 6,
 "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45005",
 "exploitability_score": "medium",
 "exploitability_rationale": "Medium CVSS score (6.0); network accessible",
@@ -168,7 +168,7 @@
 "https://github.com/openclaw/openclaw/security/advisories/GHSA-55cf-xx38-4p9p",
 "https://www.vulncheck.com/advisories/openclaw-connector-endpoint-host-override-via-workspace-dotenv-files"
 ],
- "cvss_score": 5.0,
+ "cvss_score": 5,
 "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45003",
 "exploitability_score": "medium",
 "exploitability_rationale": "Medium CVSS score (5.0); requires local access",
@@ -276,7 +276,7 @@
 "https://github.com/openclaw/openclaw/commit/e90c89cf8b1459f2aa1f3a665be67392b6c03fdf",
 "https://github.com/openclaw/openclaw/security/advisories/GHSA-j4c5-89f5-f3pm"
 ],
- "cvss_score": 5.0,
+ "cvss_score": 5,
 "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45000",
 "exploitability_score": "medium",
 "exploitability_rationale": "Medium CVSS score (5.0); network accessible; SSRF affects agents making external requests",
@@ -564,7 +564,7 @@
 "https://github.com/openclaw/openclaw/security/advisories/GHSA-h2vw-ph2c-jvwf",
 "https://www.vulncheck.com/advisories/openclaw-minimax-api-host-override-via-workspace-dotenv"
 ],
- "cvss_score": 5.0,
+ "cvss_score": 5,
 "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44992",
 "exploitability_score": "medium",
 "exploitability_rationale": "Medium CVSS score (5.0); requires local access",
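Review bot: The `cvss_score` rewrite from `6.0` to `6` in the hunk at -96 (and from `5.0` to `5` at -168, -276, -564, -4508 and -5654) leaves the key integer-spelled on some entries and fractional on others (`7.6` and `8.8` appear elsewhere on this page), so a consumer that maps JSON numbers to separate int and float types, as Python's `json` module does, now sees two types for one field. The neighbouring `exploitability_rationale` strings still print `(6.0)` and `(5.0)`, so the two fields no longer agree textually. If this feed is covered by a detached signature the way `advisories/ghsa-without-cve.json.sig` covers its sibling (not visible here), formatting-only churn like this also forces a re-sign for no change in meaning. It would help to pin the generator's number formatting, or to document in the feed's schema or README that readers must parse `cvss_score` as a float.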
@@ -4508,7 +4508,7 @@
 "https://github.com/openclaw/openclaw/security/advisories/GHSA-jp4j-q5fc-58gv",
 "https://www.vulncheck.com/advisories/openclaw-policy-enforcement-bypass-in-discord-component-interactions"
 ],
- "cvss_score": 5.0,
+ "cvss_score": 5,
 "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41367",
 "exploitability_score": "high",
 "exploitability_rationale": "Medium CVSS score (5.0); network accessible; RCE is critical in agent deployments",
@@ -5654,7 +5654,7 @@
 "https://github.com/openclaw/openclaw/security/advisories/GHSA-rm5c-4rmf-vvhw",
 "https://www.vulncheck.com/advisories/openclaw-time-of-check-time-of-use-toctou-vulnerability-in-sandbox-file-operations"
 ],
- "cvss_score": 5.0,
+ "cvss_score": 5,
 "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41338",
 "exploitability_score": "medium",
 "exploitability_rationale": "Medium CVSS score (5.0); requires local access",
@@ -6493,6 +6493,140 @@
 "exploit_sources": []
 }
 },
+ {
+ "id": "GHSA-mr34-9552-qr95",
+ "ghsa_id": "GHSA-mr34-9552-qr95",
+ "cve_id": null,
+ "status": "active",
+ "stale": false,
+ "stale_after_days": 60,
+ "severity": "medium",
+ "type": "path_traversal",
+ "nvd_category_id": "CWE-22",
+ "title": "Webchat media embedding enforces local-root containment for tool-result files",
+ "description": "Summary Webchat tool-result media normalization could pass local and UNC-style file paths into the host-side media embedding path without applying the configured local-root containment policy. Impact A crafted tool-result media reference could cause the host to attempt local file reads or Windows UNC/network path access while preparing webchat media blocks. This could disclose allowed host files or trigger network credential exposure on affected Windows deployments. Severity remains medium because exploitation depends on a tool-result media path reaching the webchat embedding path, but the sink is a host-side file read before the user sees the rendered result. Affected versions - Affected: = 2026.4.7, < 2026.4.15 - Patched: 2026.4.15 Fix OpenClaw 2026.4.15 hardens the webchat media path and the shared media resolver. Remote-host file:// URLs and Windows network paths are rejected before filesystem access, and audio embedding now enforces configured localRoots containment before stat or read operations. Verified in v2026.4.15: - src/gateway/server-methods/chat-webchat-media.ts uses safe file-URL parsing, rejects Windows network paths, and calls assertLocalMediaAllowed before probing local audio files. - src/media/web-media.ts rejects remote-host file:// URLs, Windows network paths, and local-root bypasses on the shared media path. - src/gateway/server-methods/chat-webchat-media.test.ts covers both remote-host file:// rejection and local-root denial before filesystem access. 
Fix commits included in v2026.4.15 and absent from v2026.4.14: - 1470de5d3e0970856d86cd99336bb8ada3fe87da via PR #67293 - 6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde via PR #67298 - 52ef42302ead9e183e6c8810e0a04ee4ef8ae9fc via PR #67303 as defense-in-depth for trusted media passthrough anchoring Thanks to @Kherrisan for reporting this issue.",
+ "affected": [
+ "openclaw@>= 2026.4.7, < 2026.4.15"
+ ],
+ "patched": [
+ "openclaw@2026.4.15"
+ ],
+ "platforms": [
+ "openclaw"
+ ],
+ "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
+ "published": "2026-04-16T23:40:33Z",
+ "updated": "2026-04-16T23:40:33Z",
+ "references": [
+ "https://github.com/openclaw/openclaw/security/advisories/GHSA-mr34-9552-qr95"
+ ],
+ "source": "GitHub Security Advisory",
+ "repository": "openclaw/openclaw",
+ "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mr34-9552-qr95",
+ "nvd_url": null,
+ "cvss_score": null,
+ "cvss_vector": null,
+ "cwe_ids": [
+ "CWE-22",
+ "CWE-73"
+ ],
+ "credits": [
+ "Kherrisan"
+ ],
+ "aliases": [
+ "GHSA-mr34-9552-qr95"
+ ],
+ "source_feed": "ghsa-without-cve"
+ },
+ {
+ "id": "GHSA-536q-mj95-h29h",
+ "ghsa_id": "GHSA-536q-mj95-h29h",
+ "cve_id": null,
+ "status": "active",
+ "stale": false,
+ "stale_after_days": 60,
+ "severity": "medium",
+ "type": "github_security_advisory",
+ "nvd_category_id": null,
+ "title": "Browser press/type interaction routes missed complete navigation guard coverage",
+ "description": "Summary Browser press/type interaction routes missed complete navigation guard coverage. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: < 2026.4.10 - Patched versions: = 2026.4.10 Impact Some browser press/type style interactions could trigger navigation without complete post-action SSRF policy enforcement. 
Technical Details The fix applies a three-phase interaction navigation guard to navigation-capable interactions, including pressKey and type submit flows. Fix The issue was fixed in #62023 and #63226 and #63889. The first stable tag containing the fix is v2026.4.10, and openclaw@2026.4.14 includes the fix. Fix Commit(s) - 049acf23cb03e1b92f5c71cd99c6ec5f35cc56fe - 5f5b3d733bdd791cb457f838514179e1288b10b3 - e0b8ddc1a55185aff1cf9e0e095014d2e4f1d894 - PR: #62023, #63226, #63889 Release Process Note Users should upgrade to openclaw 2026.4.10 or newer. The latest npm release, 2026.4.14, already includes the fix. Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.",
+ "affected": [
+ "openclaw@< 2026.4.10"
+ ],
+ "patched": [
+ "openclaw@>= 2026.4.10"
+ ],
+ "platforms": [
+ "openclaw"
+ ],
+ "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
+ "published": "2026-04-16T15:19:51Z",
+ "updated": "2026-04-16T15:19:52Z",
+ "references": [
+ "https://github.com/openclaw/openclaw/security/advisories/GHSA-536q-mj95-h29h"
+ ],
+ "source": "GitHub Security Advisory",
+ "repository": "openclaw/openclaw",
+ "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-536q-mj95-h29h",
+ "nvd_url": null,
+ "cvss_score": null,
+ "cvss_vector": null,
+ "cwe_ids": [],
+ "credits": [
+ "zsxsoft",
+ "KeenSecurityLab",
+ "qclawer"
+ ],
+ "aliases": [
+ "GHSA-536q-mj95-h29h"
+ ],
+ "source_feed": "ghsa-without-cve"
+ },
+ {
+ "id": "GHSA-53vx-pmqw-863c",
+ "ghsa_id": "GHSA-53vx-pmqw-863c",
+ "cve_id": null,
+ "status": "active",
+ "stale": false,
+ "stale_after_days": 60,
+ "severity": "high",
+ "type": "server_side_request_forgery",
+ "nvd_category_id": "CWE-918",
+ "title": "Browser SSRF policy default allowed private-network navigation",
+ "description": "Summary Browser SSRF policy default allowed private-network navigation. 
Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: < 2026.4.14 - Patched versions: = 2026.4.14 Impact Browser SSRF protection could allow private-network navigation by default in paths where restrictive behavior was expected, exposing internal services or metadata endpoints through browser-driven requests. Technical Details The fix preserves strict SSRF configuration semantics, keeps private-network access disabled unless explicitly opted in, and updates loopback CDP readiness handling for the stricter default. Fix The issue was fixed in #66354 and #66386. The first stable tag containing the fix is v2026.4.14, and openclaw@2026.4.14 includes the fix. Fix Commit(s) - 024f4614a1a1831406e763adc40ef226e3d5e9ed - 1dabfef28db523e7de81edeb3dd689e9171236a2 - 213c36cf51121ef6c05cfccd78037371f968f31a - 7eecfa411df3d12e6b810e6ca5df47254fc3db3f - PR: #66354, #66386 Release Process Note Users should upgrade to openclaw 2026.4.14 or newer. The latest npm release, 2026.4.14, already includes the fix. 
Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.",
+ "affected": [
+ "openclaw@< 2026.4.14"
+ ],
+ "patched": [
+ "openclaw@>= 2026.4.14"
+ ],
+ "platforms": [
+ "openclaw"
+ ],
+ "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
+ "published": "2026-04-16T15:19:27Z",
+ "updated": "2026-04-16T15:19:27Z",
+ "references": [
+ "https://github.com/openclaw/openclaw/security/advisories/GHSA-53vx-pmqw-863c"
+ ],
+ "source": "GitHub Security Advisory",
+ "repository": "openclaw/openclaw",
+ "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-53vx-pmqw-863c",
+ "nvd_url": null,
+ "cvss_score": null,
+ "cvss_vector": null,
+ "cwe_ids": [
+ "CWE-918",
+ "CWE-1188"
+ ],
+ "credits": [
+ "dhyabi2"
+ ],
+ "aliases": [
+ "GHSA-53vx-pmqw-863c"
+ ],
+ "source_feed": "ghsa-without-cve"
+ },
 {
 "id": "CVE-2026-3691",
 "severity": "medium",
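Review bot: The `description` strings added in this hunk have lost the `>` of their version operators, so the text no longer agrees with the structured ranges: GHSA-mr34-9552-qr95 reads `Affected: = 2026.4.7, < 2026.4.15` while `affected` carries `openclaw@>= 2026.4.7, < 2026.4.15`, and GHSA-536q-mj95-h29h and GHSA-53vx-pmqw-863c read `Patched versions: = 2026.4.10` and `= 2026.4.14` against `openclaw@>= …` in `patched`. Someone triaging from the description alone would read a single affected or fixed version; presumably the clean-up step that flattens the advisory body strips `>` as markup, and it should keep comparison operators so the text reads `Affected: >= 2026.4.7, < 2026.4.15`. The same loss shows in the later hunks (GHSA-846p-hgpv-vphc, GHSA-cwq8-6f96-g3q4, GHSA-cfp9-w5v9-3q4h, GHSA-vfg3-pqpq-93m4). Separately, GHSA-53vx-pmqw-863c lists `credits` as `dhyabi2` while its description thanks @zsxsoft, @KeenSecurityLab and @qclawer, so one of the two looks mis-joined and is worth checking against the upstream advisory.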
@@ -8608,6 +8742,94 @@
 "exploit_sources": []
 }
 },
+ {
+ "id": "GHSA-jf56-mccx-5f3f",
+ "ghsa_id": "GHSA-jf56-mccx-5f3f",
+ "cve_id": null,
+ "status": "active",
+ "stale": false,
+ "stale_after_days": 60,
+ "severity": "high",
+ "type": "github_security_advisory",
+ "nvd_category_id": "CWE-501",
+ "title": "Authenticated /hooks/wake and mapped wake payloads are promoted into the trusted System: prompt channel",
+ "description": "Impact Authenticated /hooks/wake and mapped wake payloads are promoted into the trusted System: prompt channel. An authenticated wake hook or mapped wake payload could be promoted into the trusted System prompt channel instead of an untrusted event. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.2 - Patched versions: 2026.4.8 Fix The issue was fixed on main and is available in the patched npm version listed above. The verified fixed tree is commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5. Verification The fix was re-checked against main before publication, including targeted regression tests for the affected security boundary. 
Credits Thanks @tdjackey for reporting.",
+ "affected": [
+ "openclaw@<= 2026.4.2"
+ ],
+ "patched": [
+ "openclaw@2026.4.8"
+ ],
+ "platforms": [
+ "openclaw"
+ ],
+ "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
+ "published": "2026-04-08T05:33:37Z",
+ "updated": "2026-04-08T05:33:37Z",
+ "references": [
+ "https://github.com/openclaw/openclaw/security/advisories/GHSA-jf56-mccx-5f3f"
+ ],
+ "source": "GitHub Security Advisory",
+ "repository": "openclaw/openclaw",
+ "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jf56-mccx-5f3f",
+ "nvd_url": null,
+ "cvss_score": null,
+ "cvss_vector": null,
+ "cwe_ids": [
+ "CWE-501"
+ ],
+ "credits": [
+ "tdjackey"
+ ],
+ "aliases": [
+ "GHSA-jf56-mccx-5f3f"
+ ],
+ "source_feed": "ghsa-without-cve"
+ },
+ {
+ "id": "GHSA-gfmx-pph7-g46x",
+ "ghsa_id": "GHSA-gfmx-pph7-g46x",
+ "cve_id": null,
+ "status": "active",
+ "stale": false,
+ "stale_after_days": 60,
+ "severity": "high",
+ "type": "github_security_advisory",
+ "nvd_category_id": "CWE-501",
+ "title": "Lower-trust background runtime output is injected into trusted System: events, and local async exec completion misses the intended exec-event downgrade",
+ "description": "Impact Lower-trust background runtime output is injected into trusted System: events, and local async exec completion misses the intended exec-event downgrade. Lower-trust runtime/background output could be promoted into trusted System events, allowing prompt-injection into later agent turns. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.2 - Patched versions: 2026.4.8 Fix The issue was fixed on main and is available in the patched npm version listed above. 
The verified fixed tree is commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5. Verification The fix was re-checked against main before publication, including targeted regression tests for the affected security boundary. Credits Thanks @tdjackey for reporting.",
+ "affected": [
+ "openclaw@<= 2026.4.2"
+ ],
+ "patched": [
+ "openclaw@2026.4.8"
+ ],
+ "platforms": [
+ "openclaw"
+ ],
+ "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
+ "published": "2026-04-08T05:33:36Z",
+ "updated": "2026-04-08T05:33:36Z",
+ "references": [
+ "https://github.com/openclaw/openclaw/security/advisories/GHSA-gfmx-pph7-g46x"
+ ],
+ "source": "GitHub Security Advisory",
+ "repository": "openclaw/openclaw",
+ "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gfmx-pph7-g46x",
+ "nvd_url": null,
+ "cvss_score": null,
+ "cvss_vector": null,
+ "cwe_ids": [
+ "CWE-501"
+ ],
+ "credits": [
+ "tdjackey"
+ ],
+ "aliases": [
+ "GHSA-gfmx-pph7-g46x"
+ ],
+ "source_feed": "ghsa-without-cve"
+ },
 {
 "id": "CVE-2026-34511",
 "severity": "medium",
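Review bot: Both entries added here are `severity: high` but carry no `exploitability_score` or `exploitability_rationale`, which the CVE-sourced entries in this feed do have (visible in the context lines of the score-normalisation hunks); the other `ghsa-without-cve` entries in this commit are the same. A consumer that ranks or filters on `exploitability_score` will, depending on how it treats a missing key, sort these two trust-boundary advisories last or drop them from triage. If the omission is intended, emit the key explicitly as `"exploitability_score": null` so every element of `advisories` has one shape; otherwise run these entries through the same scoring step as the CVE-sourced ones.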
@@ -8644,6 +8866,48 @@
 "exploit_sources": []
 }
 },
+ {
+ "id": "GHSA-846p-hgpv-vphc",
+ "ghsa_id": "GHSA-846p-hgpv-vphc",
+ "cve_id": null,
+ "status": "active",
+ "stale": false,
+ "stale_after_days": 60,
+ "severity": "high",
+ "type": "github_security_advisory",
+ "nvd_category_id": null,
+ "title": "QQ Bot structured payloads could read arbitrary local files",
+ "description": "Summary Before OpenClaw 2026.4.2, QQ Bot structured media payloads could read local files from attacker-chosen paths. A crafted structured payload could escape QQ Bot-owned media roots and cause arbitrary file reads on the host. Impact Prompt-influenced structured payload output could exfiltrate any host file readable by the OpenClaw process through the QQ Bot media-send path. This was a real confidentiality bug on the host filesystem boundary. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.1 - Patched versions: = 2026.4.2 - Latest published npm version: 2026.4.1 Fix Commit(s) - 2c45b06afdd6f7c621038b5419d8e661cff34a7f — restrict QQ Bot structured payload local paths Release Process Note The fix is present on main and is staged for OpenClaw 2026.4.2. Publish this advisory after the 2026.4.2 npm release is live. 
Thanks @feiyang666 of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.",
+ "affected": [
+ "openclaw@<= 2026.4.1"
+ ],
+ "patched": [
+ "openclaw@>= 2026.4.2"
+ ],
+ "platforms": [
+ "openclaw"
+ ],
+ "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
+ "published": "2026-04-02T19:21:36Z",
+ "updated": "2026-04-03T01:33:55Z",
+ "references": [
+ "https://github.com/openclaw/openclaw/security/advisories/GHSA-846p-hgpv-vphc"
+ ],
+ "source": "GitHub Security Advisory",
+ "repository": "openclaw/openclaw",
+ "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-846p-hgpv-vphc",
+ "nvd_url": null,
+ "cvss_score": null,
+ "cvss_vector": null,
+ "cwe_ids": [],
+ "credits": [
+ "feiyang666"
+ ],
+ "aliases": [
+ "GHSA-846p-hgpv-vphc"
+ ],
+ "source_feed": "ghsa-without-cve"
+ },
 {
 "id": "CVE-2026-34426",
 "severity": "high",
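Review bot: GHSA-846p-hgpv-vphc is added with `"type": "github_security_advisory"`, `"nvd_category_id": null` and `"cwe_ids": []`, so a `severity: high` local file read carries no vulnerability class anywhere in the entry. Elsewhere in this commit `type` holds a class (`path_traversal`, `server_side_request_forgery`, `missing_authorization`) and the origin is already recorded in `source` and `source_feed`, so the fallback puts a source label into a class field; GHSA-536q-mj95-h29h, GHSA-jf56-mccx-5f3f, GHSA-gfmx-pph7-g46x, GHSA-cwq8-6f96-g3q4 and GHSA-39mp-545q-w789 get the same fallback, four of them even though a CWE is present. A neutral fallback such as `"type": "unclassified"` (name to be agreed with consumers) would keep filters on `type` meaningful and make the unclassified entries easy to list for manual review.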
@@ -8752,6 +9016,51 @@
 "exploit_sources": []
 }
 },
+ {
+ "id": "GHSA-cwq8-6f96-g3q4",
+ "ghsa_id": "GHSA-cwq8-6f96-g3q4",
+ "cve_id": null,
+ "status": "active",
+ "stale": false,
+ "stale_after_days": 60,
+ "severity": "low",
+ "type": "github_security_advisory",
+ "nvd_category_id": "CWE-636",
+ "title": "Security Scan Failure Does Not Block Plugin Installation (Fail-Open)",
+ "description": "Summary Security Scan Failure Does Not Block Plugin Installation (Fail-Open) Current Maintainer Triage - Status: open - Normalized severity: low - Assessment: Real in shipped v2026.3.28 plugin install flow, but low severity fits because it still requires an operator to choose installation of an untrusted package and the scan failure was visible rather than silent. Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version: 2026.3.31 - Vulnerable version range: <=2026.3.28 - Patched versions: = 2026.3.31 - First stable tag containing the fix: v2026.3.31 Fix Commit(s) - 7a953a52271b9188a5fa830739a4366614ff9916 — 2026-03-30T15:36:08+01:00 - 44b993613601280d46a5b88190e46669fc13d669 — 2026-03-31T23:16:11+09:00 - 0d7f1e2c84eca65df7dee890d9c30e2a841c030a — 2026-03-31T23:27:20+09:00 - bf96c67fd1954740aeabfadc7cfe3098bcfc6b68 — 2026-03-31T15:53:29+01:00 Release Process Note - The fix is already present in released version 2026.3.31. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work. 
Thanks @davidluzsilva for reporting.",
+ "affected": [
+ "openclaw@<=2026.3.28"
+ ],
+ "patched": [
+ "openclaw@>= 2026.3.31"
+ ],
+ "platforms": [
+ "openclaw"
+ ],
+ "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
+ "published": "2026-03-31T21:45:37Z",
+ "updated": "2026-03-31T21:45:37Z",
+ "references": [
+ "https://github.com/openclaw/openclaw/security/advisories/GHSA-cwq8-6f96-g3q4"
+ ],
+ "source": "GitHub Security Advisory",
+ "repository": "openclaw/openclaw",
+ "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cwq8-6f96-g3q4",
+ "nvd_url": null,
+ "cvss_score": null,
+ "cvss_vector": null,
+ "cwe_ids": [
+ "CWE-636",
+ "CWE-754"
+ ],
+ "credits": [
+ "davidluzsilva"
+ ],
+ "aliases": [
+ "GHSA-cwq8-6f96-g3q4"
+ ],
+ "source_feed": "ghsa-without-cve"
+ },
 {
 "id": "CVE-2026-34504",
 "severity": "high",
@@ -9733,7 +10042,7 @@
 "https://github.com/openclaw/openclaw/security/advisories/GHSA-qc36-x95h-7j53",
 "https://www.vulncheck.com/advisories/openclaw-approval-bypass-via-unrecognized-script-runners"
 ],
- "cvss_score": 8.0,
+ "cvss_score": 8,
 "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32978",
 "exploitability_score": "high",
 "exploitability_rationale": "High CVSS score (8.0); network accessible",
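Review bot: `"openclaw@<=2026.3.28"` in GHSA-cwq8-6f96-g3q4 is written without the space after the operator that the other ranges in this commit use (`openclaw@<= 2026.4.2`, `openclaw@< 2026.4.10`), and `patched` is likewise split between bare versions (`openclaw@2026.4.8`) and ranges (`openclaw@>= 2026.3.31`). Version matching against this feed is presumably automated, so a consumer with a strict range pattern could skip this entry without raising an error. Normalising at generation time to `"openclaw@<= 2026.3.28"` keeps one grammar for `affected` and `patched`.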
@@ -10133,13 +10442,101 @@
 "exploit_sources": []
 }
 },
+ {
+ "id": "GHSA-39mp-545q-w789",
+ "ghsa_id": "GHSA-39mp-545q-w789",
+ "cve_id": null,
+ "status": "active",
+ "stale": false,
+ "stale_after_days": 60,
+ "severity": "medium",
+ "type": "github_security_advisory",
+ "nvd_category_id": "CWE-285",
+ "title": "Non-owner command-authorized sender can change the owner-only /send session delivery policy",
+ "description": "Fixed in OpenClaw 2026.3.24, the current shipping release. Title Non-owner command-authorized sender can change the owner-only /send session delivery policy CWE CWE-285 Improper Authorization CVSS v3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L Base score: 5.4 (Medium) Severity Assessment Medium. This is a real owner-only authorization bypass, but the demonstrated impact is limited to persistent mutation of the current session’s delivery policy rather than direct code execution, sandbox escape, or cross-host compromise. Impact A non-owner sender who is allowed to run commands can invoke /send on|off|inherit and persistently change the current session’s sendPolicy, even though OpenClaw documents /send as owner-only. That lets a lower-trust participant: - disable reply delivery for the current session (/send off), suppressing future replies in that chat; - re-enable reply delivery (/send on) after the owner intentionally disabled it; - remove the session override (/send inherit). Affected Component Verified against the latest published GitHub release tag v2026.3.23 (ccfeecb6887cd97937e33a71877ad512741e82b2), published 2026-03-23T23:15:50Z. Exact vulnerable path on the shipped tag: - src/auto-reply/reply/commands-session.ts:212-239 - handleSendPolicyCommand(...) checks only params.command.isAuthorizedSender. - when true, it mutates params.sessionEntry.sendPolicy and persists the session entry. 
Authorization behavior that makes this reachable: - src/auto-reply/command-auth.ts:401-407 - senderIsOwner is computed separately from general command authorization. - src/auto-reply/command-auth.ts:420-429 - command authorization can succeed even when senderIsOwner === false. - src/auto-reply/command-auth.owner-default.test.ts:10-47 - existing coverage confirms a sender can be command-authorized while not treated as owner. Documented owner-only contract: - docs/tools/slash-commands.md:112 - /send on|off|inherit is documented as owner-only. - docs/concepts/session-tool.md:156 - sendPolicy is documented as settable via sessions.patch or owner-only /send on|off|inherit. Related privilege model: - src/gateway/method-scopes.ts:131-133 - sessions.patch is admin-scoped, which reinforces that session-delivery-policy mutation is treated as privileged state. Version history: - The vulnerable handler exists in release history going back at least to commit ea018a68ccb92dbc735bc1df9880d5c95c63ca35 (refactor(auto-reply): split reply pipeline). - Earliest released affected tag found: v2026.1.14-1 - Latest released affected tag verified: v2026.3.23 Technical Reproduction 1. Check out the shipped release tag v2026.3.23. 2. Configure a channel where: - a non-owner sender is allowed to run commands, for example through commands.allowFrom; - the owner identity is distinct, for example via commands.ownerAllowFrom. 3. Start or reuse a session with a live sessionEntry and sessionStore. 4. Send /send off as the non-owner but command-authorized sender. 5. Confirm the resolved command context has: - isAuthorizedSender === true - senderIsOwner === false 6. Observe that the handler still accepts the command, mutates sessionEntry.sendPolicy, and persists the session entry. 
Demonstrated Impact The vulnerable handler performs a real persistent session-state change: - src/auto-reply/reply/commands-session.ts:232-238 - /send inherit deletes sessionEntry.sendPolicy - other modes assign sessionEntry.sendPolicy = sendPolicyCommand.mode - the handler then calls persistSessionEntry(params) The mutation is not gated by owner status, only by general command authorization. That changes subsequent delivery behavior for the current session, which matches the documented meaning of sendPolicy. Environment - Product: OpenClaw - Verified shipped tag: v2026.3.23 - Shipped tag commit: ccfeecb6887cd97937e33a71877ad512741e82b2 - Published GitHub release time: 2026-03-23T23:15:50Z - Verification date: 2026-03-24 Duplicate Check I did not find an existing GHSA for /send. This is distinct from: - GHSA-r7vr-gr74-94p8 - that advisory covered owner-only authorization bypasses for /config and /debug, not /send. This is the same authorization class, but a different privileged command surface that still lacks the owner check. In Scope Check This report is in scope under SECURITY.md because: - it does not rely on adversarial operators sharing one gateway host or config; - it does not rely on trusted local state tampering; - SECURITY.md:151-152 explicitly says non-owner sender status matters for owner-only tools and commands; - /send is explicitly documented as owner-only, so this is a direct owner-only authorization bypass, not a complaint about normal shared-agent steering. This is therefore a concrete authorization flaw against a documented product boundary. Remediation Advice 1. Change /send to require owner status, not just command authorization. 2. Reuse the same owner-only rejection pattern already used by privileged command surfaces such as /config, /debug, and owner-only /plugins writes. 3. Add regression coverage for the exact case where: - a non-owner sender is command-authorized; - /send must still be rejected unless senderIsOwner === true. 4. 
Verify that the owner can still use /send on|off|inherit normally.",
+ "affected": [
+ "openclaw@<= 2026.3.22"
+ ],
+ "patched": [
+ "openclaw@>= 2026.3.24"
+ ],
+ "platforms": [
+ "openclaw"
+ ],
+ "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
+ "published": "2026-03-27T15:52:20Z",
+ "updated": "2026-03-27T15:52:20Z",
+ "references": [
+ "https://github.com/openclaw/openclaw/security/advisories/GHSA-39mp-545q-w789"
+ ],
+ "source": "GitHub Security Advisory",
+ "repository": "openclaw/openclaw",
+ "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-39mp-545q-w789",
+ "nvd_url": null,
+ "cvss_score": 5.4,
+ "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
+ "cwe_ids": [
+ "CWE-285"
+ ],
+ "credits": [
+ "tdjackey"
+ ],
+ "aliases": [
+ "GHSA-39mp-545q-w789"
+ ],
+ "source_feed": "ghsa-without-cve"
+ },
+ {
+ "id": "GHSA-vqvg-86cc-cg83",
+ "ghsa_id": "GHSA-vqvg-86cc-cg83",
+ "cve_id": null,
+ "status": "active",
+ "stale": false,
+ "stale_after_days": 60,
+ "severity": "medium",
+ "type": "missing_authorization",
+ "nvd_category_id": "CWE-862",
+ "title": "Mutating internal /allowlist chat commands missed operator.admin scope enforcement",
+ "description": "Fixed in OpenClaw 2026.3.24, the current shipping release. Title Mutating internal /allowlist chat commands missed operator.admin scope enforcement CWE CWE-862 Missing Authorization CVSS v3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Base score: 6.5 (Medium) Severity Assessment Medium. This is a real authorization flaw in OpenClaw’s internal control plane. The issue does not require host access, trusted local state tampering, or multi-tenant assumptions, but exploitation does require an already authenticated internal Gateway caller with operator.write. 
Impact An authenticated internal Gateway caller limited to operator.write can perform state-changing /allowlist actions without operator.admin, even though comparable mutating internal chat commands already require operator.admin. The reachable effects are persistent changes to config-backed allowFrom entries and pairing-store-backed allowlist entries. This is not a semantic-modeling complaint and not a generic “trusted operator can do things” claim. It is a missing authorization check inside OpenClaw’s own internal scope model, where peer mutating command surfaces already distinguish operator.write from operator.admin. Affected Component Verified against the latest published GitHub release tag v2026.3.23 (ccfeecb6887cd97937e33a71877ad512741e82b2), published 2026-03-23T23:15:50Z. Exact vulnerable path on the shipped tag: - src/auto-reply/reply/commands-allowlist.ts:251-254 - /allowlist authorization uses only rejectUnauthorizedCommand(...). - src/auto-reply/reply/commands-allowlist.ts:386-524 - mutating config and pairing-store writes happen here, but there is no requireGatewayClientScopeForInternalChannel(..., operator.admin, ...). Reachability and scope model: - src/gateway/method-scopes.ts:94-109 - chat.send is a write-scoped method. - src/gateway/server.chat.gateway-server-chat.test.ts:539-559 - existing runtime coverage proves chat.send routes slash commands without an agent run. - src/auto-reply/command-auth.ts:574-577 - internal callers become senderIsOwner only when GatewayClientScopes includes operator.admin. 
Comparable internal mutating command paths already enforce operator.admin: - src/auto-reply/reply/commands-config.ts:64-73 - src/auto-reply/reply/commands-mcp.ts:89-96 - src/auto-reply/reply/commands-plugins.ts:387-394 - src/auto-reply/reply/commands-acp.ts:98-106 Version history: - Introduced by commit 555b2578a8cc6e1b93f717496935ead97bfbed8b (feat: add /allowlist command) - Earliest released affected tag found: v2026.1.20 - Latest released affected tag verified: v2026.3.23 Technical Reproduction 1. Check out the shipped release tag v2026.3.23. 2. Use an internal command context with: - Provider = \"webchat\" - Surface = \"webchat\" - GatewayClientScopes = [\"operator.write\"] - params.command.channel = \"webchat\" 3. Route a slash command through chat.send. 4. Execute either of these mutating commands: - /allowlist add dm channel=telegram 789 - /allowlist add dm --store channel=telegram 789 5. Confirm the command context is authorized but not owner-equivalent: - isAuthorizedSender === true - senderIsOwner === false 6. Observe that the commands still succeed and perform persistent writes. Demonstrated Impact The vulnerable handler performs real state mutation for a low-scope internal caller: - Config-backed mutation path: - src/auto-reply/reply/commands-allowlist.ts:398-503 - reads the config snapshot, applies the edit, validates, and writes the updated config to disk. - Store-backed mutation path: - src/auto-reply/reply/commands-allowlist.ts:479-485 - src/auto-reply/reply/commands-allowlist.ts:513-518 - updates the pairing-store allowlist without any admin-scope gate. The result is successful persistence, not just a misleading success message. 
Environment - Product: OpenClaw - Verified shipped tag: v2026.3.23 - Shipped tag commit: ccfeecb6887cd97937e33a71877ad512741e82b2 - Published GitHub release time: 2026-03-23T23:15:50Z - Verification date: 2026-03-24 Duplicate Check This is not a duplicate of: - GHSA-pjvx-rx66-r3fg - that advisory covered cross-account scoping in /allowlist ... --store, not missing internal operator.admin enforcement. - GHSA-hfpr-jhpq-x4rm - that advisory covered /config writes through chat.send, not /allowlist. - GHSA-3w6x-gv34-mqpf - same authorization class, but different command path (/acp, not /allowlist). In Scope Check This report is in scope under SECURITY.md because: - it does not rely on adversarial operators sharing one gateway host or config; - it does not target the HTTP compatibility endpoints that SECURITY.md explicitly treats as full operator-access surfaces; - it demonstrates a real authorization mismatch inside OpenClaw’s own internal control-plane scope model (operator.write vs operator.admin); - peer mutating internal chat commands already enforce operator.admin, so this is not a request for a new boundary but a missing check on an existing one. This is therefore a concrete authorization bug, not a trusted-operator hardening suggestion. Remediation Advice 1. Add requireGatewayClientScopeForInternalChannel(..., allowedScopes: [\"operator.admin\"], ...) to the mutating internal /allowlist paths. 2. Add regression coverage for both mutation modes: - internal operator.write must be rejected; - internal operator.admin must be allowed. 3. Cover both config-backed and store-backed writes. 4. 
Audit other mutating internal chat-command paths for the same missing-scope pattern.",
+ "affected": [
+ "openclaw@<= 2026.3.22"
+ ],
+ "patched": [
+ "openclaw@>= 2026.3.24"
+ ],
+ "platforms": [
+ "openclaw"
+ ],
+ "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
+ "published": "2026-03-27T15:52:18Z",
+ "updated": "2026-03-27T15:52:18Z",
+ "references": [
+ "https://github.com/openclaw/openclaw/security/advisories/GHSA-vqvg-86cc-cg83"
+ ],
+ "source": "GitHub Security Advisory",
+ "repository": "openclaw/openclaw",
+ "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vqvg-86cc-cg83",
+ "nvd_url": null,
+ "cvss_score": 6.5,
+ "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "credits": [
+ "tdjackey"
+ ],
+ "aliases": [
+ "GHSA-vqvg-86cc-cg83"
+ ],
+ "source_feed": "ghsa-without-cve"
+ },
 {
 "id": "CVE-2026-32846",
 "severity": "high",
 "type": "path_traversal",
 "nvd_category_id": "CWE-22",
- "title": "OpenClaw through 2026.3.23 (fixed in commit 4797bbc) contains a path traversal vulnerability in medi...",
- "description": "OpenClaw through 2026.3.23 (fixed in commit 4797bbc) contains a path traversal vulnerability in media parsing that allows attackers to read arbitrary files by bypassing path validation in the isLikelyLocalPath() and isValidMedia() functions. 
Attackers can exploit incomplete validation and the allowBareFilename bypass to reference files outside the intended application sandbox, resulting in disclosure of sensitive information including system files, environment files, and SSH keys.",
+ "title": "OpenClaw before 2026.3.28 contains a path traversal vulnerability in media parsing that allows attac...",
+ "description": "OpenClaw before 2026.3.28 contains a path traversal vulnerability in media parsing that allows attackers to read arbitrary files by bypassing path validation in the isLikelyLocalPath() and isValidMedia() functions. Attackers can exploit incomplete validation and the allowBareFilename bypass to reference files outside the intended application sandbox, resulting in disclosure of sensitive information including system files, environment files, and SSH keys.",
 "affected": [
 "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
 "openclaw@*"
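Review bot: `affected` for GHSA-39mp-545q-w789 and GHSA-vqvg-86cc-cg83 stops at `openclaw@<= 2026.3.22` and `patched` starts at `openclaw@>= 2026.3.24`, yet both descriptions state `Latest released affected tag verified: v2026.3.23`. A scanner matching on the structured range would report a 2026.3.23 install as unaffected by two authorization bypasses. If the range comes from the upstream advisory metadata it is worth reporting there; in the feed, `"openclaw@< 2026.3.24"` closes the gap. In the same hunk the CVE-2026-32846 text now says `before 2026.3.28` while the context line below it still lists `"openclaw@*"`, which looks like it needs the same reconciliation; that entry continues outside the hunk.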
@@ -10169,6 +10566,139 @@ "exploit_sources": [] } }, + { + "id": "GHSA-cfp9-w5v9-3q4h", + "ghsa_id": "GHSA-cfp9-w5v9-3q4h", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "incorrect_authorization", + "nvd_category_id": "CWE-863", + "title": "Image tool bypassed tools.fs.workspaceOnly and could read mounted files outside the workspace", + "description": "Summary The image tool did not fully honor the tools.fs.workspaceOnly filesystem boundary. In affected releases, image-path resolution could still traverse sandbox bridge mounts outside the workspace and read files from mounted directories that the other file tools would reject. Affected Packages / Versions - Package: openclaw (npm) - Affected: < 2026.3.2 - Fixed: = 2026.3.2 - Latest released tags checked: v2026.3.23 (ccfeecb6887cd97937e33a71877ad512741e82b2) and v2026.3.23-2 (630f1479c44f78484dfa21bb407cbe6f171dac87) - Latest published npm version checked: 2026.3.23-2 Fix Commit(s) - dd9d9c1c609dcb4579f9e57bd7b5c879d0146b53 - 14baadda2c456f3cf749f1f97e8678746a34a7f4 Release Status The complete fix shipped in v2026.3.2 and remains present in v2026.3.23 and v2026.3.23-2. Code-Level Confirmation - src/agents/openclaw-tools.ts now passes fsPolicy into createImageTool, so the image tool receives the same workspace-only policy input as the other filesystem tools. - src/agents/tools/image-tool.ts, src/agents/tools/media-tool-shared.ts, and src/agents/sandbox-media-paths.ts now restrict local roots and sandbox-bridge resolution to the workspace when tools.fs.workspaceOnly is enabled. 
Thanks @YLChen-007 for reporting.", + "affected": [ + "openclaw@< 2026.3.2" + ], + "patched": [ + "openclaw@>= 2026.3.2" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-24T18:07:14Z", + "updated": "2026-03-24T18:07:14Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-cfp9-w5v9-3q4h" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cfp9-w5v9-3q4h", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-863" + ], + "credits": [ + "YLChen-007" + ], + "aliases": [ + "GHSA-cfp9-w5v9-3q4h" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-vfg3-pqpq-93m4", + "ghsa_id": "GHSA-vfg3-pqpq-93m4", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "incorrect_authorization", + "nvd_category_id": "CWE-863", + "title": "Tlon cite expansion happened before channel and DM authorization completed.", + "description": "Summary Tlon cite expansion happened before channel and DM authorization completed, allowing cite work and content handling before the final auth decision. Affected Packages / Versions - Package: openclaw (npm) - Affected: < 2026.3.22 - Fixed: = 2026.3.22 - Latest released tag checked: v2026.3.23-2 (630f1479c44f78484dfa21bb407cbe6f171dac87) - Latest published npm version checked: 2026.3.23-2 Fix Commit(s) - 3cbf932413e41d1836cb91aed1541a28a3122f93 - ebee4e2210e1f282a982c7ef2ad79d77a572fc87 Release Status The fix shipped in v2026.3.22 and remains present in v2026.3.23 and v2026.3.23-2. Code-Level Confirmation - extensions/tlon/src/monitor/index.ts now defers cite expansion until after authorization and preserves explicit empty-allowlist semantics. 
- extensions/tlon/src/monitor/utils.ts and extensions/tlon/src/security.test.ts ship the deferred cite expansion behavior and regressions. Thanks @zpbrent for reporting.", + "affected": [ + "openclaw@< 2026.3.22" + ], + "patched": [ + "openclaw@>= 2026.3.22" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-24T17:37:07Z", + "updated": "2026-03-24T17:37:07Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-vfg3-pqpq-93m4" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vfg3-pqpq-93m4", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-863" + ], + "credits": [ + "zpbrent" + ], + "aliases": [ + "GHSA-vfg3-pqpq-93m4" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-h3x4-hc5v-v2gm", + "ghsa_id": "GHSA-h3x4-hc5v-v2gm", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-40", + "title": "Windows media loaders accepted remote-host file URLs before local path validation", + "description": "Summary Windows local-media handling accepted remote-host file URLs and UNC-style paths before local-path validation, so network-hosted file targets could be treated as local content. Affected Packages / Versions - Package: openclaw (npm) - Affected: < 2026.3.22 - Fixed: = 2026.3.22 - Latest released tag checked: v2026.3.23-2 (630f1479c44f78484dfa21bb407cbe6f171dac87) - Latest published npm version checked: 2026.3.23-2 Fix Commit(s) - 4fd7feb0fd4ec16c48ed983980dba79a09b3aaf5 - 93880717f1cd34feaa45e74e939b7a5256288901 Release Status The fix shipped in v2026.3.22 and remains present in v2026.3.23 and v2026.3.23-2. 
Code-Level Confirmation - src/infra/local-file-access.ts now rejects remote-host file: URLs and UNC/network paths as non-local input. - src/media/web-media.ts, src/media-understanding/attachments.normalize.ts, and src/agents/sandbox-paths.ts all route through the shared local-file guard. Thanks @RacerZ-fighting, @Fushuling for reporting.", + "affected": [ + "openclaw@< 2026.3.22" + ], + "patched": [ + "openclaw@>= 2026.3.22" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-24T17:36:44Z", + "updated": "2026-03-24T17:36:44Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-h3x4-hc5v-v2gm" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h3x4-hc5v-v2gm", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-40" + ], + "credits": [ + "RacerZ-fighting", + "Fushuling" + ], + "aliases": [ + "GHSA-h3x4-hc5v-v2gm" + ], + "source_feed": "ghsa-without-cve" + }, { "id": "CVE-2026-32913", "severity": "critical", @@ -11337,7 +11867,7 @@ "https://github.com/openclaw/openclaw/commit/b34097f62df9d1960cc22600269cd3f3284e2124", "https://github.com/openclaw/openclaw/security/advisories/GHSA-w76h-8m22-hpgh" ], - "cvss_score": 6.0, + "cvss_score": 6, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32037", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.0); network accessible; SSRF affects agents making external requests", 
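Review bot: The GHSA-h3x4-hc5v-v2gm record has `"type": "github_security_advisory"`, which names the source (already carried by `source` and `source_feed`) rather than a weakness class, while the two CWE-863 records in the same hunk get `"incorrect_authorization"`. A consumer that filters or routes on `type` will not see this entry as a file-path handling issue, even though `nvd_category_id` is `CWE-40`. The same fallback appears in the `@@ -14230,6 +14760,319 @@` hunk for the CWE-184, CWE-436, CWE-15, CWE-639 and CWE-307 records, and for GHSA-rchv-x836-w7xp, which has `"cwe_ids": []`. I would either extend the CWE-to-type mapping or document that consumers must key on `cwe_ids` for `ghsa-without-cve` entries. All three records here also pair `"cvss_score": null` with `"severity": "medium"`, so anything that ranks by score needs a defined fallback to `severity`.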
@@ -12164,7 +12694,7 @@ "https://github.com/openclaw/openclaw/security/advisories/GHSA-r65x-2hqr-j5hf", "https://www.vulncheck.com/advisories/openclaw-node-reconnect-metadata-spoofing-via-unsigned-platform-fields" ], - "cvss_score": 8.0, + "cvss_score": 8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32014", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.0); network accessible", @@ -12738,7 +13268,7 @@ "https://github.com/openclaw/openclaw/security/advisories/GHSA-q399-23r3-hfx4", "https://www.vulncheck.com/advisories/openclaw-executable-rebind-via-unbound-path-token-in-system-run-approvals" ], - "cvss_score": 6.0, + "cvss_score": 6, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31997", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.0); requires local access", 
@@ -14230,6 +14760,319 @@ "exploit_sources": [] } }, + { + "id": "GHSA-3h2q-j2v4-6w5r", + "ghsa_id": "GHSA-3h2q-j2v4-6w5r", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-184", + "title": "system.run allowlist approval parsing missed PowerShell encoded-command wrappers", + "description": "OpenClaw's system.run shell-wrapper detection did not recognize PowerShell -EncodedCommand forms as inline-command wrappers. In allowlist mode, a caller with access to system.run could invoke pwsh or powershell using -EncodedCommand, -enc, or -e, and the request would fall back to plain argv analysis instead of the normal shell-wrapper approval path. This could allow a PowerShell inline payload to execute without the approval step that equivalent -Command invocations would require. Latest published npm version: 2026.3.2 Fixed on main on March 7, 2026 in 1d1757b16f48f1a93cd16ab0ad7e2c3c63ce727d by recognizing PowerShell encoded-command aliases during shell-wrapper parsing, so allowlist mode continues to require approval for those payloads. Normal approved PowerShell wrapper flows continue to work. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.3.2 - Patched version: = 2026.3.7 Fix Commit(s) - 1d1757b16f48f1a93cd16ab0ad7e2c3c63ce727d Release Process Note npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package. 
Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.3.2" + ], + "patched": [ + "openclaw@>= 2026.3.7" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-08T14:26:58Z", + "updated": "2026-03-08T14:26:58Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-3h2q-j2v4-6w5r" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3h2q-j2v4-6w5r", + "nvd_url": null, + "cvss_score": 5, + "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", + "cwe_ids": [ + "CWE-184", + "CWE-863" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-3h2q-j2v4-6w5r" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-9q2p-vc84-2rwm", + "ghsa_id": "GHSA-9q2p-vc84-2rwm", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-436", + "title": "system.run allow-always persistence included shell-commented payload tails", + "description": "OpenClaw's system.run allowlist analysis did not honor POSIX shell comment semantics when deriving allow-always persistence entries. A caller in security=allowlist mode who received an allow-always decision could submit a shell command whose tail was commented out at runtime, for example by using an unquoted # before a chained payload. The runtime shell would execute only the pre-comment portion, but allowlist persistence could still analyze and store the non-executed tail as a trusted follow-up command. 
Latest published npm version: 2026.3.2 Fixed on main on March 7, 2026 in 939b18475d734ed75173f59507e3ebbdfe1992b7 by teaching shell tokenization and chain/pipeline analysis to stop at unquoted shell comments, so allow-always persistence now tracks only commands that the shell can actually execute. Normal real chained commands and quoted # literals continue to work. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.3.2 - Patched version: = 2026.3.7 Fix Commit(s) - 939b18475d734ed75173f59507e3ebbdfe1992b7 Release Process Note npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package. Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.3.2" + ], + "patched": [ + "openclaw@>= 2026.3.7" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-08T14:26:57Z", + "updated": "2026-03-08T14:26:57Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-9q2p-vc84-2rwm" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9q2p-vc84-2rwm", + "nvd_url": null, + "cvss_score": 5, + "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", + "cwe_ids": [ + "CWE-436", + "CWE-863" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-9q2p-vc84-2rwm" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-hfpr-jhpq-x4rm", + "ghsa_id": "GHSA-hfpr-jhpq-x4rm", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "incorrect_authorization", + "nvd_category_id": "CWE-863", + "title": "operator.write chat.send could reach admin-only config writes", + "description": "Summary A gateway client authenticated with operator.write could route /config set or /config unset through 
chat.send and reach persistent config mutation even though direct config RPC methods are admin-scoped. Affected Packages / Versions - Package: openclaw (npm) - Latest published vulnerable version: 2026.3.2 - Affected range: <= 2026.3.2 - Patched in: 2026.3.7 Details Before the fix, chat.send ran slash commands in an internal gateway-chat context with CommandAuthorized: true, and /config write paths only checked command authorization plus commands.config / channels.= 2026.3.7" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-08T14:26:56Z", + "updated": "2026-03-08T14:26:56Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-hfpr-jhpq-x4rm" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hfpr-jhpq-x4rm", + "nvd_url": null, + "cvss_score": 4.3, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "cwe_ids": [ + "CWE-863" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-hfpr-jhpq-x4rm" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-j425-whc4-4jgc", + "ghsa_id": "GHSA-j425-whc4-4jgc", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-15", + "title": "system.run env override filtering allowed dangerous helper-command pivots", + "description": "Summary system.run env override sanitization allowed dangerous override-only helper-command pivots to reach subprocesses. A caller who could invoke system.run with env overrides could bypass allowlist/approval intent by steering an allowlisted tool through helper-command or config-loading environment variables such as GITSSHCOMMAND, editor/pager hooks, and GITCONFIG / NPMCONFIG. 
Affected Packages / Versions - Package: openclaw (npm) - Latest published vulnerable version: 2026.3.2 - Affected range: <= 2026.3.2 - Patched in: 2026.3.7 Details Before the fix, src/infra/host-env-security.ts blocked only a narrow set of override-only environment variables. Dangerous request-scoped overrides such as GITSSHCOMMAND and prefix families such as GITCONFIG and NPMCONFIG could still survive sanitizeSystemRunEnvOverrides(...) / sanitizeHostExecEnv(...) and reach the spawned process. That mattered for system.run allowlist and approval flows because approval evaluation was tied to the reviewed binary/argv, while the launched process could still inherit attacker-controlled env overrides that changed helper-command execution or config resolution. For allowlisted tools such as git, this allowed behavior outside the reviewed command semantics. The fix extends the shared TypeScript and macOS policy to block dangerous override-only exact keys and prefixes while preserving trusted inherited base-environment behavior. Impact This is a real protection-bypass issue, but exploitation requires an already tool-enabled caller who can invoke system.run and supply env overrides. In affected deployments, that caller could bypass allowlist/approval intent and trigger helper-command execution or config-loading behavior that is not represented by the approved command line. Maintainer severity is set to medium because the bug still requires that existing execution capability; the vulnerability is the mismatch between reviewed command semantics and the actual spawned-process behavior. Fix Commit(s) - e27bbe4982439da6864160fd1b66445058f74801 Release Process Note npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package. 
Thanks @tdjackey and @SnailSploit for reporting.", + "affected": [ + "openclaw@<= 2026.3.2" + ], + "patched": [ + "openclaw@>= 2026.3.7" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-08T14:26:56Z", + "updated": "2026-03-08T14:26:56Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-j425-whc4-4jgc" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-j425-whc4-4jgc", + "nvd_url": null, + "cvss_score": 6.3, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "cwe_ids": [ + "CWE-15", + "CWE-693" + ], + "credits": [ + "tdjackey", + "SnailSploit", + "zpbrent" + ], + "aliases": [ + "GHSA-j425-whc4-4jgc" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-pjvx-rx66-r3fg", + "ghsa_id": "GHSA-pjvx-rx66-r3fg", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-639", + "title": "Cross-account sender authorization expansion in /allowlist ... --store account scoping", + "description": "Summary /allowlist ... --store resolved the selected channel accountId for reads, but store writes still dropped that accountId and wrote into the legacy unscoped pairing allowlist store. Because default-account reads still merge legacy unscoped entries, a store entry intended for one account could silently authorize the same sender on the default account. This is a real cross-account sender-authorization scoping bug. Severity is set to medium because exploitation requires an already-authorized user who can run /allowlist edits. 
Affected Packages / Versions - Package: openclaw (npm) - Latest published version checked: 2026.3.2 - Affected versions: <= 2026.3.2 - Fixed on main: March 7, 2026 in 70da80bcb5574a10925469048d2ebb2abf882e73 - Patched release: 2026.3.7 Details The affected path was: - src/auto-reply/reply/commands-allowlist.ts:386-393 resolved accountId and read store state with it - src/auto-reply/reply/commands-allowlist.ts:697-702 and src/auto-reply/reply/commands-allowlist.ts:730-733 wrote store state without passing accountId - src/pairing/pairing-store.ts:231-234 and src/pairing/pairing-store.ts:534-554 still merged legacy unscoped allowlist entries into the default account The fix scopes /allowlist ... --store writes to the resolved account and clears legacy default-account store entries on removal so legacy reads no longer create cross-account authorization bleed-through. Impact - Vulnerability class: improper authorization scoping / incorrect authorization - Exploitation requires: an already-authorized sender who can run /allowlist edits - Security effect: unintended authorization expansion from one channel account into default Fix Commit(s) - 70da80bcb5574a10925469048d2ebb2abf882e73 — scope /allowlist ... --store writes by account and clean up legacy default-account removals Release Process Note npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package. 
Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.3.2" + ], + "patched": [ + "openclaw@>= 2026.3.7" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-08T14:26:55Z", + "updated": "2026-03-08T14:26:55Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-pjvx-rx66-r3fg" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-pjvx-rx66-r3fg", + "nvd_url": null, + "cvss_score": 5.4, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", + "cwe_ids": [ + "CWE-639", + "CWE-863" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-pjvx-rx66-r3fg" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-6rmx-gvvg-vh6j", + "ghsa_id": "GHSA-6rmx-gvvg-vh6j", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-307", + "title": "hooks count non-POST requests toward auth lockout", + "description": "OpenClaw's hooks HTTP handler counted hook authentication failures before rejecting unsupported HTTP methods. An unauthenticated client could send repeated non-POST requests (for example GET) with an invalid token to consume the hook auth failure budget and trigger the temporary lockout window for that client key. The fix moves the hook method gate ahead of auth-failure accounting so unsupported methods return 405 Method Not Allowed without incrementing the hook auth limiter. 
Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.3.2 - Patched version: 2026.3.7 - Latest published npm version at patch time: 2026.3.2 Impact An unauthenticated network client that could reach /hooks/ could temporarily lock out legitimate webhook delivery when requests collapsed to the same hook auth client key, such as shared proxy or NAT topologies. Impact is limited to temporary availability loss for hook-triggered wake or automation delivery. Fix Commit(s) - 44820dceadac65ac7c0ce8fc0ffba8c2bd9fae89 Verification - pnpm check passed - pnpm test:fast passed - focused hook regression tests passed - pnpm exec vitest run --config vitest.gateway.config.ts still has unrelated current-main failures in src/gateway/server-channels.test.ts and src/gateway/server-methods/agents-mutate.test.ts Release Process Note npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package. Thanks @JNX03 for reporting.", + "affected": [ + "openclaw@<= 2026.3.2" + ], + "patched": [ + "openclaw@>= 2026.3.7" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-08T14:26:54Z", + "updated": "2026-03-08T14:26:54Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-6rmx-gvvg-vh6j" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6rmx-gvvg-vh6j", + "nvd_url": null, + "cvss_score": 5.3, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cwe_ids": [ + "CWE-307", + "CWE-799" + ], + "credits": [ + "JNX03" + ], + "aliases": [ + "GHSA-6rmx-gvvg-vh6j" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-rchv-x836-w7xp", + "ghsa_id": "GHSA-rchv-x836-w7xp", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + 
"severity": "high", + "type": "github_security_advisory", + "nvd_category_id": null, + "title": "Dashboard leaked gateway auth material via browser URL/query and localStorage", + "description": "OpenClaw's macOS Dashboard flow exposed Gateway authentication material to browser-controlled surfaces. Before the fix, the macOS app appended the shared Gateway token and password to the Dashboard URL query string when opening the Control UI in the browser. The Control UI then imported the token and persisted it into browser localStorage under openclaw.control.settings.v1. This expanded exposure of reusable Gateway admin credentials into browser address-bar/query surfaces and persistent script-readable storage. Affected Packages / Versions - Package: openclaw (npm) - Latest published version verified vulnerable: 2026.3.2 - Affected range: <= 2026.3.2 - Patched version: = 2026.3.7 Impact An attacker with access to browser-controlled surfaces or persistent browser storage could recover a valid Gateway admin token and reuse it against the OpenClaw management interface. The exposure chain was: 1. macOS Open Dashboard constructed a URL with auth material. 2. The browser received that credential-bearing URL. 3. The Control UI imported the token from the URL. 4. The Control UI persisted the token in localStorage. Fix The fix aligns the macOS Dashboard flow with the safer existing CLI/bootstrap pattern and removes persistent browser token storage: - macOS Dashboard now passes the Gateway token via URL fragment instead of query parameters. - macOS Dashboard no longer propagates the shared Gateway password into browser URLs. - Control UI keeps Gateway tokens in memory only for the current tab. - Control UI scrubs legacy persisted tokens from openclaw.control.settings.v1 on load. - Regression tests cover fragment transport, password omission, and token-scrubbing behavior. 
Fix Commit(s) - 10d0e3f3ca92326df0ca071fabffe463742f263c (March 7, 2026) Release Process Note npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package. Thanks @whiter6666 for reporting.", + "affected": [ + "openclaw@<= 2026.3.2" + ], + "patched": [ + "openclaw@>= 2026.3.7" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-08T14:26:54Z", + "updated": "2026-03-08T14:26:54Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-rchv-x836-w7xp" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rchv-x836-w7xp", + "nvd_url": null, + "cvss_score": 7.1, + "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", + "cwe_ids": [], + "credits": [ + "whiter6666" + ], + "aliases": [ + "GHSA-rchv-x836-w7xp" + ], + "source_feed": "ghsa-without-cve" + }, { "id": "CVE-2026-29613", "severity": "medium", 
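Review bot: The flattened `description` strings in this hunk lose characters that defenders search on. GHSA-j425-whc4-4jgc lists the environment variables as `GITSSHCOMMAND`, `GITCONFIG` and `NPMCONFIG` (presumably `GIT_SSH_COMMAND` and the `GIT_CONFIG` / `NPM_CONFIG` prefixes upstream), and several records read `Patched version: = 2026.3.7` where the structured field says `openclaw@>= 2026.3.7`. This looks like the Markdown-to-text step dropping `_` and `>`. I would keep code spans verbatim when flattening, or state in the feed's `description` that consumers should rely on `affected` / `patched` and treat the free text as unstructured. As shown here, the GHSA-hfpr-jhpq-x4rm record runs from its description (`channels.= 2026.3.7"`) straight into the end of the `patched` array with no `affected` key. That may be a rendering artifact of this page, but it is worth confirming that the record in the file parses and carries both ranges.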
@@ -15890,6 +16733,317 @@ "exploit_sources": [] } }, + { + "id": "GHSA-474h-prjg-mmw3", + "ghsa_id": "GHSA-474h-prjg-mmw3", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "high", + "type": "github_security_advisory", + "nvd_category_id": "CWE-269", + "title": "Sandboxed sessionsspawn(runtime=\"acp\") bypassed sandbox inheritance and allowed host ACP initialization", + "description": "Summary Sandboxed sessionsspawn(runtime=\"acp\") could bypass sandbox inheritance and initialize host-side ACP runtime. The fix now fail-closes ACP spawn from sandboxed requester sessions and rejects sandbox=\"require\" for runtime=\"acp\". Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version at triage time: 2026.3.1 (March 2, 2026) - Vulnerable range: <=2026.3.1 - Patched release: 2026.3.2 (released) Technical Details - Root cause: runtime=\"subagent\" enforced sandbox inheritance, while runtime=\"acp\" did not enforce equivalent sandbox/runtime checks. - Security impact: sandbox-boundary bypass into host-side ACP initialization. 
- Fixed behavior: - deny ACP spawn when requester runtime is sandboxed - deny sessionsspawn with runtime=\"acp\", sandbox=\"require\" - align sandboxed prompt guidance to avoid advertising blocked ACP paths Fix Commit(s) - ac11f0af731d41743ba02d8595f4d0fe747336e3 - c703aa0fe92df9fb71cf254fc46991e05fba2114", + "affected": [ + "openclaw@<=2026.3.1" + ], + "patched": [ + "openclaw@>= 2026.3.2" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-03T04:14:22Z", + "updated": "2026-03-03T04:14:22Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-474h-prjg-mmw3" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-474h-prjg-mmw3", + "nvd_url": null, + "cvss_score": 8, + "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", + "cwe_ids": [ + "CWE-269" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-474h-prjg-mmw3" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-v865-p3gq-hw6m", + "ghsa_id": "GHSA-v865-p3gq-hw6m", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-288", + "title": "Encoded-path auth bypass in plugin /api/channels route classification", + "description": "Summary (Updated March 2, 2026) Encoded alternate-path requests could bypass plugin route auth checks for /api/channels/ due to canonicalization depth mismatch in vulnerable builds. 
Affected Packages / Versions - Package: openclaw (npm) - Latest published vulnerable version: 2026.3.1 - Affected range: <= 2026.3.1 - Patched release: 2026.3.2 (patchedversions: = 2026.3.2) Technical Details In affected versions, plugin auth-path classification and route-path canonicalization could diverge for deeply encoded slash variants (for example multi-encoded %2f). That mismatch allowed alternate encoded paths to evade protected-prefix auth checks while still resolving to /api/channels/... in plugin route handling. The fix set hardens this class of issue by: - canonicalizing route paths to a bounded fixpoint, - failing closed on malformed or unresolved canonicalization depth, - requiring explicit plugin-route auth contracts (no implicit auth default), - enforcing route ownership/conflict guards for duplicate route registrations, and - using shared webhook route lifecycle registration to avoid stale/conflicting route surfaces. Affected Deployments Deployments exposing plugin HTTP routes and relying on gateway auth for /api/channels/ protection. 
Fix Commit(s) - 93b07240257919f770d1e263e1f22753937b80ea - 2fd8264ab03bd178e62a5f0c50d1c8556c17f12d - d74bc257d8432f17e50b23ae713d7e0623a1fe0f - 7a7eee920a176a0043398c6b37bf4cc6eb983eeb", + "affected": [ + "openclaw@<= 2026.3.1" + ], + "patched": [ + "openclaw@>= 2026.3.2" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-03T04:14:18Z", + "updated": "2026-03-03T04:14:18Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-v865-p3gq-hw6m" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v865-p3gq-hw6m", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-288" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-v865-p3gq-hw6m" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-2858-xg23-26fp", + "ghsa_id": "GHSA-2858-xg23-26fp", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "server_side_request_forgery", + "nvd_category_id": "CWE-918", + "title": "Node camera URL payload host-binding bypass allowed gateway fetch pivots", + "description": "Summary OpenClaw accepted camera.snap / camera.clip node payload url fields and downloaded them on the gateway/agent host without binding downloads to the resolved node host. In OpenClaw's documented trust model, paired nodes are in the same operator trust boundary, so this is scoped as medium-severity hardening. A malicious or compromised paired node could still steer gateway-host fetches during camera URL retrieval. 
Affected Packages / Versions - Package: openclaw (npm) - Affected versions: = 2026.2.13 <= 2026.3.1 - Latest vulnerable published version at time of update: 2026.3.1 - Patched versions: = 2026.3.2 (released) Technical Details Vulnerable flows accepted URL payloads and downloaded directly from the provided URL: - src/cli/nodes-camera.ts (writeUrlToFile) fetched URL payloads without node-host binding. - src/cli/nodes-cli/register.camera.ts passed camera.snap / camera.clip payload URLs into that downloader. - src/agents/tools/nodes-tool.ts did the same for camerasnap / cameraclip tool actions. Impact A malicious/compromised paired node could cause gateway-host URL fetches to off-node destinations reachable from the host network. This could be used for internal network probing/fetch pivots in deployments where paired nodes are not fully trusted. Remediation The fix introduces fail-closed node-host binding and guarded fetch for camera URL payload downloads: - Require resolved node host metadata for URL payload downloads. - Enforce hostname match between payload URL and resolved node host. - Use SSRF-guarded fetch with redirect host/protocol checks. - Apply the same enforcement across CLI and agent tool camera paths. 
Fix Commit(s) - 3bf19d6f40a0aaa55818b96eede3d05130c02533", + "affected": [ + "openclaw@>= 2026.2.13 <= 2026.3.1" + ], + "patched": [ + "openclaw@>= 2026.3.2" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-03T04:14:15Z", + "updated": "2026-03-03T04:14:15Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-2858-xg23-26fp" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2858-xg23-26fp", + "nvd_url": null, + "cvss_score": 5.5, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", + "cwe_ids": [ + "CWE-918" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-2858-xg23-26fp" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-8m9v-xpgf-g99m", + "ghsa_id": "GHSA-8m9v-xpgf-g99m", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "incorrect_authorization", + "nvd_category_id": "CWE-863", + "title": "Unauthorized sender bypass in stop triggers and /models command authorization", + "description": "Summary Unauthorized senders could trigger two command paths without sender authorization checks: 1. stop-like natural-language abort triggers 2. /models command output Impact An unauthorized sender could disrupt active sessions and view model/auth metadata that should be authorization-gated. Fix Sender authorization is now enforced for stop-like abort triggers and /models listings. 
Affected and Patched Versions - Affected: <= 2026.2.26 - Patched: 2026.3.1", + "affected": [ + "openclaw@<= 2026.2.26" + ], + "patched": [ + "openclaw@>= 2026.3.1" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-02T05:46:05Z", + "updated": "2026-03-02T05:46:05Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-8m9v-xpgf-g99m" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8m9v-xpgf-g99m", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-863" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-8m9v-xpgf-g99m" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-7xmq-g46g-f8pv", + "ghsa_id": "GHSA-7xmq-g46g-f8pv", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-59", + "title": "Sandbox media TOCTOU could read files outside sandbox root", + "description": "Summary Sandbox media handling had a time-of-check/time-of-use gap: media paths could be validated first and read later through a separate path. A symlink retarget between those steps could cause reads outside sandboxRoot. Impact Affected versions could permit host file reads outside the intended sandbox root in media attachment/image flows. Fix Media reads now use consolidated root-scoped, boundary-safe read paths at use time, removing check/use drift across call sites. 
Affected and Patched Versions - Affected: <= 2026.2.26 - Patched: 2026.3.1", + "affected": [ + "openclaw@<= 2026.2.26" + ], + "patched": [ + "openclaw@>= 2026.3.1" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-02T05:46:04Z", + "updated": "2026-03-02T05:46:04Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-7xmq-g46g-f8pv" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7xmq-g46g-f8pv", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-59", + "CWE-367" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-7xmq-g46g-f8pv" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-x82f-27x3-q89c", + "ghsa_id": "GHSA-x82f-27x3-q89c", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-59", + "title": "TOCTOU symlink race in writeFileWithinRoot could create or truncate files outside root boundaries", + "description": "Summary A symlink-retarget TOCTOU race in writeFileWithinRoot could point an attacker-controlled path alias outside the configured root between resolution and write operations. Impact Affected versions could cause out-of-root write side effects (including file creation or truncation) before final boundary validation. Fix Root-scoped write flow now opens existing files without pre-truncation, creates missing files with exclusive create semantics, truncates only after post-open identity/boundary checks, and removes out-of-root artifacts when a race is detected. 
Affected and Patched Versions - Affected: <= 2026.2.26 - Patched: 2026.3.1", + "affected": [ + "openclaw@<= 2026.2.26" + ], + "patched": [ + "openclaw@>= 2026.3.1" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-02T05:46:04Z", + "updated": "2026-03-02T05:46:04Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-x82f-27x3-q89c" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-x82f-27x3-q89c", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-59", + "CWE-367" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-x82f-27x3-q89c" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-392f-ggf5-fp3c", + "ghsa_id": "GHSA-392f-ggf5-fp3c", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-176", + "title": "Unicode canonicalization drift in node metadata policy classification could broaden node allowlists", + "description": "Summary A paired node could supply Unicode-confusable platform or deviceFamily metadata that passed metadata pinning but classified differently for command policy resolution, broadening default node command allowlists. Impact This is a policy-bypass issue within the paired-node trust boundary and can expand node command availability beyond intended defaults. Fix Node metadata canonicalization was hardened against confusables, and unknown platform defaults were made conservative (excluding system.run and system.which unless explicitly allowlisted). 
Affected and Patched Versions - Affected: <= 2026.2.26 - Patched: 2026.3.1", + "affected": [ + "openclaw@<= 2026.2.26" + ], + "patched": [ + "openclaw@>= 2026.3.1" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-03-02T05:46:02Z", + "updated": "2026-03-02T05:46:02Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-392f-ggf5-fp3c" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-392f-ggf5-fp3c", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-176", + "CWE-436" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-392f-ggf5-fp3c" + ], + "source_feed": "ghsa-without-cve" + }, { "id": "CVE-2026-28363", "severity": "critical", 
@@ -15924,6 +17078,1951 @@ "exploit_sources": [] } }, + { + "id": "GHSA-gp3q-wpq4-5c5h", + "ghsa_id": "GHSA-gp3q-wpq4-5c5h", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "high", + "type": "incorrect_authorization", + "nvd_category_id": "CWE-863", + "title": "LINE group allowlist scope mismatch with DM pairing-store entries", + "description": "Summary In specific LINE configurations, sender IDs approved through DM pairing could also satisfy group allowlist checks when operators expected group sender access to be scoped only to explicit group allowlists. Affected Packages / Versions - Package: openclaw (npm) - Latest published version at triage/update time: 2026.2.25 - Affected: <= 2026.2.25 - Patched: = 2026.2.26 (planned next release) Impact This is a group-authorization scope mismatch. DM pairing-store entries could influence group sender authorization in allowlist mode. Technical Details Root cause: group allowlist composition inherited pairing-store entries intended for DM approvals. Under default DM pairing policy, a DM-paired sender could match group allowlist checks. Fixes on main: - isolate group allowlist composition from pairing-store entries - centralize shared DM/group allowlist composition to preserve DM-only pairing behavior - add regression coverage for LINE and Mattermost policy paths Fix Commit(s) - 8bdda7a651c21e98faccdbbd73081e79cffe8be0 - 892a9c24b0f6118729ab5b5f5499b1a7e792dd15 (follow-up refactor hardening) Release Process Note patchedversions is pre-set to = 2026.2.26 so once npm 2026.2.26 is published, this advisory can be published directly without additional version-field edits. 
Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.25" + ], + "patched": [ + "openclaw@>= 2026.2.26" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-26T22:40:37Z", + "updated": "2026-02-26T22:40:37Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-gp3q-wpq4-5c5h" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gp3q-wpq4-5c5h", + "nvd_url": null, + "cvss_score": 7.1, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", + "cwe_ids": [ + "CWE-863" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-gp3q-wpq4-5c5h" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-qcc4-p59m-p54m", + "ghsa_id": "GHSA-qcc4-p59m-p54m", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "high", + "type": "github_security_advisory", + "nvd_category_id": "CWE-59", + "title": "Sandbox dangling-symlink alias handling could bypass workspace-only write boundary", + "description": "Summary A sandbox boundary-validation gap in symlink alias handling allowed certain workspace-only write paths to be treated as in-boundary even when they could resolve outside the workspace/sandbox root. Affected Packages / Versions - Package: npm openclaw - Affected versions: <= 2026.2.25 - Latest published npm version included in affected range: 2026.2.25 (checked on February 26, 2026) - Patched version (pre-set for release): 2026.2.26 Technical Details In affected versions, dangling symlink hops could be accepted during boundary checks under missing-target conditions. For workspace-only write flows (including applypatch), this could allow writes to resolve outside the configured workspace/sandbox boundary. 
The fix resolves symlink targets through existing ancestors and fails closed when canonical resolution escapes the configured boundary. Impact - Boundary-confined write operations could be redirected outside the configured workspace/sandbox root. - Primary impact is integrity of host-side files reachable from that path resolution. Fix Commit(s) - 4fd29a35bb85a1898ebff518364c467058b50e14 Release Process Note patchedversions is pre-set to the planned next release (2026.2.26) so once npm 2026.2.26 is published, the advisory can be published without further field edits. Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<=2026.2.25" + ], + "patched": [ + "openclaw@>= 2026.2.26" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-26T22:40:37Z", + "updated": "2026-02-26T22:40:37Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-qcc4-p59m-p54m" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qcc4-p59m-p54m", + "nvd_url": null, + "cvss_score": 7, + "cvss_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "cwe_ids": [ + "CWE-59", + "CWE-367" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-qcc4-p59m-p54m" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-7qf6-h84j-8fq4", + "ghsa_id": "GHSA-7qf6-h84j-8fq4", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-367", + "title": "Microsoft Teams media fetch SSRF hardening: unified guarded fetch across Graph and attachment paths", + "description": "Impact Microsoft Teams media handling used mixed fetch paths for Graph metadata/content and attachment auth-retry flows. 
Some paths bypassed the shared SSRF guard model and created inconsistent host/DNS enforcement across redirect/fetch hops. Affected Packages / Versions - Package: openclaw (npm) - Latest published vulnerable version: 2026.2.25 - Affected range: <= 2026.2.25 - Planned patched version for next release: 2026.2.26 Technical Details The Microsoft Teams attachment/media code previously relied on plugin-local fetch behavior in parts of the flow, instead of uniformly using shared guarded fetch logic with pinned DNS + policy checks. This could allow policy drift and SSRF boundary inconsistency between channel/plugin paths. The fix unifies this path by: - routing Microsoft Teams Graph message/hosted-content/attachment fetches through shared SSRF-guarded fetch paths, - routing auth-scope fallback attachment downloads through the same guarded policy model, - centralizing hostname-suffix allowlist policy helpers in plugin-sdk so channel/plugins use the same allowlist normalization and policy construction behavior. Fix Commit(s) - 57334cd7d85174d5f951de01114fd5801b063564 Release Process Note patchedversions is pre-set to the planned next release (2026.2.26) so once npm openclaw@2026.2.26 is published, the advisory is ready to publish without further field edits. 
Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<=2026.2.25" + ], + "patched": [ + "openclaw@>= 2026.2.26" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-26T22:40:33Z", + "updated": "2026-02-26T22:40:33Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-7qf6-h84j-8fq4" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7qf6-h84j-8fq4", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-367", + "CWE-918" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-7qf6-h84j-8fq4" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-gcj7-r3hg-m7w6", + "ghsa_id": "GHSA-gcj7-r3hg-m7w6", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "low", + "type": "github_security_advisory", + "nvd_category_id": "CWE-294", + "title": "voice-call Twilio replay dedupe now bound to authenticated webhook identity", + "description": "Summary The voice-call Twilio webhook path accepted replay/dedupe identity from unsigned request metadata (i-twilio-idempotency-token), enabling replayed signed requests to bypass replay detection and manager dedupe by mutating only that header. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.25 (latest published npm version at triage time) - Fixed on main: commit 1aadf26f9acc399affabd859937a09468a9c5cb4 - Planned patched npm version: 2026.2.26 Impact Deployments using the optional voice-call Twilio webhook path could accept replayed webhook events as fresh events when an attacker had one valid signed request and changed only the unsigned idempotency header. 
Technical Details The fix removes unsigned-header trust from Twilio replay/dedupe identity and binds replay/manager dedupe to authenticated request material. It also threads a verified request identity through provider parsing so dedupe uses verification-derived identity rather than mutable headers. Fix Commit(s) - 1aadf26f9acc399affabd859937a09468a9c5cb4 Release Process Note patchedversions is pre-set to the planned next release (2026.2.26). After the npm release is published, this advisory can be published without additional version-field edits. Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<=2026.2.25" + ], + "patched": [ + "openclaw@>= 2026.2.26" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-26T22:40:32Z", + "updated": "2026-02-26T22:40:32Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-gcj7-r3hg-m7w6" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gcj7-r3hg-m7w6", + "nvd_url": null, + "cvss_score": 3.7, + "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cwe_ids": [ + "CWE-294", + "CWE-345" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-gcj7-r3hg-m7w6" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-f7ww-2725-qvw2", + "ghsa_id": "GHSA-f7ww-2725-qvw2", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-59", + "title": "Node system.run approval bypass via parent-symlink cwd rebind", + "description": "Summary For host=node executions, approval context could be bypassed after approval-time by rebinding a writable parent symlink in cwd while preserving the visible cwd string. 
Affected Packages / Versions - Package: openclaw (npm) - Affected: <= 2026.2.25 - Fixed: = 2026.2.26 (planned next npm release) Impact A command approved for one filesystem location could execute from a different location if a mutable parent symlink changed between approval and execution. Fix - Added immutable approval-time plan preparation (system.run.prepare) and systemRunPlanV2 canonical fields (argv, cwd, agentId, sessionKey). - Enforced canonical plan values through approval request storage and forwarding-time sanitization. - Rejected mutable parent-symlink path components during approval-plan building to block symlink rebind bypass. - Follow-up refactors centralized command catalogs and approval context/error handling to reduce future drift. Fix Commit(s) - 78a7ff2d50fb3bcef351571cb5a0f21430a340c1 - d82c042b09727a6148f3ca651b254c4a677aff26 - d06632ba45a8482192792c55d5ff0b2e21abb0a7 - 4e690e09c746408b5e27617a20cb3fdc5190dbda - 4b4718c8dfce2e2c48404aa5088af7c013bed60b Release Process Note patchedversions is pre-set to the planned next release (2026.2.26). Once npm openclaw@2026.2.26 is published, publish this advisory directly without further version-field edits. 
Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.25" + ], + "patched": [ + "openclaw@>= 2026.2.26" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-26T22:40:31Z", + "updated": "2026-02-26T22:40:31Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-f7ww-2725-qvw2" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f7ww-2725-qvw2", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-59", + "CWE-367" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-f7ww-2725-qvw2" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-j26j-7qc4-3mrf", + "ghsa_id": "GHSA-j26j-7qc4-3mrf", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-639", + "title": "MS Teams fileConsent/invoke missing conversation binding allowed cross-conversation pending-upload consumption", + "description": "Summary In openclaw MS Teams file-consent flow, pending uploads were authorized by uploadId alone. fileConsent/invoke did not verify the invoke conversation against the conversation that created the pending upload. Impact An attacker who obtained a valid uploadId within TTL could trigger cross-conversation upload completion (accept path) or cancel a victim pending upload (decline path). Technical Details - Pending uploads stored conversationId, but invoke handling consumed by uploadId only. - The invoke path did not enforce conversation binding before uploadToConsentUrl(...) and pending-upload removal. - Fix binds accept/decline handling to normalized conversation id match before consuming pending upload state. 
Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version (as of February 26, 2026): 2026.2.24 - Vulnerable range: <= 2026.2.24 - Patched in release: 2026.2.25 Remediation Upgrade to openclaw 2026.2.25 (or later) once published. Fix Commit(s) - 347f7b9550064f5f5b33c6e07f64e85b9657b6f1 Release Process Note patchedversions is pre-set to the release (2026.2.25). Advisory published with npm release 2026.2.25. Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.24" + ], + "patched": [ + "openclaw@>= 2026.2.25" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-26T03:58:32Z", + "updated": "2026-02-26T03:58:32Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-j26j-7qc4-3mrf" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-j26j-7qc4-3mrf", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-639", + "CWE-862" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-j26j-7qc4-3mrf" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-xmv6-r34m-62p4", + "ghsa_id": "GHSA-xmv6-r34m-62p4", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "path_traversal", + "nvd_category_id": "CWE-22", + "title": "Sandbox media fallback tmp symlink alias bypass allows host file reads outside sandboxRoot", + "description": "Summary A sandbox path validation bypass in openclaw allows host file reads outside sandboxRoot via the media path fallback tmp flow when the fallback tmp root is a symlink alias. 
Affected Packages / Versions - Package: npm openclaw - Affected versions: <= 2026.2.24 - Latest published npm version at triage time (February 26, 2026): 2026.2.24 - Patched version : 2026.2.25 Details When /tmp/openclaw is unavailable or unsafe, resolvePreferredOpenClawTmpDir() in src/infra/tmp-openclaw-dir.ts fell back to os.tmpdir()/openclaw-= 2026.2.25" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-26T03:58:31Z", + "updated": "2026-02-26T03:58:31Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-xmv6-r34m-62p4" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xmv6-r34m-62p4", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-22", + "CWE-59" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-xmv6-r34m-62p4" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-3jx4-q2m7-r496", + "ghsa_id": "GHSA-3jx4-q2m7-r496", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "high", + "type": "github_security_advisory", + "nvd_category_id": "CWE-59", + "title": "Hardlink alias checks could bypass workspace-only file boundaries in specific configurations", + "description": "Summary In certain workspace-restricted configurations, OpenClaw could follow hardlink aliases inside the workspace that reference files outside the workspace boundary. By default, tools.fs.workspaceOnly is off. This primarily affects deployments that intentionally enable workspace-only filesystem restrictions (and workspace-only applypatch checks). Impact - Confidentiality: out-of-workspace files could be read through in-workspace hardlink aliases. 
- Integrity: out-of-workspace files could be modified through in-workspace hardlink aliases. Affected Packages / Versions - Package: openclaw (npm) - Latest published version at triage time: 2026.2.24 - Affected range: <= 2026.2.24 - Planned patched version: 2026.2.25 Fix Commit(s) - 04d91d0319b82fd4de91ed05e9fc5219ff2ab64e (main) Remediation OpenClaw now rejects hardlinked final-file aliases during workspace boundary validation for: - workspace-only path checks (read / write / edit) - workspace-only applypatch read/write paths - sandbox mount-root path-safety checks Regression tests were added for applypatch, workspace fs tools, and sandbox fs bridge hardlink alias escapes. Release Process Note patchedversions is pre-set to the release (2026.2.25) so the advisory can be published after npm release with no further version-field edits. Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.24" + ], + "patched": [ + "openclaw@>= 2026.2.25" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-26T03:58:27Z", + "updated": "2026-02-26T03:58:27Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-3jx4-q2m7-r496" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3jx4-q2m7-r496", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-59", + "CWE-668" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-3jx4-q2m7-r496" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-qj22-xqjr-v83v", + "ghsa_id": "GHSA-qj22-xqjr-v83v", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "incorrect_authorization", + "nvd_category_id": "CWE-863", + "title": "Telegram messagereaction 
authorization bypass allows unauthorized system-event injection", + "description": "A missing sender-authorization check in Telegram messagereaction handling allowed unauthorized users to trigger reaction-derived system events. Affected Packages / Versions - Package: openclaw (npm) - Introduced: 2026.2.17 - Affected: = 2026.2.17 and <= 2026.2.24 - Latest published at patch time: 2026.2.24 - Patched in release: 2026.2.25 Impact When reaction notifications are enabled, unauthorized Telegram senders could inject reaction system events despite configured DM/group authorization controls (dmPolicy, allowFrom, groupPolicy, groupAllowFrom). Fix Commit(s) - e56b0cf1a04f992ac6ebc775899f48ea31687640 Release Process Note patchedversions is pre-set to the release (2026.2.25) so once npm release 2026.2.25 is published, this advisory can be published without further edits. Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.24" + ], + "patched": [ + "openclaw@>= 2026.2.25" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-26T03:58:21Z", + "updated": "2026-02-26T03:58:21Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-qj22-xqjr-v83v" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qj22-xqjr-v83v", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-863" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-qj22-xqjr-v83v" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-h97f-6pqj-q452", + "ghsa_id": "GHSA-h97f-6pqj-q452", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "low", + "type": "server_side_request_forgery", + "nvd_category_id": "CWE-918", + "title": "IPv6 multicast SSRF 
classifier bypass", + "description": "Summary OpenClaw's SSRF IP classifier did not treat IPv6 multicast literals (ff00::/8) as blocked/private-internal. This allowed literal multicast hosts to pass SSRF preflight checks. Impact A bypass in address classification existed for IPv6 multicast literals. OpenClaw's network fetch/navigation paths are constrained to HTTP/HTTPS and this was triaged as low-severity defense-in-depth hardening. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.24 - Patched versions: = 2026.2.25 Technical Details The IPv6 private/internal range set omitted multicast, so addresses like ff02::1 and ff05::1:3 were not classified as blocked by the shared SSRF classifier. Fix Commit(s) - baf656bc6fd7f83b6033e6dbc2548ec75028641f Release Process Note patchedversions is pre-set to the planned next npm release (2026.2.25). Once that release is published on npm, the advisory is published. Thanks @zpbrent for reporting.", + "affected": [ + "openclaw@<= 2026.2.24" + ], + "patched": [ + "openclaw@>= 2026.2.25" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-26T03:58:14Z", + "updated": "2026-02-26T03:58:14Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-h97f-6pqj-q452" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h97f-6pqj-q452", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-918" + ], + "credits": [ + "zpbrent" + ], + "aliases": [ + "GHSA-h97f-6pqj-q452" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-9f72-qcpw-2hxc", + "ghsa_id": "GHSA-9f72-qcpw-2hxc", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "high", + "type": 
"exposure_of_sensitive_information", + "nvd_category_id": "CWE-200", + "title": "Native prompt image auto-load did not honor tools.fs.workspaceOnly in sandboxed runs", + "description": "Summary In sandboxed runs, native prompt image auto-load did not honor tools.fs.workspaceOnly=true. This optional hardening setting is not enabled by default. When operators enabled it, prompt text could still reference mounted out-of-workspace image paths (for example /agent/secret.png) and load those image bytes for vision-capable model input. Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version at triage time: 2026.2.23 - Vulnerable version range: <= 2026.2.23 - Patched version (planned next release): 2026.2.24 Conditions Required This issue required all of the following: - sandbox mode enabled, - tools.fs.workspaceOnly=true configured, - an out-of-workspace mount path reachable from the sandbox (for example /agent), - vision-capable model path active for native prompt image loading. Technical Details Native prompt image ingestion (detectAndLoadPromptImages / loadImageFromRef) resolved and read sandbox paths but did not apply the same workspace-root assertion used by file tools when tools.fs.workspaceOnly was set. Fix Commit(s) - 370d115549c0dadace0902775eea0d5094aedfdc Verification - pnpm check - pnpm exec vitest run --config vitest.gateway.config.ts - pnpm test:fast Release Process Note patchedversions is pre-set to the planned next release (2026.2.24) so once npm release is available, this advisory only needs publish action. Thanks @tdjackey for reporting. Publication Update (2026-02-25) openclaw@2026.2.24 is published on npm and contains the fix commit(s) listed above. 
This advisory now marks = 2026.2.24 as patched.", + "affected": [ + "openclaw@<= 2026.2.23" + ], + "patched": [ + "openclaw@>= 2026.2.24" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-25T04:37:41Z", + "updated": "2026-02-25T04:37:41Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-9f72-qcpw-2hxc" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9f72-qcpw-2hxc", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-200", + "CWE-284" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-9f72-qcpw-2hxc" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-h656-5vcf-cm23", + "ghsa_id": "GHSA-h656-5vcf-cm23", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "improper_access_control", + "nvd_category_id": "CWE-284", + "title": "Telegram: Unauthorized Senders Trigger Media Download and Disk Write Before Access Check", + "description": "Impact In Telegram DM mode, inbound media was downloaded and written to disk before sender authorization checks completed. An unauthorized sender could trigger inbound media download/write activity (including media groups) even when DM access should be denied. Affected Packages / Versions - Package: openclaw (npm) - Latest published version currently affected: 2026.2.23 - Vulnerable range: <= 2026.2.23 - Patched in planned next release: 2026.2.24 Fix Commit(s) - 9514201fb9b51de5d0b23151110d0ff5d9c8bd67 Technical Details The Telegram handler flow now enforces DM authorization before media download/write paths execute, including media-group handling. 
Inbound channel activity tracking was also moved to run after DM authorization in the Telegram message context path. Release Process Note patchedversions is pre-set to the planned next release (2026.2.24). After npm publish, the advisory can be published without further version-field edits. Thanks @v8hid for reporting. Publication Update (2026-02-25) openclaw@2026.2.24 is published on npm and contains the fix commit(s) listed above. This advisory now marks = 2026.2.24 as patched.", + "affected": [ + "openclaw@<=2026.2.23" + ], + "patched": [ + "openclaw@>= 2026.2.24" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-25T04:37:39Z", + "updated": "2026-02-25T04:37:39Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-h656-5vcf-cm23" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h656-5vcf-cm23", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-284", + "CWE-404", + "CWE-406", + "CWE-770" + ], + "credits": [ + "v8hid" + ], + "aliases": [ + "GHSA-h656-5vcf-cm23" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-33hm-cq8r-wc49", + "ghsa_id": "GHSA-33hm-cq8r-wc49", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "path_traversal", + "nvd_category_id": "CWE-22", + "title": "Temporary path handling could write outside OpenClaw temp boundary", + "description": "Summary Sandbox media local-path validation accepted absolute paths under host tmp, even when those paths were outside the active sandbox root. 
Affected Packages / Versions - Package: openclaw (npm) - Latest published version verified during triage: 2026.2.23 - Affected versions: <= 2026.2.23 - Patched versions (planned next release): = 2026.2.24 Details In affected versions, sandbox media path resolution allowed absolute host tmp paths as trusted media inputs when they were under os.tmpdir(), without requiring that the path stay within the active sandboxRoot. Because outbound attachment hydration consumed these paths as already validated, this enabled out-of-sandbox host tmp file reads and exfiltration through attachment delivery. Impact - Confidentiality impact: high for deployments relying on sandboxRoot as a strict local filesystem boundary. - Practical impact: attacker-controlled media references could read and attach host tmp files outside the sandbox workspace boundary. Remediation - Restrict sandbox tmp-path acceptance to OpenClaw-managed temp roots only. - Default SDK/extension temp helpers to OpenClaw-managed temp roots. - Add CI guardrails to prevent broad tmp-root regressions in messaging/channel code paths. Fix Commit(s) - d3da67c7a9b463edc1a9b1c1f7af107a34ca32f5 - 79a7b3d22ef92e36a4031093d80a0acb0d82f351 - def993dbd843ff28f2b3bad5cc24603874ba9f1e Release Process Note The advisory is pre-set with patched version 2026.2.24 so it is ready for publication once that npm release is available. Thanks @tdjackey for reporting. Publication Update (2026-02-25) openclaw@2026.2.24 is published on npm and contains the fix commit(s) listed above. 
This advisory now marks = 2026.2.24 as patched.", + "affected": [ + "openclaw@<= 2026.2.23" + ], + "patched": [ + "openclaw@>= 2026.2.24" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-25T04:37:35Z", + "updated": "2026-02-25T04:37:35Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-33hm-cq8r-wc49" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-33hm-cq8r-wc49", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-22", + "CWE-284" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-33hm-cq8r-wc49" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-534w-2vm4-89xr", + "ghsa_id": "GHSA-534w-2vm4-89xr", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "improper_access_control", + "nvd_category_id": "CWE-284", + "title": "Zalo group sender allowlist bypass permits unauthorized GROUP dispatch", + "description": "A missing group-sender authorization check in the Zalo plugin allowed unauthorized GROUP messages to enter agent dispatch paths in configurations intended to restrict group traffic. Impact When Zalo group handling was configured with allowlist-style controls, a sender not present in the intended group allowlist could still trigger agent processing through the GROUP message path. Root Cause Group access checks were not consistently enforced before dispatch for Zalo GROUP messages. The fix adds explicit runtime group-policy evaluation (groupPolicy, groupAllowFrom, fallback to allowFrom) and fail-closed behavior for missing provider config. 
Affected Packages / Versions - Package: openclaw (npm) - Latest published vulnerable version: 2026.2.23 (as of 2026-02-24) - Affected range: <= 2026.2.23 - Planned patched version: 2026.2.24 Fix Commit(s) - b4010a0b627025c809c0e5dbdbd4770f3bc59ef8 Release Process Note patchedversions is pre-set to the planned next release (2026.2.24). Once that npm release is published, this advisory should only need to be published. Thanks @tdjackey for reporting. Publication Update (2026-02-25) openclaw@2026.2.24 is published on npm and contains the fix commit(s) listed above. This advisory now marks = 2026.2.24 as patched.", + "affected": [ + "openclaw@<= 2026.2.23" + ], + "patched": [ + "openclaw@>= 2026.2.24" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-25T04:37:33Z", + "updated": "2026-02-25T04:37:33Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-534w-2vm4-89xr" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-534w-2vm4-89xr", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-284", + "CWE-863" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-534w-2vm4-89xr" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-r294-2894-92j3", + "ghsa_id": "GHSA-r294-2894-92j3", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "cross_site_scripting", + "nvd_category_id": "CWE-79", + "title": "Stored XSS in exported session HTML viewer via markdown/raw-HTML rendering", + "description": "Summary The exported session HTML viewer allowed stored XSS when untrusted session content included raw HTML markdown tokens or unescaped metadata fields. 
Impact Opening a crafted exported HTML session could execute attacker-controlled JavaScript in the viewer context. This can expose session content in the page and enable phishing or UI spoofing in the trusted export view. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.22-2 - Patched version (released): = 2026.2.23 Technical Details The exporter rendered markdown with marked.parse(...) and inserted HTML via innerHTML, but did not override the html renderer token path. Raw HTML (for example = 2026.2.23" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-24T05:27:23Z", + "updated": "2026-02-24T05:27:23Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-r294-2894-92j3" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-r294-2894-92j3", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-79" + ], + "credits": [ + "allsmog" + ], + "aliases": [ + "GHSA-r294-2894-92j3" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-7ff8-xjh3-mgh6", + "ghsa_id": "GHSA-7ff8-xjh3-mgh6", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-266", + "title": "non-default autoAllowSkills setting could bypass on-miss exec prompt", + "description": "Summary In openclaw versions up to and including 2026.2.22-2, a non-default exec-approval configuration could allow a skill-name collision to bypass an ask=on-miss prompt. When autoAllowSkills=true, a path-scoped executable such as ./skill-bin could resolve to basename skill-bin, satisfy the skills allowlist segment, and run without prompting for approval. 
Affected Packages / Versions - Package: npm openclaw - Affected versions: <= 2026.2.22-2 - Patched versions: = 2026.2.23 (released) Configuration Scope (Not Default) This behavior requires non-default settings and does not affect default installs. Required conditions: - autoAllowSkills=true (default is false) - system.run with security=allowlist - ask=on-miss Technical Details The allowlist evaluator accepted skills satisfaction by bin-name match, so ./skill-bin could match skillBins.has(\"skill-bin\") after resolution. The fix hardens skill auto-allow matching by requiring: - a pathless invocation token (no / or \\\\), and - a trusted resolved executable path for that skill bin on the machine where skills run. This preserves normal skill-bin ... behavior while preventing ./=2026.2.23" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-24T05:27:21Z", + "updated": "2026-02-24T05:27:21Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-7ff8-xjh3-mgh6" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7ff8-xjh3-mgh6", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-266", + "CWE-863" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-7ff8-xjh3-mgh6" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-2j9j-gf59-p4p5", + "ghsa_id": "GHSA-2j9j-gf59-p4p5", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "low", + "type": "github_security_advisory", + "nvd_category_id": null, + "title": "iOS deep link (openclaw://agent) can trigger gateway agent requests without local confirmation", + "description": "Summary A crafted openclaw://agent deep link could cause OpenClaw iOS to forward an agent.request 
event to a connected Gateway without local confirmation on iOS. Affected Packages / Versions - Advisory package metadata: openclaw (swift ecosystem). - Latest published npm openclaw at triage time: 2026.2.22-2. - Affected practical surface: internal preview iOS builds only (not publicly distributed). - Structured advisory range is set to <= 2026.2.22-2 and patched version is pre-set to 2026.2.23 and is now public. Impact - External deep-link trigger could cause unintended agent action initiation in an already-connected iOS node context. - This is a user-interaction deep-link abuse issue, not unauthenticated server takeover. - Severity is set to Low because iOS distribution is internal preview/super-alpha and not public/TestFlight release. Remediation The iOS deep-link path now requires local confirmation unless a trusted deep-link key is provided, and unkeyed deep links have delivery-routing fields stripped before submission. Fix Commit(s) - ff4e6ca0d942ef52330dcbe116321ae4fed21749 Release Process Note patchedversions is pre-set to the released version (2026.2.23). This advisory now reflects released fix version 2026.2.23. 
Thanks @GCXWLP for reporting.", + "affected": [ + "openclaw@<= 2026.2.22-2" + ], + "patched": [ + "openclaw@2026.2.23" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-24T05:27:20Z", + "updated": "2026-02-24T05:27:20Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-2j9j-gf59-p4p5" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2j9j-gf59-p4p5", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [], + "credits": [ + "GCXWLP" + ], + "aliases": [ + "GHSA-2j9j-gf59-p4p5" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-6x2m-hqfw-hvpj", + "ghsa_id": "GHSA-6x2m-hqfw-hvpj", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-285", + "title": "Node exec approvals could be replayed across nodes", + "description": "Summary exec.approval requests for host=node were not explicitly bound to the target nodeId, so an approval intended for one node could be replayed for a different node under the same operator-controlled gateway fleet. Impact An operator approval for a system.run request could be reused across nodes if the request payload did not carry node identity through approval and execution checks. Affected Packages / Versions - Package: openclaw (npm) - Affected: <= 2026.2.22-2 - Fixed: 2026.2.23 (released) Mitigation Upgrade to 2026.2.23 or later once published. Fix Details The fix requires and persists nodeId for host=node approval requests and rejects execution when the approving node binding does not match the invoking node. 
Fix Commit(s) - 4a3f8438e527ac371a67fe7ac68a287f0dbe6063 Release Process Note patchedversions is pre-set to the released version (2026.2.23). This advisory now reflects released fix version 2026.2.23. Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.22-2" + ], + "patched": [ + "openclaw@>= 2026.2.23" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-24T05:27:18Z", + "updated": "2026-02-24T05:27:18Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-6x2m-hqfw-hvpj" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6x2m-hqfw-hvpj", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-285", + "CWE-863" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-6x2m-hqfw-hvpj" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-2ch6-x3g4-7759", + "ghsa_id": "GHSA-2ch6-x3g4-7759", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-639", + "title": "commands.allowFrom sender authorization accepted conversation identifiers via ctx.From", + "description": "Summary commands.allowFrom is documented as a sender authorization allowlist for commands/directives, but command authorization could include ctx.From (conversation identity) as a sender candidate. 
When commands.allowFrom contained conversation-like identifiers (for example Discord channel:= 2026.2.23" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-24T05:27:14Z", + "updated": "2026-02-24T05:27:14Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-796m-2973-wc5q" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-796m-2973-wc5q", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-436" + ], + "credits": [ + "jiseoung" + ], + "aliases": [ + "GHSA-796m-2973-wc5q" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-8j9w-9pm5-pv8m", + "ghsa_id": "GHSA-8j9w-9pm5-pv8m", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-184", + "title": "DUPLICATE of GHSA-3c6h-g97w-fg78: safeBins denied flags can be bypassed via GNU long-option abbreviations", + "description": "Duplicate Notice This draft advisory duplicates GHSA-3c6h-g97w-fg78. Canonical advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-3c6h-g97w-fg78 Use GHSA-3c6h-g97w-fg78 for tracking/publication. This advisory is published as a duplicate notice. Summary OpenClaw safeBins argument validation allowed denied flags to be bypassed via GNU long-option abbreviations. The validator matched denied long flags by exact string and treated unknown long options as allowed, creating a policy/runtime mismatch: commands could be approved as safe-bin usage while runtime behavior reached denied options. Impact - Default safe-bin wc: unauthorized file-read behavior via abbreviated --files0-fro (runtime resolves to --files0-from). 
- Configured safe-bin sort: external program invocation via abbreviated --compress-prog (runtime resolves to --compress-program). - Additional hardening gap: unknown or ambiguous long options in safe-bin mode were not rejected fail-closed. Technical Details Affected paths included safe-bin argv validation and allowlist evaluation: - src/infra/exec-safe-bin-policy.ts - src/infra/exec-approvals-allowlist.ts Affected Packages / Versions - Ecosystem: npm - Package: openclaw - Affected versions: <= 2026.2.22-2 - Fixed in code on main: 2026.2.23 (released) Remediation - Canonicalize long options using GNU-style unique-prefix matching. - Reject unknown and ambiguous long options in safe-bin mode (fail-closed). - Reject inline values for non-value long flags. - Deny additional sort filesystem-dependent flags in safe-bin mode: --random-source, --temporary-directory, -T. - Add regression tests for denied-flag abbreviations and fail-closed long-option handling. Fix Commit(s) - 3b8e33037ae2e12af7beb56fcf0346f1f8cbde6f Release Process Note Patched in 2026.2.23 and published. 
Thanks @jiseoung for reporting.", + "affected": [ + "openclaw@<= 2026.2.22-2" + ], + "patched": [ + "openclaw@>=2026.2.23" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-24T05:27:13Z", + "updated": "2026-02-24T05:27:13Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-8j9w-9pm5-pv8m" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8j9w-9pm5-pv8m", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-184" + ], + "credits": [ + "jiseoung" + ], + "aliases": [ + "GHSA-8j9w-9pm5-pv8m" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-4cqv-h74h-93j4", + "ghsa_id": "GHSA-4cqv-h74h-93j4", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "improper_authentication", + "nvd_category_id": "CWE-287", + "title": "Discord allowFrom slug-collision authorization bypass", + "description": "OpenClaw supports Discord allowlists using either user IDs or names/tags. Name/tag matching depends on slug normalization, so different user tags can collide to the same slug and unintentionally satisfy a name-based allowlist entry. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.21-2 - Patched versions: = 2026.2.22 What Changed - openclaw security audit now warns on Discord name/tag allowlist entries (DM allowlists, guild/channel users, and pairing-store entries). - Runtime authorization now prefers resolved user IDs when a configured name/tag can be resolved, without rewriting config files on disk. - Name-based entries remain supported for compatibility. Recommendations - Prefer stable Discord user IDs for security-sensitive allowlists. 
- Run openclaw security audit and address warnings where practical. Fix Commit(s) - f97c45c5b5e0698b6667bb5f6badc0cac7dabd12 - 747bb581b3f2264495e1fec5a0727d9f2ca1b6f1 Release Process Note Patched version fields now point to 2026.2.22 and fixes are merged on main. Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.21-2" + ], + "patched": [ + "openclaw@>= 2026.2.22" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-23T00:52:17Z", + "updated": "2026-02-23T00:52:17Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-4cqv-h74h-93j4" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4cqv-h74h-93j4", + "nvd_url": null, + "cvss_score": 6.5, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "cwe_ids": [ + "CWE-287" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-4cqv-h74h-93j4" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-jxrq-8fm4-9p58", + "ghsa_id": "GHSA-jxrq-8fm4-9p58", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-59", + "title": "Zip extraction symlink traversal could write outside destination", + "description": "Summary A path confinement bypass in OpenClaw ZIP extraction allowed writes outside the intended destination when a pre-existing symlink was present under the extraction root. Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version at triage time: 2026.2.21-2 - Affected versions: <= 2026.2.21-2 - Planned patched version for next release: 2026.2.22 Technical Details The vulnerable path was in src/infra/archive.ts ZIP extraction logic. 
Output-path checks were lexical, but writes could still traverse an existing symlink in destination path segments. The fix blocks this by: - rejecting symlink traversal in destination path segments, - validating resolved destination paths remain inside the extraction root, - using no-follow file opens for ZIP output writes where supported, - adding a regression test for pre-seeded destination symlink traversal. Impact - Type: Arbitrary file write outside extraction root via symlink traversal during ZIP extraction. - Preconditions: attacker-controlled archive extraction plus pre-existing symlink in destination path. Fix Commit(s) - 4b226b74f5fd3b106a83a6347fd404172e2fd246 Release Process Note Patched version is pre-set to the planned next release (2026.2.22). Once npm release 2026.2.22 is published, the advisory can be published without further field edits. Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.21-2" + ], + "patched": [ + "openclaw@>= 2026.2.22" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-23T00:52:17Z", + "updated": "2026-02-23T00:52:17Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-jxrq-8fm4-9p58" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jxrq-8fm4-9p58", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-59" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-jxrq-8fm4-9p58" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-jwf4-8wf4-jf2m", + "ghsa_id": "GHSA-jwf4-8wf4-jf2m", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "incorrect_authorization", + "nvd_category_id": "CWE-863", + "title": "BlueBubbles (optional 
plugin) pairing/allowlist mismatch when allowFrom is empty", + "description": "Summary BlueBubbles is an optional OpenClaw channel plugin. A configuration-sensitive access-control mismatch allowed DM senders to be treated as authorized when dmPolicy was pairing or allowlist and allowFrom was empty/unset. Severity Rationale (Medium) Severity is set to medium because: - this affects an optional plugin, not core messaging surfaces; - many deployments use owner-controlled/private BlueBubbles identities with limited external reachability; - practical exploitability depends on an untrusted sender being able to reach that specific BlueBubbles account identifier. In typical personal/self-hosted BlueBubbles setups, the mapped Apple identity is single-owner and not broadly reachable, so this is usually low practical risk. Risk is higher in deployments where the identifier is publicly reachable and/or agent tool permissions are broad. Technical Details 1. BlueBubbles DM policy defaults to pairing (dmPolicy ?? \"pairing\"). 2. Effective allowlist can be empty (effectiveAllowFrom). 3. DM/reaction authorization called isAllowedBlueBubblesSender(...). 4. That delegated to shared isAllowedParsedChatSender(...), which previously returned true for empty allowlists. 5. Result: unknown senders could bypass intended pairing/allowlist gating when allowFrom was empty. Affected Packages / Versions - Package: openclaw (npm) - Vulnerable versions: <= 2026.2.21-2 - Planned fixed version: 2026.2.22 Fix The shared parsed-chat allowlist helper now fails closed on empty allowlists, restoring expected BlueBubbles DM gating behavior. BlueBubbles inbound gating was also refactored to use one shared DM/group decision helper for both message and reaction paths to reduce future drift. 
Fix Commit(s) - 9632b9bcf032c5f2280c3103961fde912ab1f920 - 2ba6de7eaad812e5e8603018e14e54e96bdd57dd - 51c0893673de8e5cea64e64351dbfa4680ba0dec - 4540790cb62412676f7b61cfc6e47443f84a251e Release Process Note patchedversions is pre-set to the planned next release (2026.2.22). Once npm release 2026.2.22 is published, this advisory is ready to publish without additional field edits. Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.21-2" + ], + "patched": [ + "openclaw@2026.2.22" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-23T00:52:16Z", + "updated": "2026-02-23T00:52:16Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-jwf4-8wf4-jf2m" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jwf4-8wf4-jf2m", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-863" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-jwf4-8wf4-jf2m" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-659f-22xc-98f2", + "ghsa_id": "GHSA-659f-22xc-98f2", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "code_injection", + "nvd_category_id": "CWE-94", + "title": "Hook transform path containment missed symlink-resolved escapes", + "description": "Vulnerability Webhook transform modules were validated with lexical path checks only. A symlink under the allowed hooks transform tree could resolve outside the intended directory and be dynamically imported. 
Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.21-2 - Patched version (planned next release): 2026.2.22 Impact When an attacker can cause a transform module path to reference a symlinked entry that resolves outside the trusted transform directory, the gateway may import and execute unintended JavaScript with gateway-process privileges. Attack Preconditions - Hook transforms are enabled and reachable. - Attacker can influence transform path resolution (for example via privileged config access and/or writable filesystem path in the transform tree). - A symlink escape exists to attacker-controlled code. Remediation - Enforce realpath-aware containment for existing path ancestors before dynamic import. - Keep lexical containment checks for traversal and absolute-path escapes. - Add regression coverage for: - transform module symlink escape rejection, - hooks.transformsDir symlink escape rejection, - in-root symlink allow-case. Fix Commit(s) - f4dd0577b055f77af783105bd65eae32f3d5e6a1 Release Process Note patchedversions is pre-set to the planned next release (2026.2.22). After npm release is published, advisory publication can proceed without further version edits. 
Thanks @aether-ai-agent for reporting.", + "affected": [ + "openclaw@<=2026.2.21-2" + ], + "patched": [ + "openclaw@2026.2.22" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-23T00:52:09Z", + "updated": "2026-02-23T00:52:09Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-659f-22xc-98f2" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-659f-22xc-98f2", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-94" + ], + "credits": [], + "aliases": [ + "GHSA-659f-22xc-98f2" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-5847-rm3g-23mw", + "ghsa_id": "GHSA-5847-rm3g-23mw", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": null, + "title": "Hook auth rate limiter bypass via IPv4-mapped IPv6 client key variants", + "description": "Vulnerability The hook authentication throttle keyed failed attempts by raw socket remoteAddress text. IPv4 and IPv4-mapped IPv6 forms of the same client (for example 1.2.3.4 and ::ffff:1.2.3.4) were treated as different clients, allowing separate rate-limit buckets. Impact An attacker could split failed hook-auth attempts across both address forms and effectively double the brute-force budget from 20 to 40 attempts per 60-second window. Affected Components - src/gateway/server-http.ts - src/gateway/auth-rate-limit.ts Affected Packages / Versions - Package: openclaw (npm) - Vulnerable versions: <= 2026.2.21-2 - Patched version (planned next release): 2026.2.22 Remediation Centralize and reuse canonical client-IP normalization for auth rate-limiting, and use that canonical key for hook auth throttling. 
Fix Commit(s) - 3284d2eb227e7b6536d543bcf5c3e320bc9d13c5 Release Process Note patchedversions is pre-set to the planned next release (2026.2.22) so once npm release 2026.2.22 is published, this advisory can be published directly. Thanks @aether-ai-agent for reporting.", + "affected": [ + "openclaw@<=2026.2.21-2" + ], + "patched": [ + "openclaw@>= 2026.2.22" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-23T00:52:08Z", + "updated": "2026-02-23T00:52:08Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-5847-rm3g-23mw" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5847-rm3g-23mw", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [], + "credits": [], + "aliases": [ + "GHSA-5847-rm3g-23mw" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-9mph-4f7v-fmvh", + "ghsa_id": "GHSA-9mph-4f7v-fmvh", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": null, + "title": "Agent avatar symlink traversal in gateway session metadata", + "description": "Summary A crafted local avatar path could follow a symlink outside the agent workspace and return arbitrary file contents as a base64 data: URL in gateway responses. Impact - Confidentiality impact: local file read in the gateway process context. - Exfiltration path: agents.list can return the resulting avatarUrl payload. 
Affected Components - src/gateway/session-utils.ts (resolveIdentityAvatarUrl) Affected Packages / Versions - Package: openclaw (npm) - Introduced: v2026.1.21 - Affected published versions: <= 2026.2.21-2 - Planned patched version: 2026.2.22 Remediation - Resolve workspace and avatar paths with realpath and enforce realpath containment. - Open files with ONOFOLLOW when available. - Compare pre-open and opened file identity (dev/ino) to block swap races. - Add regression tests for outside-workspace symlink rejection and in-workspace symlink allowance. Fix Commit(s) - 3d0337504349954237d09e4d957df5cb844d5e77 Release Process Note The advisory patchedversions field is pre-set to the planned next release (2026.2.22). After that npm release is published, the remaining step is to publish this advisory. Thanks @aether-ai-agent for reporting.", + "affected": [ + "openclaw@<= 2026.2.21-2" + ], + "patched": [ + "openclaw@>= 2026.2.22" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-23T00:52:08Z", + "updated": "2026-02-23T00:52:08Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-9mph-4f7v-fmvh" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9mph-4f7v-fmvh", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [], + "credits": [], + "aliases": [ + "GHSA-9mph-4f7v-fmvh" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-5h2c-8v84-qpvr", + "ghsa_id": "GHSA-5h2c-8v84-qpvr", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-15", + "title": "Shell-env fallback trusted startup env and could execute attacker-influenced login-shell paths", + 
"description": "Summary OpenClaw shell-env fallback trusted startup environment values and could execute attacker-influenced login-shell startup paths before loading env keys. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: = 2026.1.5 and <= 2026.2.21-2 - Fixed on main: 9363c320d8ffe29290906752fab92621da02c3f7 - Planned patched release version (pre-set): 2026.2.22 Details The vulnerable chain was in the shell-env fallback path: 1. src/infra/shell-env.ts - resolveShell(env) trusted env.SHELL when set. - execLoginShellEnvZero(...) executed ${SHELL} -l -c \"env -0\" with inherited runtime env. 2. src/config/io.ts - Config env values were applied before shell fallback execution. 3. src/config/env-vars.ts / env policy coverage - SHELL handling was hardened, but startup-path selectors (HOME, ZDOTDIR) still needed explicit blocking in config env ingestion and sanitization for shell fallback execution. With env/config influence, this could trigger unintended command execution in shell startup processing on the OpenClaw host process context. Fix Mainline hardening now: - blocks SHELL, HOME, and ZDOTDIR during config env ingestion used by runtime fallback, - sanitizes shell fallback execution env, pinning HOME to the real user home and dropping ZDOTDIR + dangerous startup vars, - adds regression tests for config env ingestion and shell fallback/path-probe sanitization. Fix Commit(s) - 9363c320d8ffe29290906752fab92621da02c3f7 Impact - Local code-execution risk in environments where attacker-controlled env/config input can reach shell-env fallback. - Under OpenClaw trust assumptions (SECURITY.md), this is not a public-remote issue and depends on crossing local trusted-operator boundaries. Release Process Note patchedversions is intentionally pre-set to the planned next release (2026.2.22) so once npm release is out, maintainers can publish advisory immediately. 
Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<=2026.2.21-2" + ], + "patched": [ + "openclaw@>= 2026.2.22" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-23T00:52:06Z", + "updated": "2026-02-23T00:52:06Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-5h2c-8v84-qpvr" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5h2c-8v84-qpvr", + "nvd_url": null, + "cvss_score": 5.3, + "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "cwe_ids": [ + "CWE-15", + "CWE-78" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-5h2c-8v84-qpvr" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-8mf7-vv8w-hjr2", + "ghsa_id": "GHSA-8mf7-vv8w-hjr2", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "low", + "type": "os_command_injection", + "nvd_category_id": "CWE-78", + "title": "tools.exec.safeBins generic fallback allowed interpreter-style inline payload execution in allowlist mode", + "description": "Summary When tools.exec.safeBins contained a binary without an explicit safe-bin profile, OpenClaw used a permissive generic fallback profile. In allowlist mode, that could let interpreter-style binaries (for example python3, node, ruby) execute inline payloads via flags like -c. This requires explicit operator configuration to add such binaries to safeBins, so impact is limited to non-default/misconfigured deployments. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.21-2 - Patched in code: = 2026.2.22 (planned next npm release) Fix - Remove generic safe-bin fallback during allowlist evaluation. - Require explicit safe-bin profiles for safeBins entries. 
- Add configurable tools.exec.safeBinProfiles (global + per-agent) for safe custom binaries. - Update docs to clearly separate safeBins from command allowlist semantics. Fix Commit(s) - 47c3f742b6c488be26dd7b9636dbbb8676089154 Release Process Note patchedversions is pre-set to the planned next release (= 2026.2.22) so once that npm release is published, the advisory can be published directly without further metadata edits. Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.21-2" + ], + "patched": [ + "openclaw@>= 2026.2.22" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-23T00:52:06Z", + "updated": "2026-02-23T00:52:06Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-8mf7-vv8w-hjr2" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8mf7-vv8w-hjr2", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-78", + "CWE-693" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-8mf7-vv8w-hjr2" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-4rqq-w8v4-7p47", + "ghsa_id": "GHSA-4rqq-w8v4-7p47", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "low", + "type": "github_security_advisory", + "nvd_category_id": null, + "title": "Incomplete IPv4 special-use SSRF blocking in web fetch guard", + "description": "Summary isPrivateIpv4() in bundled SSRF guard code missed several IPv4 special-use/non-global ranges, so webfetch could allow targets that should be blocked by SSRF policy. 
Affected Packages / Versions - Package: openclaw (npm) - Latest published affected version: 2026.2.21-2 (published 2026-02-21) - Structured vulnerable range: <= 2026.2.21-2 - Planned patched version (pre-set): = 2026.2.22 Impact Low severity. Exploitation requires network reachability to the relevant special-use ranges and a request path that reaches webfetch URL fetching. Technical Details Affected releases used narrow IPv4 private-range checks that omitted multiple RFC special-use/non-global ranges. This allowed requests such as http://198.18.0.1/... through SSRF validation in affected releases. Follow-up hardening consolidates local-host/tailnet range checks so gateway/browser/tailnet paths share one canonical IP classification flow. Fix Commit(s) - 71bd15bb4294d3d1b54386064d69cd0f5f731bd8 - 44dfbd23df453e51b71ef79a148c28c53e89168c - 333fbb86347998526dd514290adfd5f727caa6d9 - f14ebd743cfc73f667fae80af70043d0ab1f88bd Release Process Note patchedversions is intentionally pre-set to the planned next release (= 2026.2.22) so once npm 2026.2.22 is published, maintainers can publish this advisory without further metadata edits. 
Thanks @princeeismond-dot for reporting.", + "affected": [ + "openclaw@<= 2026.2.21-2" + ], + "patched": [ + "openclaw@>= 2026.2.22" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-23T00:52:05Z", + "updated": "2026-02-23T00:52:05Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-4rqq-w8v4-7p47" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4rqq-w8v4-7p47", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [], + "credits": [ + "princeeismond-dot" + ], + "aliases": [ + "GHSA-4rqq-w8v4-7p47" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-f6h3-846h-2r8w", + "ghsa_id": "GHSA-f6h3-846h-2r8w", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-639", + "title": "Elevated allowFrom matching tightened for sender-scoped authorization", + "description": "Summary In certain elevated-mode configurations, tools.elevated.allowFrom accepted broader identity signals than intended. The fix tightens matching to sender-scoped identity by default and makes mutable metadata matching explicit. Context OpenClaw is commonly used in 1:1 chats or trusted group chats. In that intended model, this issue is best treated as authorization hardening / defense-in-depth for elevated sender approval. 
Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version at triage: 2026.2.21-2 - Affected versions: <= 2026.2.21-2 - Planned patched version (pre-set for publish-ready advisory): 2026.2.22 Details Elevated sender authorization now matches sender-scoped identity values only by default (SenderId, From, SenderE164) and no longer considers recipient routing fields such as ctx.To. Mutable sender metadata (SenderName, SenderUsername, SenderTag) now requires explicit allowlist prefixes (name:, username:, tag:). Explicit identity prefixes are also supported (id:, from:, e164:). Fix Commit(s) - 6817c0ec7b4fa830123d4f5c340f075a4bd04ee2 Release Process Note The advisory patchedversions is pre-set to the planned next release (2026.2.22). Once npm openclaw@2026.2.22 is published, this advisory can be published without additional content edits. Thanks @jiseoung for reporting.", + "affected": [ + "openclaw@<= 2026.2.21-2" + ], + "patched": [ + "openclaw@>= 2026.2.22" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-23T00:52:03Z", + "updated": "2026-02-23T00:52:03Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-f6h3-846h-2r8w" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f6h3-846h-2r8w", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-639" + ], + "credits": [ + "jiseoung" + ], + "aliases": [ + "GHSA-f6h3-846h-2r8w" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-qhrr-grqp-6x2g", + "ghsa_id": "GHSA-qhrr-grqp-6x2g", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-426", + "title": "tools.exec.safeBins 
trusted PATH directories allowed binary shadowing in allowlist mode", + "description": "Summary In openclaw allowlist mode, tools.exec.safeBins trusted PATH-derived directories for safe-bin resolution. A same-name binary placed in a trusted PATH directory could satisfy safe-bin checks and execute. Impact This is an allowlist bypass in exec policy that can lead to command execution in the OpenClaw runtime context when allowlist mode relies on safe bins and an attacker can influence trusted binary locations. Affected Packages / Versions - Package: openclaw (npm) - Vulnerable versions: <= 2026.2.21-2 - Patched versions: = 2026.2.22 (planned next release) - Latest published npm version at triage time (2026-02-22): 2026.2.21-2 Root Cause - Safe-bin trust accepted PATH-derived directories instead of explicit trusted directories. - Safe-bin execution used shell command tokens that could resolve to shadowed binaries. Remediation - Stop trusting PATH-derived directories for safe-bin trust. - Add explicit tools.exec.safeBinTrustedDirs for opt-in extra trusted paths. - Pin safe-bin shell execution to resolved absolute executable paths. Fix Commit(s) - 64b273a71cf0b2f2419c974832cede1fc2158729 Release Process Note patchedversions is pre-set to the planned next release (2026.2.22). After npm release, this advisory is ready for publish without additional field edits. 
Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.21-2" + ], + "patched": [ + "openclaw@>= 2026.2.22" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-23T00:52:00Z", + "updated": "2026-02-23T00:52:00Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-qhrr-grqp-6x2g" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qhrr-grqp-6x2g", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-426" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-qhrr-grqp-6x2g" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-cjv3-m589-v3rx", + "ghsa_id": "GHSA-cjv3-m589-v3rx", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "cross_site_scripting", + "nvd_category_id": "CWE-79", + "title": "Canvas route hardening for mixed-trust deployments", + "description": "Summary This advisory tracks a defense-in-depth hardening for canvas routes. In mixed-trust or network-visible deployments, prior canvas auth/fallback behavior could broaden access beyond intended boundaries. Deployment Context OpenClaw’s default model is trusted host + loopback-first access. Some operators intentionally expose canvas routes on LAN/tailnet. This update is aimed at those broader deployment patterns. What Changed - Require explicit token or session-capability authorization for canvas routes. - Remove shared-IP fallback paths for canvas access. - Tighten bind/fallback behavior to fail closed. Impact Risk was highest in non-loopback or mixed-trust environments. In strict single-operator trusted-host setups, practical exposure is lower. 
Affected Packages / Versions - Package: openclaw (npm) - Vulnerable: <= 2026.2.19-2 - Patched: 2026.2.21 (next release target) Fix Commit(s) - c45f3c5b004c8d63dc0e282e2176f8c9355d24f1 - 08a7967936cfc0b2af6b27ec1f9272542648ad6c Release Process Note Fix is already on main. Publish this advisory after npm release 2026.2.21 ships. Thanks @NucleiAv for reporting.", + "affected": [ + "openclaw@<= 2026.2.19-2" + ], + "patched": [ + "openclaw@>=2026.2.21" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-21T18:16:09Z", + "updated": "2026-02-21T18:16:09Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-cjv3-m589-v3rx" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cjv3-m589-v3rx", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-79", + "CWE-1021" + ], + "credits": [ + "NucleiAv" + ], + "aliases": [ + "GHSA-cjv3-m589-v3rx" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-w9cg-v44m-4qv8", + "ghsa_id": "GHSA-w9cg-v44m-4qv8", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-15", + "title": "BASHENV / ENV startup-file injection into spawned shell commands", + "description": "Summary BASHENV / ENV startup-file injection could lead to unintended pre-command shell execution when attacker-controlled environment values were admitted and then inherited by host command execution paths. 
Affected Packages / Versions - Package: openclaw (npm) - Affected: <= 2026.2.19-2 - Fixed on main: 2cdbadee1f8fcaa93302d7debbfc529e19868ea4 - Planned patched release version: 2026.2.21 Details The fix hardens environment handling across all relevant execution paths: - Blocks dangerous startup/runtime env keys and prefixes in shared host env sanitization. - Sanitizes inherited ambient environment even when no per-request overrides are provided. - Blocks dangerous config-driven env injection before values enter process environment. - Uses the same sanitizer in macOS host execution paths. - Aligns skill env override sanitization with the shared dangerous-env policy. Impact Medium. Exploitation requires local/privileged influence over configuration or environment inputs; there is no standalone remote unauthenticated trigger from this issue alone. Fix Commit(s) - 2cdbadee1f8fcaa93302d7debbfc529e19868ea4 Release Process Note patchedversions is pre-set to the planned next release (2026.2.21). Once npm openclaw@2026.2.21 is published, the advisory can be published without further field edits. 
Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.19-2" + ], + "patched": [ + "openclaw@>=2026.2.21" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-21T18:16:03Z", + "updated": "2026-02-21T18:16:03Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-w9cg-v44m-4qv8" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w9cg-v44m-4qv8", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-15", + "CWE-78" + ], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-w9cg-v44m-4qv8" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-w7j5-j98m-w679", + "ghsa_id": "GHSA-w7j5-j98m-w679", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "high", + "type": "github_security_advisory", + "nvd_category_id": "CWE-250", + "title": "Multiple E2E/test Dockerfiles run all processes as root", + "description": "Three Dockerfiles in scripts/docker/ and scripts/e2e/ lack a USER directive, meaning all processes run as uid 0 (root). If any process is compromised, the attacker has root inside the container, making container breakout significantly easier. Partial fix (2026-02-08): Commit 28e1a65e added USER sandbox to Dockerfile.sandbox and Dockerfile.sandbox-browser. The E2E/test Dockerfiles listed below remain unpatched. Affected components: - scripts/e2e/Dockerfile - scripts/e2e/Dockerfile.qr-import - scripts/docker/install-sh-e2e/Dockerfile - scripts/docker/install-sh-nonroot/Dockerfile (runs as app but with NOPASSWD sudo — see related advisory) Technical Reproduction: 1. Open each Dockerfile listed above and search for a USER directive — none found. 2. 
Run any of these containers: docker run --rm -it = 2026.2.21" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-21T10:42:51Z", + "updated": "2026-02-21T10:42:51Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-w7j5-j98m-w679" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w7j5-j98m-w679", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-250" + ], + "credits": [ + "TerminalsandCoffee" + ], + "aliases": [ + "GHSA-w7j5-j98m-w679" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-82g8-464f-2mv7", + "ghsa_id": "GHSA-82g8-464f-2mv7", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-15", + "title": "Skill env override host env injection", + "description": "Summary applySkillConfigEnvOverrides previously copied skills.entries..env values into the host process.env without applying the host env safety policy. Impact In affected versions, dangerous process-level variables such as NODEOPTIONS could be injected when unset, which can influence runtime/child-process behavior. 
Required attacker capability An attacker must be able to modify OpenClaw local state/config (for example ~/.openclaw/openclaw.json) to set skills.entries.= 2026.2.21" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-21T10:42:37Z", + "updated": "2026-03-02T06:53:28Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-82g8-464f-2mv7" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-82g8-464f-2mv7", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-15", + "CWE-94", + "CWE-1341" + ], + "credits": [ + "nedlir" + ], + "aliases": [ + "GHSA-82g8-464f-2mv7" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-jjgj-cpp9-cvpv", + "ghsa_id": "GHSA-jjgj-cpp9-cvpv", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "path_traversal", + "nvd_category_id": "CWE-22", + "title": "Local File Exfiltration via MCP Tool Result MEDIA: Directive Injection", + "description": "Summary A malicious or compromised MCP (Model Context Protocol) tool server can exfiltrate arbitrary local files from the host system by injecting MEDIA: directives into tool result text content. OpenClaw's tool result processing pipeline extracts file paths from MEDIA: tokens without source-level validation, passes them through a localRoots allowlist check that includes os.tmpdir() by default (covering /tmp on Linux/macOS and %TEMP% on Windows), and then reads and delivers the file contents to external messaging channels such as Discord, Slack, Telegram, and WhatsApp. 
Affected Component OpenClaw (all versions up to and including latest as of 2026-02-19) Vulnerability Details Root Cause The vulnerability exists across multiple files in the media processing pipeline: 1. Unvalidated extraction (src/agents/pi-embedded-subscribe.tools.ts, lines 143-202): extractToolResultMediaPaths() parses MEDIA: tokens from MCP tool result text content blocks using a regex. It accepts any file path (absolute, relative, Windows drive, UNC, file:// URI) without validating the source is trusted or the path is within expected boundaries. 2. Overly broad default allowlist (src/media/local-roots.ts, lines 7-16): buildMediaLocalRoots() includes os.tmpdir() in the default allowed directory list. On Linux/macOS this is /tmp (world-readable, often containing application secrets, database dumps, SSH keys, session tokens), and on Windows it is %TEMP% (user's temp directory containing application caches, credentials, and temporary secrets). 3. Delivery to external channels (src/agents/pi-embedded-subscribe.handlers.tools.ts, lines 380-392): After extraction, media paths are delivered via ctx.params.onToolResult({ mediaUrls: mediaPaths }), which flows through the outbound delivery pipeline to send file contents as attachments to Discord, Slack, Telegram, and other configured messaging channels. Attack Flow Secondary Attack Vector: details.path Fallback When an MCP tool result contains type: \"image\" content blocks, extractToolResultMediaPaths() falls back to reading result.details.path (lines 192-199). A malicious tool can return: This bypasses the MEDIA: token parsing entirely and directly injects arbitrary file paths. Third Attack Vector: file:// URI Scheme The loadWebMediaInternal() function (line 228-233) converts file:// URIs to local paths via fileURLToPath(): This provides an alternative syntax for targeting files. 
Impact - File exfiltration: Any file within os.tmpdir() (or the OpenClaw state directory) can be read and sent to external messaging channels - Secret theft: Temporary files often contain API keys, database credentials, SSH keys, session tokens, and application secrets - Cross-application data theft: Other applications' temp files (browser caches, build artifacts, CI/CD secrets) are accessible - Silent exfiltration: The file content is sent as a media attachment to messaging channels the attacker can monitor, with no user-visible indication - Automated exploitation: If auto-reply is enabled, the malicious tool can be triggered without user interaction Reproduction Steps Prerequisites - Node.js 18+ installed - No OpenClaw installation required (PoC is self-contained) Steps 1. Save the PoC script below as poc-media-exfil.js 2. Run: node poc-media-exfil.js 3. Observe: All 21 assertions pass, confirming the vulnerability PoC Script Expected Output Affected Code Locations | File | Lines | Function | Role | |------|-------|----------|------| | src/media/parse.ts | 7 | MEDIATOKENRE | Regex that matches MEDIA: directives in text | | src/agents/pi-embedded-subscribe.tools.ts | 143-202 | extractToolResultMediaPaths() | Extracts file paths from MCP tool results without source validation | | src/agents/pi-embedded-subscribe.handlers.tools.ts | 380-392 | handleToolExecutionEnd() | Delivers extracted media paths to messaging channels | | src/media/local-roots.ts | 7-16 | buildMediaLocalRoots() | Includes os.tmpdir() in default allowed roots | | src/web/media.ts | 60-117 | assertLocalMediaAllowed() | Validates paths against overly broad localRoots | | src/web/media.ts | 212-381 | loadWebMediaInternal() | Reads validated files into memory for delivery | Suggested Remediation 1. Validate MEDIA: source trust: Only accept MEDIA: directives from OpenClaw's own internal tools (TTS, image generation). Reject or flag MEDIA: directives from external MCP tool results. 2. 
Remove os.tmpdir() from default localRoots: The temp directory is too broad. Replace with a narrow OpenClaw-specific subdirectory (e.g., path.join(os.tmpdir(), \"openclaw-media\")). 3. Add source tagging to tool results: Tag each tool result with its source (internal vs. MCP external) and enforce different media access policies for each. 4. Require explicit opt-in for file media delivery: When a tool result contains MEDIA: directives referencing local files, require user confirmation before reading and sending the file. Differentiation from Existing Advisories This vulnerability is distinct from all existing OpenClaw security advisories. Below is an explicit comparison against every advisory or commit that could appear superficially related: Not a duplicate of path traversal advisories (apply-patch, workspace escape, etc.) The existing path traversal advisories (e.g., those targeting apply-patch tool workspace containment via assertSandboxPath(), or resolveFileWithinRoot() in the canvas host file resolver) are about preventing filesystem access outside a sandbox boundary. This vulnerability is fundamentally different: - Different attack surface: The attack enters through MCP tool result text content (extractToolResultMediaPaths() in pi-embedded-subscribe.tools.ts), not through tool arguments, HTTP paths, or patch file contents. - Different code path: The vulnerable pipeline is extractToolResultMediaPaths() → handleToolExecutionEnd() → onToolResult() → loadWebMedia() → assertLocalMediaAllowed(). None of these functions are involved in the existing path traversal fixes. - The validation passes by design: This is not a bypass of assertLocalMediaAllowed(). The function works correctly. The problem is that os.tmpdir() is included in the default localRoots allowlist (src/media/local-roots.ts:10), making the entire system temp directory readable by any MCP tool that returns a MEDIA: directive. 
Not a duplicate of SSRF advisories The existing SSRF advisories cover fetchWithSsrFGuard() and resolvePinnedHostnameWithPolicy() in src/infra/net/. This vulnerability does not involve any HTTP fetching or DNS resolution. Instead, it reads local files from disk and delivers them outbound to messaging channels. The MEDIA: path is a local filesystem path, not a URL. Not a duplicate of canvas host file disclosure The canvas host file disclosure advisory covers the HTTP serving side (resolveFileWithinRoot() in src/canvas-host/file-resolver.ts), where path traversal in the URL could escape the canvas root directory. This vulnerability is about outbound file exfiltration through the agent messaging pipeline, not about the canvas host HTTP server. Not a duplicate of inbound attachment root policy (1316e57) Commit 1316e57 (\"enforce inbound attachment root policy across pipelines\") added src/media/inbound-path-policy.ts to restrict inbound media paths from messaging channels (e.g., iMessage attachment roots). This vulnerability is about outbound media delivery, where files are read from disk and sent to external channels via MEDIA: directives in MCP tool results. Different direction, different code, different policy layer. Not a duplicate of any webhook/messaging auth bypass The webhook auth bypass and messaging platform allowlist bypass advisories cover authentication between OpenClaw and external services. This vulnerability assumes the MCP tool is already configured and trusted. The issue is that tool results can inject MEDIA: directives that cause unintended local file reads and exfiltration. Verification: zero prior fixes for this code path A git log search for commits touching localRoots, local-roots, tmpdir, or extractToolResultMediaPaths returns zero results, confirming this vulnerability has never been reported or addressed. 
References - OpenClaw MCP tool integration documentation - OWASP Path Traversal - CWE-22: Improper Limitation of a Pathname to a Restricted Directory - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor Credit Anmol Vats (@NucleiAv)", + "affected": [ + "openclaw@<= 2026.2.19-2" + ], + "patched": [ + "openclaw@>= 2026.2.21" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-21T10:42:36Z", + "updated": "2026-02-21T10:42:36Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-jjgj-cpp9-cvpv" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jjgj-cpp9-cvpv", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-22", + "CWE-200" + ], + "credits": [ + "NucleiAv" + ], + "aliases": [ + "GHSA-jjgj-cpp9-cvpv" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-3x3x-h76w-hp98", + "ghsa_id": "GHSA-3x3x-h76w-hp98", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-184", + "title": "OpenClaw exec allowlist safeBins short-option bypass could permit arbitrary file write", + "description": "Summary OpenClaw exec allowlist/safeBins policy could be bypassed with attached short-option payloads (for example sort -o/tmp/poc), enabling file-write operations while still satisfying safeBins checks. 
Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.17 - Latest published vulnerable version: 2026.2.17 - Patched in: 2026.2.19 Impact When tools.exec.security=allowlist and tools.exec.safeBins included affected binaries, attached short-option payloads could bypass safeBins argument validation and permit file-write behavior that should have been denied. Fix Commit(s) - cfe8457a0f4aae5324daec261d3b0aad1461a4bc - bafdbb6f112409a65decd3d4e7350fbd637c7754 - fec48a5006eab37c6a5821726ccaeec886486b13 Thanks @FailButWin and @Redgrave961 for reporting.", + "affected": [ + "openclaw@<=2026.2.17" + ], + "patched": [ + "openclaw@>= 2026.2.19" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-21T10:34:16Z", + "updated": "2026-02-21T10:39:23Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-3x3x-h76w-hp98" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3x3x-h76w-hp98", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-184" + ], + "credits": [ + "FailButWin", + "Redgrave961" + ], + "aliases": [ + "GHSA-3x3x-h76w-hp98" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-2hm8-rqrm-xfjq", + "ghsa_id": "GHSA-2hm8-rqrm-xfjq", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "low", + "type": "github_security_advisory", + "nvd_category_id": "CWE-269", + "title": "Owner-only gateway tool access checks were incomplete in specific authenticated DM flows", + "description": "Summary In authenticated non-owner DM sessions, a narrow tool-invocation path could reach broader-than-intended owner-only gateway actions. 
Impact This requires an authenticated non-owner sender in a DM session and a specific tool invocation path. No unauthenticated access is involved, and this does not provide direct code execution by itself. Root Cause - Some gateway call paths were still using broader default scopes instead of method-level least-privilege scopes. - Owner-only enforcement depended on tool-name checks and was not consistently metadata-driven across all call paths. Affected Packages / Versions - Package: openclaw (npm) - Affected: <= 2026.2.17 (latest published npm version as of February 19, 2026) - Patched: 2026.2.19 Remediation - Refactored gateway method scope mapping to a data-driven table and added guard tests to ensure all exposed core gateway methods stay classified. - Centralized owner-only enforcement in tool policy wrappers and tool metadata. - Marked owner-only tools explicitly (cron, gateway, whatsapplogin) and removed duplicated per-tool owner checks. - Refactored gateway call path internals into smaller helpers while preserving behavior and coverage. 
Fix Commit(s) - a40c10d3e24568b1e2947c104484be74bf66b8d2 - 2777d8ad91ef1e8a7c6f5b4b18f8507be7d02914 - 3d7ad1cfca4daaa84cd553e843e0e08fa6201349 Thanks @Adam55A-code for reporting.", + "affected": [ + "openclaw@<= 2026.2.17" + ], + "patched": [ + "openclaw@>= 2026.2.19" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-21T10:34:15Z", + "updated": "2026-02-21T10:40:02Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-2hm8-rqrm-xfjq" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2hm8-rqrm-xfjq", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-269", + "CWE-863" + ], + "credits": [ + "Adam55A-code" + ], + "aliases": [ + "GHSA-2hm8-rqrm-xfjq" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-ff98-w8hj-qrxf", + "ghsa_id": "GHSA-ff98-w8hj-qrxf", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "low", + "type": "os_command_injection", + "nvd_category_id": "CWE-78", + "title": "Plugin runtime command execution is part of trusted plugin boundary", + "description": "Summary OpenClaw plugins/extensions run in-process and are treated as trusted code. This advisory tracks trust-boundary clarification around plugin runtime command execution (runtime.system.runCommandWithTimeout). Impact Plugins already execute with the same OS privileges as the OpenClaw process. Exposing runtime command helpers does not cross an additional sandbox boundary. 
Affected Packages / Versions - Package: openclaw (npm) - Latest published version reviewed: 2026.2.17 - Affected range for this advisory record: <= 2026.2.17 - Planned patched version metadata: 2026.2.19 (next release line) Fix Commit(s) - 2e421f32dfc589c02706265fd3c3137ffc06c4b1 Remediation - Install only trusted plugins. - Use plugins.allow to pin explicit trusted plugin IDs. - SECURITY.md now explicitly documents that plugin runtime helpers are convenience APIs, not a sandbox boundary. Thanks @markmusson for reporting.", + "affected": [ + "openclaw@<= 2026.2.17" + ], + "patched": [ + "openclaw@>= 2026.2.19" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-21T10:34:13Z", + "updated": "2026-02-21T10:39:21Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-ff98-w8hj-qrxf" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-ff98-w8hj-qrxf", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-78" + ], + "credits": [ + "markmusson" + ], + "aliases": [ + "GHSA-ff98-w8hj-qrxf" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-vj3g-5px3-gr46", + "ghsa_id": "GHSA-vj3g-5px3-gr46", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "path_traversal", + "nvd_category_id": "CWE-22", + "title": "Path traversal in Feishu media temp-file naming allows writes outside os.tmpdir()", + "description": "Summary OpenClaw’s Feishu media download flow used untrusted Feishu media keys (imageKey / fileKey) when building temporary file paths in extensions/feishu/src/media.ts. 
Because those keys were interpolated directly into temp-file paths, traversal segments could escape the temp directory and redirect writes outside os.tmpdir(). Impact This is an arbitrary file write issue (within the OpenClaw process file permissions). If an attacker can control Feishu media key values returned to the client (for example via compromised upstream response path), they can influence where downloaded bytes are written. Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version at triage: 2026.2.17 - Affected versions: <= 2026.2.17 - Fixed version: 2026.2.19 Fix Commit(s) - c821099157a9767d4df208c6b12f214946507871 - cdb00fe2428000e7a08f9b7848784a0049176705 - ec232a9e2dff60f0e3d7e827a7c868db5254473f Remediation The fix removes key-derived temp-file naming and keeps downloads in safe temp locations. Additional hardening isolates SDK writeFile calls in per-download temp directories (mkdtemp) with deterministic cleanup, enforces Feishu key trust-boundary validation, and adds a repository guard test against dynamic path.join(os.tmpdir(), \\...${...}\\) patterns in runtime code. 
Thanks @allsmog for reporting.", + "affected": [ + "openclaw@<= 2026.2.17" + ], + "patched": [ + "openclaw@>= 2026.2.19" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-21T10:34:11Z", + "updated": "2026-02-21T10:39:20Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-vj3g-5px3-gr46" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vj3g-5px3-gr46", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-22" + ], + "credits": [ + "allsmog" + ], + "aliases": [ + "GHSA-vj3g-5px3-gr46" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-2mc2-g238-722j", + "ghsa_id": "GHSA-2mc2-g238-722j", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "os_command_injection", + "nvd_category_id": "CWE-78", + "title": "iMessage remote attachment SCP hardening (strict host-key checks and remoteHost validation)", + "description": "Summary Remote iMessage attachment fetches used SCP with trust-on-first-use host-key behavior and accepted unvalidated remote host tokens. Before the fix: - SCP used StrictHostKeyChecking=accept-new in the remote attachment path. - channels.imessage.remoteHost was not validated as a strict SSH host token. Impact In remote iMessage deployments that use SCP attachment fetching, a first-connection MITM/DNS-poisoning scenario could cause the wrong host key to be trusted. Unsafe remote host token values could also alter SCP argument semantics. 
Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version currently affected: 2026.2.17 - Vulnerable range (structured field): <= 2026.2.17 - Patched version (pre-set for next release): = 2026.2.19 Fix The fix hardens remote attachment SSH/SCP handling by: - requiring StrictHostKeyChecking=yes for SCP and SSH tunnel paths, - adding strict remoteHost normalization/validation, - adding -- argument barrier for SCP remote source parsing, - validating channels.imessage.remoteHost in config schema, - rejecting unsafe auto-detected host tokens at runtime. Fix Commit(s) - Pushed to main: 49d0def6d1e88f002026b1d2a35aa615d48a751a Thanks @allsmog for reporting.", + "affected": [ + "openclaw@<= 2026.2.17" + ], + "patched": [ + "openclaw@>= 2026.2.19" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-21T10:34:10Z", + "updated": "2026-02-21T10:39:20Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-2mc2-g238-722j" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2mc2-g238-722j", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-78", + "CWE-295" + ], + "credits": [ + "allsmog" + ], + "aliases": [ + "GHSA-2mc2-g238-722j" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-8cp7-rp8r-mg77", + "ghsa_id": "GHSA-8cp7-rp8r-mg77", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "server_side_request_forgery", + "nvd_category_id": "CWE-918", + "title": "SSRF guard bypass via IPv6 transition over ISATAP", + "description": "Summary OpenClaw's SSRF hostname/IP guard did not detect ISATAP embedded IPv4 addresses (...:5efe:w.x.y.z). 
A crafted URL containing an ISATAP IPv6 literal could embed a private IPv4 target (for example loopback) and bypass private-address filtering in URL-fetching paths. Severity Assessment Rated medium: the bug weakens SSRF protections in URL fetch flows, but impact depends on reaching a URL-fetching path with attacker-controlled input and is generally constrained to internal network access attempts. Affected Packages / Versions - Package: openclaw (npm) - Affected: =2026.1.20 <=2026.2.17 - Latest published at patch time: 2026.2.17 - Patched release: 2026.2.19 Security Policy Context Per SECURITY.md, OpenClaw's web/gateway surface is intended for local use by default, public internet exposure is out-of-scope, and prompt-injection reports are out-of-scope for bounty handling. This advisory tracks a core SSRF-guard bypass in fetch protections. Impact This can permit SSRF-style access attempts to internal/private network targets through URL ingestion/fetch paths that rely on shared hostname/IP blocking. Fix - Added RFC 5214 ISATAP embedded-IPv4 detection to the shared SSRF classifier. - Centralized hostname/IP blocking through isBlockedHostnameOrIp and routed relevant validators to that shared path. - Added regression tests for ISATAP private vs public embedded IPv4 handling. 
Fix Commit(s) - d51929ecb52fe65e90bf36795f4247feb29eb8aa Thanks @zpbrent for reporting.", + "affected": [ + "openclaw@>=2026.1.20 <=2026.2.17" + ], + "patched": [ + "openclaw@>= 2026.2.19" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-21T10:34:08Z", + "updated": "2026-02-21T10:39:19Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-8cp7-rp8r-mg77" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8cp7-rp8r-mg77", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-918" + ], + "credits": [ + "zpbrent" + ], + "aliases": [ + "GHSA-8cp7-rp8r-mg77" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-pfv7-rr5m-qmv6", + "ghsa_id": "GHSA-pfv7-rr5m-qmv6", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": null, + "title": "Auth inconsistency on local Browser Extension Relay /extension endpoint", + "description": "Summary When the optional Chrome extension relay is enabled, /extension accepted unauthenticated WebSocket upgrades while /json/ and /cdp required auth. Affected Packages / Versions - Package: openclaw (npm) - Affected: <= 2026.2.17 - Latest published npm version at triage time: 2026.2.17 Impact This is a local-only issue on loopback (127.0.0.1) and only applies when the extension relay feature is in use. A local process on the same machine could connect to /extension without the token and interfere with extension-relay behavior. No remote network exploit path is involved. Fix - Require gateway-token auth on both /extension and /cdp relay WebSocket endpoints. - Keep loopback/origin checks as defense-in-depth, not as authentication. 
- Use one token path in setup: gateway.auth.token / OPENCLAWGATEWAYTOKEN. Fix Commit(s) - 7e54b6c96feb1a5c30884f2b32037b8dadd0e532 Thanks @tdjackey for reporting.", + "affected": [ + "openclaw@<= 2026.2.17" + ], + "patched": [ + "openclaw@>= 2026.2.19" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-21T10:34:07Z", + "updated": "2026-02-21T10:39:18Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-pfv7-rr5m-qmv6" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-pfv7-rr5m-qmv6", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [], + "credits": [ + "tdjackey" + ], + "aliases": [ + "GHSA-pfv7-rr5m-qmv6" + ], + "source_feed": "ghsa-without-cve" + }, { "id": "CVE-2026-27576", "severity": "medium", @@ -15945,7 +19044,7 @@ "https://github.com/openclaw/openclaw/commit/8ae2d5110f6ceadef73822aa3db194fb60d2ba68", "https://github.com/openclaw/openclaw/commit/ebcf19746f5c500a41817e03abecadea8655654a" ], - "cvss_score": 4.0, + "cvss_score": 4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27576", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (4.0); requires local access; RCE is critical in agent deployments", 
@@ -16896,6 +19995,50 @@ "exploit_sources": [] } }, + { + "id": "GHSA-6c9j-x93c-rw6j", + "ghsa_id": "GHSA-6c9j-x93c-rw6j", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": "CWE-203", + "title": "OpenClaw safeBins file-existence oracle information disclosure", + "description": "An information disclosure vulnerability in OpenClaw's tools.exec.safeBins approval flow allowed a file-existence oracle. When safe-bin validation examined candidate file paths, command allow/deny behavior could differ based on whether a path already existed on the host filesystem. An attacker could probe for file presence by comparing outcomes for existing vs non-existing filenames. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.17 - Latest published vulnerable version at triage time: 2026.2.17 - Planned patched version: 2026.2.18 Impact Attackers with access to this execution surface could infer whether specific files exist (for example secrets/config files), enabling filesystem enumeration and improving follow-on attack planning. Fix The safe-bin policy was changed to deterministic argv-only validation without host file-existence checks. File-oriented flags are blocked for safe-bin mode (for example sort -o, jq -f, grep -f), and trusted-path checks remain enforced. 
Fix Commit(s) - bafdbb6f112409a65decd3d4e7350fbd637c7754 Found using MCPwner Thanks @nedlir for reporting.", + "affected": [ + "openclaw@<=2026.2.17" + ], + "patched": [ + "openclaw@>= 2026.2.18" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-19T16:03:56Z", + "updated": "2026-02-26T07:11:44Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-6c9j-x93c-rw6j" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6c9j-x93c-rw6j", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-203" + ], + "credits": [ + "nedlir" + ], + "aliases": [ + "GHSA-6c9j-x93c-rw6j" + ], + "source_feed": "ghsa-without-cve" + }, { "id": "CVE-2026-25474", "severity": "high", 
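Review bot: The version ranges in the new GHSA-6c9j-x93c-rw6j entry are written two ways: `"openclaw@<=2026.2.17"` under `affected` has no space after the operator, while `"openclaw@>= 2026.2.18"` under `patched` has one. A consumer that matches installed versions against these strings with a strict pattern could parse one form and miss the other, so an affected install might go unflagged. I would settle on one form wherever the feed is produced, for example `"openclaw@<= 2026.2.17"`, and enforce it with a schema `pattern` on `affected` and `patched`. The same mix appears in the GHSA-3x3x-h76w-hp98 and GHSA-mmpf-jwf4-h3qv entries in the neighbouring hunks, and GHSA-h9g4-589h-68xv uses a bare `"openclaw@2026.2.14"` for `patched` with no operator at all.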
@@ -16968,6 +20111,450 @@ "exploit_sources": [] } }, + { + "id": "GHSA-mmpf-jwf4-h3qv", + "ghsa_id": "GHSA-mmpf-jwf4-h3qv", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "low", + "type": "github_security_advisory", + "nvd_category_id": "CWE-77", + "title": "Option injection in pre-commit hook can stage ignored files", + "description": "Summary A maliciously-named file (for example, --force) can trigger option injection in the repository's git-hooks/pre-commit hook when a contributor uses the built-in git hook setup (git config core.hooksPath git-hooks). This can cause unintended staging of ignored files. Details The hook collected staged filenames and piped them through xargs into git add without a -- separator. Filenames beginning with - could be interpreted as flags. This issue only affects contributors who: - use the repo's git-hooks/ hook mechanism (not the pre-commit framework), and - run commits in a working directory that contains sensitive ignored files. Impact Under specific circumstances, ignored files (for example .env) can be added to git history. Affected Packages / Versions - Repository versions: <= 2026.2.14 - Fixed in: 2026.2.15 Note: the npm package does not ship git-hooks/; the impact is on contributors working from the repository checkout/source release. Fix The hook now: - uses NUL-delimited file lists (git diff ... -z) to safely handle whitespace, and - passes paths to git add after -- to prevent option injection. 
Fix Commit(s) - b88f37762f5b6d7ec0f589eb761815e466e4ef4b - ba84b1253967143692166023f9e174c149b6f2ed Thanks @mrthankyou for reporting.", + "affected": [ + "openclaw@<=2026.2.14" + ], + "patched": [ + "openclaw@>=2026.2.15" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-18T03:39:01Z", + "updated": "2026-02-21T10:37:07Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-mmpf-jwf4-h3qv" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mmpf-jwf4-h3qv", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-77" + ], + "credits": [ + "mrthankyou" + ], + "aliases": [ + "GHSA-mmpf-jwf4-h3qv" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-h9g4-589h-68xv", + "ghsa_id": "GHSA-h9g4-589h-68xv", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "high", + "type": "missing_authentication_for_critical_function", + "nvd_category_id": "CWE-306", + "title": "Authentication bypass in sandbox browser bridge server", + "description": "Summary openclaw could start the sandbox browser bridge server without authentication. When the sandboxed browser is enabled, openclaw runs a local (loopback) HTTP bridge that exposes browser control endpoints (for example /profiles, /tabs, /tabs/open, /agent/). Due to missing auth wiring in the sandbox initialization path, that bridge server accepted requests without requiring gateway auth. 
CVSS - CVSS v3.1: 7.1 - Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Impact A local attacker (any process on the same machine) could access the bridge server port and: - enumerate open tabs and retrieve CDP WebSocket URLs - open/close/navigate tabs - execute JavaScript in page contexts via CDP - exfiltrate cookies/session data and page contents from authenticated sessions This is a localhost-only exposure (CVSS AV:L), but provides full browser-session compromise for sandboxed browser usage. Affected Versions - Introduced in: 2026.1.29-beta.1 (first npm release that shipped the sandbox browser bridge) - Affected range: =2026.1.29-beta.1 <2026.2.14 Patched Versions - 2026.2.14 Mitigation - Upgrade to 2026.2.14 (recommended). - Or disable the sandboxed browser (agents.defaults.sandbox.browser.enabled=false). Fix Details - The sandbox browser bridge server now always requires auth and enforces the same gateway browser control auth (token/password) that loopback browser clients already use. - Additional hardening: bridge server refuses non-loopback binds; local helper servers are bound to loopback. - Added regression tests (including unit coverage for per-port bridge auth fallback). 
Fix commits: - openclaw/openclaw@4711a943e30bc58016247152ba06472dab09d0b0 - openclaw/openclaw@6dd6bce997c48752134f2d6ed89b27de01ced7e3 - openclaw/openclaw@cd84885a4ac78eadb7bf321aae98db9519426d67 Credits Thanks to Adnan Jakati (@jackhax) of Praetorian for reporting this issue.", + "affected": [ + "openclaw@>=2026.1.29-beta.1 <2026.2.14" + ], + "patched": [ + "openclaw@2026.2.14" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-16T01:37:15Z", + "updated": "2026-02-16T01:45:52Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-h9g4-589h-68xv" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h9g4-589h-68xv", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-306" + ], + "credits": [ + "jackhax" + ], + "aliases": [ + "GHSA-h9g4-589h-68xv" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-chm2-m3w2-wcxm", + "ghsa_id": "GHSA-chm2-m3w2-wcxm", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "low", + "type": "github_security_advisory", + "nvd_category_id": "CWE-290", + "title": "Google Chat spoofing access with allowlist authorized mutable email principal despite sender-ID mismatch", + "description": "Summary Google Chat allowlisting supports matching by sender email in addition to immutable sender resource name (users/=2026.2.14" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-16T00:31:29Z", + "updated": "2026-02-21T10:40:48Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-chm2-m3w2-wcxm" + ], + "source": "GitHub Security Advisory", + "repository": 
"openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-chm2-m3w2-wcxm", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [ + "CWE-290", + "CWE-863" + ], + "credits": [ + "vincentkoc" + ], + "aliases": [ + "GHSA-chm2-m3w2-wcxm" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-w5c7-9qqw-6645", + "ghsa_id": "GHSA-w5c7-9qqw-6645", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "medium", + "type": "github_security_advisory", + "nvd_category_id": null, + "title": "Inter-session prompts could be treated as direct user instructions", + "description": "Summary Inter-session messages sent via sessionssend could be interpreted as direct end-user instructions because they were persisted as role: \"user\" without provenance metadata. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.12 (i.e. < 2026.2.13) - Fixed in: 2026.2.13 (patched versions = 2026.2.13) Impact A delegated or internal session could inject instructions into another session that appeared equivalent to externally-originated user input. This is an instruction-provenance confusion issue (confused-deputy style), which can lead to unintended privileged behavior in workflows that trust role: \"user\" as a sole authority signal. Technical details Before the fix, routed inter-session prompts were stored as regular user turns without a verifiable source marker. As a result, downstream workers and transcript readers could not distinguish: - External user input - Internal inter-session routed input Fix OpenClaw now carries explicit input provenance end-to-end for routed prompts. Key changes: - Added structured provenance model (inputProvenance) with kind values including intersession. - sessionssend and agent-to-agent steps now set inter-session provenance when invoking target runs. 
- Provenance is persisted on user messages as message.provenance.kind = \"intersession\" (role remains user for provider compatibility). - Transcript readers and memory helpers were updated to respect provenance and avoid treating inter-session prompts as external user-originated input. - Runtime context rebuilding now annotates inter-session turns with an explicit in-memory marker ([Inter-session message]) for clearer model-side disambiguation. - Regression tests were added for transcript parsing, session tools flow, runner sanitization, and memory hook behavior. Fix Commit(s) - 85409e401b6586f83954cb53552395d7aab04797 Workarounds If immediate upgrade is not possible: - Disable or restrict sessionssend in affected environments. - Do not use role alone as an authority boundary; require provenance-aware checks in orchestration logic. Credit Reported by @anbecker. Thanks @anbecker for reporting.", + "affected": [ + "openclaw@<2026.2.13" + ], + "patched": [ + "openclaw@>=2026.2.13" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-15T23:31:43Z", + "updated": "2026-02-21T10:37:10Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-w5c7-9qqw-6645" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w5c7-9qqw-6645", + "nvd_url": null, + "cvss_score": null, + "cvss_vector": null, + "cwe_ids": [], + "credits": [ + "anbecker" + ], + "aliases": [ + "GHSA-w5c7-9qqw-6645" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-fhvm-j76f-qmjv", + "ghsa_id": "GHSA-fhvm-j76f-qmjv", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "high", + "type": "github_security_advisory", + "nvd_category_id": "CWE-285", + "title": "Potential access-group authorization 
bypass if channel type lookup fails",
+ "description": "Summary When Telegram webhook mode is enabled without a configured webhook secret, OpenClaw may accept unauthenticated HTTP POST requests at the Telegram webhook endpoint and trust attacker-controlled update JSON. This can allow forged Telegram updates that spoof message.from.id / chat.id, potentially bypassing sender allowlists and executing privileged bot commands. Affected Packages / Versions - Package: openclaw (npm) - Affected: <= 2026.1.30 - Patched: = 2026.2.1 Impact An attacker who can reach the webhook endpoint can forge Telegram updates and impersonate allowlisted/paired senders by spoofing fields in the webhook payload (for example message.from.id). Impact depends on enabled commands/tools and the deployment’s network exposure. Mitigations / Workarounds - Configure a strong channels.telegram.webhookSecret and ensure your reverse proxy forwards the X-Telegram-Bot-Api-Secret-Token header unchanged. Fix Commit(s) - ca92597e1f9593236ad86810b66633144b69314d (config validation: webhookUrl requires webhookSecret) Defense-in-depth / supporting fixes: - 5643a934799dc523ec2ef18c007e1aa2c386b670 (default webhook listener bind host to loopback) - 3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930 (bound webhook request body size/time) - 633fe8b9c17f02fcc68ecdb5ec212a5ace932f09 (runtime guard: reject webhook startup when secret is missing/empty) Thanks @yueyueL for reporting.",
+ "affected": [
+ "openclaw@<=2026.2.1"
+ ],
+ "patched": [
+ "openclaw@>=2026.2.2"
+ ],
+ "platforms": [
+ "openclaw"
+ ],
+ "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
+ "published": "2026-02-14T21:15:31Z",
+ "updated": "2026-02-21T10:37:22Z",
+ "references": [
+ "https://github.com/openclaw/openclaw/security/advisories/GHSA-fhvm-j76f-qmjv"
+ ],
+ "source": "GitHub Security Advisory",
+ "repository": "openclaw/openclaw",
+ "github_advisory_url":
"https://github.com/openclaw/openclaw/security/advisories/GHSA-fhvm-j76f-qmjv",
+ "nvd_url": null,
+ "cvss_score": null,
+ "cvss_vector": null,
+ "cwe_ids": [
+ "CWE-285"
+ ],
+ "credits": [
+ "simecek",
+ "stanislavfortaisle"
+ ],
+ "aliases": [
+ "GHSA-fhvm-j76f-qmjv"
+ ],
+ "source_feed": "ghsa-without-cve"
+ },
+ {
+ "id": "GHSA-g27f-9qjv-22pm",
+ "ghsa_id": "GHSA-g27f-9qjv-22pm",
+ "cve_id": null,
+ "status": "stale",
+ "stale": true,
+ "stale_after_days": 60,
+ "severity": "low",
+ "type": "github_security_advisory",
+ "nvd_category_id": "CWE-117",
+ "title": "OpenClaw log poisoning (indirect prompt injection) via WebSocket headers",
+ "description": "Summary In openclaw versions prior to 2026.2.13, OpenClaw logged certain WebSocket request headers (including Origin and User-Agent) without neutralization or length limits on the \"closed before connect\" path. If an unauthenticated client can reach the gateway and send crafted header values, those values may be written into core logs. Under workflows where logs are later read or interpreted by an LLM (for example via AI-assisted debugging), this can increase the risk of indirect prompt injection (log poisoning). Affected Packages / Versions - Package: openclaw (npm) - Affected: <= 2026.2.12 - Fixed: = 2026.2.13 Details - Component: src/gateway/server/ws-connection.ts - Trigger: WebSocket connection closes before completing the connect/handshake; header values are included in the log message and structured context. Impact This issue is primarily an indirect prompt injection risk and depends on downstream log consumption behavior. If you do not feed logs into an LLM or other automation, impact is limited. Fix Header values written to gateway logs are now sanitized and truncated (including removal of control/format characters and length limiting). - Fix commits: d637a263505448bf4505b85535babbfaacedbaac, e84318e4bcdc948d92e57fda1eb763a65e1774f0 (PR #15592) Workarounds - Upgrade to openclaw@2026.2.13 or later.
- Treat logs as untrusted input when using AI-assisted debugging (sanitize/escape, and do not auto-execute instructions derived from logs). - Restrict gateway network exposure; apply reverse-proxy limits on header size where applicable. Thanks @pkerkhofs for reporting.",
+ "affected": [
+ "openclaw@<= 2026.2.12"
+ ],
+ "patched": [
+ "openclaw@2026.2.13"
+ ],
+ "platforms": [
+ "openclaw"
+ ],
+ "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
+ "published": "2026-02-14T20:19:44Z",
+ "updated": "2026-02-14T20:19:44Z",
+ "references": [
+ "https://github.com/openclaw/openclaw/security/advisories/GHSA-g27f-9qjv-22pm"
+ ],
+ "source": "GitHub Security Advisory",
+ "repository": "openclaw/openclaw",
+ "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g27f-9qjv-22pm",
+ "nvd_url": null,
+ "cvss_score": 3.1,
+ "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
+ "cwe_ids": [
+ "CWE-117"
+ ],
+ "credits": [
+ "pkerkhofs"
+ ],
+ "aliases": [
+ "GHSA-g27f-9qjv-22pm"
+ ],
+ "source_feed": "ghsa-without-cve"
+ },
+ {
+ "id": "GHSA-56f2-hvwg-5743",
+ "ghsa_id": "GHSA-56f2-hvwg-5743",
+ "cve_id": null,
+ "status": "stale",
+ "stale": true,
+ "stale_after_days": 60,
+ "severity": "high",
+ "type": "server_side_request_forgery",
+ "nvd_category_id": "CWE-918",
+ "title": "SSRF in Image Tool Remote Fetch",
+ "description": "Summary A server-side request forgery (SSRF) vulnerability in the Image tool allowed attackers to force OpenClaw to make HTTP requests to arbitrary internal or restricted network targets. Affected Versions - npm: openclaw <= 2026.2.1 Patched Versions - npm: openclaw 2026.2.2 and later Fix Commits - 81c68f582d4a9a20d9cca9f367d2da9edc5a65ae (guard remote media fetches with SSRF checks) - 9bd64c8a1f91dda602afc1d5246a2ff2be164647 (expand SSRF guard coverage) Details The Image tool accepts file paths, file:// URLs, data: URLs, and http(s) URLs.
In vulnerable versions, http(s) URLs were fetched without SSRF protections, enabling requests to localhost, RFC1918, link-local, and cloud metadata targets. This was fixed by routing remote media fetching through the SSRF guard (private/internal IP + hostname blocking, redirect hardening, DNS pinning). Exploitability Notes - Requires attacker-controlled invocation of the Image tool (direct tool access, or a gateway/channel surface that forwards untrusted image arguments into tool calls). - The image tool expects the fetched content to be an image. Many high-value SSRF targets return text/JSON (for example cloud metadata endpoints), which will typically fail media-type validation. In practice, the most direct confidentiality impact comes from internal endpoints that actually return images (screenshots/renderers, camera snapshots, chart exports, etc.). - Remote fetches are GET-only with no custom headers. Some metadata services require special headers or session tokens (for example GCP Metadata-Flavor, AWS IMDSv2 token), which can further reduce the likelihood of direct credential theft in some environments. - Despite the above constraints, SSRF remains a powerful primitive: it can enable internal network probing and access to unauthenticated/internal HTTP endpoints, and can chain with other weaknesses if present. Related - Duplicate / broader writeup: GHSA-9vf6-3vcv-rpj2 (closed). 
Thanks @p80n-sec for reporting.",
+ "affected": [
+ "openclaw@<=2026.2.1"
+ ],
+ "patched": [
+ "openclaw@2026.2.2"
+ ],
+ "platforms": [
+ "openclaw"
+ ],
+ "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
+ "published": "2026-02-14T17:21:19Z",
+ "updated": "2026-02-14T17:21:19Z",
+ "references": [
+ "https://github.com/openclaw/openclaw/security/advisories/GHSA-56f2-hvwg-5743"
+ ],
+ "source": "GitHub Security Advisory",
+ "repository": "openclaw/openclaw",
+ "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-56f2-hvwg-5743",
+ "nvd_url": null,
+ "cvss_score": 7.6,
+ "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
+ "cwe_ids": [
+ "CWE-918"
+ ],
+ "credits": [
+ "p80n-sec"
+ ],
+ "aliases": [
+ "GHSA-56f2-hvwg-5743"
+ ],
+ "source_feed": "ghsa-without-cve"
+ },
+ {
+ "id": "GHSA-hv93-r4j3-q65f",
+ "ghsa_id": "GHSA-hv93-r4j3-q65f",
+ "cve_id": null,
+ "status": "stale",
+ "stale": true,
+ "stale_after_days": 60,
+ "severity": "high",
+ "type": "github_security_advisory",
+ "nvd_category_id": "CWE-330",
+ "title": "Hook Session Key Override Enables Targeted Cross-Session Routing",
+ "description": "Summary The issue is not deterministic session keys by itself. The exploitable path was accepting externally supplied sessionKey values on authenticated hook ingress, allowing a hook token holder to route messages into chosen sessions. Affected Behavior - POST /hooks/agent accepted payload sessionKey and used it directly for session routing.
- Common session-key shapes (for example agent:main:dm:= 2.0.0-beta3, < 2026.2.12" + ], + "patched": [ + "openclaw@>= 2026.2.12" + ], + "platforms": [ + "openclaw" + ], + "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "published": "2026-02-14T13:36:56Z", + "updated": "2026-02-21T14:11:04Z", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-hv93-r4j3-q65f" + ], + "source": "GitHub Security Advisory", + "repository": "openclaw/openclaw", + "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hv93-r4j3-q65f", + "nvd_url": null, + "cvss_score": 7.1, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", + "cwe_ids": [ + "CWE-330", + "CWE-639" + ], + "credits": [ + "alpernae" + ], + "aliases": [ + "GHSA-hv93-r4j3-q65f" + ], + "source_feed": "ghsa-without-cve" + }, + { + "id": "GHSA-gv46-4xfq-jv58", + "ghsa_id": "GHSA-gv46-4xfq-jv58", + "cve_id": null, + "status": "stale", + "stale": true, + "stale_after_days": 60, + "severity": "critical", + "type": "github_security_advisory", + "nvd_category_id": "CWE-20", + "title": "Remote Code Execution via Node Invoke Approval Bypass in Gateway", + "description": "Summary A remote code execution (RCE) vulnerability in the gateway-to-node invocation path allowed an authenticated gateway client to bypass node-host exec approvals by injecting internal control fields into node.invoke parameters. Affected Component - Gateway method: node.invoke for node command system.run - Node host runner: exec approval gating for system.run Impact If an attacker can authenticate to a gateway (for example via a leaked/shared gateway token or a paired device token with operator.write), they could execute arbitrary commands on connected node hosts that support system.run. This can lead to full compromise of developer workstations, CI runners, and servers running the node host. 
Technical Details The gateway forwarded user-controlled params to node hosts without sanitizing internal approval fields. The node host treated params.approved === true and/or params.approvalDecision as sufficient to skip the approval workflow. Fix Patched in OpenClaw 2026.2.14. - Commits: - 318379cdb8d045da0009b0051bd0e712e5c65e2d - a7af646fdab124a7536998db6bd6ad567d2b06b0 - c1594627421f95b6bc4ad7c606657dc75b5ad0ce - 0af76f5f0e93540efbdf054895216c398692afcd - Gateway strips untrusted approval control fields from system.run user input. - Gateway only re-attaches approval flags when params.runId references a valid exec.approval.request record and the request context matches. Approval IDs are bound to the requesting device identity (stable across reconnects), preventing replay by other clients. - Gateway forwards only an allowlisted set of system.run parameters, preventing future control-field smuggling. Mitigations - Upgrade to 2026.2.14 or later. - Restrict access to the gateway (do not expose it to untrusted networks/users). - Rotate gateway credentials if you suspect token/password exposure. - Disable remote command execution on nodes by blocking system.run at the gateway (gateway.nodes.denyCommands) and/or by configuring node exec security to deny. 
Credits Thanks to @222n5 for reporting this issue.",
+ "affected": [
+ "openclaw@< 2026.2.14"
+ ],
+ "patched": [
+ "openclaw@>= 2026.2.14"
+ ],
+ "platforms": [
+ "openclaw"
+ ],
+ "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
+ "published": "2026-02-14T12:06:43Z",
+ "updated": "2026-02-14T12:32:18Z",
+ "references": [
+ "https://github.com/openclaw/openclaw/security/advisories/GHSA-gv46-4xfq-jv58"
+ ],
+ "source": "GitHub Security Advisory",
+ "repository": "openclaw/openclaw",
+ "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gv46-4xfq-jv58",
+ "nvd_url": null,
+ "cvss_score": 9.9,
+ "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
+ "cwe_ids": [
+ "CWE-20",
+ "CWE-441",
+ "CWE-863"
+ ],
+ "credits": [
+ "222n5"
+ ],
+ "aliases": [
+ "GHSA-gv46-4xfq-jv58"
+ ],
+ "source_feed": "ghsa-without-cve"
+ },
+ {
+ "id": "GHSA-943q-mwmv-hhvh",
+ "ghsa_id": "GHSA-943q-mwmv-hhvh",
+ "cve_id": null,
+ "status": "stale",
+ "stale": true,
+ "stale_after_days": 60,
+ "severity": "high",
+ "type": "os_command_injection",
+ "nvd_category_id": "CWE-78",
+ "title": "OC-02: Gateway /tools/invoke tool escalation + ACP permission auto-approval",
+ "description": "Summary OpenClaw Gateway exposes an authenticated HTTP endpoint (POST /tools/invoke) intended for invoking a constrained set of tools. Two issues could combine to significantly increase blast radius in misconfigured or exposed deployments: - The HTTP gateway layer did not deny high-risk session orchestration tools by default, allowing a caller with Gateway auth to invoke tools like sessionsspawn / sessionssend and pivot into creating or controlling agent sessions. - ACP clients could auto-approve permission requests for risky tools with insufficient user interaction/guardrails, reducing the friction that should normally prevent silent execution or mutation.
Impact If the Gateway is reachable by an attacker and they obtain a valid Gateway token, they may be able to: - Escalate from single-tool invocation to spawning/controlling sessions and reach command execution capabilities depending on tool policy and runtime environment. - Perform cross-session message injection via sessionssend. - In ACP-integrated scenarios, obtain unintended approvals for non-read/search tool permissions. CVSS - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8) Affected versions - openclaw < 2026.2.14 Fixed in - openclaw = 2026.2.14 Remediation The default behavior is now hardened: - PR #15390: deny high-risk tools over HTTP /tools/invoke by default (with gateway.tools.{allow,deny} overrides) and harden ACP permission handling. - Commit bb1c3dfe1: ACP clients now prompt for any non-read/search permission request (fail closed for mutating/execution/fetch operations). - Commit 539689a2f: security audit warns when gateway.tools.allow re-enables default-denied HTTP tools, since this can increase RCE blast radius if the Gateway is reachable. - Commit 153a7644e: ACP safe-kind inference is stricter to avoid accidental auto-approval due to substring matches (still auto-approves only confident read/search). Mitigations / deployment guidance - Keep the Gateway loopback-only unless you have a strong reason not to: gateway.bind=\"loopback\" / openclaw gateway run --bind loopback. - Avoid exposing the Gateway directly to the public internet. Use an SSH tunnel or Tailscale to access a loopback-bound Gateway. - Treat opting in to default-denied HTTP tools (via gateway.tools.allow) as high-risk and audit such configurations carefully. 
Credits Thanks to @aether-ai-agent for reporting this issue and contributing remediation work.",
+ "affected": [
+ "openclaw@<2026.2.14"
+ ],
+ "patched": [
+ "openclaw@>=2026.2.14"
+ ],
+ "platforms": [
+ "openclaw"
+ ],
+ "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
+ "published": "2026-02-14T11:55:07Z",
+ "updated": "2026-02-14T12:19:32Z",
+ "references": [
+ "https://github.com/openclaw/openclaw/security/advisories/GHSA-943q-mwmv-hhvh"
+ ],
+ "source": "GitHub Security Advisory",
+ "repository": "openclaw/openclaw",
+ "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-943q-mwmv-hhvh",
+ "nvd_url": null,
+ "cvss_score": 8.8,
+ "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+ "cwe_ids": [
+ "CWE-78"
+ ],
+ "credits": [
+ "aether-ai-agent"
+ ],
+ "aliases": [
+ "GHSA-943q-mwmv-hhvh"
+ ],
+ "source_feed": "ghsa-without-cve"
+ },
 {
 "id": "CVE-2026-25593",
 "severity": "high",
diff --git a/skills/clawsec-feed/advisories/feed.json.sig b/skills/clawsec-feed/advisories/feed.json.sig
index 6cd65a6..960fdd9 100644
--- a/skills/clawsec-feed/advisories/feed.json.sig
+++ b/skills/clawsec-feed/advisories/feed.json.sig
@@ -1 +1 @@
-0XMKs0QnzZYtU1YeMVNVpqzLecu8buTcBx+60hi7puHKARdshGlOSHZ8E27fo6qhz6MJx6/7zoIjCz6y+q1zBA==
\ No newline at end of file
+ie4iZN7vM+097ZsWnz+YExEB6fMbB2fWsrlmtF7+mJh5uhy7qzYmIgJ0wLWatl38mgNRutHT2PwIc7F5RzeaDA==
\ No newline at end of file