{ "version": "0.0.3", "updated": "2026-05-31T07:16:20Z", "description": "Community-driven security advisory feed for ClawSec. Automatically updated with OpenClaw-related CVEs from NVD and community-reported security incidents.", "advisories": [ { "id": "CVE-2026-35674", "severity": "high", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.5.18 contains a scope bypass vulnerability in the Gateway chat.send route that ...", "description": "OpenClaw before 2026.5.18 contains a scope bypass vulnerability in the Gateway chat.send route that allows scoped clients to execute privileged commands. Attackers with operator.write scope can deliver commands through inherited external routes to bypass operator.approvals and operator.admin scope requirements, enabling unauthorized plugin, config, MCP, allowlist, and ACP mutations.", "affected": [ "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components: upgrade OpenClaw to 2026.5.18 or later, since the description lists only earlier releases as affected. See NVD for remediation details.", "published": "2026-05-29T16:16:26.377", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-hw9r-h9mr-4jff", "https://www.vulncheck.com/advisories/openclaw-scope-bypass-via-inherited-chat-send-route" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35674", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.8); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35673", "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.4.29 contains an SSRF policy bypass vulnerability in browser debug and export r...", "description": "OpenClaw before 2026.4.29 contains an SSRF policy bypass vulnerability in browser debug 
and export routes that allows reuse of already-open blocked tabs. Attackers with access to these routes can bypass private-network SSRF policies by reusing blocked tabs to export or inspect content that should remain protected.", "affected": [ "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components: upgrade OpenClaw to 2026.4.29 or later, since the description lists only earlier releases as affected. See NVD for remediation details.", "published": "2026-05-29T16:16:26.230", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-hcm3-8f6r-6xwg", "https://www.vulncheck.com/advisories/openclaw-ssrf-policy-bypass-via-browser-debug-export-routes" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35673", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); network accessible; SSRF affects agents making external requests", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": true, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35630", "severity": "high", "type": "missing_authorization", "nvd_category_id": "CWE-862", "title": "OpenClaw before 2026.5.18 contains an authorization bypass vulnerability in QQBot native approval bu...", "description": "OpenClaw before 2026.5.18 contains an authorization bypass vulnerability in QQBot native approval buttons that fails to enforce configured approver identity. Non-approver users can click approval buttons to resolve pending exec or plugin approval requests without proper authorization.", "affected": [ "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-29T16:16:26.097", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-mgq6-vr84-7m2j", "https://www.vulncheck.com/advisories/openclaw-qqbot-missing-approver-identity-enforcement-in-native-approval-buttons" ], "cvss_score": 8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35630", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.0); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-34507", "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.4.29 contains a policy bypass vulnerability in QQBot admin commands that allows...", "description": "OpenClaw before 2026.4.29 contains a policy bypass vulnerability in QQBot admin commands that allows authenticated senders to skip DM-only and allowFrom policy checks. Attackers can route admin commands from unauthorized senders or contexts to execute restricted behavior that policy should have blocked.", "affected": [ "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-29T16:16:25.950", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-w4v6-g3wm-w36c", "https://www.vulncheck.com/advisories/openclaw-policy-bypass-in-qqbot-admin-commands-via-dm-only-and-allowfrom-checks" ], "cvss_score": 5.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34507", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.4); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32906", "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.5.12 contains a privilege escalation vulnerability in Slack plugin approvals th...", "description": "OpenClaw before 2026.5.12 contains a privilege escalation vulnerability in Slack plugin approvals that allows exec-authorized users to resolve plugin approvals through the exec approver gate. Attackers with limited exec approval permissions can bypass intended approval splits to approve plugin actions outside operator configuration.", "affected": [ "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-29T16:16:25.220", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-wv26-j37q-2g7p", "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-in-slack-plugin-approvals-via-exec-approver-gate" ], "cvss_score": 4.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32906", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (4.3); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32905", "severity": "high", "type": "missing_authorization", "nvd_category_id": "CWE-862", "title": "OpenClaw before 2026.5.4 contains an authorization bypass vulnerability in the bundled device-pair p...", "description": "OpenClaw before 2026.5.4 contains an authorization bypass vulnerability in the bundled device-pair plugin that allows non-owner authorized chat senders to issue device-pairing bootstrap codes without proper scope validation. Attackers with chat command access can create setup codes to enroll devices with operator/node capabilities, granting persistent credentials until manual removal.", "affected": [ "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-29T16:16:25.093", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-xr4f-mjxj-w6w5", "https://www.vulncheck.com/advisories/openclaw-unauthorized-device-pairing-bootstrap-code-issuance-via-chat-command" ], "cvss_score": 8.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32905", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.3); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "GHSA-275c-xpvc-jgfw", "ghsa_id": "GHSA-275c-xpvc-jgfw", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": null, "title": "Slack and Zalo webhook secrets could remain active after secrets.reload", "description": "Summary Slack and Zalo webhook secrets could remain active after secrets.reload. In affected versions, a caller with an old webhook secret during the stale-secret window could keep accepting the previous secret after secrets.reload. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could deliver webhook events briefly after the operator expected revocation. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.4.22. Mitigations restart the affected channel runtime after rotating webhook secrets until patched. 
As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<=2026.4.21" ], "patched": [ "openclaw@2026.4.22" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:40:10Z", "updated": "2026-05-28T17:40:10Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-275c-xpvc-jgfw" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-275c-xpvc-jgfw", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [], "credits": [ "feynman-hou" ], "aliases": [ "GHSA-275c-xpvc-jgfw" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-rj6p-xmxr-qj4h", "ghsa_id": "GHSA-rj6p-xmxr-qj4h", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "missing_authorization", "nvd_category_id": "CWE-862", "title": "MCP loopback could skip owner-only tool policy for non-owner callers", "description": "Summary MCP loopback could skip owner-only tool policy for non-owner callers. In affected versions, a non-owner caller reaching the affected loopback path could skip owner-only tool policy and before-tool-call hooks. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could invoke owner-only behavior through that loopback path. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. 
Resolution Update to a patched OpenClaw release when one is listed for this advisory. If the Patched versions field is populated, use that version or later. Mitigations restrict MCP loopback access to trusted operators until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<2026.4.24" ], "patched": [ "openclaw@2026.4.24" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:40:09Z", "updated": "2026-05-28T17:40:10Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-rj6p-xmxr-qj4h" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rj6p-xmxr-qj4h", "nvd_url": null, "cvss_score": 6.6, "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", "cwe_ids": [ "CWE-862" ], "credits": [ "zsxsoft", "KeenSecurityLab", "qclawer" ], "aliases": [ "GHSA-rj6p-xmxr-qj4h" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-4m3v-q747-pc6h", "ghsa_id": "GHSA-4m3v-q747-pc6h", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": null, "title": "Mattermost slash token revocation could lag until monitor refresh", "description": "Summary Mattermost slash token revocation could lag until monitor refresh. In affected versions, an old Mattermost slash token presented by a caller during the refresh window could continue to be accepted until the monitor refreshed. This advisory is scoped to the named feature and configuration. 
It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could invoke slash command behavior briefly after token revocation. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.4.24. Mitigations restart or refresh the Mattermost monitor after token rotation until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<=2026.4.23" ], "patched": [ "openclaw@2026.4.24" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:40:08Z", "updated": "2026-05-28T17:40:08Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-4m3v-q747-pc6h" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4m3v-q747-pc6h", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [], "credits": [ "feynman-hou" ], "aliases": [ "GHSA-4m3v-q747-pc6h" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-4hpg-mp64-x7xq", "ghsa_id": "GHSA-4hpg-mp64-x7xq", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": null, "title": "Internal/webchat command auth could inherit ownerAllowFrom wildcard state", "description": "Summary Internal/webchat command auth could inherit ownerAllowFrom wildcard state. 
In affected versions, a sender on an affected internal or webchat path could inherit wildcard ownerAllowFrom state across channel boundaries. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could run owner-style command behavior that should have stayed channel-scoped. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.4.25. Mitigations keep owner command allowlists explicit per channel until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<=2026.4.24" ], "patched": [ "openclaw@2026.4.25" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:40:06Z", "updated": "2026-05-28T17:40:07Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-4hpg-mp64-x7xq" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4hpg-mp64-x7xq", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [], "credits": [ "zsxsoft", "KeenSecurityLab", "qclawer" ], "aliases": [ "GHSA-4hpg-mp64-x7xq" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-p39j-x9h5-q66m", "ghsa_id": "GHSA-p39j-x9h5-q66m", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", 
"nvd_category_id": null, "title": "Embedded runner policy could be confused by provider aliases", "description": "Summary Embedded runner policy could be confused by provider aliases. In affected versions, a request using provider aliases could compare policy against an alias instead of the canonical provider identity. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could select bundled tool access outside the intended provider policy. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.4.25. Mitigations avoid provider alias routing for embedded runner tool policy until patched. 
As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<=2026.4.24" ], "patched": [ "openclaw@2026.4.25" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:40:05Z", "updated": "2026-05-28T17:40:05Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-p39j-x9h5-q66m" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-p39j-x9h5-q66m", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [], "credits": [ "zsxsoft", "KeenSecurityLab", "qclawer" ], "aliases": [ "GHSA-p39j-x9h5-q66m" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-mpc8-jxjh-qpgh", "ghsa_id": "GHSA-mpc8-jxjh-qpgh", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": null, "title": "Focus command could miss controlScope enforcement", "description": "Summary Focus command could miss controlScope enforcement. In affected versions, a caller able to trigger the focus command could run the command without enforcing the expected control scope. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could change focus state outside the intended caller authority. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. 
Patched Versions The first stable patched version is 2026.4.25. Mitigations restrict focus command access to trusted operators until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<=2026.4.24" ], "patched": [ "openclaw@2026.4.25" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:40:03Z", "updated": "2026-05-28T17:40:04Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-mpc8-jxjh-qpgh" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mpc8-jxjh-qpgh", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [], "credits": [ "zsxsoft", "KeenSecurityLab", "qclawer" ], "aliases": [ "GHSA-mpc8-jxjh-qpgh" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-985f-72mj-8gf7", "ghsa_id": "GHSA-985f-72mj-8gf7", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": null, "title": "Tool group policy callers could accept unvalidated group IDs", "description": "Summary Tool group policy callers could accept unvalidated group IDs. In affected versions, a caller that can supply a group id to the affected policy resolver could resolve policy for an unvalidated group id. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. 
Impact When the affected feature is enabled and reachable, this could apply the wrong group-policy decision for a tool invocation. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.4.25. Mitigations avoid exposing group-policy controlled tools to untrusted senders until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<=2026.4.24" ], "patched": [ "openclaw@2026.4.25" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:40:01Z", "updated": "2026-05-28T17:40:02Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-985f-72mj-8gf7" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-985f-72mj-8gf7", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [], "credits": [ "zsxsoft", "KeenSecurityLab", "qclawer" ], "aliases": [ "GHSA-985f-72mj-8gf7" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-8mg9-j9cf-54cj", "ghsa_id": "GHSA-8mg9-j9cf-54cj", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": null, "title": "Empty-scope device re-pairing could confuse caller scope containment", "description": "Summary Empty-scope device re-pairing could confuse caller scope containment. In affected versions, a device re-pairing request with an empty scope set could skip the intended containment guard during re-pairing. This advisory is scoped to the named feature and configuration. 
It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could restore or retain scopes broader than the caller should grant. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.4.25. Mitigations revoke unexpected device sessions and require fresh pairing for suspicious devices until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<=2026.4.24" ], "patched": [ "openclaw@2026.4.25" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:40:00Z", "updated": "2026-05-28T17:40:00Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-8mg9-j9cf-54cj" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8mg9-j9cf-54cj", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [], "credits": [ "zsxsoft", "KeenSecurityLab", "qclawer" ], "aliases": [ "GHSA-8mg9-j9cf-54cj" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-6c4r-g249-wv3c", "ghsa_id": "GHSA-6c4r-g249-wv3c", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-668", "title": "Sandboxed session spawn could expose the real workspace path to child prompts", "description": "Summary Sandboxed session spawn could expose the real 
workspace path to child prompts. In affected versions, a child session spawned from a sandboxed parent could forward the host workspace path into the child session prompt. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could reveal host workspace location or related memory context to the child model. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.4.26. Mitigations avoid spawning child sessions from sensitive sandboxed workspaces until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<= 2026.4.25" ], "patched": [ "openclaw@2026.4.26" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:59Z", "updated": "2026-05-28T17:39:59Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-6c4r-g249-wv3c" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6c4r-g249-wv3c", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-668" ], "credits": [ "anshumanbh" ], "aliases": [ "GHSA-6c4r-g249-wv3c" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-24vr-rprv-67rf", "ghsa_id": "GHSA-24vr-rprv-67rf", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": 
"github_security_advisory", "nvd_category_id": null, "title": "Workspace .env npmexecpath could influence bundled runtime dependency install", "description": "Summary Workspace .env npmexecpath could influence bundled runtime dependency install. In affected versions, a workspace .env in a repository opened by a trusted operator could override the package-manager executable path used by the install helper. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could run an unintended local package-manager executable during dependency setup. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.4.29. Mitigations install bundled runtime dependencies from trusted workspaces until patched. 
As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@< 2026.4.29" ], "patched": [ "openclaw@2026.4.29" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:58Z", "updated": "2026-05-28T17:39:58Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-24vr-rprv-67rf" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-24vr-rprv-67rf", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [], "credits": [ "feynman-hou" ], "aliases": [ "GHSA-24vr-rprv-67rf" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-rx78-29qr-5hq8", "ghsa_id": "GHSA-rx78-29qr-5hq8", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": null, "title": "Workspace-derived service PATH could influence trash command selection", "description": "Summary Workspace-derived service PATH could influence trash command selection. In affected versions, a workspace-derived environment path could select an unintended trash executable during maintenance. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could run a local executable from a path the operator did not intend for maintenance tasks. 
Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.2. Mitigations keep maintenance flows on trusted workspaces and fixed service paths until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@< 2026.5.2" ], "patched": [ "openclaw@2026.5.2" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:57Z", "updated": "2026-05-28T17:39:57Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-rx78-29qr-5hq8" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rx78-29qr-5hq8", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [], "credits": [], "aliases": [ "GHSA-rx78-29qr-5hq8" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-v8cx-933x-r976", "ghsa_id": "GHSA-v8cx-933x-r976", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": null, "title": "Fake package roots could influence memory-core artifact loading", "description": "Summary Fake package roots could influence memory-core artifact loading. In affected versions, a local package root resolution path influenced by workspace state could select a package root that was not the intended bundled artifact root. This advisory is scoped to the named feature and configuration. 
It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could load memory-core artifacts from an unintended local location. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.4.25. Mitigations run memory-core flows from trusted workspaces until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<=2026.4.24" ], "patched": [ "openclaw@2026.4.25" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:56Z", "updated": "2026-05-28T17:39:56Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-v8cx-933x-r976" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v8cx-933x-r976", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [], "credits": [ "feynman-hou" ], "aliases": [ "GHSA-v8cx-933x-r976" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-wc84-j36w-pw4x", "ghsa_id": "GHSA-wc84-j36w-pw4x", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": null, "title": "Workspace .env STATEDIRECTORY could influence bundled runtime dependency roots", "description": "Summary Workspace .env STATEDIRECTORY could influence bundled runtime dependency roots. 
In affected versions, a workspace .env in a repository opened by a trusted operator could set STATEDIRECTORY before runtime dependency root resolution. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could load bundled runtime dependencies from an unintended local state path. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.2. Mitigations avoid opening untrusted workspace env files before runtime dependency installation until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@< 2026.5.2" ], "patched": [ "openclaw@2026.5.2" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:55Z", "updated": "2026-05-28T17:39:55Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-wc84-j36w-pw4x" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-wc84-j36w-pw4x", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [], "credits": [ "feynman-hou" ], "aliases": [ "GHSA-wc84-j36w-pw4x" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-fq9j-vw4w-fr6v", "ghsa_id": "GHSA-fq9j-vw4w-fr6v", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", 
"nvd_category_id": null, "title": "Workspace .env CLOUDSDKPYTHON could influence Gmail setup gcloud execution", "description": "Summary Workspace .env CLOUDSDKPYTHON could influence Gmail setup gcloud execution. In affected versions, a workspace .env in a repository opened by a trusted operator could influence which Python runtime gcloud used through CLOUDSDKPYTHON. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could run setup through an unintended local Python path. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.2. Mitigations run Gmail setup from trusted workspaces and clear workspace env overrides until patched. 
As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@< 2026.5.2" ], "patched": [ "openclaw@2026.5.2" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:54Z", "updated": "2026-05-28T17:39:54Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-fq9j-vw4w-fr6v" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fq9j-vw4w-fr6v", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [], "credits": [ "feynman-hou" ], "aliases": [ "GHSA-fq9j-vw4w-fr6v" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-8wg3-5mcm-fjq8", "ghsa_id": "GHSA-8wg3-5mcm-fjq8", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": null, "title": "Workspace .env could override Homebrew executable selection for skill install flows", "description": "Summary Workspace .env could override Homebrew executable selection for skill install flows. In affected versions, a workspace .env in a repository opened by a trusted operator could override the Homebrew executable used by the install helper. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could run an unintended Homebrew-compatible executable during skill setup. 
Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.27. Mitigations avoid running skill install flows from untrusted workspaces until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@< 2026.5.27" ], "patched": [ "openclaw@2026.5.27" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:53Z", "updated": "2026-05-28T17:39:53Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-8wg3-5mcm-fjq8" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8wg3-5mcm-fjq8", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [], "credits": [ "feynman-hou" ], "aliases": [ "GHSA-8wg3-5mcm-fjq8" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-77pv-3w4q-vrj5", "ghsa_id": "GHSA-77pv-3w4q-vrj5", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": null, "title": "QQBot pre-dispatch slash commands could skip allowFrom checks", "description": "Summary QQBot pre-dispatch slash commands could skip allowFrom checks. In affected versions, a QQBot sender able to invoke slash commands could dispatch the command before applying the configured allowFrom policy. This advisory is scoped to the named feature and configuration. 
It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could trigger command handling from a sender that policy should have blocked. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.4.27. Mitigations restrict QQBot slash command exposure until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<=2026.4.26" ], "patched": [ "openclaw@2026.4.27" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:52Z", "updated": "2026-05-28T17:39:52Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-77pv-3w4q-vrj5" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-77pv-3w4q-vrj5", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [], "credits": [ "zsxsoft", "KeenSecurityLab", "qclawer" ], "aliases": [ "GHSA-77pv-3w4q-vrj5" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-v2ww-5rh7-2h5v", "ghsa_id": "GHSA-v2ww-5rh7-2h5v", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "high", "type": "github_security_advisory", "nvd_category_id": "CWE-693", "title": "Linux and macOS exec allowlists skipped configured argument patterns", "description": "Summary OpenClaw's exec allowlist supported optional argPattern entries to restrict the arguments accepted 
for an allowlisted executable. In affected releases, Linux and macOS gateways skipped argPattern checks and treated a matching executable path as sufficient to satisfy the allowlist. This meant an operator could configure an allowlist entry that appeared to permit only a narrow argv shape, but OpenClaw would allow other argv for the same executable without an approval prompt when tools.exec.security was set to allowlist. This issue is limited to direct enforcement of configured argPattern values. OpenClaw's exec approvals remain best-effort guardrails and do not attempt to semantically model every interpreter, loader, package script, shell feature, or transitive file a command may use. Affected configurations This affects OpenClaw gateway deployments that meet all of these conditions: - the gateway runs on Linux or macOS - exec is configured with tools.exec.security: \"allowlist\" - at least one exec allowlist entry uses argPattern - the allowlisted executable accepts security-relevant arguments or flags Path-only allowlist entries are not additionally affected by this issue, because those entries intentionally allow any arguments for the matched executable. Windows was not affected by this specific bug because the affected code path already applied argPattern checks on Windows. Impact If an untrusted or lower-trust sender can influence a tool-enabled agent to call exec, they may be able to run disallowed arguments for an executable that the operator intended to restrict with argPattern. Depending on the executable, those arguments can cause host-side file access, network access, or command execution that should have required an approval prompt. The practical impact depends on the operator's allowlist and channel exposure. Examples of higher-risk allowlisted executables include tools with interpreter, loader, subprocess, network, or plugin flags such as git, python, node, bash, find, tar, and ssh. This is not a bypass of all exec approval semantics. 
It is a bypass of the direct argPattern predicate that the operator configured and that the exec tool description advertised as enforced at runtime. Patched Versions The first stable patched version is 2026.5.12. Mitigations Upgrade to openclaw@2026.5.12 or later. Before upgrading, operators who use exec allowlist mode should review entries that combine an executable path with argPattern, especially for interpreter-like or subprocess-capable tools.", "affected": [ "openclaw@< 2026.5.12" ], "patched": [ "openclaw@2026.5.12" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:50Z", "updated": "2026-05-28T17:39:50Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-v2ww-5rh7-2h5v" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v2ww-5rh7-2h5v", "nvd_url": null, "cvss_score": 7.1, "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L", "cwe_ids": [ "CWE-693", "CWE-863" ], "credits": [ "Curly-Haired-Baboon" ], "aliases": [ "GHSA-v2ww-5rh7-2h5v" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-72fw-cqh5-f324", "ghsa_id": "GHSA-72fw-cqh5-f324", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": null, "title": "memory-wiki shared search could miss session visibility checks", "description": "Summary memory-wiki shared search could miss session visibility checks. In affected versions, a caller able to search shared memory could skip the session visibility guard on the affected search path. This advisory is scoped to the named feature and configuration. 
It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could return memory entries that should not have been visible to that session. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.4.29. Mitigations limit shared memory search to trusted operators until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<=2026.4.27" ], "patched": [ "openclaw@2026.4.29" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:49Z", "updated": "2026-05-28T17:39:49Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-72fw-cqh5-f324" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-72fw-cqh5-f324", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [], "credits": [ "zsxsoft", "KeenSecurityLab", "qclawer" ], "aliases": [ "GHSA-72fw-cqh5-f324" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-grc3-2j34-p6gm", "ghsa_id": "GHSA-grc3-2j34-p6gm", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": null, "title": "message.action forwarding could send Gateway credentials to model-supplied loopback URLs", "description": "Summary message.action forwarding could send Gateway credentials to 
model-supplied loopback URLs. In affected versions, model-controlled action metadata that selects a loopback Gateway URL could forward the action payload with Gateway credentials to the supplied loopback URL. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could expose the token and action payload to a local listener chosen through the affected path. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.2. Mitigations restrict message action forwarding and avoid model-supplied loopback targets until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<= 2026.4.29" ], "patched": [ "openclaw@2026.5.2" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:47Z", "updated": "2026-05-28T17:39:47Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-grc3-2j34-p6gm" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-grc3-2j34-p6gm", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [], "credits": [ "anshumanbh" ], "aliases": [ "GHSA-grc3-2j34-p6gm" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-jvm4-4j77-39p6", "ghsa_id": "GHSA-jvm4-4j77-39p6", "cve_id": null, "status": "active", "stale": false, 
"stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": null, "title": "QQBot streaming command could mutate config without explicit allowFrom", "description": "Summary QQBot streaming command could mutate config without explicit allowFrom. In affected versions, a QQBot sender reaching the affected command could change configuration without requiring an explicit non-wildcard allowlist entry. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could modify QQBot streaming configuration outside the intended admin policy. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.4.29. Mitigations disable the command or restrict it to explicit trusted QQBot senders until patched. 
As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "@openclaw/qqbot@<= 2026.4.27" ], "patched": [ "@openclaw/qqbot@2026.4.29" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:46Z", "updated": "2026-05-28T17:39:46Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-jvm4-4j77-39p6" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jvm4-4j77-39p6", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [], "credits": [ "anshumanbh" ], "aliases": [ "GHSA-jvm4-4j77-39p6" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-8c59-hr4w-qg69", "ghsa_id": "GHSA-8c59-hr4w-qg69", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-290", "title": "Zalo allowFrom could bind to mutable display names", "description": "Summary Zalo allowFrom could bind to mutable display names. In affected versions, a Zalo friend or contact could match a policy entry through mutable display metadata. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could let that contact receive agent responses intended for another Zalo identity. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. 
Patched Versions The first stable patched version is 2026.5.3. Mitigations use stable Zalo identifiers where available and keep friend access restricted until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<= 2026.5.2" ], "patched": [ "openclaw@2026.5.3" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:43Z", "updated": "2026-05-28T17:39:43Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-8c59-hr4w-qg69" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8c59-hr4w-qg69", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-290" ], "credits": [ "PhilipPhil" ], "aliases": [ "GHSA-8c59-hr4w-qg69" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-qjpc-qf9m-xwmr", "ghsa_id": "GHSA-qjpc-qf9m-xwmr", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "high", "type": "missing_authorization", "nvd_category_id": "CWE-862", "title": "Trusted-proxy Control UI WebSocket accepted client-declared scopes before pairing", "description": "Summary In trusted-proxy Control UI mode, OpenClaw accepted a WebSocket client's declared operator scopes before those scopes were bound to a server-approved pairing or trusted-proxy authorization baseline. This issue affects trusted-proxy Control UI deployments. It does not apply to shared-secret Control UI sessions, which are treated as trusted operator sessions by design. 
Affected configurations This affects deployments using gateway.auth.mode: \"trusted-proxy\" for Control UI access where a restricted trusted-proxy user could open a Control UI WebSocket and present a fresh, unpaired device identity with elevated requested scopes. Impact An unpaired or restricted trusted-proxy Control UI client could obtain cached operator.admin authority on its live WebSocket connection. That authority could then be used for admin-gated Gateway RPCs until the connection was closed or revalidated. Patched Versions The first stable patched version is 2026.5.18. Mitigations Upgrade to openclaw@2026.5.18 or later. Before upgrading, restrict trusted-proxy Control UI access to users who should have the scopes they can request, and restart the gateway after changing trusted-proxy authorization policy.", "affected": [ "openclaw@< 2026.5.18" ], "patched": [ "openclaw@2026.5.18" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:42Z", "updated": "2026-05-28T17:39:42Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-qjpc-qf9m-xwmr" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qjpc-qf9m-xwmr", "nvd_url": null, "cvss_score": 8.8, "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "cwe_ids": [ "CWE-862", "CWE-863" ], "credits": [ "adactum", "handmilkingsoftware" ], "aliases": [ "GHSA-qjpc-qf9m-xwmr" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-rwp6-7w3q-75fq", "ghsa_id": "GHSA-rwp6-7w3q-75fq", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-276", "title": "Config recovery could restore openclaw.json with broad file permissions", "description": "Summary Config recovery 
could restore openclaw.json with broad file permissions. In affected versions, a local recovery path after configuration repair could leave the restored config file more readable than intended. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could expose local configuration to other same-host users where OS permissions allow it. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.4.24. Mitigations check openclaw.json permissions after recovery on shared hosts until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@= 2026.4.23" ], "patched": [ "openclaw@2026.4.24" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:41Z", "updated": "2026-05-28T17:39:41Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-rwp6-7w3q-75fq" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rwp6-7w3q-75fq", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-276" ], "credits": [ "Kaze310" ], "aliases": [ "GHSA-rwp6-7w3q-75fq" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-c29c-2q9c-pc86", "ghsa_id": "GHSA-c29c-2q9c-pc86", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": 
"medium", "type": "github_security_advisory", "nvd_category_id": "CWE-290", "title": "Slack allowFrom could bind to mutable display names", "description": "Summary Slack allowFrom could bind to mutable display names. In affected versions, a Slack account able to change display name metadata could match a policy entry through mutable display metadata. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could let that account receive agent access intended for another Slack identity. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.3. Mitigations use stable Slack user IDs in allowlists until patched. 
As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<= 2026.5.3-1" ], "patched": [ "openclaw@2026.5.3" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:40Z", "updated": "2026-05-28T17:39:40Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-c29c-2q9c-pc86" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-c29c-2q9c-pc86", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-290" ], "credits": [ "PhilipPhil" ], "aliases": [ "GHSA-c29c-2q9c-pc86" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-gp79-m99v-gjmh", "ghsa_id": "GHSA-gp79-m99v-gjmh", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": null, "title": "Mattermost handlers could fall open when channel type was missing", "description": "Summary Mattermost handlers could fall open when channel type was missing. In affected versions, a Mattermost event missing channel type metadata could continue without applying the intended DM policy decision. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could process a Mattermost event that should have been gated by channel policy. 
Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.6. Mitigations keep Mattermost bot access restricted and review channel metadata errors until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<=2026.5.5" ], "patched": [ "openclaw@2026.5.6" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:39Z", "updated": "2026-05-28T17:39:39Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-gp79-m99v-gjmh" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gp79-m99v-gjmh", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [], "credits": [ "zsxsoft", "KeenSecurityLab", "qclawer" ], "aliases": [ "GHSA-gp79-m99v-gjmh" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-c226-q6fx-6j6c", "ghsa_id": "GHSA-c226-q6fx-6j6c", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": null, "title": "macOS Swift exec allowlist missed combined POSIX inline flags", "description": "Summary macOS Swift exec allowlist missed combined POSIX inline flags. In affected versions, the allowlist check could miss inline-command content when a command request expressed it through combined POSIX inline-command flags. This advisory is scoped to the named feature and configuration. 
It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could run shell content outside the intended allowlist check. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.6. Mitigations require approval for combined shell flag forms on macOS until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<=2026.5.5" ], "patched": [ "openclaw@2026.5.6" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:38Z", "updated": "2026-05-28T17:39:38Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-c226-q6fx-6j6c" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-c226-q6fx-6j6c", "nvd_url": null, "cvss_score": 6.6, "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "cwe_ids": [], "credits": [ "zsxsoft", "KeenSecurityLab", "qclawer" ], "aliases": [ "GHSA-c226-q6fx-6j6c" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-3wqp-prf6-2m72", "ghsa_id": "GHSA-3wqp-prf6-2m72", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "low", "type": "github_security_advisory", "nvd_category_id": null, "title": "Feishu dynamic-agent bindings could miss configWrites enforcement", "description": "Summary Feishu dynamic-agent bindings could miss configWrites enforcement. 
In affected versions, a Feishu sender using dynamic-agent binding behavior could create or update bindings without honoring the configured config-write control. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could change sender-agent binding state beyond the intended policy. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.6. Mitigations disable sender-created Feishu dynamic-agent bindings until patched if not needed. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<=2026.5.5" ], "patched": [ "openclaw@2026.5.6" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:37Z", "updated": "2026-05-28T17:39:37Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-3wqp-prf6-2m72" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3wqp-prf6-2m72", "nvd_url": null, "cvss_score": 3.1, "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "cwe_ids": [], "credits": [ "zsxsoft", "KeenSecurityLab", "qclawer" ], "aliases": [ "GHSA-3wqp-prf6-2m72" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-cqwv-9qjx-vxw2", "ghsa_id": "GHSA-cqwv-9qjx-vxw2", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, 
"severity": "medium", "type": "github_security_advisory", "nvd_category_id": null, "title": "Skill Workshop apply flow could override pending approval", "description": "Summary Skill Workshop apply flow could override pending approval. In affected versions, an agent tool call reaching the affected Skill Workshop apply path could set apply: true despite approvalPolicy: pending. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could apply a workshop change before the expected approval step. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.6. Mitigations review Skill Workshop changes manually and keep the tool restricted until patched. 
As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<=2026.5.5" ], "patched": [ "openclaw@2026.5.6" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:35Z", "updated": "2026-05-28T17:39:35Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-cqwv-9qjx-vxw2" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cqwv-9qjx-vxw2", "nvd_url": null, "cvss_score": 5.3, "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "cwe_ids": [], "credits": [ "zsxsoft", "KeenSecurityLab", "qclawer" ], "aliases": [ "GHSA-cqwv-9qjx-vxw2" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-68xw-r643-9p5w", "ghsa_id": "GHSA-68xw-r643-9p5w", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "low", "type": "github_security_advisory", "nvd_category_id": null, "title": "Skill-command dispatch could skip before-tool-call hooks", "description": "Summary Skill-command dispatch could skip before-tool-call hooks. In affected versions, a skill command routed through the affected dispatch path could run without the same runBeforeToolCallHook coverage as other tool entry points. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could miss hook-based auditing or policy parity for that command path. 
Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.6. Mitigations avoid relying on hook-only enforcement for skill commands until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<=2026.5.5" ], "patched": [ "openclaw@2026.5.6" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:34Z", "updated": "2026-05-29T03:38:44Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-68xw-r643-9p5w" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-68xw-r643-9p5w", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [], "credits": [ "zsxsoft", "qclawer", "KeenSecurityLab" ], "aliases": [ "GHSA-68xw-r643-9p5w" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-x629-46cc-7xgw", "ghsa_id": "GHSA-x629-46cc-7xgw", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": null, "title": "Active Memory write scope could mutate global config", "description": "Summary Active Memory write scope could mutate global config. In affected versions, a Gateway caller with operator.write access to the affected command could change global configuration without requiring operator.admin. This advisory is scoped to the named feature and configuration. 
It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could apply configuration changes beyond the intended write scope. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.6. Mitigations limit Active Memory write access to trusted operators until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<=2026.5.5" ], "patched": [ "openclaw@2026.5.6" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:33Z", "updated": "2026-05-28T17:39:33Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-x629-46cc-7xgw" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-x629-46cc-7xgw", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [], "credits": [ "zsxsoft", "KeenSecurityLab", "qclawer" ], "aliases": [ "GHSA-x629-46cc-7xgw" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-w5ww-7chg-mxcq", "ghsa_id": "GHSA-w5ww-7chg-mxcq", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": null, "title": "Telegram interactive callbacks could skip commands.allowFrom", "description": "Summary Telegram interactive callbacks could skip commands.allowFrom. 
In affected versions, a Telegram user able to invoke an affected callback could mark the callback as an authorized sender before applying commands.allowFrom. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could trigger command behavior outside the configured Telegram sender allowlist. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.6. Mitigations restrict Telegram command callbacks to trusted chats until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<=2026.5.5" ], "patched": [ "openclaw@2026.5.6" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:32Z", "updated": "2026-05-28T17:39:32Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-w5ww-7chg-mxcq" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w5ww-7chg-mxcq", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [], "credits": [ "zsxsoft", "KeenSecurityLab", "qclawer" ], "aliases": [ "GHSA-w5ww-7chg-mxcq" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-p73f-w79w-jqr5", "ghsa_id": "GHSA-p73f-w79w-jqr5", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": 
"github_security_advisory", "nvd_category_id": null, "title": "Native command authorization could skip owner-command enforcement", "description": "Summary Native command authorization could skip owner-command enforcement. In affected versions, a sender able to trigger native command handling could authorize a native command without enforcing the configured owner-only command policy. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could run an owner-style command from a sender that should not have that command access. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.6. Mitigations keep native command surfaces limited to trusted senders until patched. 
As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<=2026.5.5" ], "patched": [ "openclaw@2026.5.6" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:31Z", "updated": "2026-05-29T03:36:40Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-p73f-w79w-jqr5" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-p73f-w79w-jqr5", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [], "credits": [ "zsxsoft", "KeenSecurityLab", "qclawer" ], "aliases": [ "GHSA-p73f-w79w-jqr5" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-7hxm-f538-3xp6", "ghsa_id": "GHSA-7hxm-f538-3xp6", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-290", "title": "Matrix allowFrom could bind to mutable display names", "description": "Summary Matrix allowFrom could bind to mutable display names. In affected versions, a Matrix account able to change display name metadata could match a policy entry through mutable display metadata. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could receive agent access intended for another Matrix identity. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. 
Patched Versions The first stable patched version is 2026.5.7. Mitigations use stable Matrix user IDs in allowlists until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<= 2026.5.6" ], "patched": [ "openclaw@2026.5.7" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:30Z", "updated": "2026-05-28T17:39:30Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-7hxm-f538-3xp6" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7hxm-f538-3xp6", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-290" ], "credits": [ "PhilipPhil" ], "aliases": [ "GHSA-7hxm-f538-3xp6" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-cw4q-gqg5-g38h", "ghsa_id": "GHSA-cw4q-gqg5-g38h", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-290", "title": "Discord allowFrom could bind to mutable display names", "description": "Summary Discord allowFrom could bind to mutable display names. In affected versions, a Discord account able to change display or global name metadata could match a policy entry through mutable display metadata. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. 
Impact When the affected feature is enabled and reachable, this could receive agent access intended for another Discord identity. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.7. Mitigations use stable Discord user IDs in allowlists until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<= 2026.5.6" ], "patched": [ "openclaw@2026.5.7" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:29Z", "updated": "2026-05-28T17:39:29Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-cw4q-gqg5-g38h" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cw4q-gqg5-g38h", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-290" ], "credits": [ "PhilipPhil" ], "aliases": [ "GHSA-cw4q-gqg5-g38h" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-p2fh-f5fc-44hr", "ghsa_id": "GHSA-p2fh-f5fc-44hr", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-732", "title": "memory-wiki ingest could read local files with operator.write scope", "description": "Summary memory-wiki ingest could read local files with operator.write scope. In affected versions, a Gateway caller with operator.write access to the plugin tool could read arbitrary local file paths instead of staying within the intended ingest sources. This advisory is scoped to the named feature and configuration. 
It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could import local file content into wiki memory. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Resolution Update to a patched OpenClaw release when one is listed for this advisory. If the Patched versions field is populated, use that version or later. Mitigations limit memory-wiki write access to trusted operators until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<= 2026.5.6" ], "patched": [ "openclaw@>= 2026.4.7" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet. The affected (<= 2026.5.6) and patched (>= 2026.4.7) ranges in this entry overlap, so confirm the first fixed release in the advisory before treating any version as patched.", "published": "2026-05-28T17:39:28Z", "updated": "2026-05-28T17:39:28Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-p2fh-f5fc-44hr" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-p2fh-f5fc-44hr", "nvd_url": null, "cvss_score": 6.5, "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "cwe_ids": [ "CWE-732" ], "credits": [ "Blee72" ], "aliases": [ "GHSA-p2fh-f5fc-44hr" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-77q5-rr5v-x43q", "ghsa_id": "GHSA-77q5-rr5v-x43q", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-20", "title": "Trusted retry endpoint checks could match hostname prefixes", "description": "Summary
Trusted retry endpoint checks could match hostname prefixes. In affected versions, a retry endpoint URL chosen by lower-trust input could pass validation by using a hostname prefix that resembled a trusted host. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could send authentication material to an endpoint outside the intended trust target. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.7. Mitigations pin retry endpoints to exact trusted origins until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@*" ], "patched": [], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet. The description names 2026.5.7 as the first patched version, but this entry lists every version as affected and no patched version, so confirm the fixed release in the advisory.", "published": "2026-05-28T17:39:26Z", "updated": "2026-05-28T17:39:27Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-77q5-rr5v-x43q" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-77q5-rr5v-x43q", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-20", "CWE-345", "CWE-1023" ], "credits": [ "ccy41928-del" ], "aliases": [ "GHSA-77q5-rr5v-x43q" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-83w9-h5wv-j9xm", "ghsa_id": "GHSA-83w9-h5wv-j9xm", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", 
"type": "github_security_advisory", "nvd_category_id": "CWE-367", "title": "Node pairing reconnection could confuse approval scope state", "description": "Summary Node pairing reconnection could confuse approval scope state. In affected versions, a paired or reconnecting node session could mutate pairing state in a way that changed the approval scope decision. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could restore or present broader node authority than the operator intended. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.27. Mitigations revoke unexpected node pairings and re-pair only trusted nodes until patched. 
As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@< 2026.5.27" ], "patched": [ "openclaw@2026.5.27" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:25Z", "updated": "2026-05-28T17:39:25Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-83w9-h5wv-j9xm" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-83w9-h5wv-j9xm", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-367" ], "credits": [ "YLChen-007" ], "aliases": [ "GHSA-83w9-h5wv-j9xm" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-j472-gf56-x589", "ghsa_id": "GHSA-j472-gf56-x589", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-184", "title": "PowerShell encoded-command aliases could miss exec allowlist checks", "description": "Summary PowerShell encoded-command aliases could miss exec allowlist checks. In affected versions, a command request using abbreviated encoded-command flags could use an alias form not recognized by the allowlist parser. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could run encoded PowerShell content without the intended allowlist decision. 
Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.12. Mitigations avoid allowlisting PowerShell wrapper forms and require approval for encoded commands until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<= 2026.5.7" ], "patched": [ "openclaw@2026.5.12" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:25Z", "updated": "2026-05-28T17:39:25Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-j472-gf56-x589" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-j472-gf56-x589", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-184" ], "credits": [ "YLChen-007" ], "aliases": [ "GHSA-j472-gf56-x589" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-w9hf-3pp7-pvxv", "ghsa_id": "GHSA-w9hf-3pp7-pvxv", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "cross_site_scripting", "nvd_category_id": "CWE-79", "title": "Exported session HTML could keep unsafe markdown links", "description": "Summary Exported session HTML could keep unsafe markdown links. In affected versions, content rendered into an exported session could preserve unsafe javascript: or data: links in generated HTML. This advisory is scoped to the named feature and configuration. 
It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could run browser-side script if a trusted operator opens the exported file and activates the link. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.12. Mitigations do not open exported session HTML from untrusted content in a privileged browser profile until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<= 2026.5.7" ], "patched": [ "openclaw@2026.5.12" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:23Z", "updated": "2026-05-28T17:39:23Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-w9hf-3pp7-pvxv" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w9hf-3pp7-pvxv", "nvd_url": null, "cvss_score": 6.1, "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "cwe_ids": [ "CWE-79" ], "credits": [ "YLChen-007" ], "aliases": [ "GHSA-w9hf-3pp7-pvxv" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-8j37-5w68-wj2g", "ghsa_id": "GHSA-8j37-5w68-wj2g", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "low", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "BlueBubbles sender policy could match mutable conversation identifiers", "description": "Summary 
BlueBubbles sender policy could match mutable conversation identifiers. In affected versions, a participant able to influence conversation-level identifiers could match an allowlist entry through conversation metadata rather than a stable sender identity. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could receive agent responses that should have been limited to a configured sender. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.7. Mitigations prefer stable sender identifiers and keep BlueBubbles groups restricted until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<= 2026.5.6" ], "patched": [ "openclaw@2026.5.7" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:22Z", "updated": "2026-05-28T17:39:22Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-8j37-5w68-wj2g" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8j37-5w68-wj2g", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-863" ], "credits": [ "YLChen-007" ], "aliases": [ "GHSA-8j37-5w68-wj2g" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-fcvx-5cxc-v5p8", "ghsa_id": "GHSA-fcvx-5cxc-v5p8", "cve_id": null, 
"status": "active", "stale": false, "stale_after_days": 60, "severity": "low", "type": "github_security_advisory", "nvd_category_id": "CWE-285", "title": "Slack reaction events could ignore reaction notification settings", "description": "Summary Slack reaction events could ignore reaction notification settings. In affected versions, a Slack reaction event delivered to the configured app could enter the agent pipeline even when reaction notifications were disabled. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could trigger unintended agent processing for reaction events. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.12. Mitigations disable or restrict Slack reaction event subscriptions until patched if this path is not needed. 
As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<= 2026.5.7" ], "patched": [ "openclaw@2026.5.12" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:18Z", "updated": "2026-05-28T17:39:18Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-fcvx-5cxc-v5p8" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fcvx-5cxc-v5p8", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-285" ], "credits": [ "YLChen-007" ], "aliases": [ "GHSA-fcvx-5cxc-v5p8" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-f397-5vjw-v2c2", "ghsa_id": "GHSA-f397-5vjw-v2c2", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-184", "title": "Shell inline-command parsing could miss an allowlist check", "description": "Summary Shell inline-command parsing could miss an allowlist check. In affected versions, a command request using shell inline-command forms could route an inline command through a parser case that did not receive the expected allowlist decision. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could run shell content without the intended approval or allowlist prompt. 
Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.12. Mitigations Require approval for shell inline-command forms until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<= 2026.5.10-beta.1" ], "patched": [ "openclaw@2026.5.12" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:16Z", "updated": "2026-05-28T17:39:16Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-f397-5vjw-v2c2" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f397-5vjw-v2c2", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-184" ], "credits": [ "YLChen-007" ], "aliases": [ "GHSA-f397-5vjw-v2c2" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-9v8j-9c9g-w66c", "ghsa_id": "GHSA-9v8j-9c9g-w66c", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-269", "title": "Bootstrap token replay could widen pending pairing scopes", "description": "Summary Bootstrap token replay could widen pending pairing scopes. In affected versions, a caller with access to a pending bootstrap token could reuse the token before approval with a broader requested scope set. This advisory is scoped to the named feature and configuration. 
It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could present or retain broader pending pairing authority than intended. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.12. Mitigations Treat pairing codes as sensitive and cancel unexpected pending pairings until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<= 2026.5.10-beta.2" ], "patched": [ "openclaw@2026.5.12" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:15Z", "updated": "2026-05-28T17:39:15Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-9v8j-9c9g-w66c" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9v8j-9c9g-w66c", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-269" ], "credits": [ "YLChen-007" ], "aliases": [ "GHSA-9v8j-9c9g-w66c" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-rjxq-qqhf-8hwh", "ghsa_id": "GHSA-rjxq-qqhf-8hwh", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "high", "type": "exposure_of_sensitive_information", "nvd_category_id": "CWE-200", "title": "MCP Streamable HTTP redirects could forward configured custom headers to another origin", "description": "Summary OpenClaw supports remote MCP Streamable HTTP 
servers with operator-configured custom headers. In affected releases, those headers could be forwarded when the MCP endpoint responded with a cross-origin redirect. This issue is limited to configured MCP Streamable HTTP servers that use custom headers. It does not expose unrelated OpenClaw credentials. Affected configurations This affects deployments where an MCP server is configured with: - transportType: \"streamable-http\" - sensitive custom headers under mcp.servers.<server-name>.headers - an MCP endpoint that is malicious, compromised, or able to redirect to another origin Impact Custom MCP headers, such as API keys or tenant-routing headers, could be sent to the redirect target. The exposed credential scope depends on the header the operator configured for that MCP server. Patched Versions The first stable patched version is 2026.5.12. Mitigations Upgrade to openclaw@2026.5.8 or later; this version differs from the 2026.5.12 given under Patched Versions and in this entry's patched field, so confirm the target version against the linked advisory. Before upgrading, avoid custom MCP headers with servers you do not fully trust, and rotate any MCP-specific credentials that may have been exposed by a redirecting endpoint.", "affected": [ "openclaw@< 2026.5.12" ], "patched": [ "openclaw@2026.5.12" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:13Z", "updated": "2026-05-28T17:39:13Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-rjxq-qqhf-8hwh" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rjxq-qqhf-8hwh", "nvd_url": null, "cvss_score": 7.1, "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "cwe_ids": [ "CWE-200" ], "credits": [ "YLChen-007" ], "aliases": [ "GHSA-rjxq-qqhf-8hwh" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-chr9-m4q2-76hw", "ghsa_id": "GHSA-chr9-m4q2-76hw", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, 
"severity": "high", "type": "improper_access_control", "nvd_category_id": "CWE-284", "title": "Control UI locality spoofing could mint a durable admin device token", "description": "Summary In affected LAN/shared-token Control UI deployments, a caller could spoof locality information used during Control UI pairing and obtain a durable admin-capable device token. This issue is limited to deployments where the caller already has the network/authentication foothold needed to reach the Control UI pairing path. It is not an unauthenticated internet exposure issue. Affected configurations This affects configurations such as LAN-bound gateways or shared-token Control UI access where locality signals were accepted as sufficient for pairing decisions. Impact A temporary or shared Control UI access path could be turned into a persistent admin device token. That token could remain useful after the shared gateway token was rotated, unless the paired device was removed. The issue is a pairing/locality validation problem: locality-derived trust was stronger than it should have been. Patched Versions The first stable patched version is 2026.5.22. Mitigations Upgrade to openclaw@2026.5.22 or later. 
For older deployments, remove unexpected paired devices and avoid exposing Control UI pairing paths on networks with untrusted clients.", "affected": [ "openclaw@< 2026.5.22" ], "patched": [ "openclaw@2026.5.22" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:12Z", "updated": "2026-05-28T17:39:12Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-chr9-m4q2-76hw" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-chr9-m4q2-76hw", "nvd_url": null, "cvss_score": 8, "cvss_vector": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "cwe_ids": [ "CWE-284", "CWE-287", "CWE-290", "CWE-863" ], "credits": [ "cantinagen" ], "aliases": [ "GHSA-chr9-m4q2-76hw" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-rggc-m335-3wvj", "ghsa_id": "GHSA-rggc-m335-3wvj", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-269", "title": "Same-host trusted-proxy deployments could accept local forged identity headers", "description": "Summary Same-host trusted-proxy deployments could accept local forged identity headers. In affected versions, a local same-host caller that can reach the proxy-facing Gateway port could supply identity headers normally reserved for the trusted proxy. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could let that caller receive the operator identity associated with the forged headers. 
Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.18. Mitigations Bind trusted-proxy ingress behind the actual proxy and firewall direct same-host access. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@< 2026.5.18" ], "patched": [ "openclaw@2026.5.18" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:11Z", "updated": "2026-05-28T17:39:11Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-rggc-m335-3wvj" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rggc-m335-3wvj", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-269", "CWE-284", "CWE-287", "CWE-290", "CWE-863" ], "credits": [ "cantinagen" ], "aliases": [ "GHSA-rggc-m335-3wvj" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-6fvr-66p3-3qj4", "ghsa_id": "GHSA-6fvr-66p3-3qj4", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "high", "type": "exposure_of_sensitive_information", "nvd_category_id": "CWE-200", "title": "Hook-triggered CLI runs could receive owner MCP tool authority", "description": "Summary OpenClaw hook ingress can start automated agent runs using a configured hook token. In affected releases, a hook-triggered run could select a bundled CLI backend that received owner-scoped MCP loopback authority instead of a scope appropriate for hook ingress. This issue affects the boundary between hook-token automation and owner-only MCP tools. It does not affect deployments with hooks disabled. 
Affected configurations This affects deployments where hooks are enabled, /hooks/agent is reachable with a valid hook token, and a bundled CLI backend can be selected for the hook-triggered run. Impact A caller with the hook token could cause the spawned CLI runtime to see or call MCP tools that should have been owner-only. The practical impact depends on which MCP tools are available; the reported proof used persistent cron state as a representative owner-only action. Patched Versions The first stable patched version is 2026.5.20. Fixed in the 2026.5.20 stable release. Mitigations Upgrade to openclaw@2026.5.20 or later. Keep hook tokens secret, restrict network access to hook endpoints, and disable hooks when they are not needed.", "affected": [ "openclaw@< 2026.5.20" ], "patched": [ "openclaw@2026.5.20" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:09Z", "updated": "2026-05-28T17:39:09Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-6fvr-66p3-3qj4" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6fvr-66p3-3qj4", "nvd_url": null, "cvss_score": 8.4, "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L", "cwe_ids": [ "CWE-200", "CWE-284" ], "credits": [ "cantinagen" ], "aliases": [ "GHSA-6fvr-66p3-3qj4" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-q99w-vh6v-q3v7", "ghsa_id": "GHSA-q99w-vh6v-q3v7", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "high", "type": "improper_access_control", "nvd_category_id": "CWE-284", "title": "Pairing-scoped device session could restore revoked node token authority", "description": "Summary In affected releases, a surviving pairing-scoped session for a device could re-establish node token authority after that 
node token had been revoked. Revocation should require the device to lose that authority unless it is approved again through the normal pairing flow. This issue affects token revocation and device-role containment. It does not allow unauthenticated device creation. Affected configurations This affects deployments where an already paired device keeps a same-device session with pairing-related scope after its node token is revoked. Impact A device that should have lost node WebSocket authority could regain it without renewed approval. That weakens revocation as an operator control and can keep node-level access alive longer than intended. The impact is limited to devices that already had a legitimate pairing/session foothold. Patched Versions The first stable patched version is 2026.5.26. Mitigations Upgrade to openclaw@2026.5.26 or later. If a node token was revoked on an older version, restart the gateway and remove/re-pair the affected device to ensure no stale session remains active.", "affected": [ "openclaw@< 2026.5.26" ], "patched": [ "openclaw@2026.5.26" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:08Z", "updated": "2026-05-28T17:39:08Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-q99w-vh6v-q3v7" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q99w-vh6v-q3v7", "nvd_url": null, "cvss_score": 8.8, "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "cwe_ids": [ "CWE-284", "CWE-863" ], "credits": [ "cantinagen" ], "aliases": [ "GHSA-q99w-vh6v-q3v7" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-3c6j-hq33-3jv4", "ghsa_id": "GHSA-3c6j-hq33-3jv4", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "high", "type": "improper_access_control", 
"nvd_category_id": "CWE-284", "title": "Paired nodes could forge exec lifecycle events without system.run provenance", "description": "Summary OpenClaw nodes send lifecycle events back to the gateway. In affected releases, a paired node could send an exec lifecycle event that was accepted without enough provenance tying it to an authorized system.run request. This issue affects the node event boundary. It does not allow an unauthenticated caller to reach the gateway; the attacker must already control a paired node connection. Affected configurations This affects deployments with a paired node where that node can send crafted node.event messages to the gateway and the target agent/session can process exec lifecycle events. Impact A malicious or compromised paired node could make the gateway treat attacker-supplied event data as an exec lifecycle result. In the vulnerable flow, that could steer the target session into an exec-event path that exposed capabilities the reduced node surface should not have provided. The issue is a missing provenance check for node-originated lifecycle events. Patched Versions The first stable patched version is 2026.5.18. Mitigations Upgrade to openclaw@2026.5.18 or later. 
Pair nodes only from trusted environments, and remove/re-pair nodes that may have been compromised.", "affected": [ "openclaw@< 2026.5.18" ], "patched": [ "openclaw@2026.5.18" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:06Z", "updated": "2026-05-28T17:39:06Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-3c6j-hq33-3jv4" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3c6j-hq33-3jv4", "nvd_url": null, "cvss_score": 7.2, "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "cwe_ids": [ "CWE-284", "CWE-863" ], "credits": [ "cantinagen" ], "aliases": [ "GHSA-3c6j-hq33-3jv4" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-2hfg-4fh4-qp7f", "ghsa_id": "GHSA-2hfg-4fh4-qp7f", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "high", "type": "improper_access_control", "nvd_category_id": "CWE-284", "title": "Browser act interactions could bypass private-network navigation checks", "description": "Summary OpenClaw's browser control SSRF checks blocked direct navigation to private or loopback URLs, but some Playwright act interactions could trigger navigation after the initial check. A later browser evaluation could then read from the page reached by that action-triggered navigation. This issue is specific to browser control actions and private-network navigation policy. Browser evaluation remains an intentional trusted-operator feature when it is used on pages that policy allowed the browser to visit. Affected configurations This affects deployments where browser control is enabled and an authenticated browser-control caller can interact with an attacker-controlled page that redirects or navigates the tab to a private-network target through a UI action. 
Impact If the browser reached a private page through an unchecked action-triggered navigation, a caller with browser evaluation capability could read page content that direct navigation policy would have blocked. The issue does not grant access to OpenClaw without authentication. It bypasses the private-network navigation guard for a specific browser action path. Patched Versions The first stable patched version is 2026.5.18. Mitigations Upgrade to openclaw@2026.5.18 or later. Before upgrading, restrict browser-control access to trusted operators and avoid using browser control on untrusted pages in environments with sensitive private web services.", "affected": [ "openclaw@< 2026.5.18" ], "patched": [ "openclaw@2026.5.18" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:04Z", "updated": "2026-05-28T17:39:04Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-2hfg-4fh4-qp7f" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2hfg-4fh4-qp7f", "nvd_url": null, "cvss_score": 7.7, "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "cwe_ids": [ "CWE-284", "CWE-918" ], "credits": [ "cantinagen" ], "aliases": [ "GHSA-2hfg-4fh4-qp7f" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-v6r2-jh58-xx6w", "ghsa_id": "GHSA-v6r2-jh58-xx6w", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "os_command_injection", "nvd_category_id": "CWE-78", "title": "Marketplace runtime extension metadata could point at unscanned payloads", "description": "Summary Marketplace runtime extension metadata could point at unscanned payloads. 
In affected versions, a package selected for installation by a trusted operator could redirect runtime loading toward hidden package content that was not scanned as expected. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could load plugin code outside the reviewed package entry points. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.18. Mitigations Install only trusted plugins and keep plugin allowlists explicit until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@< 2026.5.18" ], "patched": [ "openclaw@2026.5.18" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:03Z", "updated": "2026-05-28T17:39:03Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-v6r2-jh58-xx6w" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v6r2-jh58-xx6w", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-78", "CWE-94", "CWE-284", "CWE-829" ], "credits": [ "cantinagen" ], "aliases": [ "GHSA-v6r2-jh58-xx6w" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-mhq8-78pj-5j79", "ghsa_id": "GHSA-mhq8-78pj-5j79", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "high", 
"type": "os_command_injection", "nvd_category_id": "CWE-78", "title": "POSIX node system.run safe-bin allowlist could be widened by shell expansion", "description": "Summary On POSIX nodes, OpenClaw's system.run safe-bin checks could approve a command before shell expansion changed how the command was interpreted. A value that appeared to be a safe-bin argument could expand into additional shell words and become a file operand. This issue is limited to paired POSIX node execution through system.run with safe-bin or allowlist-style auto-approval. It is not an unauthenticated node takeover. Affected configurations This affects deployments where: - a POSIX node is paired to the gateway - system.run is reachable by an authenticated operator or agent flow - exec policy uses safe-bin or allowlist-based auto-approval - the approved command contains shell-expanded values that can change argv shape Impact A lower-privilege operator flow could cause an approved safe-bin command to read a node-local file that was not intended by the policy. Depending on the local files available to the node process, this could expose OpenClaw configuration data or other node-local information. The issue is a policy-enforcement gap in argv validation, not a general statement that every safe-bin command is unsafe. Patched Versions The first stable patched version is 2026.5.18. Mitigations Upgrade to openclaw@2026.5.18 or later. 
Before upgrading, avoid broad safe-bin auto-approval for commands that can read arbitrary paths, and prefer explicit approval for node commands that touch local files.", "affected": [ "openclaw@< 2026.5.18" ], "patched": [ "openclaw@2026.5.18" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:39:01Z", "updated": "2026-05-28T17:39:01Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-mhq8-78pj-5j79" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mhq8-78pj-5j79", "nvd_url": null, "cvss_score": 7.1, "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L", "cwe_ids": [ "CWE-78", "CWE-200", "CWE-284" ], "credits": [ "cantinagen" ], "aliases": [ "GHSA-mhq8-78pj-5j79" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-5cj2-3jr2-5h77", "ghsa_id": "GHSA-5cj2-3jr2-5h77", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "os_command_injection", "nvd_category_id": "CWE-78", "title": "Shell positional parameters could weaken strict inline-eval checks", "description": "Summary Shell positional parameters could weaken strict inline-eval checks. In affected versions, a command request that combines allowlisted tools with shell positional arguments could place inline-eval content in a shell carrier not covered by the strict check. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. 
Impact When the affected feature is enabled and reachable, this could run shell-provided content outside the intended allowlist rule. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.4.2. Mitigations Avoid allowlisting shell carrier patterns and require approval for shell wrappers until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@< 2026.4.2" ], "patched": [ "openclaw@2026.4.2" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:38:59Z", "updated": "2026-05-28T17:38:59Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-5cj2-3jr2-5h77" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5cj2-3jr2-5h77", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-78", "CWE-269", "CWE-284", "CWE-863" ], "credits": [ "cantinagen" ], "aliases": [ "GHSA-5cj2-3jr2-5h77" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-xww8-gqvh-92x9", "ghsa_id": "GHSA-xww8-gqvh-92x9", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "high", "type": "improper_access_control", "nvd_category_id": "CWE-284", "title": "Exec approval display truncation could hide the command being approved", "description": "Summary OpenClaw exec approvals could show a shortened command in the approval UI while keeping the full original command for execution. For very long commands, an approver could see and approve a benign-looking prefix while a hidden suffix remained part of the command that would run after approval. 
This issue affects the approval display and binding for oversized exec commands. It does not make exec available to unauthenticated users, and it does not change OpenClaw's local-first trust model. Affected configurations This affects deployments where exec approval is enabled and an authenticated caller can create a pending host exec request with a command long enough to be truncated in the approval view. Impact An approver could make a decision from incomplete command text. If the hidden suffix contained additional shell operations, those operations could run after the approval was resolved. The practical impact depends on who can request exec approvals and who is allowed to approve them. The issue is an approval integrity problem: the approval surface did not faithfully represent the command that would execute. Patched Versions The first stable patched version is 2026.5.18. Mitigations Upgrade to openclaw@2026.5.18 or later. Before upgrading, avoid approving unusually long exec commands and keep approval capability limited to trusted operators.", "affected": [ "openclaw@< 2026.5.18" ], "patched": [ "openclaw@2026.5.18" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:38:57Z", "updated": "2026-05-28T17:38:57Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-xww8-gqvh-92x9" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xww8-gqvh-92x9", "nvd_url": null, "cvss_score": 8, "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "cwe_ids": [ "CWE-284", "CWE-863" ], "credits": [ "cantinagen" ], "aliases": [ "GHSA-xww8-gqvh-92x9" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-qh2f-99mv-mrcf", "ghsa_id": "GHSA-qh2f-99mv-mrcf", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 
60, "severity": "medium", "type": "os_command_injection", "nvd_category_id": "CWE-78", "title": "Bundle MCP loopback could miss its exec denylist on session spawn", "description": "Summary Bundle MCP loopback could miss its exec denylist on session spawn. In affected versions, a caller that can reach the affected bundled MCP session-spawn path could bypass the denylist that was intended for that loopback MCP entry point. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could start a session with broader command reach than that MCP path should provide. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.12. Mitigations restrict bundled MCP loopback access to trusted operators until patched. 
As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@< 2026.5.12" ], "patched": [ "openclaw@2026.5.12" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:38:55Z", "updated": "2026-05-28T17:38:55Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-qh2f-99mv-mrcf" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qh2f-99mv-mrcf", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-78", "CWE-284" ], "credits": [ "cantinagen" ], "aliases": [ "GHSA-qh2f-99mv-mrcf" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-vxx3-6hc9-7cc3", "ghsa_id": "GHSA-vxx3-6hc9-7cc3", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-367", "title": "Combined POSIX shell options could confuse exec revalidation", "description": "Summary Combined POSIX shell options could confuse exec revalidation. In affected versions, a command request using combined shell flags could parse approval-time and execution-time shell options differently. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could run inline shell content without the intended allowlist decision. 
Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.12. Mitigations avoid combined shell option forms in allowlisted commands until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<= 2026.5.7" ], "patched": [ "openclaw@2026.5.12" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:38:54Z", "updated": "2026-05-28T17:38:54Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-vxx3-6hc9-7cc3" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vxx3-6hc9-7cc3", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-367" ], "credits": [ "YLChen-007" ], "aliases": [ "GHSA-vxx3-6hc9-7cc3" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-2j8v-hwgc-x698", "ghsa_id": "GHSA-2j8v-hwgc-x698", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "improper_access_control", "nvd_category_id": "CWE-284", "title": "Shell wrapper argv could change between approval and execution", "description": "Summary Shell wrapper argv could change between approval and execution. In affected versions, a command request using a shell wrapper form could approve one resolved argv shape and rebuild another for execution. This advisory is scoped to the named feature and configuration. 
It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could run a command shape that was not checked against the allowlist. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.18. Mitigations require explicit approval for shell wrappers and avoid durable allowlists for wrapper-heavy commands until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<= 2026.5.16" ], "patched": [ "openclaw@2026.5.18" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:38:52Z", "updated": "2026-05-28T17:38:52Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-2j8v-hwgc-x698" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2j8v-hwgc-x698", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-284" ], "credits": [], "aliases": [ "GHSA-2j8v-hwgc-x698" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-q7q8-3mgw-q67r", "ghsa_id": "GHSA-q7q8-3mgw-q67r", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "exposure_of_sensitive_information", "nvd_category_id": "CWE-200", "title": "Message read actions could skip channel allowlist checks", "description": "Summary Message read actions could skip channel allowlist checks. 
In affected versions, a lower-trust caller with access to the affected message read action could request messages without the same channel allowlist check used by normal delivery. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could expose messages from a channel that was not intended for that caller. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.19. Mitigations limit message read actions to trusted operators and keep channel allowlists narrow. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<= 2026.5.18", "openclaw@<= 2026.5.19-beta.2" ], "patched": [ "openclaw@2026.5.19" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:38:50Z", "updated": "2026-05-28T17:38:50Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-q7q8-3mgw-q67r" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q7q8-3mgw-q67r", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-200", "CWE-862" ], "credits": [ "samchodev" ], "aliases": [ "GHSA-q7q8-3mgw-q67r" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-gxg4-2rrr-jhc7", "ghsa_id": "GHSA-gxg4-2rrr-jhc7", "cve_id": null, "status": "active", "stale": false, 
"stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-20", "title": "Hostname checks could treat trailing-dot hosts inconsistently", "description": "Summary Hostname checks could treat trailing-dot hosts inconsistently. In affected versions, a request path that accepts model- or workspace-derived URLs could present the same hostname with a trailing dot and avoid a blocklist comparison. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could reach a destination that the operator expected the hostname policy to block. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.26. Mitigations keep private-network and metadata destinations blocked at the proxy or network layer until patched. 
As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<= 2026.5.22" ], "patched": [ "openclaw@2026.5.26" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:38:49Z", "updated": "2026-05-28T17:38:49Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-gxg4-2rrr-jhc7" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gxg4-2rrr-jhc7", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-20", "CWE-918" ], "credits": [ "nayakchinmohan" ], "aliases": [ "GHSA-gxg4-2rrr-jhc7" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-cwpp-5962-q4f6", "ghsa_id": "GHSA-cwpp-5962-q4f6", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "os_command_injection", "nvd_category_id": "CWE-78", "title": "Exec allowlist could miss side effects from transparent command wrappers", "description": "Summary Exec allowlist could miss side effects from transparent command wrappers. In affected versions, a command request that reaches the exec allowlist path could be evaluated against the inner command while the wrapper invocation still executed. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could perform wrapper-level side effects outside the intent of the allowlisted command. 
Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.26. Mitigations review wrapper commands carefully and require approval for shell-like wrapper usage until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<= 2026.5.22" ], "patched": [ "openclaw@2026.5.26" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:38:46Z", "updated": "2026-05-28T17:38:46Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-cwpp-5962-q4f6" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cwpp-5962-q4f6", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-78", "CWE-184" ], "credits": [ "nayakchinmohan" ], "aliases": [ "GHSA-cwpp-5962-q4f6" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-ccwh-wwpp-6wg5", "ghsa_id": "GHSA-ccwh-wwpp-6wg5", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-184", "title": "Host environment sanitizer missed two Node.js control variables", "description": "Summary Host environment sanitizer missed two Node.js control variables. In affected versions, a lower-trust env source such as a workspace .env, tool env override, or skill env block could pass Node.js control variables through the shared sanitizer. This advisory is scoped to the named feature and configuration. 
It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could influence a later Node.js child process or coverage output path when that process is launched under the accepted environment. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.26. Mitigations avoid inheriting workspace or tool-supplied env values from untrusted repositories until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", "affected": [ "openclaw@<= 2026.5.22" ], "patched": [ "openclaw@2026.5.26" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-05-28T17:38:45Z", "updated": "2026-05-28T17:38:45Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-ccwh-wwpp-6wg5" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-ccwh-wwpp-6wg5", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-184" ], "credits": [ "nayakchinmohan" ], "aliases": [ "GHSA-ccwh-wwpp-6wg5" ], "source_feed": "ghsa-without-cve" }, { "id": "CVE-2026-36045", "severity": "high", "type": "os_command_injection", "nvd_category_id": "CWE-78", "title": "picoclaw <=v0.1.2 and earlier is vulnerable to OS command injection via the ExecTool component (pkg/...", "description": "picoclaw <=v0.1.2 and earlier is vulnerable to OS command injection via the ExecTool component 
(pkg/tools/shell.go). The guardCommand() function attempts to restrict shell command execution using a denylist of 8 regular expressions, but the denylist is incomplete.", "affected": [ "picoclaw@*" ], "platforms": [ "picoclaw" ], "action": "Review and update affected components. See NVD for remediation details.", "published": "2026-05-27T14:16:45.287", "references": [ "https://gist.github.com/NucleiAv/41899be6266a9813840301577792ed68", "https://github.com/sipeed/picoclaw/releases/tag/v0.1.2" ], "cvss_score": 7.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-36045", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.3); remotely exploitable without authentication; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-9369", "severity": "medium", "type": "unknown_cwe_697", "nvd_category_id": "CWE-697", "title": "A security flaw has been discovered in NousResearch hermes-agent 2026.4.23. Affected is the function...", "description": "A security flaw has been discovered in NousResearch hermes-agent 2026.4.23. Affected is the function _discover_dashboard_plugins of the file hermes_cli/web_server.py of the component CLI web-dashboard Interface. Performing a manipulation of the argument HERMES_ENABLE_PROJECT_PLUGINS results in incorrect comparison. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.", "affected": [ "hermes@*" ], "platforms": [ "hermes" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-24T09:16:33.140", "references": [ "https://gist.github.com/YLChen-007/062b77ceac6aa9844842a616f5d2ef30", "https://vuldb.com/submit/812230", "https://vuldb.com/vuln/365332" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9369", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.3); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-9368", "severity": "high", "type": "unknown_cwe_264", "nvd_category_id": "CWE-264", "title": "A vulnerability was identified in NousResearch hermes-agent up to 2026.4.16. This impacts the functi...", "description": "A vulnerability was identified in NousResearch hermes-agent up to 2026.4.16. This impacts the function execute_code of the file tools/code_execution_tool.py of the component Environment Variable Handler. Such manipulation leads to sandbox issue. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.", "affected": [ "hermes@*" ], "platforms": [ "hermes" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-24T09:16:32.963", "references": [ "https://gist.github.com/YLChen-007/43c72d19668421abe8ce10f299323a0a", "https://vuldb.com/submit/812229", "https://vuldb.com/vuln/365331" ], "cvss_score": 7.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9368", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.3); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-9367", "severity": "high", "type": "command_injection", "nvd_category_id": "CWE-77", "title": "A vulnerability was determined in NousResearch hermes-agent up to 5157f5427f19488b31c6fdebbacd15d798...", "description": "A vulnerability was determined in NousResearch hermes-agent up to 5157f5427f19488b31c6fdebbacd15d798ce7f63. This affects the function detect_dangerous_command of the file tools/approval.py of the component terminal_tool. This manipulation causes os command injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.", "affected": [ "hermes@*" ], "platforms": [ "hermes" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-24T09:16:32.793", "references": [ "https://gist.github.com/YLChen-007/75fb10319693e86106ced2ef3a472c80", "https://vuldb.com/submit/812228", "https://vuldb.com/vuln/365330" ], "cvss_score": 7.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9367", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.3); remotely exploitable without authentication; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-9366", "severity": "high", "type": "unknown_cwe_707", "nvd_category_id": "CWE-707", "title": "A vulnerability was found in NousResearch hermes-agent 2026.4.23. The impacted element is the functi...", "description": "A vulnerability was found in NousResearch hermes-agent 2026.4.23. The impacted element is the function _scan_context_content of the file agent/prompt_builder.py. The manipulation results in injection. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.", "affected": [ "hermes@*" ], "platforms": [ "hermes" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-24T09:16:32.617", "references": [ "https://gist.github.com/YLChen-007/581fd92de5548fbaacb2092e848a75cc", "https://vuldb.com/submit/812227", "https://vuldb.com/vuln/365329" ], "cvss_score": 7.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9366", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.3); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-9354", "severity": "medium", "type": "unknown_cwe_116", "nvd_category_id": "CWE-116", "title": "A vulnerability was detected in NousResearch hermes-agent up to 2026.4.16. The affected element is a...", "description": "A vulnerability was detected in NousResearch hermes-agent up to 2026.4.16. The affected element is an unknown function of the component Slack Agent/Mattermost Agent. The manipulation of the argument format_message results in escaping of output. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.", "affected": [ "hermes@*" ], "platforms": [ "hermes" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-24T05:16:40.537", "references": [ "https://gist.github.com/YLChen-007/e90fb38ac03284176bae49898a3a46a4", "https://vuldb.com/submit/812226", "https://vuldb.com/vuln/365317" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9354", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-9353", "severity": "high", "type": "unknown_cwe_707", "nvd_category_id": "CWE-707", "title": "A security vulnerability has been detected in NousResearch hermes-agent up to 2026.4.23. Impacted is...", "description": "A security vulnerability has been detected in NousResearch hermes-agent up to 2026.4.23. Impacted is an unknown function of the file agent/skills_guard.py of the component Skills Guard Multi-Word Prompt Handler. The manipulation of the argument THREAT_PATTERNS leads to injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.", "affected": [ "hermes@*" ], "platforms": [ "hermes" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-24T05:16:40.357", "references": [ "https://gist.github.com/YLChen-007/82a3539d6358842e69dfaef0a9fcf14a", "https://vuldb.com/submit/812216", "https://vuldb.com/vuln/365316" ], "cvss_score": 7.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9353", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.3); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-9352", "severity": "medium", "type": "exposure_of_sensitive_information", "nvd_category_id": "CWE-200", "title": "A weakness has been identified in NousResearch hermes-agent up to 2026.4.23. This issue affects the ...", "description": "A weakness has been identified in NousResearch hermes-agent up to 2026.4.23. This issue affects the function _make_run_env of the file tools/environments/local.py of the component Messaging Gateway Handler. Executing a manipulation can lead to information disclosure. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.", "affected": [ "hermes@*" ], "platforms": [ "hermes" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-24T05:16:40.180", "references": [ "https://gist.github.com/YLChen-007/760b3940f708990e535214529c0c7a27", "https://vuldb.com/submit/812215", "https://vuldb.com/vuln/365315" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9352", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-9351", "severity": "medium", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "A security flaw has been discovered in NousResearch hermes-agent up to 2026.4.16. This vulnerability...", "description": "A security flaw has been discovered in NousResearch hermes-agent up to 2026.4.16. This vulnerability affects the function _is_blocked_device of the file tools/file_tools.py of the component read_file Tool. Performing a manipulation results in path traversal. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.", "affected": [ "hermes@*" ], "platforms": [ "hermes" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-24T04:17:04.430", "references": [ "https://gist.github.com/YLChen-007/1d1aeff404cb88e06ec2fb3377f49fef", "https://vuldb.com/submit/812214", "https://vuldb.com/vuln/365314" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9351", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-9350", "severity": "high", "type": "missing_authorization", "nvd_category_id": "CWE-862", "title": "A vulnerability was identified in NousResearch hermes-agent up to 2026.4.16. This affects the functi...", "description": "A vulnerability was identified in NousResearch hermes-agent up to 2026.4.16. This affects the function check_all_command_guards of the file tools/approval.py of the component Batch Runner. Such manipulation leads to missing authorization. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.", "affected": [ "hermes@*" ], "platforms": [ "hermes" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-24T04:17:04.113", "references": [ "https://gist.github.com/YLChen-007/22cada4c9060f5123dde6185135ae3ab", "https://vuldb.com/submit/812213", "https://vuldb.com/vuln/365313" ], "cvss_score": 7.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9350", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.3); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-8305", "severity": "high", "type": "improper_authentication", "nvd_category_id": "CWE-287", "title": "A vulnerability was detected in OpenClaw up to 2026.1.24. The impacted element is the function handl...", "description": "A vulnerability was detected in OpenClaw up to 2026.1.24. The impacted element is the function handleBlueBubblesWebhookRequest of the file extensions/bluebubbles/src/monitor.ts of the component bluebubbles Webhook. Performing a manipulation results in improper authentication. It is possible to initiate the attack remotely. The exploit is now public and may be used. Upgrading to version 2026.2.12 is sufficient to resolve this issue. The patch is named a6653be0265f1f02b9de46c06f52ea7c81a836e6. The affected component should be upgraded.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-11T18:16:44.800", "references": [ "https://github.com/Dave-gilmore-aus/security-advisories/blob/main/ClawdBot(aka%20OpenClaw)-Auth-Bypass-SSRF", "https://github.com/openclaw/openclaw/", "https://github.com/openclaw/openclaw/commit/a6653be0265f1f02b9de46c06f52ea7c81a836e6" ], "cvss_score": 7.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8305", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.3); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-45006", "severity": "high", "type": "unknown_cwe_184", "nvd_category_id": "CWE-184", "title": "OpenClaw before 2026.4.23 contains an improper access control vulnerability in the gateway tool's co...", "description": "OpenClaw before 2026.4.23 contains an improper access control vulnerability in the gateway tool's config.apply and config.patch operations that allows compromised models to write unsafe configuration changes by bypassing an incomplete denylist protection. Attackers can persist malicious config modifications affecting command execution, network behavior, credentials, and operator policies that survive restart.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-11T18:16:40.980", "references": [ "https://github.com/openclaw/openclaw/commit/bceda6089aa7b3695cc7696b43c61ae3d01bb0ec", "https://github.com/openclaw/openclaw/security/advisories/GHSA-cwj3-vqpp-pmxr", "https://www.vulncheck.com/advisories/openclaw-unsafe-config-mutation-via-gateway-tool-denylist-bypass" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45006", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.8); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-45005", "severity": "medium", "type": "unknown_cwe_672", "nvd_category_id": "CWE-672", "title": "OpenClaw before 2026.4.23 caches resolved webhook route secrets backed by SecretRef values, allowing...", "description": "OpenClaw before 2026.4.23 caches resolved webhook route secrets backed by SecretRef values, allowing stale secrets to remain valid after rotation and reload. Attackers with previously valid webhook route secrets can continue authenticating requests and invoking configured webhook task flows until gateway or plugin restart.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-11T18:16:40.813", "references": [ "https://github.com/openclaw/openclaw/commit/36c4a372a0ad5dca8bfc0d93f7aab9c2f2de66fa", "https://github.com/openclaw/openclaw/security/advisories/GHSA-q8ff-7ffm-m3r9", "https://www.vulncheck.com/advisories/openclaw-webhook-route-secret-cache-not-invalidated-after-rotation" ], "cvss_score": 6, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45005", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.0); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-45004", "severity": "high", "type": "unknown_cwe_427", "nvd_category_id": "CWE-427", "title": "OpenClaw before 2026.4.23 contains an arbitrary code execution vulnerability in the bundled plugin s...", "description": "OpenClaw before 2026.4.23 contains an arbitrary code execution vulnerability in the bundled plugin setup resolver that loads setup-api.js from process.cwd() during provider setup metadata resolution. Attackers can execute arbitrary JavaScript under the current user account by placing a malicious extensions//setup-api.js file in a repository and convincing a user to run OpenClaw commands from that directory.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-11T18:16:40.673", "references": [ "https://github.com/openclaw/openclaw/commit/993781e6e6eaf50f033cfc3e3bf4f47059740707", "https://github.com/openclaw/openclaw/security/advisories/GHSA-r39h-4c2p-3jxp", "https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-setup-api-js-in-current-working-directory" ], "cvss_score": 7.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45004", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.8); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-45003", "severity": "medium", "type": "unknown_cwe_441", "nvd_category_id": "CWE-441", "title": "OpenClaw before 2026.4.22 allows workspace dotenv files to override connector endpoint hosts for Mat...", "description": "OpenClaw before 2026.4.22 allows workspace dotenv files to override connector endpoint hosts for Matrix, Mattermost, IRC, and Synology connectors. Attackers with workspace access can redirect runtime traffic to malicious endpoints by setting endpoint variables in dotenv files.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-11T18:16:40.523", "references": [ "https://github.com/openclaw/openclaw/commit/0623079e98abf7202591f1b04a89755eb7ec9272", "https://github.com/openclaw/openclaw/security/advisories/GHSA-55cf-xx38-4p9p", "https://www.vulncheck.com/advisories/openclaw-connector-endpoint-host-override-via-workspace-dotenv-files" ], "cvss_score": 5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45003", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.0); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-45002", "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.4.20 contains a hook session-key bypass vulnerability that allows attackers to ...", "description": "OpenClaw before 2026.4.20 contains a hook session-key bypass vulnerability that allows attackers to circumvent the hooks.allowRequestSessionKey opt-in restriction. Attackers can render externally influenced session keys through templated hook mappings to bypass webhook routing isolation controls.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-11T18:16:40.383", "references": [ "https://github.com/openclaw/openclaw/commit/5275d008ed33203dba3f98e969ad683a65c416c3", "https://github.com/openclaw/openclaw/security/advisories/GHSA-2xcp-x87w-q377", "https://www.vulncheck.com/advisories/openclaw-hook-session-key-bypass-via-template-mapping" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45002", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-45001", "severity": "high", "type": "missing_authorization", "nvd_category_id": "CWE-862", "title": "OpenClaw before 2026.4.20 contains a guard bypass vulnerability in the agent-facing gateway config.p...", "description": "OpenClaw before 2026.4.20 contains a guard bypass vulnerability in the agent-facing gateway config.patch and config.apply endpoints that fails to protect operator-trusted settings including sandbox policy, plugin enablement, gateway auth/TLS, hook routing, MCP server configuration, SSRF policy, and filesystem hardening. A prompt-injected model with access to the owner-only gateway tool can persist unauthorized changes to protected operator settings.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-11T18:16:40.237", "references": [ "https://github.com/openclaw/openclaw/commit/fe30b31a97a917ecc6e92f6c85378b6b20352422", "https://github.com/openclaw/openclaw/security/advisories/GHSA-7jm2-g593-4qrc", "https://www.vulncheck.com/advisories/openclaw-gateway-config-mutation-guard-bypass-via-agent-tool-access" ], "cvss_score": 7.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45001", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.1); network accessible; SSRF affects agents making external requests", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-45000", "severity": "medium", "type": "server_side_request_forgery", "nvd_category_id": "CWE-918", "title": "OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in browser CDP profil...", "description": "OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in browser CDP profile creation that skips strict-mode SSRF policy checks. Attackers can create stored profiles pointing to private-network or metadata endpoints that bypass security policies and are later probed during normal profile status operations.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-11T18:16:40.087", "references": [ "https://github.com/openclaw/openclaw/commit/1fd049e3074cac72f6734a7fe88468c84f5f8bd7", "https://github.com/openclaw/openclaw/commit/e90c89cf8b1459f2aa1f3a665be67392b6c03fdf", "https://github.com/openclaw/openclaw/security/advisories/GHSA-j4c5-89f5-f3pm" ], "cvss_score": 5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45000", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.0); network accessible; SSRF affects agents making external requests", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-44999", "severity": "medium", "type": "unknown_cwe_345", "nvd_category_id": "CWE-345", "title": "OpenClaw before 2026.4.20 fails to properly preserve untrusted labels for isolated cron awareness ev...", "description": "OpenClaw before 2026.4.20 fails to properly preserve untrusted labels for isolated cron awareness events, allowing webhook-triggered cron agent output to be recorded as trusted system events. Attackers can exploit this trust-labeling issue to strengthen prompt-injection attacks by rendering untrusted events as trusted System events.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-11T18:16:39.950", "references": [ "https://github.com/openclaw/openclaw/commit/f61896b03cc7031f51106a04566831f4ac2a0bd7", "https://github.com/openclaw/openclaw/security/advisories/GHSA-57r2-h2wj-g887", "https://www.vulncheck.com/advisories/openclaw-improper-trust-labeling-in-isolated-cron-awareness-events" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44999", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-44998", "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.4.20 contains a tool policy bypass vulnerability allowing bundled MCP and LSP t...", "description": "OpenClaw before 2026.4.20 contains a tool policy bypass vulnerability allowing bundled MCP and LSP tools to circumvent configured tool restrictions. Attackers with local agent access can append restricted tools to the effective tool set after policy filtering, bypassing profile policies, allow/deny lists, owner-only restrictions, sandbox policies, and subagent policies.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-11T18:16:39.817", "references": [ "https://github.com/openclaw/openclaw/commit/0e7a992d3f3155199c1acc2dd9a53c5b3a4d3ada", "https://github.com/openclaw/openclaw/security/advisories/GHSA-qrp5-gfw2-gxv4", "https://www.vulncheck.com/advisories/openclaw-tool-policy-bypass-via-bundled-mcp-lsp-tools" ], "cvss_score": 5.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44998", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.4); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-44997", "severity": "medium", "type": "unknown_cwe_266", "nvd_category_id": "CWE-266", "title": "OpenClaw before 2026.4.22 contains a security envelope constraint bypass vulnerability allowing rest...", "description": "OpenClaw before 2026.4.22 contains a security envelope constraint bypass vulnerability allowing restricted subagents to spawn ACP child sessions that fail to inherit depth, child-count limits, control scope, or target-agent restrictions. Attackers can exploit this by spawning child sessions that bypass subagent-only constraints, potentially escalating privileges or accessing restricted resources.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-11T18:16:39.670", "references": [ "https://github.com/openclaw/openclaw/commit/31160dc069b7cc5d833b39c53736a41ad3befda2", "https://github.com/openclaw/openclaw/security/advisories/GHSA-q3jj-46pq-826r", "https://www.vulncheck.com/advisories/openclaw-security-envelope-constraint-bypass-in-acp-child-sessions" ], "cvss_score": 4.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44997", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (4.3); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-44996", "severity": "low", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "OpenClaw before 2026.4.15 contains an arbitrary local file read vulnerability in the webchat audio e...", "description": "OpenClaw before 2026.4.15 contains an arbitrary local file read vulnerability in the webchat audio embedding helper that fails to apply local media root containment checks. Attackers can influence agent or tool-produced ReplyPayload.mediaUrl parameters to resolve absolute local paths or file URLs, read audio-like files, and embed them base64-encoded into webchat responses.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-11T18:16:39.530", "references": [ "https://github.com/openclaw/openclaw/commit/6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde", "https://github.com/openclaw/openclaw/security/advisories/GHSA-gfg9-5357-hv4c", "https://www.vulncheck.com/advisories/openclaw-arbitrary-local-file-read-via-webchat-audio-embedding" ], "cvss_score": 3.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44996", "exploitability_score": "low", "exploitability_rationale": "Low CVSS score (3.7); remotely exploitable without authentication; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-44995", "severity": "high", "type": "unknown_cwe_829", "nvd_category_id": "CWE-829", "title": "OpenClaw before 2026.4.20 contains an improper environment variable validation vulnerability in MCP ...", "description": "OpenClaw before 2026.4.20 contains an improper environment variable validation vulnerability in MCP stdio server configuration that allows attackers to execute arbitrary code. Malicious workspace configurations can pass dangerous startup variables like NODE_OPTIONS, LD_PRELOAD, or BASH_ENV to spawned MCP server processes, enabling code injection when operators start sessions using those servers.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-11T18:16:39.387", "references": [ "https://github.com/openclaw/openclaw/commit/62fa5071896e95edc7f67d1cebc70a2859e283af", "https://github.com/openclaw/openclaw/commit/85d86ebc4bf3d2226d39d132a484f4f7a299fa1b", "https://github.com/openclaw/openclaw/security/advisories/GHSA-mj59-h3q9-ghfh" ], "cvss_score": 7.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44995", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.3); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-44994", "severity": "medium", "type": "missing_authorization", "nvd_category_id": "CWE-862", "title": "OpenClaw before 2026.4.22 contains an authentication bypass vulnerability in the Control UI bootstra...", "description": "OpenClaw before 2026.4.22 contains an authentication bypass vulnerability in the Control UI bootstrap config endpoint that allows unauthenticated attackers to read sensitive configuration fields. Attackers can access the bootstrap config route without a valid Gateway token to expose sensitive bootstrap and config information intended only for authenticated Control UI sessions.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-11T18:16:39.250", "references": [ "https://github.com/openclaw/openclaw/commit/2321d67263bc710e357644d59f746b08d891051b", "https://github.com/openclaw/openclaw/security/advisories/GHSA-93rg-2xm5-2p9v", "https://www.vulncheck.com/advisories/openclaw-authentication-bypass-in-gateway-control-ui-bootstrap-config-endpoint" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44994", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-44993", "severity": "medium", "type": "unknown_cwe_184", "nvd_category_id": "CWE-184", "title": "OpenClaw before 2026.4.20 contains a message classification vulnerability in Feishu card-action call...", "description": "OpenClaw before 2026.4.20 contains a message classification vulnerability in Feishu card-action callbacks that misclassifies direct messages as group conversations. Attackers can bypass dmPolicy enforcement by triggering card-action flows in direct message conversations that should have been blocked by restrictive policies.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-11T18:16:39.103", "references": [ "https://github.com/openclaw/openclaw/commit/90979d7c3ef7ec30b9f8aa6963a5e38d2f17d166", "https://github.com/openclaw/openclaw/security/advisories/GHSA-72q8-jcmc-97wx", "https://www.vulncheck.com/advisories/openclaw-direct-message-misclassification-in-feishu-card-actions" ], "cvss_score": 5.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44993", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.4); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-44992", "severity": "medium", "type": "unknown_cwe_441", "nvd_category_id": "CWE-441", "title": "OpenClaw versions 2026.4.5 before 2026.4.20 contain an environment variable injection vulnerability ...", "description": "OpenClaw versions 2026.4.5 before 2026.4.20 contain an environment variable injection vulnerability allowing workspace dotenv to override MINIMAX_API_HOST. Attackers can redirect credentialed MiniMax API requests to attacker-controlled origins, exposing the MiniMax API key in Authorization headers.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-11T18:16:38.943", "references": [ "https://github.com/openclaw/openclaw/commit/2f06696579a1ab0cb5bbbbb6a900414a6b2e3cd1", "https://github.com/openclaw/openclaw/security/advisories/GHSA-h2vw-ph2c-jvwf", "https://www.vulncheck.com/advisories/openclaw-minimax-api-host-override-via-workspace-dotenv" ], "cvss_score": 5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44992", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.0); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-44991", "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.4.21 contains an authorization bypass vulnerability in command-auth.ts that all...", "description": "OpenClaw before 2026.4.21 contains an authorization bypass vulnerability in command-auth.ts that allows non-owner senders to execute owner-enforced slash commands when wildcard inbound senders are configured without explicit owner allowFrom settings. Attackers can exploit this by sending commands like /send, /config, or /debug on affected channels to bypass owner-only command authorization checks.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-11T18:16:38.780", "references": [ "https://github.com/openclaw/openclaw/commit/2aa93d44a1b2c7058c371f261fda2b5d4de4a882", "https://github.com/openclaw/openclaw/commit/995febb7b1e811ff6a1df5b18c22de94103f4c9f", "https://github.com/openclaw/openclaw/security/advisories/GHSA-c28g-vh7m-fm7v" ], "cvss_score": 4.2, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44991", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (4.2); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-44118", "severity": "high", "type": "unknown_cwe_290", "nvd_category_id": "CWE-290", "title": "OpenClaw before 2026.4.22 derives loopback MCP owner context from spoofable server-issued bearer tok...", "description": "OpenClaw before 2026.4.22 derives loopback MCP owner context from spoofable server-issued bearer tokens in request headers. Non-owner loopback clients can present themselves as owner to bypass owner-gated operations by manipulating the sender-owner header metadata.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-06T20:16:35.900", "references": [ "https://github.com/openclaw/openclaw/commit/3cb1a56bfc9579a0f2336f9cfa12a8a744332a19", "https://github.com/openclaw/openclaw/security/advisories/GHSA-r6xh-pqhr-v4xh", "https://www.vulncheck.com/advisories/openclaw-owner-context-spoofing-via-bearer-token-header" ], "cvss_score": 7.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44118", "exploitability_score": "medium", "exploitability_rationale": "High CVSS score (7.8); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-44117", "severity": "medium", "type": "server_side_request_forgery", "nvd_category_id": "CWE-918", "title": "OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in QQBot direct media...", "description": "OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in QQBot direct media upload that skips URL validation. Attackers can bypass SSRF protections by sending crafted image URLs to uploadC2CMedia and uploadGroupMedia endpoints to relay unintended requests.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-06T20:16:35.770", "references": [ "https://github.com/openclaw/openclaw/commit/49db424c8001f2f419aad85f434894d8d85c1a09", "https://github.com/openclaw/openclaw/security/advisories/GHSA-c4qg-j8jg-42q5", "https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-in-qqbot-direct-media-upload" ], "cvss_score": 5.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44117", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.8); remotely exploitable without authentication; SSRF affects agents making external requests", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-44116", "severity": "high", "type": "server_side_request_forgery", "nvd_category_id": "CWE-918", "title": "OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's ...", "description": "OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthorized access to internal resources.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-06T20:16:35.637", "references": [ "https://github.com/openclaw/openclaw/commit/a65eb1b864b7630c1242a82de9e5799b80583c3f", "https://github.com/openclaw/openclaw/security/advisories/GHSA-2hh7-c75g-qj2r", "https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-in-zalo-photo-url-validation" ], "cvss_score": 8.6, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44116", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.6); remotely exploitable without authentication; SSRF affects agents making external requests", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-44115", "severity": "high", "type": "unknown_cwe_184", "nvd_category_id": "CWE-184", "title": "OpenClaw before 2026.4.22 contains an exec allowlist analysis vulnerability allowing shell expansion...", "description": "OpenClaw before 2026.4.22 contains an exec allowlist analysis vulnerability allowing shell expansion hiding in unquoted heredoc bodies. Attackers can bypass allowlist validation by embedding shell expansion tokens in heredoc bodies to execute unapproved commands at runtime.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-06T20:16:35.497", "references": [ "https://github.com/openclaw/openclaw/commit/b2e8b7d4bb2f22eaa16f5c4b07547774e90b65a5", "https://github.com/openclaw/openclaw/security/advisories/GHSA-x3h8-jrgh-p8jx", "https://www.vulncheck.com/advisories/openclaw-shell-expansion-bypass-in-unquoted-heredocs-via-exec-allowlist" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44115", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.8); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-44114", "severity": "high", "type": "unknown_cwe_184", "nvd_category_id": "CWE-184", "title": "OpenClaw before 2026.4.20 fails to properly reserve the OPENCLAW_ runtime-control environment namesp...", "description": "OpenClaw before 2026.4.20 fails to properly reserve the OPENCLAW_ runtime-control environment namespace in workspace dotenv files, allowing attackers to override critical runtime variables. Malicious workspaces can set variables like OPENCLAW_GIT_DIR to manipulate trusted OpenClaw runtime behavior during source-update or installer flows.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-06T20:16:35.340", "references": [ "https://github.com/openclaw/openclaw/commit/018494fa3ebb9145112e68b56fe1cb2e9f9a9ed6", "https://github.com/openclaw/openclaw/security/advisories/GHSA-hxvm-xjvf-93f3", "https://www.vulncheck.com/advisories/openclaw-environment-variable-namespace-collision-via-workspace-dotenv" ], "cvss_score": 7.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44114", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.8); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-44113", "severity": "high", "type": "unknown_cwe_367", "nvd_category_id": "CWE-367", "title": "OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in the OpenShell files...", "description": "OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in the OpenShell filesystem bridge that allows attackers to read files outside the intended mount root. Attackers can exploit symlink swaps during filesystem operations to bypass sandbox restrictions and access unauthorized file contents.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-06T20:16:35.207", "references": [ "https://github.com/openclaw/openclaw/commit/95119017c847c737bd113f0bff728c4666d79c45", "https://github.com/openclaw/openclaw/security/advisories/GHSA-5h3g-6xhh-rg6p", "https://www.vulncheck.com/advisories/openclaw-time-of-check-time-of-use-race-condition-in-openshell-fs-bridge" ], "cvss_score": 7.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44113", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.3); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-44112", "severity": "critical", "type": "unknown_cwe_367", "nvd_category_id": "CWE-367", "title": "OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in OpenShell sandbox f...", "description": "OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in OpenShell sandbox filesystem writes that allows attackers to redirect writes outside the intended mount root. Attackers can exploit symlink swaps during filesystem operations to bypass sandbox restrictions and write files outside the local mount root.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-06T20:16:35.057", "references": [ "https://github.com/openclaw/openclaw/commit/7be82d4fd1193bcb7e44ee38838f00bf924ffa76", "https://github.com/openclaw/openclaw/security/advisories/GHSA-wppj-c6mr-83jj", "https://www.vulncheck.com/advisories/openclaw-symlink-swap-race-condition-in-openshell-fs-bridge-writes" ], "cvss_score": 9.6, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44112", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.3); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-44111", "severity": "medium", "type": "unknown_cwe_183", "nvd_category_id": "CWE-183", "title": "OpenClaw before 2026.4.15 contains an arbitrary file read vulnerability in the QMD backend memory_ge...", "description": "OpenClaw before 2026.4.15 contains an arbitrary file read vulnerability in the QMD backend memory_get function that allows callers to read any Markdown files within the workspace root. Attackers with access to the memory tool can bypass path restrictions by providing arbitrary workspace Markdown paths to read files outside canonical memory locations or indexed QMD result sets.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-06T20:16:34.907", "references": [ "https://github.com/openclaw/openclaw/commit/37d5971db36491d5050efd42c333cbe0b98ed292", "https://github.com/openclaw/openclaw/security/advisories/GHSA-f934-5rqf-xx47", "https://www.vulncheck.com/advisories/openclaw-arbitrary-markdown-file-read-via-qmd-memory-get" ], "cvss_score": 4.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44111", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (4.3); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-44110", "severity": "high", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.4.15 contains an authorization bypass vulnerability in Matrix room control-comm...", "description": "OpenClaw before 2026.4.15 contains an authorization bypass vulnerability in Matrix room control-command authorization that trusts DM pairing-store entries. Attackers with DM-paired sender IDs can execute room control commands without being in configured allowlists by posting in bot rooms, potentially enabling privileged OpenClaw behavior.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-06T20:16:34.760", "references": [ "https://github.com/openclaw/openclaw/commit/2bfd808a83116bd888e3e2633a61473fa2ed81b6", "https://github.com/openclaw/openclaw/commit/f8705f512b09043df02b5da372c33374734bd921", "https://github.com/openclaw/openclaw/security/advisories/GHSA-2gvc-4f3c-2855" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44110", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.8); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-44109", "severity": "critical", "type": "unknown_cwe_1188", "nvd_category_id": "CWE-1188", "title": "OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card...", "description": "OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting requests, enabling attackers to bypass signature verification and replay protection to execute arbitrary commands.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-06T20:16:34.620", "references": [ "https://github.com/openclaw/openclaw/commit/c8003f1b33ed2924be5f62131bd28742c5a41aae", "https://github.com/openclaw/openclaw/security/advisories/GHSA-xh72-v6v9-mwhc", "https://www.vulncheck.com/advisories/openclaw-authentication-bypass-in-feishu-webhook-and-card-action-validation" ], "cvss_score": 9.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44109", "exploitability_score": "high", "exploitability_rationale": "Critical CVSS score (9.8); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-43585", "severity": "high", "type": "unknown_cwe_672", "nvd_category_id": "CWE-672", "title": "OpenClaw before 2026.4.15 captures resolved bearer-auth configuration at startup, allowing revoked t...", "description": "OpenClaw before 2026.4.15 captures resolved bearer-auth configuration at startup, allowing revoked tokens to remain valid after SecretRef rotation. Gateway HTTP and WebSocket handlers fail to re-resolve authentication per-request, enabling attackers to use rotated-out bearer tokens for unauthorized gateway access.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-06T20:16:34.473", "references": [ "https://github.com/openclaw/openclaw/commit/acd4e0a32f12e1ad85f3130f63b42443ce90f094", "https://github.com/openclaw/openclaw/security/advisories/GHSA-xmxx-7p24-h892", "https://www.vulncheck.com/advisories/openclaw-bearer-token-validation-bypass-via-stale-secretref-resolution" ], "cvss_score": 8.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43585", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.1); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-43584", "severity": "high", "type": "unknown_cwe_184", "nvd_category_id": "CWE-184", "title": "OpenClaw before 2026.4.10 contains an insufficient environment variable denylist vulnerability in it...", "description": "OpenClaw before 2026.4.10 contains an insufficient environment variable denylist vulnerability in its exec environment policy that allows operator-supplied overrides of high-risk interpreter startup variables including VIMINIT, EXINIT, LUA_INIT, and HOSTALIASES. Attackers can exploit this by manipulating these environment variables to influence downstream execution behavior or network connectivity.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-06T20:16:34.333", "references": [ "https://github.com/openclaw/openclaw/commit/2d126fc62343a7b6895351f96e4e1474bc358140", "https://github.com/openclaw/openclaw/security/advisories/GHSA-vfp4-8x56-j7c5", "https://www.vulncheck.com/advisories/openclaw-insufficient-environment-variable-denylist-in-exec-policy" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43584", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.8); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-43583", "severity": "medium", "type": "missing_authorization", "nvd_category_id": "CWE-862", "title": "OpenClaw versions 2026.4.10 before 2026.4.14 fail to persist session context during delivery queue r...", "description": "OpenClaw versions 2026.4.10 before 2026.4.14 fail to persist session context during delivery queue recovery for media replay. Attackers can exploit recovered queued outbound media to bypass group tool policy enforcement and weaken channel media restrictions after service restart or recovery.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-06T20:16:34.203", "references": [ "https://github.com/openclaw/openclaw/commit/48aae82bbc19ba8b0741e61a08063eb0d1df464e", "https://github.com/openclaw/openclaw/security/advisories/GHSA-r77c-2cmr-7p47", "https://www.vulncheck.com/advisories/openclaw-loss-of-group-tool-policy-context-in-delivery-queue-recovery" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43583", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.3); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-43582", "severity": "medium", "type": "unknown_cwe_367", "nvd_category_id": "CWE-367", "title": "OpenClaw before 2026.4.10 contains a server-side request forgery vulnerability in browser navigation...", "description": "OpenClaw before 2026.4.10 contains a server-side request forgery vulnerability in browser navigation policy that allows attackers to bypass hostname validation through DNS rebinding attacks. Attackers can exploit inconsistent hostname resolution between validation and actual network requests to pivot to internal resources via unallowlisted hostname URLs.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-06T20:16:34.050", "references": [ "https://github.com/openclaw/openclaw/commit/121c452d666d4749744dc2089287d0227aae2ed3", "https://github.com/openclaw/openclaw/security/advisories/GHSA-xq94-r468-qwgj", "https://www.vulncheck.com/advisories/openclaw-dns-rebinding-ssrf-via-hostname-validation-bypass" ], "cvss_score": 6.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43582", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.3); network accessible; SSRF affects agents making external requests", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-43581", "severity": "critical", "type": "unknown_cwe_1188", "nvd_category_id": "CWE-1188", "title": "OpenClaw before 2026.4.10 contains an improper network binding vulnerability in the sandbox browser ...", "description": "OpenClaw before 2026.4.10 contains an improper network binding vulnerability in the sandbox browser CDP relay that exposes Chrome DevTools Protocol on 0.0.0.0. Attackers can access the DevTools protocol outside intended local sandbox boundaries by exploiting the overly broad binding configuration.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-06T20:16:33.920", "references": [ "https://github.com/openclaw/openclaw/commit/fbf11ebdb7110632f93926d0ac7b48f04cb44d77", "https://github.com/openclaw/openclaw/security/advisories/GHSA-525j-hqq2-66r4", "https://www.vulncheck.com/advisories/openclaw-chrome-devtools-protocol-exposure-via-overly-broad-cdp-relay-binding" ], "cvss_score": 9.6, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43581", "exploitability_score": "high", "exploitability_rationale": "Critical CVSS score (9.6); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-43580", "severity": "high", "type": "missing_authorization", "nvd_category_id": "CWE-862", "title": "OpenClaw before 2026.4.10 contains an incomplete navigation guard vulnerability that allows attacker...", "description": "OpenClaw before 2026.4.10 contains an incomplete navigation guard vulnerability that allows attackers to trigger navigation without complete SSRF policy enforcement. Browser press/type style interactions, including pressKey and type submit flows, can bypass post-action security checks to execute unauthorized navigation.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-06T20:16:33.783", "references": [ "https://github.com/openclaw/openclaw/commit/049acf23cb03e1b92f5c71cd99c6ec5f35cc56fe", "https://github.com/openclaw/openclaw/commit/5f5b3d733bdd791cb457f838514179e1288b10b3", "https://github.com/openclaw/openclaw/commit/e0b8ddc1a55185aff1cf9e0e095014d2e4f1d894" ], "cvss_score": 7.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43580", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.7); network accessible; SSRF affects agents making external requests", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-43579", "severity": "medium", "type": "missing_authorization", "nvd_category_id": "CWE-862", "title": "OpenClaw before 2026.4.10 contains an insufficient access control vulnerability in Nostr plugin HTTP...", "description": "OpenClaw before 2026.4.10 contains an insufficient access control vulnerability in Nostr plugin HTTP profile routes that allows operators with write permissions to persist profile configuration without requiring admin authority. Attackers with operator.write scope can modify Nostr profile settings through unprotected mutation endpoints to gain unauthorized configuration persistence.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-06T20:16:33.643", "references": [ "https://github.com/openclaw/openclaw/commit/6517c700de9bb0ee11b41ab625ef3b63d01b6083", "https://github.com/openclaw/openclaw/security/advisories/GHSA-f3h5-h452-vp3j", "https://www.vulncheck.com/advisories/openclaw-insufficient-access-control-in-nostr-profile-mutation-routes" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43579", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.5); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-43578", "severity": "critical", "type": "unknown_cwe_184", "nvd_category_id": "CWE-184", "title": "OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where hear...", "description": "OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can exploit this by providing untrusted completion content to leave a run in a more privileged context than intended.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-06T20:16:33.510", "references": [ "https://github.com/openclaw/openclaw/commit/19a2e9ddb5a8a494abcba812bb11f51075026a27", "https://github.com/openclaw/openclaw/security/advisories/GHSA-g375-h3v6-4873", "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-missed-async-exec-completion-events-in-heartbeat-owner-downgrade" ], "cvss_score": 9.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43578", "exploitability_score": "high", "exploitability_rationale": "Critical CVSS score (9.1); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-43577", "severity": "medium", "type": "missing_authorization", "nvd_category_id": "CWE-862", "title": "OpenClaw before 2026.4.9 contains a file read vulnerability allowing attackers to bypass navigation ...", "description": "OpenClaw before 2026.4.9 contains a file read vulnerability allowing attackers to bypass navigation guards through browser act/evaluate interactions. Attackers can pivot into the local CDP origin and create or read disallowed file:// pages despite direct navigation policy restrictions.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-06T20:16:33.377", "references": [ "https://github.com/openclaw/openclaw/commit/5f5b3d733bdd791cb457f838514179e1288b10b3", "https://github.com/openclaw/openclaw/security/advisories/GHSA-qmwg-qprg-3j38", "https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-browser-interaction-routes" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43577", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.5); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-43576", "severity": "high", "type": "open_redirect", "nvd_category_id": "CWE-601", "title": "OpenClaw before 2026.4.5 contains a server-side request forgery vulnerability in the CDP /json/versi...", "description": "OpenClaw before 2026.4.5 contains a server-side request forgery vulnerability in the CDP /json/version WebSocket endpoint that allows attackers to pivot to untrusted second-hop targets. The webSocketDebuggerUrl response field is not properly validated, enabling attackers to redirect connections to arbitrary hosts and perform SSRF-style attacks.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-06T20:16:33.240", "references": [ "https://github.com/openclaw/openclaw/commit/bc356cc8c2beaa747c71dd86cceab8f804699665", "https://github.com/openclaw/openclaw/security/advisories/GHSA-f7fh-qg34-x2xh", "https://www.vulncheck.com/advisories/openclaw-second-hop-ssrf-via-cdp-json-version-websocket-url" ], "cvss_score": 7.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43576", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.7); network accessible; SSRF affects agents making external requests", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-43575", "severity": "critical", "type": "missing_authorization", "nvd_category_id": "CWE-862", "title": "OpenClaw versions 2026.2.21 before 2026.4.10 contain an authentication bypass vulnerability in the s...", "description": "OpenClaw versions 2026.2.21 before 2026.4.10 contain an authentication bypass vulnerability in the sandbox noVNC helper route that exposes interactive browser session credentials. Attackers can access the noVNC helper route without bridge authentication to gain unauthorized access to the interactive browser session.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-06T20:16:33.100", "references": [ "https://github.com/openclaw/openclaw/commit/8dfbf3268bd224b7377d1ecca77a445100746085", "https://github.com/openclaw/openclaw/security/advisories/GHSA-92jp-89mq-4374", "https://www.vulncheck.com/advisories/openclaw-authentication-bypass-in-sandbox-novnc-helper-route" ], "cvss_score": 9.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43575", "exploitability_score": "high", "exploitability_rationale": "Critical CVSS score (9.8); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-7875", "severity": "high", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "NanoClaw version 1.2.0 and prior contains a host/container filesystem boundary vulnerability in outb...", "description": "NanoClaw version 1.2.0 and prior contains a host/container filesystem boundary vulnerability in outbound attachment handling and outbox cleanup that allows a compromised or prompt-injected container to read files outside the intended outbox directory by supplying crafted messages_out.id and content.files values or creating symlinked outbox files. Attackers can exploit this vulnerability to trigger host-side reads of arbitrary files and in some cases achieve recursive deletion of paths outside the intended cleanup target.", "affected": [ "cpe:2.3:a:nanoco:nanoclaw:*:*:*:*:*:*:*:*", "nanoclaw@*" ], "platforms": [ "nanoclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-06T17:16:24.250", "references": [ "https://github.com/qwibitai/nanoclaw/commit/7814e45570edf0024a1a5c2ba9fbc9cb3a49f7f7", "https://github.com/qwibitai/nanoclaw/pull/2001", "https://github.com/qwibitai/nanoclaw/releases/tag/v1.2.0" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7875", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.8); requires local access; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-43574", "severity": "medium", "type": "unknown_cwe_183", "nvd_category_id": "CWE-183", "title": "OpenClaw before 2026.4.12 contains an improper authorization vulnerability in helper-backed channels...", "description": "OpenClaw before 2026.4.12 contains an improper authorization vulnerability in helper-backed channels where empty resolved approver lists are interpreted as explicit approval authorization. Attackers can resolve pending approvals without proper authorization by exploiting this logic flaw if they know an approval id.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-05T12:16:21.307", "references": [ "https://github.com/openclaw/openclaw/commit/0a105c0900de701d2ee9f1abc96b017afbd0afdd", "https://github.com/openclaw/openclaw/security/advisories/GHSA-49cg-279w-m73x", "https://www.vulncheck.com/advisories/openclaw-improper-authorization-via-empty-approver-lists" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43574", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.5); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-43573", "severity": "high", "type": "missing_authorization", "nvd_category_id": "CWE-862", "title": "OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in exis...", "description": "OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in existing-session browser interaction routes. Attackers can bypass SSRF navigation guards to interact with or navigate to unauthorized targets without policy enforcement.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-05T12:16:21.163", "references": [ "https://github.com/openclaw/openclaw/commit/daeb74920d5ad986cb600625180037e23221e93a", "https://github.com/openclaw/openclaw/security/advisories/GHSA-527m-976r-jf79", "https://www.vulncheck.com/advisories/openclaw-ssrf-policy-bypass-in-existing-session-browser-interaction-routes" ], "cvss_score": 7.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43573", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.7); network accessible; SSRF affects agents making external requests", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-43572", "severity": "medium", "type": "missing_authorization", "nvd_category_id": "CWE-862", "title": "OpenClaw versions 2026.4.10 before 2026.4.14 contain a missing authorization vulnerability in the Mi...", "description": "OpenClaw versions 2026.4.10 before 2026.4.14 contain a missing authorization vulnerability in the Microsoft Teams SSO invoke handler that fails to apply sender allowlist checks. Attackers can bypass sender authorization by sending SSO invoke requests that are processed without proper validation, allowing unauthorized access to Teams SSO signin functionality.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-05T12:16:21.023", "references": [ "https://github.com/openclaw/openclaw/commit/80b1fa17bfc3f6a668492f0326ea52f48bb89776", "https://github.com/openclaw/openclaw/security/advisories/GHSA-gc9r-867r-j85f", "https://www.vulncheck.com/advisories/openclaw-missing-sender-authorization-in-microsoft-teams-sso-invoke-handler" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43572", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-43571", "severity": "high", "type": "unknown_cwe_829", "nvd_category_id": "CWE-829", "title": "OpenClaw before 2026.4.10 contains a plugin trust bypass vulnerability that allows channel setup cat...", "description": "OpenClaw before 2026.4.10 contains a plugin trust bypass vulnerability that allows channel setup catalog lookups to resolve workspace plugin shadows before bundled channel plugins. Attackers can exploit this by crafting malicious workspace plugins that bypass intended trust gates during setup-time plugin loading.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-05T12:16:20.880", "references": [ "https://github.com/openclaw/openclaw/commit/1fede43b948df40ca8674511d4bd08d39f6c5837", "https://github.com/openclaw/openclaw/security/advisories/GHSA-82qx-6vj7-p8m2", "https://www.vulncheck.com/advisories/openclaw-untrusted-workspace-plugin-shadow-resolution-in-channel-setup" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43571", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.8); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-43570", "severity": "medium", "type": "unknown_cwe_61", "nvd_category_id": "CWE-61", "title": "OpenClaw versions 2026.3.22 before 2026.4.5 contain a symlink traversal vulnerability in remote mark...", "description": "OpenClaw versions 2026.3.22 before 2026.4.5 contain a symlink traversal vulnerability in remote marketplace repository path handling that allows attackers to escape the expected repository root. Attackers can exploit this by providing crafted symlink paths to access files outside the intended repository directory.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-05T12:16:20.710", "references": [ "https://github.com/openclaw/openclaw/commit/94b0062e90467e1582b47cc971f308457c537f3a", "https://github.com/openclaw/openclaw/commit/b1dd3ded3589f6fa60ab85b3930a82d538edaeae", "https://github.com/openclaw/openclaw/security/advisories/GHSA-cr8r-7g2h-6wr6" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43570", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.5); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-43569", "severity": "high", "type": "unknown_cwe_829", "nvd_category_id": "CWE-829", "title": "OpenClaw before 2026.4.9 contains an authentication bypass vulnerability allowing untrusted workspac...", "description": "OpenClaw before 2026.4.9 contains an authentication bypass vulnerability allowing untrusted workspace plugins to be auto-enabled during non-interactive onboarding when provider auth choices are shadowed. Attackers can exploit this by crafting malicious workspace plugins that are automatically selected and enabled during authentication setup without explicit user consent.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-05T12:16:20.493", "references": [ "https://github.com/openclaw/openclaw/commit/2d97eae53e212ae26f3aebcd6a50ffc6877f770d", "https://github.com/openclaw/openclaw/security/advisories/GHSA-939r-rj45-g2rj", "https://www.vulncheck.com/advisories/openclaw-untrusted-provider-plugin-auto-enablement-via-workspace-provider-auth" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43569", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.8); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-43568", "severity": "medium", "type": "missing_authorization", "nvd_category_id": "CWE-862", "title": "OpenClaw versions 2026.4.5 before 2026.4.10 contain a privilege escalation vulnerability allowing wr...", "description": "OpenClaw versions 2026.4.5 before 2026.4.10 contain a privilege escalation vulnerability allowing write-scoped operators to modify persistent memory dreaming settings. Attackers with write-scoped gateway access can toggle admin-class configuration mutations through the /dreaming endpoint to escalate privileges.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-05T12:16:20.343", "references": [ "https://github.com/openclaw/openclaw/commit/6af17b39e11f5f35e23b7e5a5f71a7d0aa3c7310", "https://github.com/openclaw/openclaw/security/advisories/GHSA-5gjc-grvm-m88j", "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-memory-dreaming-configuration-in-dreaming-endpoint" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43568", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.5); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-43567", "severity": "medium", "type": "missing_authorization", "nvd_category_id": "CWE-862", "title": "OpenClaw before 2026.4.10 contains a path traversal vulnerability in the screen_record tool's outPat...", "description": "OpenClaw before 2026.4.10 contains a path traversal vulnerability in the screen_record tool's outPath parameter that bypasses workspace-only filesystem guards. Attackers can exploit this by specifying an outPath outside the workspace boundary to write files to unintended locations on the system.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-05T12:16:20.190", "references": [ "https://github.com/openclaw/openclaw/commit/635bb35b68d8faa5bfa2fda35feadd315122748a", "https://github.com/openclaw/openclaw/security/advisories/GHSA-jf25-7968-h2h5", "https://www.vulncheck.com/advisories/openclaw-path-traversal-in-screen-record-outpath-parameter" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43567", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); network accessible; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-43566", "severity": "critical", "type": "unknown_cwe_184", "nvd_category_id": "CWE-184", "title": "OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heart...", "description": "OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic skips webhook wake events carrying untrusted content. Attackers can exploit this by sending untrusted webhook wake events to preserve owner-like execution context when the run should have been downgraded.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-05T12:16:20.040", "references": [ "https://github.com/openclaw/openclaw/commit/31281bc92f55796817a92bc43f722cba1e77ab42", "https://github.com/openclaw/openclaw/security/advisories/GHSA-g2hm-779g-vm32", "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-untrusted-webhook-wake-events" ], "cvss_score": 9.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43566", "exploitability_score": "high", "exploitability_rationale": "Critical CVSS score (9.1); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-43535", "severity": "medium", "type": "unknown_cwe_266", "nvd_category_id": "CWE-266", "title": "OpenClaw before 2026.4.14 contains an authorization context reuse vulnerability in collect-mode queu...", "description": "OpenClaw before 2026.4.14 contains an authorization context reuse vulnerability in collect-mode queue batches that allows messages from different senders to inherit the final sender's authorization context. Attackers can exploit this by sending multiple queued messages to drain batches using a more privileged sender's context, causing earlier messages to execute with elevated permissions.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-05T12:16:19.893", "references": [ "https://github.com/openclaw/openclaw/commit/43d4be902755c970b3d15608679761877718da69", "https://github.com/openclaw/openclaw/security/advisories/GHSA-jwrq-8g5x-5fhm", "https://www.vulncheck.com/advisories/openclaw-authorization-context-reuse-in-collect-mode-queue-batches" ], "cvss_score": 6.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43535", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.8); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-43534", "severity": "critical", "type": "unknown_cwe_345", "nvd_category_id": "CWE-345", "title": "OpenClaw before 2026.4.10 contains an input validation vulnerability that allows external hook metad...", "description": "OpenClaw before 2026.4.10 contains an input validation vulnerability that allows external hook metadata to be enqueued as trusted system events. Attackers can supply malicious hook names to escalate untrusted input into higher-trust agent context.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-05T12:16:19.750", "references": [ "https://github.com/openclaw/openclaw/commit/e3a845bde5b54f4f1e742d0a51ba9860f9619b29", "https://github.com/openclaw/openclaw/security/advisories/GHSA-7g8c-cfr3-vqqr", "https://www.vulncheck.com/advisories/openclaw-unsanitized-external-input-in-agent-hook-events" ], "cvss_score": 9.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43534", "exploitability_score": "high", "exploitability_rationale": "Critical CVSS score (9.1); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-43533", "severity": "high", "type": "unknown_cwe_23", "nvd_category_id": "CWE-23", "title": "OpenClaw before 2026.4.10 contains an arbitrary file read vulnerability in QQBot media tags that all...", "description": "OpenClaw before 2026.4.10 contains an arbitrary file read vulnerability in QQBot media tags that allows attackers to reference host-local paths outside the intended media storage boundary. Attackers can craft malicious reply text containing media tags to disclose arbitrary local files through outbound media handling.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-05T12:16:19.610", "references": [ "https://github.com/openclaw/openclaw/commit/604777e4414cc3b2ff8861f18f4fb04374c702c6", "https://github.com/openclaw/openclaw/security/advisories/GHSA-66r7-m7xm-v49h", "https://www.vulncheck.com/advisories/openclaw-arbitrary-local-file-read-via-qqbot-media-tags" ], "cvss_score": 8.6, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43533", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.6); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-43532", "severity": "high", "type": "unknown_cwe_184", "nvd_category_id": "CWE-184", "title": "OpenClaw versions 2026.4.7 before 2026.4.10 fail to normalize Discord event cover image parameters i...", "description": "OpenClaw versions 2026.4.7 before 2026.4.10 fail to normalize Discord event cover image parameters in sandbox media processing. Attackers can bypass media normalization to inject host-local media references into channel action paths expecting normalized media.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-05T12:16:19.473", "references": [ "https://github.com/openclaw/openclaw/commit/979c6f09d6fad96596feb91c905934be7e0b4f15", "https://github.com/openclaw/openclaw/security/advisories/GHSA-c9h3-5p7r-mrjh", "https://www.vulncheck.com/advisories/openclaw-sandbox-media-normalization-bypass-via-discord-event-cover-image" ], "cvss_score": 7.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43532", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.7); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-43531", "severity": "high", "type": "unknown_cwe_15", "nvd_category_id": "CWE-15", "title": "OpenClaw before 2026.4.9 contains an environment variable injection vulnerability allowing malicious...", "description": "OpenClaw before 2026.4.9 contains an environment variable injection vulnerability allowing malicious workspace .env files to set runtime-control variables. Attackers can inject variables affecting update sources, gateway URLs, ClawHub resolution, and browser executable paths to compromise application behavior.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-05T12:16:19.337", "references": [ "https://github.com/openclaw/openclaw/commit/dbfcef319618158fa40b31cdac386ea34c392c0c", "https://github.com/openclaw/openclaw/security/advisories/GHSA-7wv4-cc7p-jhxc", "https://www.vulncheck.com/advisories/openclaw-environment-variable-injection-via-workspace-env-file" ], "cvss_score": 7.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43531", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.3); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-43530", "severity": "high", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw versions 2026.2.23 before 2026.4.12 contain a weakened exec approval binding vulnerability ...", "description": "OpenClaw versions 2026.2.23 before 2026.4.12 contain a weakened exec approval binding vulnerability in busybox and toybox applet execution that allows attackers to obscure which applet would actually run. Attackers can exploit opaque multi-call binaries to bypass exec approval mechanisms and weaken risk classification of unsafe applet invocations.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-05T12:16:19.200", "references": [ "https://github.com/openclaw/openclaw/commit/666f48d9b882a8a1415ca53f9567c72499d850c9", "https://github.com/openclaw/openclaw/security/advisories/GHSA-2cq5-mf3v-mx44", "https://www.vulncheck.com/advisories/openclaw-weakened-exec-approval-binding-via-busybox-and-toybox-applet-execution" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43530", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.8); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-43529", "severity": "low", "type": "unknown_cwe_367", "nvd_category_id": "CWE-367", "title": "OpenClaw before 2026.4.10 contains a time-of-check-time-of-use vulnerability in the validateScriptFi...", "description": "OpenClaw before 2026.4.10 contains a time-of-check-time-of-use vulnerability in the validateScriptFileForShellBleed function that allows local attackers to bypass workspace boundary checks. An attacker with workspace write access can race-condition swap the target file between validation and preflight read, causing the validator to inspect a different file identity than the one that passed the initial boundary check.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-05T12:16:19.057", "references": [ "https://github.com/openclaw/openclaw/commit/b024fae9e5df43e9b69b2daebb72be3469d52e91", "https://github.com/openclaw/openclaw/security/advisories/GHSA-gj9q-8w99-mp8j", "https://www.vulncheck.com/advisories/openclaw-time-of-check-time-of-use-toctou-race-condition-in-exec-script-preflight-validator" ], "cvss_score": 2.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43529", "exploitability_score": "low", "exploitability_rationale": "Low CVSS score (2.5); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-43528", "severity": "medium", "type": "unknown_cwe_212", "nvd_category_id": "CWE-212", "title": "OpenClaw before 2026.4.14 contains a redaction bypass vulnerability that allows authenticated gatewa...", "description": "OpenClaw before 2026.4.14 contains a redaction bypass vulnerability that allows authenticated gateway clients to receive unredacted secrets through sourceConfig and runtimeConfig alias fields. Attackers with config read access can exploit this to obtain provider API keys, gateway authentication material, and channel credentials that should have been redacted.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-05T12:16:18.917", "references": [ "https://github.com/openclaw/openclaw/commit/86734ef93a2f25063371b04f1946eb300548acd4", "https://github.com/openclaw/openclaw/security/advisories/GHSA-8372-7vhw-cm6q", "https://www.vulncheck.com/advisories/openclaw-redaction-bypass-via-sourceconfig-and-runtimeconfig-aliases" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43528", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); network accessible; discloses unredacted secrets (provider API keys, gateway authentication material, channel credentials) to clients with config read access", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-43527", "severity": "high", "type": "unknown_cwe_1188", "nvd_category_id": "CWE-1188", "title": "OpenClaw before 2026.4.14 contains a server-side request forgery vulnerability in browser SSRF polic...", "description": "OpenClaw before 2026.4.14 contains a server-side request forgery vulnerability in browser SSRF policy that allows private-network navigation by default. Attackers can exploit this misconfiguration to access internal services or metadata endpoints through browser-driven requests.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-05T12:16:18.777", "references": [ "https://github.com/openclaw/openclaw/commit/024f4614a1a1831406e763adc40ef226e3d5e9ed", "https://github.com/openclaw/openclaw/commit/1dabfef28db523e7de81edeb3dd689e9171236a2", "https://github.com/openclaw/openclaw/commit/213c36cf51121ef6c05cfccd78037371f968f31a" ], "cvss_score": 7.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43527", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.7); network accessible; SSRF affects agents making external requests", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-43526", "severity": "high", "type": "server_side_request_forgery", "nvd_category_id": "CWE-918", "title": "OpenClaw before 2026.4.12 contains a server-side request forgery vulnerability in QQBot reply media ...", "description": "OpenClaw before 2026.4.12 contains a server-side request forgery vulnerability in QQBot reply media URL handling that allows attackers to fetch arbitrary content. Attackers can exploit this by providing malicious media URLs that trigger SSRF requests, with fetched bytes subsequently re-uploaded through the channel.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-05T12:16:18.640", "references": [ "https://github.com/openclaw/openclaw/commit/08ae021d1f4f02e0ca5fd8a3b9659291c1ecf95a", "https://github.com/openclaw/openclaw/commit/ddb7a8dd80b8d5dd04aafa44ce7a4354b568bb2d", "https://github.com/openclaw/openclaw/security/advisories/GHSA-2767-2q9v-9326" ], "cvss_score": 8.2, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43526", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.2); remotely exploitable without authentication; SSRF affects agents making external requests", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-42439", "severity": "high", "type": "missing_authorization", "nvd_category_id": "CWE-862", "title": "OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in the ...", "description": "OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in the browser tabs action select and close routes. Attackers can bypass configured browser SSRF policy protections by exploiting the /tabs/action endpoint to perform unauthorized tab navigation operations.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-05T12:16:18.490", "references": [ "https://github.com/openclaw/openclaw/commit/48c0347921b7e9438af0312968fc360ca88023f3", "https://github.com/openclaw/openclaw/security/advisories/GHSA-rj2p-j66c-mgqh", "https://www.vulncheck.com/advisories/openclaw-ssrf-policy-bypass-in-browser-tabs-action-routes" ], "cvss_score": 8.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42439", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.5); network accessible; SSRF affects agents making external requests", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-42438", "severity": "high", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw versions 2026.4.9 before 2026.4.10 contain a sender policy bypass vulnerability in the outb...", "description": "OpenClaw versions 2026.4.9 before 2026.4.10 contain a sender policy bypass vulnerability in the outbound host-media attachment read helper that allows unauthorized local file disclosure. Attackers with denied read access via toolsBySender or group policy can trigger host-media attachment loading to bypass sender and group-scoped authorization boundaries and retrieve readable local files through the outbound media path.", "affected": [ "cpe:2.3:a:openclaw:openclaw:2026.4.9:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-05T12:16:18.327", "references": [ "https://github.com/openclaw/openclaw/commit/c949af9fabf3873b5b7c484090cb5f5ab6049a98", "https://github.com/openclaw/openclaw/security/advisories/GHSA-jhpv-5j76-m56h", "https://www.vulncheck.com/advisories/openclaw-sender-policy-bypass-in-host-media-attachment-reads" ], "cvss_score": 7.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42438", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.7); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-42437", "severity": "high", "type": "unknown_cwe_770", "nvd_category_id": "CWE-770", "title": "OpenClaw versions 2026.4.9 before 2026.4.10 contain a denial of service vulnerability in the voice-c...", "description": "OpenClaw versions 2026.4.9 before 2026.4.10 contain a denial of service vulnerability in the voice-call realtime WebSocket path that accepts oversized frames without proper validation. Remote attackers can send oversized WebSocket frames to cause service unavailability for deployments exposing the voice-call realtime WebSocket path.", "affected": [ "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-05T12:16:18.190", "references": [ "https://github.com/openclaw/openclaw/commit/afadb7dae6738819ad9c7d2597ace0516957d20e", "https://github.com/openclaw/openclaw/security/advisories/GHSA-vw3h-q6xq-jjm5", "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-oversized-websocket-frames-in-voice-call-realtime-path" ], "cvss_score": 7.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42437", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-42436", "severity": "high", "type": "missing_authorization", "nvd_category_id": "CWE-862", "title": "OpenClaw before 2026.4.14 contains an improper access control vulnerability in browser snapshot, scr...", "description": "OpenClaw before 2026.4.14 contains an improper access control vulnerability in browser snapshot, screenshot, and tab routes that fail to consistently validate the final browser target after navigation. Authenticated callers can bypass SSRF restrictions to expose internal or disallowed page content by exploiting route-driven navigation without proper policy re-validation.", "affected": [ "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-05T12:16:18.050", "references": [ "https://github.com/openclaw/openclaw/commit/b75ad800a59009fc47eaa3471410f69046150e59", "https://github.com/openclaw/openclaw/security/advisories/GHSA-c4qm-58hj-j6pj", "https://www.vulncheck.com/advisories/openclaw-internal-page-content-exposure-via-browser-snapshot-and-screenshot-routes" ], "cvss_score": 7.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42436", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.7); network accessible; SSRF affects agents making external requests", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-42435", "severity": "high", "type": "unknown_cwe_184", "nvd_category_id": "CWE-184", "title": "OpenClaw versions from 2026.2.22 before 2026.4.12 contain an insufficient shell-wrapper detection vu...", "description": "OpenClaw versions from 2026.2.22 before 2026.4.12 contain an insufficient shell-wrapper detection vulnerability allowing attackers to inject environment variable assignments at the argv level. Attackers can bypass exec preflight handling to manipulate high-risk shell variables like SHELLOPTS and PS4, affecting execution semantics and security controls.", "affected": [ "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-05T12:16:17.910", "references": [ "https://github.com/openclaw/openclaw/commit/8f8492d172f4c5b4fd7dd9a47855ed620c8770ab", "https://github.com/openclaw/openclaw/security/advisories/GHSA-j6c7-3h5x-99g9", "https://www.vulncheck.com/advisories/openclaw-shell-wrapper-detection-bypass-via-environment-variable-assignment-injection" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42435", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.8); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-42434", "severity": "high", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw versions 2026.4.5 before 2026.4.10 contain a sandbox escape vulnerability allowing sandboxe...", "description": "OpenClaw versions 2026.4.5 before 2026.4.10 contain a sandbox escape vulnerability allowing sandboxed agents to override exec routing by specifying host=node. Attackers can bypass sandbox boundaries and route execution to remote nodes instead of intended sandbox paths.", "affected": [ "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-05T12:16:17.767", "references": [ "https://github.com/openclaw/openclaw/commit/dffad08529202edbf34e4808788e1182fe10f6a9", "https://github.com/openclaw/openclaw/security/advisories/GHSA-736r-jwj6-4w23", "https://www.vulncheck.com/advisories/openclaw-sandbox-escape-via-host-parameter-override-in-exec-routing" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42434", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.8); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-42433", "severity": "medium", "type": "missing_authorization", "nvd_category_id": "CWE-862", "title": "OpenClaw before 2026.4.10 contains an authorization bypass vulnerability allowing operator.write mes...", "description": "OpenClaw before 2026.4.10 contains an authorization bypass vulnerability allowing operator.write message-tool paths to access Matrix profile persistence requiring admin-level authority. Attackers can exploit insufficient access controls to mutate persistent profile configuration through non-owner message-tool runs.", "affected": [ "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-05-05T12:16:17.627", "references": [ "https://github.com/openclaw/openclaw/commit/fe0f686c9228fffcec6de4011da45e69a6e23e54", "https://github.com/openclaw/openclaw/security/advisories/GHSA-7jp6-r74r-995q", "https://www.vulncheck.com/advisories/openclaw-unauthorized-matrix-profile-config-persistence-access-via-operator-write-message-tools" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42433", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.5); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-7397", "severity": "medium", "type": "unknown_cwe_59", "nvd_category_id": "CWE-59", "title": "A security flaw has been discovered in NousResearch hermes-agent 0.8.0. This affects the function _c...", "description": "A security flaw has been discovered in NousResearch hermes-agent 0.8.0. This affects the function _check_sensitive_path of the file tools/file_tools.py. The manipulation results in symlink following. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. Upgrading to version 0.9.0 is able to mitigate this issue. The patch is identified as 311dac197145e19e07df68feba2cd55d896a3cd1. Upgrading the affected component is recommended.", "affected": [ "hermes@*" ], "platforms": [ "hermes" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-29T19:16:26.150", "references": [ "https://github.com/NousResearch/hermes-agent/", "https://github.com/NousResearch/hermes-agent/commit/311dac197145e19e07df68feba2cd55d896a3cd1", "https://github.com/NousResearch/hermes-agent/issues/8734" ], "cvss_score": 4.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7397", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (4.4); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-7396", "severity": "medium", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "A vulnerability was identified in NousResearch hermes-agent 0.8.0. Affected by this issue is some un...", "description": "A vulnerability was identified in NousResearch hermes-agent 0.8.0. Affected by this issue is some unknown functionality of the file gateway/platforms/wecom.py of the component WeChat Work Platform Adapter. The manipulation leads to path traversal. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.", "affected": [ "hermes@*" ], "platforms": [ "hermes" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-29T18:16:05.567", "references": [ "https://github.com/NousResearch/hermes-agent/", "https://github.com/NousResearch/hermes-agent/issues/8733", "https://github.com/bugmaker2/hermes-agent/issues/29" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7396", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-42432", "severity": "high", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.4.8 contains a privilege escalation vulnerability allowing previously paired no...", "description": "OpenClaw before 2026.4.8 contains a privilege escalation vulnerability allowing previously paired nodes to reconnect with exec-capable commands without the operator.admin scope requirement. Attackers can bypass re-pairing authentication to execute privileged commands on the local assistant system.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:47.190", "references": [ "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "https://github.com/openclaw/openclaw/security/advisories/GHSA-5wj5-87vq-39xm", "https://www.vulncheck.com/advisories/openclaw-command-escalation-via-node-pairing-reconnect-bypass" ], "cvss_score": 7.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42432", "exploitability_score": "medium", "exploitability_rationale": "High CVSS score (7.8); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-42431", "severity": "high", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invoke(browser.proxy) that...", "description": "OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invoke(browser.proxy) that allows mutation of persistent browser profiles. Attackers can exploit this path to circumvent the browser.request persistent profile-mutation guard and modify browser configurations.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:47.057", "references": [ "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "https://github.com/openclaw/openclaw/security/advisories/GHSA-cmfr-9m2r-xwhq", "https://www.vulncheck.com/advisories/openclaw-persistent-profile-mutation-via-node-invoke-browser-proxy-bypass" ], "cvss_score": 8.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42431", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.1); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-42430", "severity": "medium", "type": "server_side_request_forgery", "nvd_category_id": "CWE-918", "title": "OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in Playwright redirect...", "description": "OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in Playwright redirect handling that allows attackers to bypass strict SSRF checks. Attackers can exploit request-time navigation to reach private targets that should be restricted by browser SSRF protections.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:46.907", "references": [ "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "https://github.com/openclaw/openclaw/security/advisories/GHSA-w8g9-x8gx-crmm", "https://www.vulncheck.com/advisories/openclaw-strict-browser-ssrf-bypass-via-playwright-redirect-handling" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42430", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); network accessible; SSRF affects agents making external requests", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": true, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-42429", "severity": "high", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.4.8 contains a privilege escalation vulnerability in the gateway plugin HTTP au...", "description": "OpenClaw before 2026.4.8 contains a privilege escalation vulnerability in the gateway plugin HTTP authentication mechanism that escalates identity-bearing operator.read requests to runtime operator.write permissions. Attackers can exploit this by sending read-scoped requests through the gateway auth route to gain unauthorized write access to runtime operations.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:46.773", "references": [ "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "https://github.com/openclaw/openclaw/security/advisories/GHSA-4f8g-77mw-3rxc", "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-gateway-plugin-http-authentication" ], "cvss_score": 7.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42429", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.1); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-42428", "severity": "high", "type": "unknown_cwe_353", "nvd_category_id": "CWE-353", "title": "OpenClaw versions before 2026.4.8 fail to enforce integrity verification on downloaded plugin archiv...", "description": "OpenClaw versions before 2026.4.8 fail to enforce integrity verification on downloaded plugin archives. Attackers can install malicious or tampered plugin packages without detection, compromising the local assistant environment.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:46.630", "references": [ "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "https://github.com/openclaw/openclaw/security/advisories/GHSA-3vvq-q2qc-7rmp", "https://www.vulncheck.com/advisories/openclaw-missing-integrity-verification-in-package-downloads" ], "cvss_score": 7.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42428", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.1); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": true, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-42427", "severity": "medium", "type": "unknown_cwe_184", "nvd_category_id": "CWE-184", "title": "OpenClaw before 2026.4.8 contains a remote code execution vulnerability caused by missing environmen...", "description": "OpenClaw before 2026.4.8 contains a remote code execution vulnerability caused by missing environment variable denylist entries for HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS. Attackers can inject malicious build tool environment variables to influence host exec commands and achieve arbitrary code execution.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:46.493", "references": [ "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "https://github.com/openclaw/openclaw/security/advisories/GHSA-7437-7hg8-frrw", "https://www.vulncheck.com/advisories/openclaw-remote-code-execution-via-build-tool-environment-variable-injection" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42427", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.3); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-42426", "severity": "high", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.4.8 contains an improper authorization vulnerability where the node.pair.approv...", "description": "OpenClaw before 2026.4.8 contains an improper authorization vulnerability where the node.pair.approve method accepts operator.write scope instead of the narrower operator.pairing scope, allowing unprivileged users to approve node pairing. Attackers with operator.write permissions can bypass pairing approval restrictions to gain unauthorized access to exec-capable nodes.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:46.360", "references": [ "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "https://github.com/openclaw/openclaw/security/advisories/GHSA-67mf-f936-ppxf", "https://www.vulncheck.com/advisories/openclaw-improper-authorization-in-node-pair-approve-via-operator-write-scope" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42426", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.8); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-42424", "severity": "medium", "type": "unknown_cwe_73", "nvd_category_id": "CWE-73", "title": "OpenClaw before 2026.4.8 treats shared reply MEDIA paths as trusted, allowing crafted references to ...", "description": "OpenClaw before 2026.4.8 treats shared reply MEDIA paths as trusted, allowing crafted references to trigger cross-channel local file exfiltration. Attackers can exploit this by crafting malicious shared reply MEDIA references to cause another channel to read local file paths as trusted generated media.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:46.217", "references": [ "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "https://github.com/openclaw/openclaw/security/advisories/GHSA-qqq7-4hxc-x63c", "https://www.vulncheck.com/advisories/openclaw-local-file-exfiltration-via-shared-reply-media-paths" ], "cvss_score": 5.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42424", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.7); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-42423", "severity": "high", "type": "unknown_cwe_636", "nvd_category_id": "CWE-636", "title": "OpenClaw before 2026.4.8 contains an approval-timeout fallback mechanism that bypasses strictInlineE...", "description": "OpenClaw before 2026.4.8 contains an approval-timeout fallback mechanism that bypasses strictInlineEval explicit-approval requirements on gateway and node exec hosts. Attackers can exploit this timeout fallback to execute inline eval commands that should require explicit user approval, circumventing the intended security boundary.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:46.083", "references": [ "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "https://github.com/openclaw/openclaw/security/advisories/GHSA-q2gc-xjqw-qp89", "https://www.vulncheck.com/advisories/openclaw-strictinlineeval-approval-boundary-bypass-via-approval-timeout-fallback" ], "cvss_score": 7.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42423", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.5); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-42422", "severity": "high", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function th...", "description": "OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function that allows minting tokens for unapproved roles. Attackers can bypass device role-upgrade pairing to preserve or mint roles and scopes that had not undergone intended approval.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:45.950", "references": [ "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "https://github.com/openclaw/openclaw/security/advisories/GHSA-whf9-3hcx-gq54", "https://www.vulncheck.com/advisories/openclaw-role-bypass-in-device-token-rotate-function" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42422", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.8); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-42421", "severity": "medium", "type": "unknown_cwe_613", "nvd_category_id": "CWE-613", "title": "OpenClaw before 2026.4.8 contains a session management vulnerability where existing WebSocket sessio...", "description": "OpenClaw before 2026.4.8 contains a session management vulnerability where existing WebSocket sessions survive shared gateway token rotation. Attackers can maintain unauthorized access to WebSocket connections after token rotation by exploiting the failure to disconnect existing shared-token sessions.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:45.820", "references": [ "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "https://github.com/openclaw/openclaw/security/advisories/GHSA-5h3f-885m-v22w", "https://www.vulncheck.com/advisories/openclaw-websocket-session-persistence-via-shared-gateway-token-rotation" ], "cvss_score": 5.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42421", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.4); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-42420", "severity": "medium", "type": "unknown_cwe_770", "nvd_category_id": "CWE-770", "title": "OpenClaw before 2026.4.8 contains improper input validation in base64 decode paths that allocate mem...", "description": "OpenClaw before 2026.4.8 contains improper input validation in base64 decode paths that allocate memory before enforcing decoded-size limits. Attackers can exploit multiple code paths to cause memory exhaustion or denial of service through crafted base64-encoded input.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:45.680", "references": [ "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "https://github.com/openclaw/openclaw/security/advisories/GHSA-ccx3-fw7q-rr2r", "https://www.vulncheck.com/advisories/openclaw-improper-base64-decoding-size-validation" ], "cvss_score": 4.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42420", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (4.3); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41916", "severity": "medium", "type": "unknown_cwe_613", "nvd_category_id": "CWE-613", "title": "OpenClaw before 2026.4.8 contains an authentication state management vulnerability where the resolve...", "description": "OpenClaw before 2026.4.8 contains an authentication state management vulnerability where the resolvedAuth closure becomes stale after configuration reload. Newly accepted gateway connections continue using outdated resolved auth state, allowing attackers to bypass authentication controls through config reload operations.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:45.540", "references": [ "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "https://github.com/openclaw/openclaw/security/advisories/GHSA-68x5-xx89-w9mm", "https://www.vulncheck.com/advisories/openclaw-stale-authentication-state-via-config-reload" ], "cvss_score": 5.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41916", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.4); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41915", "severity": "medium", "type": "unknown_cwe_184", "nvd_category_id": "CWE-184", "title": "OpenClaw before 2026.4.8 fails to remove git plumbing environment variables from the execution envir...", "description": "OpenClaw before 2026.4.8 fails to remove git plumbing environment variables from the execution environment before host exec operations. Attackers can exploit this by setting GIT_DIR and related variables to redirect git operations and compromise repository integrity.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:45.397", "references": [ "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "https://github.com/openclaw/openclaw/security/advisories/GHSA-cm8v-2vh9-cxf3", "https://www.vulncheck.com/advisories/openclaw-git-environment-variable-injection-via-unfiltered-exec-environment" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41915", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.3); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41914", "severity": "high", "type": "server_side_request_forgery", "nvd_category_id": "CWE-918", "title": "OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in QQ Bot media downlo...", "description": "OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in QQ Bot media download paths that bypass SSRF protection. Attackers can exploit unprotected media fetch endpoints to access internal resources and bypass allowlist policies.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:45.243", "references": [ "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "https://github.com/openclaw/openclaw/security/advisories/GHSA-3fv3-6p2v-gxwj", "https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-in-qq-bot-media-fetch-paths" ], "cvss_score": 8.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41914", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.5); network accessible; SSRF affects agents making external requests", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41913", "severity": "low", "type": "race_condition", "nvd_category_id": "CWE-362", "title": "OpenClaw before 2026.4.4 contains a race condition vulnerability in shared-secret authentication tha...", "description": "OpenClaw before 2026.4.4 contains a race condition vulnerability in shared-secret authentication that allows concurrent asynchronous requests to bypass the per-key rate-limit budget. Attackers can exploit this by sending multiple simultaneous authentication attempts to circumvent intended rate-limiting protections on Tailscale-capable paths.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:45.103", "references": [ "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "https://github.com/openclaw/openclaw/security/advisories/GHSA-25wv-8phj-8p7r", "https://www.vulncheck.com/advisories/openclaw-rate-limit-bypass-via-concurrent-async-authentication-attempts" ], "cvss_score": 3.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41913", "exploitability_score": "low", "exploitability_rationale": "Low CVSS score (3.7); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41912", "severity": "high", "type": "server_side_request_forgery", "nvd_category_id": "CWE-918", "title": "OpenClaw before 2026.4.8 contains a server-side request forgery policy bypass vulnerability allowing...", "description": "OpenClaw before 2026.4.8 contains a server-side request forgery policy bypass vulnerability allowing attackers to trigger navigations bypassing normal SSRF checks. Attackers can exploit browser interactions to bypass SSRF protections and access restricted resources.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:44.970", "references": [ "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "https://github.com/openclaw/openclaw/security/advisories/GHSA-vr5g-mmx7-h897", "https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-policy-bypass-via-interaction-triggered-navigation" ], "cvss_score": 7.6, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41912", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.6); network accessible; SSRF affects agents making external requests", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41911", "severity": "medium", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "OpenClaw before 2026.4.8 contains a filesystem policy bypass vulnerability in docx upload processing...", "description": "OpenClaw before 2026.4.8 contains a filesystem policy bypass vulnerability in docx upload processing that allows local file reads outside workspace boundaries. Attackers can exploit upload_file and upload_image endpoints to access files beyond the intended workspace-only filesystem policy.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:44.833", "references": [ "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "https://github.com/openclaw/openclaw/security/advisories/GHSA-5fc7-f62m-8983", "https://www.vulncheck.com/advisories/openclaw-workspace-only-filesystem-policy-bypass-via-docx-upload-file-upload-image" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41911", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); network accessible; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41910", "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.4.8 omits owner-only enforcement for cross-channel allowlist writes in the /all...", "description": "OpenClaw before 2026.4.8 omits owner-only enforcement for cross-channel allowlist writes in the /allowlist endpoint. An authorized non-owner sender can bypass access controls to perform allowlist modifications against different channels, violating the intended trust model.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:44.697", "references": [ "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "https://github.com/openclaw/openclaw/security/advisories/GHSA-vc32-h5mq-453v", "https://www.vulncheck.com/advisories/openclaw-missing-owner-only-enforcement-in-allowlist-cross-channel-writes" ], "cvss_score": 4.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41910", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (4.3); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41408", "severity": "medium", "type": "unknown_cwe_770", "nvd_category_id": "CWE-770", "title": "OpenClaw before 2026.3.31 contains a resource exhaustion vulnerability in media downloads that bypas...", "description": "OpenClaw before 2026.3.31 contains a resource exhaustion vulnerability in media downloads that bypasses core safety limits for file size, count, and cleanup operations. Attackers can exhaust disk space by downloading media files without triggering intended safety restrictions, causing availability impact.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:44.567", "references": [ "https://github.com/openclaw/openclaw/commit/2194587d70d2aef863508b945319c5a7c88b12ce", "https://github.com/openclaw/openclaw/security/advisories/GHSA-4g5x-2jfc-xm98", "https://www.vulncheck.com/advisories/openclaw-disk-exhaustion-via-media-download-bypass" ], "cvss_score": 4.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41408", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (4.3); network accessible; RCE is critical in agent deployments (note: the description reports disk exhaustion with availability impact, not code execution)", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41407", "severity": "low", "type": "unknown_cwe_208", "nvd_category_id": "CWE-208", "title": "OpenClaw before 2026.4.2 contains a timing side channel vulnerability in shared-secret comparison ca...", "description": "OpenClaw before 2026.4.2 contains a timing side channel vulnerability in shared-secret comparison call sites that use early length-mismatch checks instead of fixed-length comparison helpers. Attackers can measure timing differences to leak secret-length information, weakening constant-time handling for shared secrets.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:44.433", "references": [ "https://github.com/openclaw/openclaw/commit/be10ecef770a4654519869c3641bbb91087c8c7b", "https://github.com/openclaw/openclaw/security/advisories/GHSA-jj6q-rrrf-h66h", "https://www.vulncheck.com/advisories/openclaw-timing-side-channel-in-shared-secret-comparison" ], "cvss_score": 3.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41407", "exploitability_score": "low", "exploitability_rationale": "Low CVSS score (3.7); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41406", "severity": "medium", "type": "insecure_direct_object_reference", "nvd_category_id": "CWE-639", "title": "OpenClaw before 2026.3.31 contains a sender allowlist bypass vulnerability that allows remote attack...", "description": "OpenClaw before 2026.3.31 contains a sender allowlist bypass vulnerability that allows remote attackers to access restricted messages. Attackers can exploit fetched quoted, root, and thread context messages to bypass sender allowlist restrictions and retrieve unauthorized content.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:44.280", "references": [ "https://github.com/openclaw/openclaw/commit/f45e5a6569aab1d58cc6de25b19f1dc4c8779b85", "https://github.com/openclaw/openclaw/security/advisories/GHSA-877v-w3f5-3pcq", "https://www.vulncheck.com/advisories/openclaw-sender-allowlist-bypass-via-thread-history-and-quoted-messages" ], "cvss_score": 5.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41406", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.4); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41405", "severity": "high", "type": "unknown_cwe_408", "nvd_category_id": "CWE-408", "title": "OpenClaw before 2026.3.31 parses MS Teams webhook request bodies before performing JWT validation, a...", "description": "OpenClaw before 2026.3.31 parses MS Teams webhook request bodies before performing JWT validation, allowing unauthenticated attackers to trigger resource exhaustion. Remote attackers can send malicious Teams webhook payloads to exhaust server resources by bypassing authentication checks.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:44.090", "references": [ "https://github.com/openclaw/openclaw/commit/3834d47099dd13c8244ed6de8b9ea9855c553623", "https://github.com/openclaw/openclaw/security/advisories/GHSA-p464-m8x6-vhv8", "https://www.vulncheck.com/advisories/openclaw-resource-exhaustion-via-unauthenticated-ms-teams-webhook-body-parsing" ], "cvss_score": 7.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41405", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication; RCE is critical in agent deployments (note: the description reports resource exhaustion, not code execution)", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41404", "severity": "high", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.3.31 contains an incomplete scope-clearing vulnerability in trusted-proxy authe...", "description": "OpenClaw before 2026.3.31 contains an incomplete scope-clearing vulnerability in trusted-proxy authentication mode that allows operator.admin privilege escalation. Attackers can exploit this by declaring operator scopes on non-Control-UI clients, allowing self-declared scopes to persist on identity-bearing authentication paths and escalate privileges.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:43.957", "references": [ "https://github.com/openclaw/openclaw/commit/8b88b927cb0747ad24d95b07d35682bf85dc5b0e", "https://github.com/openclaw/openclaw/security/advisories/GHSA-g374-mggx-p6xc", "https://www.vulncheck.com/advisories/openclaw-operator-admin-privilege-escalation-via-trusted-proxy-authentication" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41404", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.8); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41403", "severity": "low", "type": "unknown_cwe_807", "nvd_category_id": "CWE-807", "title": "OpenClaw before 2026.3.31 misclassifies proxied remote requests as loopback connections in the diffs...", "description": "OpenClaw before 2026.3.31 misclassifies proxied remote requests as loopback connections in the diffs viewer when allowRemoteViewer is disabled, allowing unauthorized access. Attackers can bypass access controls by sending proxied requests that are incorrectly identified as local loopback traffic, circumventing intended remote viewer restrictions.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:43.823", "references": [ "https://github.com/openclaw/openclaw/commit/30a1690323088fd291abd11643a264a6828a002c", "https://github.com/openclaw/openclaw/security/advisories/GHSA-3xv9-89fm-7h4r", "https://www.vulncheck.com/advisories/openclaw-access-control-bypass-via-proxied-remote-request-misclassification" ], "cvss_score": 2.9, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41403", "exploitability_score": "low", "exploitability_rationale": "Low CVSS score (2.9); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": false, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41402", "severity": "medium", "type": "unknown_cwe_706", "nvd_category_id": "CWE-706", "title": "OpenClaw before 2026.3.31 contains a scope bypass vulnerability in webhook replay cache deduplicatio...", "description": "OpenClaw before 2026.3.31 contains a scope bypass vulnerability in webhook replay cache deduplication that allows authenticated attackers to replay messages across sibling targets using the same messageId. Attackers can exploit overly broad cache keying to bypass replay protection and deliver duplicate webhook messages to unintended targets.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:43.690", "references": [ "https://github.com/openclaw/openclaw/commit/4d038bb242c11f39e45f6a4bde400e5fd42e4ebf", "https://github.com/openclaw/openclaw/security/advisories/GHSA-hhq4-97c2-p447", "https://www.vulncheck.com/advisories/openclaw-webhook-replay-cache-cross-target-messageid-scope-bypass" ], "cvss_score": 4.2, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41402", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (4.2); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41400", "severity": "medium", "type": "unknown_cwe_770", "nvd_category_id": "CWE-770", "title": "OpenClaw before 2026.3.31 contains an incomplete fix for CVE-2026-32062 where the voice-call compone...", "description": "OpenClaw before 2026.3.31 contains an incomplete fix for CVE-2026-32062 where the voice-call component parses large WebSocket frames before start validation. Remote attackers can send oversized pre-start WebSocket frames to cause resource consumption and denial of service.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:43.553", "references": [ "https://github.com/openclaw/openclaw/commit/9abcfdadf591bf266d85fbdfe14ae833e557a110", "https://github.com/openclaw/openclaw/security/advisories/GHSA-2w79-r9g8-wmcr", "https://www.vulncheck.com/advisories/openclaw-resource-consumption-via-oversized-websocket-frames-in-voice-call" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41400", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication; RCE is critical in agent deployments (note: the description reports resource consumption and denial of service, not code execution)", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41399", "severity": "high", "type": "unknown_cwe_770", "nvd_category_id": "CWE-770", "title": "OpenClaw before 2026.3.28 accepts unbounded concurrent unauthenticated WebSocket upgrades without pr...", "description": "OpenClaw before 2026.3.28 accepts unbounded concurrent unauthenticated WebSocket upgrades without pre-authentication budget allocation. Unauthenticated network attackers can exhaust socket and worker capacity to disrupt WebSocket availability for legitimate clients.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:43.420", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-f44p-c7w9-7xr7", "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unbounded-pre-auth-websocket-upgrades" ], "cvss_score": 7.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41399", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41398", "severity": "medium", "type": "unknown_cwe_346", "nvd_category_id": "CWE-346", "title": "OpenClaw before 2026.4.2 contains an improper access control vulnerability in the iOS A2UI bridge th...", "description": "OpenClaw before 2026.4.2 contains an improper access control vulnerability in the iOS A2UI bridge that treats generic local-network pages as trusted origins. Attackers can inject unauthorized agent.request runs by loading attacker-controlled pages from local-network or tailnet hosts, polluting session state and consuming budget.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:43.287", "references": [ "https://github.com/openclaw/openclaw/commit/49d08382a90f71dabe2877b3f6729ad85f808d57", "https://github.com/openclaw/openclaw/security/advisories/GHSA-4p4f-fc8q-84m3", "https://www.vulncheck.com/advisories/openclaw-unauthorized-agent-request-dispatch-via-untrusted-local-network-pages-in-ios-a2ui-bridge" ], "cvss_score": 4.6, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41398", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (4.6); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41397", "severity": "medium", "type": "unknown_cwe_59", "nvd_category_id": "CWE-59", "title": "OpenClaw before 2026.3.31 contains a sandbox escape vulnerability allowing attackers to traverse dir...", "description": "OpenClaw before 2026.3.31 contains a sandbox escape vulnerability allowing attackers to traverse directory boundaries through symlink exploitation during file synchronization operations. Remote attackers can bypass sandbox restrictions by crafting malicious symlinks in mirror sync operations to access arbitrary files outside intended boundaries.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:43.153", "references": [ "https://github.com/openclaw/openclaw/commit/3b9dab0ece4643a9643e6a45459f5c709d3ce320", "https://github.com/openclaw/openclaw/commit/c02ee8a3a4cb390b23afdf21317aa8b2096854d1", "https://github.com/openclaw/openclaw/security/advisories/GHSA-cwf8-44x6-32c2" ], "cvss_score": 6.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41397", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.8); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41396", "severity": "high", "type": "unknown_cwe_829", "nvd_category_id": "CWE-829", "title": "OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_PLUGINS_DIR e...", "description": "OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_PLUGINS_DIR environment variable, compromising plugin trust verification. Attackers with control over workspace configuration can inject malicious plugins by overriding the bundled plugin trust root directory.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:43.013", "references": [ "https://github.com/openclaw/openclaw/commit/330a9f98cb29c79b1c16a2117e03d6276a0d6289", "https://github.com/openclaw/openclaw/security/advisories/GHSA-qcj9-wwgw-6gm8", "https://www.vulncheck.com/advisories/openclaw-environment-variable-override-of-plugin-trust-root" ], "cvss_score": 7.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41396", "exploitability_score": "medium", "exploitability_rationale": "High CVSS score (7.8); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41395", "severity": "high", "type": "unknown_cwe_325", "nvd_category_id": "CWE-325", "title": "OpenClaw before 2026.3.28 contains a webhook replay vulnerability in Plivo V3 signature verification...", "description": "OpenClaw before 2026.3.28 contains a webhook replay vulnerability in Plivo V3 signature verification that canonicalizes query ordering for signatures but hashes raw URLs for replay detection. Attackers can reorder query parameters to bypass replay cache detection and trigger duplicate voice-call processing with a captured valid signed webhook.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:42.880", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-8689-gm9g-jgr6", "https://www.vulncheck.com/advisories/openclaw-webhook-replay-via-query-parameter-reordering-in-plivo-v3" ], "cvss_score": 7.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41395", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41394", "severity": "high", "type": "missing_authorization", "nvd_category_id": "CWE-862", "title": "OpenClaw before 2026.3.31 contains an authentication bypass vulnerability where unauthenticated plug...", "description": "OpenClaw before 2026.3.31 contains an authentication bypass vulnerability where unauthenticated plugin-auth HTTP routes receive operator runtime write scopes. Attackers can access these routes without authentication to perform privileged runtime actions intended for authorized operators.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:42.737", "references": [ "https://github.com/openclaw/openclaw/commit/2a1db0c0f1fa375004a95ba0ef030534790a6d47", "https://github.com/openclaw/openclaw/security/advisories/GHSA-mhgq-xpfq-6r66", "https://www.vulncheck.com/advisories/openclaw-unauthorized-operator-scope-access-in-unauthenticated-plugin-auth-routes" ], "cvss_score": 8.2, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41394", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.2); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41393", "severity": "medium", "type": "unknown_cwe_346", "nvd_category_id": "CWE-346", "title": "OpenClaw before 2026.3.31 contains a wide-area discovery vulnerability allowing arbitrary tailnet pe...", "description": "OpenClaw before 2026.3.31 contains a wide-area discovery vulnerability allowing arbitrary tailnet peers to be accepted as DNS authorities. Attackers with same-tailnet position and CA-trusted endpoint access can exfiltrate operator credentials through DNS steering manipulation.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:42.590", "references": [ "https://github.com/openclaw/openclaw/commit/a23c33a681f8c1b22dc793995acc4c5c4b568346", "https://github.com/openclaw/openclaw/security/advisories/GHSA-q9w8-cf67-r238", "https://www.vulncheck.com/advisories/openclaw-arbitrary-dns-authority-acceptance-and-credential-exfiltration-via-wide-area-discovery" ], "cvss_score": 4.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41393", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (4.8); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": true, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41392", "severity": "medium", "type": "unknown_cwe_184", "nvd_category_id": "CWE-184", "title": "OpenClaw before 2026.3.31 contains an exec allowlist bypass vulnerability allowing attackers to inhe...", "description": "OpenClaw before 2026.3.31 contains an exec allowlist bypass vulnerability allowing attackers to inherit allowlist trust via shell init-file wrapper invocations. Attackers can exploit shell options like --rcfile, --init-file, and --startup-file to load attacker-chosen initialization files while bypassing exec allowlist matching restrictions.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:42.447", "references": [ "https://github.com/openclaw/openclaw/commit/0c8375424620e12777ef24c162eedc7e9fcfd7e3", "https://github.com/openclaw/openclaw/security/advisories/GHSA-wpc6-37g7-8q4w", "https://www.vulncheck.com/advisories/openclaw-exec-allowlist-bypass-via-shell-init-file-options" ], "cvss_score": 6.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41392", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.7); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": true, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41391", "severity": "medium", "type": "unknown_cwe_184", "nvd_category_id": "CWE-184", "title": "OpenClaw before 2026.3.31 fails to properly sanitize PIP_INDEX_URL and UV_INDEX_URL environment vari...", "description": "OpenClaw before 2026.3.31 fails to properly sanitize PIP_INDEX_URL and UV_INDEX_URL environment variables in host execution contexts, allowing attackers to redirect Python package-index traffic. Attackers can exploit this bypass to intercept or manipulate package management operations by injecting malicious index URLs through unsanitized environment variables.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:42.310", "references": [ "https://github.com/openclaw/openclaw/commit/7ae1bb0c7799fd0cbd2d4de7b0f5b8039837ab8d", "https://github.com/openclaw/openclaw/security/advisories/GHSA-7ggg-pvrf-458v", "https://www.vulncheck.com/advisories/openclaw-environment-variable-bypass-in-package-index-url-handling" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41391", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.3); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41390", "severity": "high", "type": "unknown_cwe_807", "nvd_category_id": "CWE-807", "title": "OpenClaw before 2026.3.28 contains an exec allowlist bypass vulnerability where allow-always persist...", "description": "OpenClaw before 2026.3.28 contains an exec allowlist bypass vulnerability where allow-always persistence fails to unwrap /usr/bin/script and similar wrappers before storing trust decisions. Attackers can obtain user approval for one wrapped command to persist trust for wrapper binaries that execute different underlying programs.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:42.173", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-6pfc-6m7w-m8fx", "https://www.vulncheck.com/advisories/openclaw-exec-allowlist-bypass-via-unregistered-usr-bin-script-wrapper" ], "cvss_score": 7.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41390", "exploitability_score": "medium", "exploitability_rationale": "High CVSS score (7.3); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41388", "severity": "medium", "type": "unknown_cwe_372", "nvd_category_id": "CWE-372", "title": "OpenClaw before 2026.3.31 contains a configuration management vulnerability where startup migration ...", "description": "OpenClaw before 2026.3.31 contains a configuration management vulnerability where startup migration treats empty-array settings as missing values. Attackers can restart the application to rehydrate revoked Tlon configuration from file state, bypassing intended revocation controls.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:42.040", "references": [ "https://github.com/openclaw/openclaw/commit/a4d72a83f01fedd35964c352e3473c7712a3511b", "https://github.com/openclaw/openclaw/security/advisories/GHSA-3pm9-5j7m-59vc", "https://www.vulncheck.com/advisories/openclaw-configuration-rehydration-via-empty-array-revocation-handling" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41388", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41387", "severity": "high", "type": "unknown_cwe_183", "nvd_category_id": "CWE-183", "title": "OpenClaw before 2026.3.22 contains an incomplete host environment variable sanitization vulnerabilit...", "description": "OpenClaw before 2026.3.22 contains an incomplete host environment variable sanitization vulnerability in host-env-security-policy.json and host-env-security.ts that allows package-manager environment overrides. Attackers can exploit approved exec requests to redirect package resolution or runtime bootstrap to attacker-controlled infrastructure and execute trojanized content.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:41.910", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-j7p2-qcwm-94v4", "https://www.vulncheck.com/advisories/openclaw-supply-chain-redirection-via-incomplete-host-environment-sanitization" ], "cvss_score": 7.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41387", "exploitability_score": "medium", "exploitability_rationale": "High CVSS score (7.8); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41386", "severity": "critical", "type": "unknown_cwe_648", "nvd_category_id": "CWE-648", "title": "OpenClaw before 2026.3.22 contains a privilege escalation vulnerability where bootstrap setup codes ...", "description": "OpenClaw before 2026.3.22 contains a privilege escalation vulnerability where bootstrap setup codes are not bound to intended device roles and scopes during pairing. Attackers can exploit this during first-use device pairing to escalate privileges beyond their intended role and scope.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:41.770", "references": [ "https://github.com/openclaw/openclaw/commit/a600c72ed7d0045a27f58bf031d2b36ecb0141c9", "https://github.com/openclaw/openclaw/security/advisories/GHSA-gg9v-mgcp-v6m7", "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-unbound-bootstrap-setup-codes" ], "cvss_score": 9.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41386", "exploitability_score": "high", "exploitability_rationale": "Critical CVSS score (9.1); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41385", "severity": "medium", "type": "unknown_cwe_312", "nvd_category_id": "CWE-312", "title": "OpenClaw before 2026.3.31 stores Nostr privateKey as plaintext in configuration, allowing exposure t...", "description": "OpenClaw before 2026.3.31 stores Nostr privateKey as plaintext in configuration, allowing exposure through config.get method calls that bypass redaction mechanisms. Attackers can retrieve unredacted configuration data to obtain plaintext signing keys used for Nostr protocol operations.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:41.630", "references": [ "https://github.com/openclaw/openclaw/commit/57700d716f660591fb6e09727f3ca8041fa48b9d", "https://github.com/openclaw/openclaw/security/advisories/GHSA-jjw7-3vjf-fg5j", "https://www.vulncheck.com/advisories/openclaw-nostr-private-key-exposure-via-config-get-redaction-bypass" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41385", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.5); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41384", "severity": "high", "type": "unknown_cwe_15", "nvd_category_id": "CWE-15", "title": "OpenClaw before 2026.3.24 contains an environment variable injection vulnerability in the CLI backen...", "description": "OpenClaw before 2026.3.24 contains an environment variable injection vulnerability in the CLI backend runner that allows attackers to inject malicious environment variables through workspace configuration. Attackers can craft malicious workspace configs to inject arbitrary environment variables into the backend process spawning, enabling code execution or sensitive data exposure.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:41.497", "references": [ "https://github.com/openclaw/openclaw/commit/c2fb7f1948c3226732a630256b5179a60664ec24", "https://github.com/openclaw/openclaw/security/advisories/GHSA-vfw7-6rhc-6xxg", "https://www.vulncheck.com/advisories/openclaw-environment-variable-injection-via-workspace-config-in-cli-backend" ], "cvss_score": 7.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41384", "exploitability_score": "medium", "exploitability_rationale": "High CVSS score (7.8); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41383", "severity": "high", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "OpenClaw before 2026.4.2 contains an arbitrary directory deletion vulnerability in mirror mode that ...", "description": "OpenClaw before 2026.4.2 contains an arbitrary directory deletion vulnerability in mirror mode that allows attackers to delete remote directories by influencing remoteWorkspaceDir and remoteAgentWorkspaceDir configuration values. Attackers can manipulate these OpenShell config paths to cause mirror sync operations to delete unintended remote directory contents and replace them with uploaded workspace data.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:41.360", "references": [ "https://github.com/openclaw/openclaw/commit/b21c9840c2e38f4bb338d031511b479d5f07ca25", "https://github.com/openclaw/openclaw/security/advisories/GHSA-m34q-h93w-vg5x", "https://www.vulncheck.com/advisories/openclaw-arbitrary-remote-directory-deletion-via-mis-scoped-mirror-mode-paths" ], "cvss_score": 8.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41383", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.1); network accessible; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41382", "severity": "medium", "type": "missing_authorization", "nvd_category_id": "CWE-862", "title": "OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord voice ingress th...", "description": "OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord voice ingress that allows attackers to bypass channel and member allowlist restrictions. Attackers can exploit stale-role validation gaps and improper channel name validation to gain unauthorized access to restricted voice channels.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:41.230", "references": [ "https://github.com/openclaw/openclaw/commit/dba96e7507e0900f120e5e28e57755d69bf78759", "https://github.com/openclaw/openclaw/security/advisories/GHSA-x2m8-53h4-6hch", "https://www.vulncheck.com/advisories/openclaw-discord-voice-ingress-authorization-bypass-via-channel-and-role-validation-gaps" ], "cvss_score": 5.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41382", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.4); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41381", "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.3.31 contains an access control bypass vulnerability in the Discord voice manag...", "description": "OpenClaw before 2026.3.31 contains an access control bypass vulnerability in the Discord voice manager that allows attackers to bypass channel-level member access allowlist restrictions. Attackers can send Discord voice ingress requests before channel allowlist authorization is performed, gaining unauthorized access to restricted voice channels.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:41.097", "references": [ "https://github.com/openclaw/openclaw/commit/dba96e7507e0900f120e5e28e57755d69bf78759", "https://github.com/openclaw/openclaw/security/advisories/GHSA-cqgw-44wg-44rf", "https://www.vulncheck.com/advisories/openclaw-access-control-bypass-in-discord-voice-manager-via-channel-allowlist" ], "cvss_score": 5.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41381", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.4); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41380", "severity": "high", "type": "unknown_cwe_807", "nvd_category_id": "CWE-807", "title": "OpenClaw before 2026.3.28 contains an execution approval vulnerability in exec-approvals-allowlist.t...", "description": "OpenClaw before 2026.3.28 contains an execution approval vulnerability in exec-approvals-allowlist.ts that allows allow-always persistence to trust wrapper carrier executables instead of invoked targets. Attackers can exploit positional carrier executable routing through dispatch wrappers to establish broader allowlist entries than intended, weakening execution approval boundaries.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:40.957", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-p4x4-2r7f-wjxg", "https://www.vulncheck.com/advisories/openclaw-arbitrary-execution-allowlist-via-wrapper-carrier-executables" ], "cvss_score": 7.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41380", "exploitability_score": "medium", "exploitability_rationale": "High CVSS score (7.3); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41379", "severity": "high", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated opera...", "description": "OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Talk Voice configuration persistence. Attackers with operator.write privileges can exploit the chat.send endpoint to reach and modify sensitive voice configuration settings intended for administrators only.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:40.820", "references": [ "https://github.com/openclaw/openclaw/commit/e34694733fc64931ed4a543c73d84ad3435d5df1", "https://github.com/openclaw/openclaw/security/advisories/GHSA-3q42-xmxv-9vfr", "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-chat-send-to-admin-class-talk-voice-config" ], "cvss_score": 7.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41379", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.1); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41378", "severity": "high", "type": "missing_authorization", "nvd_category_id": "CWE-862", "title": "OpenClaw before 2026.3.31 contains a privilege escalation vulnerability allowing paired nodes with r...", "description": "OpenClaw before 2026.3.31 contains a privilege escalation vulnerability allowing paired nodes with role=node to dispatch node.event agent requests with unrestricted gateway-side tool access. Attackers with trusted paired node credentials can escalate privileges by leveraging unrestricted agent.request dispatch to achieve remote code execution on the gateway.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:40.687", "references": [ "https://github.com/openclaw/openclaw/commit/a77928b1087e90f2a8903f8e5aca6dec9237ac62", "https://github.com/openclaw/openclaw/security/advisories/GHSA-gjm7-hw8f-73rq", "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-to-remote-code-execution-via-unrestricted-node-event-agent-dispatch" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41378", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.8); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41377", "severity": "medium", "type": "unknown_cwe_636", "nvd_category_id": "CWE-636", "title": "OpenClaw before 2026.3.31 contains a fail-open vulnerability in the plugin installation flow where s...", "description": "OpenClaw before 2026.3.31 contains a fail-open vulnerability in the plugin installation flow where security scan failures do not block installation. Attackers can exploit scan failures to install untrusted plugins when operators proceed despite visible scan warnings.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:40.550", "references": [ "https://github.com/openclaw/openclaw/commit/0d7f1e2c84eca65df7dee890d9c30e2a841c030a", "https://github.com/openclaw/openclaw/commit/44b993613601280d46a5b88190e46669fc13d669", "https://github.com/openclaw/openclaw/commit/7a953a52271b9188a5fa830739a4366614ff9916" ], "cvss_score": 4.6, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41377", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (4.6); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41376", "severity": "medium", "type": "unknown_cwe_346", "nvd_category_id": "CWE-346", "title": "OpenClaw before 2026.3.31 contains an allowlist bypass vulnerability in Matrix thread root and reply...", "description": "OpenClaw before 2026.3.31 contains an allowlist bypass vulnerability in Matrix thread root and reply context handling that fails to properly validate message senders. Attackers can fetch thread-root and reply context messages that should be filtered by sender allowlists, bypassing access controls.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:40.413", "references": [ "https://github.com/openclaw/openclaw/commit/8a563d603b70ef6338915f0527bee87282c3bad5", "https://github.com/openclaw/openclaw/security/advisories/GHSA-rg8m-3943-vm6q", "https://www.vulncheck.com/advisories/openclaw-matrix-thread-context-allowlist-bypass-via-sender-validation" ], "cvss_score": 5.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41376", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.4); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41375", "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in the /phone arm and /phon...", "description": "OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in the /phone arm and /phone disarm endpoints that fails to properly enforce operator.admin scope checks for external channels. Attackers can bypass authorization restrictions to arm or disarm phone channels without proper administrative privileges.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:40.280", "references": [ "https://github.com/openclaw/openclaw/commit/aa66ae1fc797d3298cc409ed2c5da69a89950a45", "https://github.com/openclaw/openclaw/security/advisories/GHSA-h2v7-xc88-xx8c", "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-phone-arm-and-phone-disarm-endpoints" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41375", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41374", "severity": "medium", "type": "unknown_cwe_408", "nvd_category_id": "CWE-408", "title": "OpenClaw before 2026.3.31 performs Discord audio preflight transcription before validating member au...", "description": "OpenClaw before 2026.3.31 performs Discord audio preflight transcription before validating member authorization, allowing unauthenticated attackers to consume resources. Remote attackers can trigger audio preflight processing without member allowlist validation to cause resource exhaustion.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:40.140", "references": [ "https://github.com/openclaw/openclaw/commit/ee52f64226a03efadfdf1e3b759e13424a3d4e41", "https://github.com/openclaw/openclaw/security/advisories/GHSA-hhff-fj5f-qg48", "https://www.vulncheck.com/advisories/openclaw-resource-consumption-via-discord-audio-preflight-before-member-authorization" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41374", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41373", "severity": "medium", "type": "unknown_cwe_427", "nvd_category_id": "CWE-427", "title": "OpenClaw before 2026.3.31 contains an incomplete host-env-security-policy.json that fails to restric...", "description": "OpenClaw before 2026.3.31 contains an incomplete host-env-security-policy.json that fails to restrict compiler binary environment variables, allowing untrusted models to substitute CC, CXX, CARGO_BUILD_RUSTC, and CMAKE_C_COMPILER via environment overrides. Attackers with approved host-exec requests can override compiler binaries to execute arbitrary code during build processes.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T19:37:39.993", "references": [ "https://github.com/openclaw/openclaw/commit/e277a37f896b5011a1df06e6490c6630074d0afa", "https://github.com/openclaw/openclaw/security/advisories/GHSA-g8xp-qx39-9jq9", "https://www.vulncheck.com/advisories/openclaw-compiler-binary-substitution-via-environment-variable-override-in-host-execution-policy" ], "cvss_score": 6.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41373", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.1); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41372", "severity": "medium", "type": "insecure_direct_object_reference", "nvd_category_id": "CWE-639", "title": "OpenClaw before 2026.4.2 fails to normalize trailing-dot localhost hosts in remote CDP discovery res...", "description": "OpenClaw before 2026.4.2 fails to normalize trailing-dot localhost hosts in remote CDP discovery responses, allowing bypass of loopback protections. Attackers can craft hostile discovery responses returning the trailing-dot hostname 'localhost.' to retarget authenticated browser control toward localhost endpoints and expose browser state.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T00:16:26.647", "references": [ "https://github.com/openclaw/openclaw/commit/9c22d636697336a6b22b0ae24798d8b8325d7828", "https://github.com/openclaw/openclaw/security/advisories/GHSA-fh32-73r9-rgh5", "https://www.vulncheck.com/advisories/openclaw-loopback-protection-bypass-via-trailing-dot-localhost-in-cdp-discovery" ], "cvss_score": 5.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41372", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.8); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41371", "severity": "high", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in chat.send that allows wri...", "description": "OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in chat.send that allows write-scoped gateway callers to trigger admin-only session reset operations. Attackers can rotate target sessions, archive prior transcript state, and force new session IDs without requiring admin scope by exploiting improper authorization checks in the chat.send path.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T00:16:26.497", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-5r8f-96gm-5j6g", "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-chat-send-reset-command" ], "cvss_score": 8.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41371", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.5); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41370", "severity": "medium", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "OpenClaw before 2026.3.31 contains a path traversal vulnerability in ACP dispatch that allows attack...", "description": "OpenClaw before 2026.3.31 contains a path traversal vulnerability in ACP dispatch that allows attackers to read arbitrary files by manipulating inbound channel attachment paths. Remote attackers can bypass attachment-cache and root directory checks to access files outside intended directories.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T00:16:26.347", "references": [ "https://github.com/openclaw/openclaw/commit/566fb73d9da2d73c0be0d9b8e5b762e4dcd8e81d", "https://github.com/openclaw/openclaw/security/advisories/GHSA-58q2-7r52-jq62", "https://www.vulncheck.com/advisories/openclaw-path-traversal-via-inbound-channel-attachment-path-in-acp-dispatch" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41370", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); network accessible; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41369", "severity": "medium", "type": "exposure_of_resource_to_wrong_sphere", "nvd_category_id": "CWE-668", "title": "OpenClaw before 2026.3.31 contains insufficient environment variable sanitization in host exec opera...", "description": "OpenClaw before 2026.3.31 contains insufficient environment variable sanitization in host exec operations, failing to filter package, registry, Docker, compiler, and TLS override variables. Attackers can exploit this by injecting malicious environment variables to override critical system configurations and compromise host execution integrity.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T00:16:26.200", "references": [ "https://github.com/openclaw/openclaw/commit/eb8de6715f02949c21c4e895fffc8a6dcb00975c", "https://github.com/openclaw/openclaw/security/advisories/GHSA-cg7q-fg22-4g98", "https://www.vulncheck.com/advisories/openclaw-insufficient-environment-variable-sanitization-in-host-execution" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41369", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41368", "severity": "medium", "type": "exposure_of_resource_to_wrong_sphere", "nvd_category_id": "CWE-668", "title": "OpenClaw before 2026.3.28 contains an environment variable disclosure vulnerability in the jq safe-b...", "description": "OpenClaw before 2026.3.28 contains an environment variable disclosure vulnerability in the jq safe-bin policy that fails to block the $ENV filter. Attackers can bypass safe-bin restrictions by using $ENV in jq programs to access sensitive environment variables that should be restricted.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T00:16:26.047", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-jccr-rrw2-vc8h", "https://www.vulncheck.com/advisories/openclaw-environment-variable-disclosure-via-jq-env-filter-bypass" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41368", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41367", "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw versions 2026.2.14 through 2026.3.24 fail to consistently apply guild and channel policy ga...", "description": "OpenClaw versions 2026.2.14 through 2026.3.24 fail to consistently apply guild and channel policy gates to Discord button and component interactions. Attackers can trigger privileged component actions from blocked contexts by bypassing channel policy enforcement.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T00:16:25.887", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-jp4j-q5fc-58gv", "https://www.vulncheck.com/advisories/openclaw-policy-enforcement-bypass-in-discord-component-interactions" ], "cvss_score": 5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41367", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.0); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41366", "severity": "medium", "type": "incorrect_permission_assignment", "nvd_category_id": "CWE-732", "title": "OpenClaw before 2026.3.31 contains a local roots self-whitelisting vulnerability in appendLocalMedia...", "description": "OpenClaw before 2026.3.31 contains a local roots self-whitelisting vulnerability in appendLocalMediaParentRoots that allows model-initiated arbitrary host file read. Attackers can exploit improper media parent directory validation to exfiltrate credentials and access sensitive files.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T00:16:25.717", "references": [ "https://github.com/openclaw/openclaw/commit/1ca4261d7e055d0be141ed79ebb1365d0fbc7364", "https://github.com/openclaw/openclaw/security/advisories/GHSA-57gh-m6rq-54cf", "https://www.vulncheck.com/advisories/openclaw-arbitrary-host-file-read-via-appendlocalmediaparentroots-self-whitelisting" ], "cvss_score": 5.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41366", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.5); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41365", "severity": "medium", "type": "unknown_cwe_441", "nvd_category_id": "CWE-441", "title": "OpenClaw before 2026.3.31 contains a sender allowlist bypass vulnerability in MS Teams thread histor...", "description": "OpenClaw before 2026.3.31 contains a sender allowlist bypass vulnerability in MS Teams thread history fetched via Graph API. Attackers can retrieve thread messages that should be filtered by sender allowlists, bypassing message filtering restrictions.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T00:16:25.563", "references": [ "https://github.com/openclaw/openclaw/commit/5cca38084074fb5095aa11b6a59820d63e4937c9", "https://github.com/openclaw/openclaw/security/advisories/GHSA-chfm-xgc4-47rj", "https://www.vulncheck.com/advisories/openclaw-sender-allowlist-bypass-via-graph-api-thread-history" ], "cvss_score": 5.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41365", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.4); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41364", "severity": "high", "type": "unknown_cwe_59", "nvd_category_id": "CWE-59", "title": "OpenClaw before 2026.3.31 contains a symlink following vulnerability in SSH sandbox tar upload that ...", "description": "OpenClaw before 2026.3.31 contains a symlink following vulnerability in SSH sandbox tar upload that allows remote attackers to write arbitrary files. Attackers can exploit this by uploading tar archives containing symlinks to escape the sandbox and overwrite files on the remote host.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T00:16:25.410", "references": [ "https://github.com/openclaw/openclaw/commit/3d5af14984ac1976c747a8e11581d697bd0829dc", "https://github.com/openclaw/openclaw/security/advisories/GHSA-fv94-qvg8-xqpw", "https://www.vulncheck.com/advisories/openclaw-arbitrary-file-write-via-symlink-following-in-ssh-sandbox-tar-upload" ], "cvss_score": 8.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41364", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.1); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41363", "severity": "medium", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "OpenClaw versions 2026.2.6 through 2026.3.24 contain a path traversal vulnerability in the Feishu ex...", "description": "OpenClaw versions 2026.2.6 through 2026.3.24 contain a path traversal vulnerability in the Feishu extension resolveUploadInput function that bypasses file-system sandbox restrictions. Attackers can exploit improper path resolution during upload_image operations to read arbitrary files outside configured localRoots boundaries.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T00:16:25.250", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-qf48-qfv4-jjm9", "https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-feishu-upload-image-parameter" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41363", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.3); network accessible; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41362", "severity": "medium", "type": "exposure_of_resource_to_wrong_sphere", "nvd_category_id": "CWE-668", "title": "OpenClaw versions 2026.2.19 before 2026.3.31 contain an improper cache isolation vulnerability in th...", "description": "OpenClaw versions 2026.2.19 before 2026.3.31 contain an improper cache isolation vulnerability in the Zalo webhook replay-dedupe mechanism that is shared across authenticated webhook targets. Attackers controlling one authenticated Zalo webhook path in multi-account deployments can suppress legitimate events on different accounts by matching event_name and message_id parameters.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-28T00:16:25.087", "references": [ "https://github.com/openclaw/openclaw/commit/4d038bb242c11f39e45f6a4bde400e5fd42e4ebf", "https://github.com/openclaw/openclaw/commit/7cea7c29705b188b464cc9cdc107c275b94b2a72", "https://github.com/openclaw/openclaw/security/advisories/GHSA-fqrj-m88p-qf3v" ], "cvss_score": 4.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41362", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (4.3); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-7113", "severity": "medium", "type": "improper_authentication", "nvd_category_id": "CWE-287", "title": "A vulnerability was found in NousResearch hermes-agent 0.8.0. Affected by this issue is some unknown...", "description": "A vulnerability was found in NousResearch hermes-agent 0.8.0. Affected by this issue is some unknown functionality of the file gateway/platforms/webhook.py of the component Webhooks Endpoint. The manipulation of the argument _INSECURE_NO_AUTH results in missing authentication. The attack can be launched remotely. A high complexity level is associated with this attack. The exploitation is known to be difficult. The exploit has been made public and could be used. The project was informed of the problem early through a pull request but has not reacted yet.", "affected": [ "hermes@*" ], "platforms": [ "hermes" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-27T11:16:02.173", "references": [ "https://github.com/NousResearch/hermes-agent/", "https://github.com/NousResearch/hermes-agent/issues/6440", "https://github.com/NousResearch/hermes-agent/pull/6445" ], "cvss_score": 5.6, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7113", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.6); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-7112", "severity": "medium", "type": "improper_authentication", "nvd_category_id": "CWE-287", "title": "A vulnerability has been found in NousResearch hermes-agent 0.8.0. Affected by this vulnerability is...", "description": "A vulnerability has been found in NousResearch hermes-agent 0.8.0. Affected by this vulnerability is the function _check_auth of the file gateway/platforms/api_server.py of the component API_SERVER_KEY Handler. The manipulation leads to improper authentication. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through a pull request but has not reacted yet.", "affected": [ "hermes@*" ], "platforms": [ "hermes" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-27T10:16:10.533", "references": [ "https://github.com/NousResearch/hermes-agent/", "https://github.com/NousResearch/hermes-agent/issues/6439", "https://github.com/NousResearch/hermes-agent/pull/6477" ], "cvss_score": 5.6, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7112", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.6); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-6987", "severity": "high", "type": "unknown_cwe_74", "nvd_category_id": "CWE-74", "title": "A vulnerability was detected in PicoClaw up to 0.2.4. Impacted is an unknown function of the file /a...", "description": "A vulnerability was detected in PicoClaw up to 0.2.4. Impacted is an unknown function of the file /api/gateway/restart of the component Web Launcher Management Plane. Performing a manipulation results in command injection. It is possible to initiate the attack remotely. The project was informed of the problem early through an issue report but has not responded yet.", "affected": [ "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:go:*:*", "picoclaw@*" ], "platforms": [ "picoclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-25T17:16:33.870", "references": [ "https://github.com/sipeed/picoclaw/issues/2307", "https://vuldb.com/submit/796336", "https://vuldb.com/vuln/359530" ], "cvss_score": 7.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6987", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.3); remotely exploitable without authentication; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41361", "severity": "high", "type": "unknown_cwe_184", "nvd_category_id": "CWE-184", "title": "OpenClaw before 2026.3.28 contains an SSRF guard bypass vulnerability that fails to block four IPv6 ...", "description": "OpenClaw before 2026.3.28 contains an SSRF guard bypass vulnerability that fails to block four IPv6 special-use ranges. Attackers can exploit this by crafting URLs targeting internal or non-routable IPv6 addresses to bypass SSRF protections.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-23T22:16:43.870", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-g86v-f9qv-rh6m", "https://www.vulncheck.com/advisories/openclaw-ssrf-guard-bypass-via-ipv6-special-use-ranges" ], "cvss_score": 7.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41361", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.1); network accessible; SSRF affects agents making external requests", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41360", "severity": "medium", "type": "unknown_cwe_367", "nvd_category_id": "CWE-367", "title": "OpenClaw before 2026.4.2 contains an approval integrity vulnerability in pnpm dlx that fails to bind...", "description": "OpenClaw before 2026.4.2 contains an approval integrity vulnerability in pnpm dlx that fails to bind local script operands consistently with pnpm exec flows. Attackers can replace approved local scripts before execution without invalidating the approval plan, allowing execution of modified script contents.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-23T22:16:43.703", "references": [ "https://github.com/openclaw/openclaw/commit/176c059b05357df1bc09d4328a2380670859eeff", "https://github.com/openclaw/openclaw/security/advisories/GHSA-w6wx-jq6j-6mcj", "https://www.vulncheck.com/advisories/openclaw-approval-integrity-bypass-in-pnpm-dlx-local-script-binding" ], "cvss_score": 6.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41360", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.7); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": true, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41359", "severity": "high", "type": "improper_privilege_management", "nvd_category_id": "CWE-269", "title": "OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated opera...", "description": "OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Telegram configuration and cron persistence settings via the send endpoint. Attackers with operator.write credentials can exploit insufficient access controls to reach sensitive administrative functionality and modify persistence mechanisms.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-23T22:16:43.527", "references": [ "https://github.com/openclaw/openclaw/commit/b7d70ade3b9900dbe97bd73be9c02e924ff3c986", "https://github.com/openclaw/openclaw/security/advisories/GHSA-767m-xrhc-fxm7", "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-operator-write-to-admin-class-telegram-config-and-cron-persistence" ], "cvss_score": 7.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41359", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.1); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41358", "severity": "medium", "type": "unknown_cwe_346", "nvd_category_id": "CWE-346", "title": "OpenClaw before 2026.4.2 fails to filter Slack thread context by sender allowlist, allowing non-allo...", "description": "OpenClaw before 2026.4.2 fails to filter Slack thread context by sender allowlist, allowing non-allowlisted messages to enter agent context. Attackers can inject unauthorized thread messages through allowlisted user replies to bypass sender access controls and manipulate model context.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-23T22:16:43.350", "references": [ "https://github.com/openclaw/openclaw/commit/ac5bc4fb37becc64a2ec314864cca1565e921f2d", "https://github.com/openclaw/openclaw/security/advisories/GHSA-qm77-8qjp-4vcm", "https://www.vulncheck.com/advisories/openclaw-sender-allowlist-bypass-via-slack-thread-context" ], "cvss_score": 5.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41358", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.4); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41357", "severity": "low", "type": "unknown_cwe_214", "nvd_category_id": "CWE-214", "title": "OpenClaw before 2026.3.31 contains an environment variable leakage vulnerability in SSH-based sandbo...", "description": "OpenClaw before 2026.3.31 contains an environment variable leakage vulnerability in SSH-based sandbox backends that pass unsanitized process.env to child processes. Attackers can exploit this by leveraging non-default SSH environment forwarding configurations to leak sensitive environment variables from parent processes to SSH child processes.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-23T22:16:43.177", "references": [ "https://github.com/openclaw/openclaw/commit/cfe14459531e002a1c61c27d97ec7dc8aecddc1f", "https://github.com/openclaw/openclaw/security/advisories/GHSA-j9pv-rrcj-6pfx", "https://www.vulncheck.com/advisories/openclaw-unsanitized-environment-variable-leakage-in-ssh-sandbox-backends" ], "cvss_score": 3.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41357", "exploitability_score": "low", "exploitability_rationale": "Low CVSS score (3.3); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41356", "severity": "medium", "type": "unknown_cwe_613", "nvd_category_id": "CWE-613", "title": "OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. ...", "description": "OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-23T22:16:43.007", "references": [ "https://github.com/openclaw/openclaw/commit/91f7a6b0fd67b703897e6e307762d471ca09333d", "https://github.com/openclaw/openclaw/security/advisories/GHSA-rfqg-qgf8-xr9x", "https://www.vulncheck.com/advisories/openclaw-incomplete-websocket-session-termination-in-device-token-rotate" ], "cvss_score": 5.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41356", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.4); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41355", "severity": "high", "type": "unknown_cwe_829", "nvd_category_id": "CWE-829", "title": "OpenClaw before 2026.3.28 contains an arbitrary code execution vulnerability in mirror mode that con...", "description": "OpenClaw before 2026.3.28 contains an arbitrary code execution vulnerability in mirror mode that converts untrusted sandbox files into workspace hooks. Attackers with mirror mode access can execute arbitrary code on the host during gateway startup by exploiting enabled workspace hooks.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-23T22:16:42.840", "references": [ "https://github.com/openclaw/openclaw/commit/c02ee8a3a4cb390b23afdf21317aa8b2096854d1", "https://github.com/openclaw/openclaw/security/advisories/GHSA-42mx-vp8m-j7qh", "https://www.vulncheck.com/advisories/openshell-arbitrary-code-execution-via-mirror-mode-sandbox-file-conversion" ], "cvss_score": 7.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41355", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.3); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41354", "severity": "low", "type": "unknown_cwe_706", "nvd_category_id": "CWE-706", "title": "OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe ...", "description": "OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows legitimate events from different conversations or senders to collide. Attackers can exploit weak deduplication scoping to cause silent message suppression and disrupt bot workflows across chat sessions.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-23T22:16:42.670", "references": [ "https://github.com/openclaw/openclaw/commit/ef7c553dd16ee579f1d1a363f5881a99726c1412", "https://github.com/openclaw/openclaw/security/advisories/GHSA-rxmx-g7hr-8mx4", "https://www.vulncheck.com/advisories/openclaw-insufficient-scope-in-zalo-webhook-replay-dedupe-keys" ], "cvss_score": 3.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41354", "exploitability_score": "low", "exploitability_rationale": "Low CVSS score (3.7); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41353", "severity": "high", "type": "unknown_cwe_472", "nvd_category_id": "CWE-472", "title": "OpenClaw before 2026.3.22 contains an access control bypass vulnerability in the allowProfiles featu...", "description": "OpenClaw before 2026.3.22 contains an access control bypass vulnerability in the allowProfiles feature that allows attackers to circumvent profile restrictions through persistent profile mutation and runtime profile selection. Remote attackers can exploit this by manipulating browser proxy profiles at runtime to access restricted profiles and bypass intended access controls.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-23T22:16:42.493", "references": [ "https://github.com/openclaw/openclaw/commit/eac93507c36ccd0c359fba18fa466ef6448be8a5", "https://github.com/openclaw/openclaw/security/advisories/GHSA-h5hg-h7rr-gpf3", "https://www.vulncheck.com/advisories/openclaw-allowprofiles-bypass-via-profile-mutation-and-runtime-selection" ], "cvss_score": 8.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41353", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.1); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41352", "severity": "high", "type": "missing_authorization", "nvd_category_id": "CWE-862", "title": "OpenClaw before 2026.3.31 contains a remote code execution vulnerability where a device-paired node ...", "description": "OpenClaw before 2026.3.31 contains a remote code execution vulnerability where a device-paired node can bypass the node scope gate authentication mechanism. Attackers with device pairing credentials can execute arbitrary node commands on the host system without proper node pairing validation.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-23T22:16:42.327", "references": [ "https://github.com/openclaw/openclaw/commit/3886b65ef21d02808c1a106fa1f9f69e22f71c32", "https://github.com/openclaw/openclaw/security/advisories/GHSA-xj9w-5r6q-x6v4", "https://www.vulncheck.com/advisories/openclaw-remote-code-execution-via-node-scope-gate-bypass" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41352", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.8); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41351", "severity": "medium", "type": "unknown_cwe_294", "nvd_category_id": "CWE-294", "title": "OpenClaw before 2026.3.31 contains a replay detection bypass vulnerability in webhook signature hand...", "description": "OpenClaw before 2026.3.31 contains a replay detection bypass vulnerability in webhook signature handling that treats Base64 and Base64URL encoded signatures as distinct requests. Attackers can re-encode Telnyx webhook signatures to bypass replay detection while maintaining valid signature verification.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-23T22:16:42.160", "references": [ "https://github.com/openclaw/openclaw/commit/ad77666054651c1fd77b1dc60fd6a8db6600a29a", "https://github.com/openclaw/openclaw/security/advisories/GHSA-37v6-fxx8-xjmx", "https://www.vulncheck.com/advisories/openclaw-webhook-replay-detection-bypass-via-base64-signature-re-encoding" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41351", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41350", "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.3.31 contains a session visibility bypass vulnerability where the session_statu...", "description": "OpenClaw before 2026.3.31 contains a session visibility bypass vulnerability where the session_status function fails to enforce configured tools.sessions.visibility restrictions for unsandboxed invocations. Attackers can invoke session_status without sandbox constraints to bypass session-policy controls and access restricted session information.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-23T22:16:42.000", "references": [ "https://github.com/openclaw/openclaw/commit/4d369a3400dc9b737fbe8daa63f09d909ce7beb8", "https://github.com/openclaw/openclaw/security/advisories/GHSA-fwjq-xwfj-gv75", "https://www.vulncheck.com/advisories/openclaw-session-visibility-bypass-via-session-status-in-unsandboxed-invocations" ], "cvss_score": 4.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41350", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (4.3); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41349", "severity": "high", "type": "missing_authorization", "nvd_category_id": "CWE-862", "title": "OpenClaw before 2026.3.28 contains an agentic consent bypass vulnerability allowing LLM agents to si...", "description": "OpenClaw before 2026.3.28 contains an agentic consent bypass vulnerability allowing LLM agents to silently disable execution approval via config.patch parameter. Remote attackers can exploit this to bypass security controls and execute unauthorized operations without user consent.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-23T22:16:41.827", "references": [ "https://github.com/openclaw/openclaw/commit/76411b2afc4ae721e36c12e0ea24fd23e2fed61e", "https://github.com/openclaw/openclaw/security/advisories/GHSA-v3qc-wrwx-j3pw", "https://www.vulncheck.com/advisories/openclaw-agentic-consent-bypass-via-config-patch" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41349", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.8); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41348", "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord slash command an...", "description": "OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord slash command and autocomplete paths that fail to enforce group DM channel allowlist restrictions. Authorized Discord users can bypass channel restrictions by invoking slash commands, allowing access to restricted group DM channels.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-23T22:16:41.660", "references": [ "https://github.com/openclaw/openclaw/commit/8fdb19676ab44cf85d47ee13c578195f2e527591", "https://github.com/openclaw/openclaw/security/advisories/GHSA-rvvf-6vh3-9j43", "https://www.vulncheck.com/advisories/openclaw-group-dm-channel-allowlist-bypass-via-discord-slash-commands" ], "cvss_score": 5.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41348", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.4); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41347", "severity": "high", "type": "cross_site_request_forgery", "nvd_category_id": "CWE-352", "title": "OpenClaw before 2026.3.31 lacks browser-origin validation in HTTP operator endpoints when operating ...", "description": "OpenClaw before 2026.3.31 lacks browser-origin validation in HTTP operator endpoints when operating in trusted-proxy mode, allowing cross-site request forgery attacks. Attackers can exploit this by sending malicious requests from a browser in trusted-proxy deployments to perform unauthorized actions on HTTP operator endpoints.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-23T22:16:41.483", "references": [ "https://github.com/openclaw/openclaw/commit/6b3f99a11f4d070fa5ed2533abbb3d7329ea4f0d", "https://github.com/openclaw/openclaw/security/advisories/GHSA-mhr7-2xmv-4c4q", "https://www.vulncheck.com/advisories/openclaw-cross-site-request-forgery-via-missing-browser-origin-validation-in-http-operator-endpoints" ], "cvss_score": 7.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41347", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.1); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41346", "severity": "medium", "type": "unknown_cwe_799", "nvd_category_id": "CWE-799", "title": "OpenClaw 2026.2.26 before 2026.3.31 enforces pending pairing-request caps per channel file instead o...", "description": "OpenClaw 2026.2.26 before 2026.3.31 enforces pending pairing-request caps per channel file instead of per account, allowing attackers to exhaust the shared pending window. Remote attackers can submit pairing requests from other accounts to block new pairing challenges on unaffected accounts, causing denial of service.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-23T22:16:41.313", "references": [ "https://github.com/openclaw/openclaw/commit/9bc1f896c8cd325dd4761681e9bdb8c425f69785", "https://github.com/openclaw/openclaw/security/advisories/GHSA-wwfp-w96m-c6x8", "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-improper-pending-pairing-request-cap-enforcement" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41346", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41345", "severity": "medium", "type": "unknown_cwe_522", "nvd_category_id": "CWE-522", "title": "OpenClaw before 2026.3.31 contains a credential exposure vulnerability in media download functionali...", "description": "OpenClaw before 2026.3.31 contains a credential exposure vulnerability in media download functionality that forwards Authorization headers across cross-origin redirects. Attackers can exploit this by crafting malicious cross-origin redirect chains to intercept sensitive authorization credentials intended for legitimate requests.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-23T22:16:41.147", "references": [ "https://github.com/openclaw/openclaw/commit/e704323ff388ed21f6963f9b8e0b1b8dfaaabc5f", "https://github.com/openclaw/openclaw/security/advisories/GHSA-68v4-hmwv-f43h", "https://www.vulncheck.com/advisories/openclaw-authorization-header-leak-via-cross-origin-redirect-in-media-download" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41345", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.3); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": true, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41344", "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the chat.send endpoint th...", "description": "OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the chat.send endpoint that allows write-scoped gateway callers to persist admin-only verboseLevel session overrides. Attackers can exploit the /verbose parameter to bypass access controls and expose sensitive reasoning or tool output intended to be restricted to administrators.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-23T22:16:40.970", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-5h2w-qmfp-ggp6", "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-chat-send-verbose-parameter" ], "cvss_score": 5.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41344", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.4); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41343", "severity": "medium", "type": "unknown_cwe_799", "nvd_category_id": "CWE-799", "title": "OpenClaw before 2026.3.31 lacks a shared pre-auth concurrency budget on the public LINE webhook path...", "description": "OpenClaw before 2026.3.31 lacks a shared pre-auth concurrency budget on the public LINE webhook path, allowing attackers to cause transient availability loss. Remote attackers can flood the webhook endpoint with concurrent requests before signature verification to exhaust resources and degrade service availability.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-23T22:16:40.803", "references": [ "https://github.com/openclaw/openclaw/commit/57c47d8c7fbf5a2e70cc4dec2380977968903cad", "https://github.com/openclaw/openclaw/security/advisories/GHSA-qcc3-jqwp-5vh2", "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-line-webhook-handler-pre-auth-concurrency" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41343", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41342", "severity": "high", "type": "unknown_cwe_346", "nvd_category_id": "CWE-346", "title": "OpenClaw before 2026.3.28 contains an authentication bypass vulnerability in the remote onboarding c...", "description": "OpenClaw before 2026.3.28 contains an authentication bypass vulnerability in the remote onboarding component that persists unauthenticated discovery endpoints without explicit trust confirmation. Attackers can spoof discovery endpoints to redirect onboarding toward malicious gateways and capture gateway credentials or traffic.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-23T22:16:40.640", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-3cw3-5vxw-g2h3", "https://www.vulncheck.com/advisories/openclaw-unauthenticated-discovery-endpoint-credential-exfiltration-via-remote-onboarding" ], "cvss_score": 7.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41342", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.3); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41341", "severity": "medium", "type": "unknown_cwe_351", "nvd_category_id": "CWE-351", "title": "OpenClaw before 2026.3.31 contains a logic error in Discord component interaction routing that miscl...", "description": "OpenClaw before 2026.3.31 contains a logic error in Discord component interaction routing that misclassifies group direct messages as direct messages in extensions/discord/src/monitor/agent-components-helpers.ts. Attackers can exploit this misclassification to bypass group DM policy enforcement or trigger incorrect session handling.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-23T22:16:40.477", "references": [ "https://github.com/openclaw/openclaw/commit/8c83128fc38d5a3642b8ccbea58550755fdbbbaf", "https://github.com/openclaw/openclaw/security/advisories/GHSA-6336-qqw9-v6x6", "https://www.vulncheck.com/advisories/openclaw-component-interaction-misclassification-in-discord-extension" ], "cvss_score": 5.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41341", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.4); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41340", "severity": "medium", "type": "unknown_cwe_372", "nvd_category_id": "CWE-372", "title": "OpenClaw before 2026.3.31 contains an authentication boundary vulnerability where Telegram legacy al...", "description": "OpenClaw before 2026.3.31 contains an authentication boundary vulnerability where Telegram legacy allowFrom migration incorrectly fans default-account trust into all named accounts. Attackers can exploit this trust propagation to bypass authentication controls and gain unauthorized access to named accounts.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-23T22:16:40.307", "references": [ "https://github.com/openclaw/openclaw/commit/d8c68c8d4265ea6fa5e8c5e056534c351bddef37", "https://github.com/openclaw/openclaw/security/advisories/GHSA-f693-58pc-2gfr", "https://www.vulncheck.com/advisories/openclaw-authentication-boundary-bypass-via-telegram-legacy-allowfrom-migration" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41340", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41339", "severity": "medium", "type": "unknown_cwe_497", "nvd_category_id": "CWE-497", "title": "OpenClaw before 2026.4.2 exposes configPath and stateDir metadata in Gateway connect success snapsho...", "description": "OpenClaw before 2026.4.2 exposes configPath and stateDir metadata in Gateway connect success snapshots to non-admin authenticated clients. Non-admin clients can recover host-specific filesystem paths and deployment details, enabling host fingerprinting and facilitating chained attacks.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-23T22:16:40.140", "references": [ "https://github.com/openclaw/openclaw/commit/676b748056b5efca6f1255708e9dd9469edf5e2e", "https://github.com/openclaw/openclaw/security/advisories/GHSA-2f7j-rp58-mr42", "https://www.vulncheck.com/advisories/openclaw-information-disclosure-via-gateway-connect-snapshot" ], "cvss_score": 4.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41339", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (4.3); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41338", "severity": "medium", "type": "unknown_cwe_367", "nvd_category_id": "CWE-367", "title": "OpenClaw before 2026.3.31 contains a time-of-check-time-of-use vulnerability in sandbox file operati...", "description": "OpenClaw before 2026.3.31 contains a time-of-check-time-of-use vulnerability in sandbox file operations that allows attackers to bypass fd-based defenses. Attackers can exploit check-then-act patterns in apply_patch, remove, and mkdir operations to manipulate files between validation and execution.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-23T22:16:39.957", "references": [ "https://github.com/openclaw/openclaw/commit/32a4a47d602e0618f87b3e59f94d8c142767f860", "https://github.com/openclaw/openclaw/security/advisories/GHSA-rm5c-4rmf-vvhw", "https://www.vulncheck.com/advisories/openclaw-time-of-check-time-of-use-toctou-vulnerability-in-sandbox-file-operations" ], "cvss_score": 5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41338", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.0); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": true, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41337", "severity": "medium", "type": "unknown_cwe_367", "nvd_category_id": "CWE-367", "title": "OpenClaw before 2026.3.31 contains a callback origin mutation vulnerability in Plivo voice-call repl...", "description": "OpenClaw before 2026.3.31 contains a callback origin mutation vulnerability in Plivo voice-call replay that allows attackers to mutate in-process callback origin before replay rejection. Attackers with captured valid callbacks for live calls can exploit this to manipulate callback origins during the replay process.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-23T22:16:39.780", "references": [ "https://github.com/openclaw/openclaw/commit/efe9183f9d2fd5e01c8068fa01f4a07a58a63c0b", "https://github.com/openclaw/openclaw/security/advisories/GHSA-89r3-6x4j-v7wf", "https://www.vulncheck.com/advisories/openclaw-callback-origin-mutation-in-plivo-voice-call-replay" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41337", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41336", "severity": "high", "type": "unknown_cwe_829", "nvd_category_id": "CWE-829", "title": "OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_HOOKS_DIR env...", "description": "OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_HOOKS_DIR environment variable, enabling loading of attacker-controlled hook code. Attackers can replace trusted default-on bundled hooks from untrusted workspaces to execute arbitrary code.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-23T22:16:39.603", "references": [ "https://github.com/openclaw/openclaw/commit/330a9f98cb29c79b1c16a2117e03d6276a0d6289", "https://github.com/openclaw/openclaw/security/advisories/GHSA-3qpv-xf3v-mm45", "https://www.vulncheck.com/advisories/openclaw-arbitrary-hook-code-execution-via-openclaw-bundled-hooks-dir-environment-variable-override" ], "cvss_score": 7.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41336", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.8); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41335", "severity": "medium", "type": "unknown_cwe_497", "nvd_category_id": "CWE-497", "title": "OpenClaw before 2026.3.31 contains an information disclosure vulnerability in the Control Interface ...", "description": "OpenClaw before 2026.3.31 contains an information disclosure vulnerability in the Control Interface bootstrap JSON that exposes version and assistant agent identifiers. Attackers can extract sensitive fingerprinting information from the Control UI bootstrap payload to identify system versions and agent configurations.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-23T22:16:39.430", "references": [ "https://github.com/openclaw/openclaw/commit/c5c10adc022f42eb75ebb3bf364dd607738683b3", "https://github.com/openclaw/openclaw/security/advisories/GHSA-hr8g-2q7x-3f4w", "https://www.vulncheck.com/advisories/openclaw-information-disclosure-via-control-ui-bootstrap-json" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41335", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41334", "severity": "medium", "type": "unknown_cwe_636", "nvd_category_id": "CWE-636", "title": "OpenClaw before 2026.3.31 contains a decompression bomb vulnerability in image processing that fails...", "description": "OpenClaw before 2026.3.31 contains a decompression bomb vulnerability in image processing that fails to properly enforce pixel-limit guards on sips. Attackers can exploit this by uploading oversized images to cause denial of service through excessive memory consumption.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-23T22:16:39.263", "references": [ "https://github.com/openclaw/openclaw/commit/0ed4f8a72bb140045962e97ab01c94c076b758a4", "https://github.com/openclaw/openclaw/security/advisories/GHSA-w85g-3h6x-4xh2", "https://www.vulncheck.com/advisories/openclaw-decompression-bomb-denial-of-service-via-image-pixel-limit-guard-bypass" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41334", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41333", "severity": "low", "type": "unknown_cwe_799", "nvd_category_id": "CWE-799", "title": "OpenClaw before 2026.3.31 contains an authentication rate limiting bypass vulnerability that allows ...", "description": "OpenClaw before 2026.3.31 contains an authentication rate limiting bypass vulnerability that allows attackers to circumvent shared authentication protections using fake device tokens. Attackers can exploit the mixed WebSocket authentication flow to bypass rate limiting controls and conduct brute force attacks against weak shared passwords.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-23T22:16:39.083", "references": [ "https://github.com/openclaw/openclaw/commit/af0c0862f22ca4492406a3103d05e3628f94cbe9", "https://github.com/openclaw/openclaw/security/advisories/GHSA-6p8r-6m93-557f", "https://www.vulncheck.com/advisories/openclaw-authentication-rate-limiting-bypass-via-fake-devicetoken" ], "cvss_score": 3.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41333", "exploitability_score": "high", "exploitability_rationale": "Low CVSS score (3.7); remotely exploitable without authentication; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41332", "severity": "medium", "type": "unknown_cwe_184", "nvd_category_id": "CWE-184", "title": "OpenClaw before 2026.3.28 contains an environment variable sanitization vulnerability where GIT_TEMP...", "description": "OpenClaw before 2026.3.28 contains an environment variable sanitization vulnerability where GIT_TEMPLATE_DIR and AWS_CONFIG_FILE are not blocked in the host-env blocklist. Attackers can exploit approved exec requests to redirect git or AWS CLI behavior through attacker-controlled configuration files to execute untrusted code or load malicious credentials.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-23T22:16:38.907", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-m866-6qv5-p2fg", "https://www.vulncheck.com/advisories/openclaw-code-execution-via-missing-environment-variable-blocklist" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41332", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.3); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41909", "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.4.20 contains an improper authorization vulnerability in paired-device pairing ...", "description": "OpenClaw before 2026.4.20 contains an improper authorization vulnerability in paired-device pairing management that allows limited-scope sessions to enumerate and act on pairing requests. Attackers with paired-device access can approve or operate on unrelated pending device requests within the same gateway scope.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-23T18:16:29.693", "references": [ "https://github.com/openclaw/openclaw/commit/5a12f30441d5b0b151f550daa2c5c9e8db61e2e6", "https://github.com/openclaw/openclaw/security/advisories/GHSA-xrq9-jm7v-g9h7", "https://www.vulncheck.com/advisories/openclaw-improper-authorization-in-paired-device-pairing-actions" ], "cvss_score": 5.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41909", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.4); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41908", "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media r...", "description": "OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows trusted-proxy callers without operator.read scope to access protected assistant-media files and metadata. Attackers can bypass identity-bearing HTTP auth path scope validation to retrieve sensitive media content within allowed media roots.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-23T18:16:29.543", "references": [ "https://github.com/openclaw/openclaw/commit/99ef3a63c58440d53f8e45ad861b846032fcb036", "https://github.com/openclaw/openclaw/security/advisories/GHSA-v8qf-fr4g-28p2", "https://www.vulncheck.com/advisories/openclaw-scope-enforcement-bypass-in-assistant-media-route" ], "cvss_score": 4.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41908", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (4.3); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41331", "severity": "medium", "type": "unknown_cwe_408", "nvd_category_id": "CWE-408", "title": "OpenClaw before 2026.3.31 contains a resource consumption vulnerability in Telegram audio preflight ...", "description": "OpenClaw before 2026.3.31 contains a resource consumption vulnerability in Telegram audio preflight transcription that allows unauthorized group senders to trigger transcription processing. Attackers can exploit insufficient allowlist enforcement to cause resource or billing consumption by initiating audio preflight operations before authorization checks are applied.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-21T00:16:31.740", "references": [ "https://github.com/openclaw/openclaw/commit/c4fa8635d03943ffe9e294d501089521dca635c5", "https://github.com/openclaw/openclaw/security/advisories/GHSA-m6fx-m8hc-572m", "https://www.vulncheck.com/advisories/openclaw-resource-consumption-via-unauthorized-telegram-audio-preflight-transcription" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41331", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41330", "severity": "medium", "type": "unknown_cwe_453", "nvd_category_id": "CWE-453", "title": "OpenClaw before 2026.3.31 contains an environment variable override vulnerability in host exec polic...", "description": "OpenClaw before 2026.3.31 contains an environment variable override vulnerability in host exec policy that fails to properly enforce proxy, TLS, Docker, and Git TLS controls. Attackers can bypass security controls by overriding environment variables to circumvent proxy settings, TLS verification, Docker restrictions, and Git TLS enforcement.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-21T00:16:31.557", "references": [ "https://github.com/openclaw/openclaw/commit/4d912e04519b4bd53b248437c53748cdebce9a41", "https://github.com/openclaw/openclaw/security/advisories/GHSA-9gp8-hjxr-6f34", "https://www.vulncheck.com/advisories/openclaw-environment-variable-override-via-host-exec-policy" ], "cvss_score": 4.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41330", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (4.4); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41329", "severity": "critical", "type": "unknown_cwe_648", "nvd_category_id": "CWE-648", "title": "OpenClaw before 2026.3.31 contains a sandbox bypass vulnerability allowing attackers to escalate pri...", "description": "OpenClaw before 2026.3.31 contains a sandbox bypass vulnerability allowing attackers to escalate privileges via heartbeat context inheritance and senderIsOwner parameter manipulation. Attackers can exploit improper context validation to bypass sandbox restrictions and achieve unauthorized privilege escalation.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-21T00:16:31.390", "references": [ "https://github.com/openclaw/openclaw/commit/a30214a624946fc5c85c9558a27c1580172374fd", "https://github.com/openclaw/openclaw/security/advisories/GHSA-g5cg-8x5w-7jpm", "https://www.vulncheck.com/advisories/openclaw-sandbox-bypass-via-heartbeat-context-inheritance-and-senderisowner-escalation" ], "cvss_score": 9.9, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41329", "exploitability_score": "high", "exploitability_rationale": "Critical CVSS score (9.9); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41303", "severity": "high", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in Discord text approval co...", "description": "OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in Discord text approval commands that allows non-approvers to resolve pending exec approvals. Attackers can send Discord text commands to bypass the channels.discord.execApprovals.approvers allowlist and approve pending host execution requests.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-21T00:16:31.223", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-98hh-7ghg-x6rq", "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-discord-text-approval-commands" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41303", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.8); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41302", "severity": "high", "type": "server_side_request_forgery", "nvd_category_id": "CWE-918", "title": "OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace pl...", "description": "OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows remote attackers to make arbitrary network requests. Attackers can exploit unguarded fetch() calls to access internal resources or interact with external services on behalf of the affected system.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-21T00:16:31.050", "references": [ "https://github.com/openclaw/openclaw/commit/8deb9522f3d2680820588b190adb4a2a52f3670b", "https://github.com/openclaw/openclaw/security/advisories/GHSA-9q7v-8mr7-g23p", "https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-unguarded-fetch-in-marketplace-plugin-download" ], "cvss_score": 7.6, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41302", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.6); network accessible; SSRF affects agents making external requests", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41301", "severity": "medium", "type": "unknown_cwe_347", "nvd_category_id": "CWE-347", "title": "OpenClaw versions 2026.3.22 before 2026.3.31 contain a signature verification bypass vulnerability i...", "description": "OpenClaw versions 2026.3.22 before 2026.3.31 contain a signature verification bypass vulnerability in the Nostr DM ingress path that allows pairing challenges to be issued before event signature validation. An unauthenticated remote attacker can send forged direct messages to create pending pairing entries and trigger pairing-reply attempts, consuming shared pairing capacity and triggering bounded relay and logging work on the Nostr channel.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-21T00:16:30.873", "references": [ "https://github.com/openclaw/openclaw/commit/4ee742174f36b5445703e3b1ef2fbd6ae6700fa4", "https://github.com/openclaw/openclaw/security/advisories/GHSA-h43v-27wg-5mf9", "https://www.vulncheck.com/advisories/openclaw-forged-nostr-dm-pairing-state-creation-via-signature-verification-bypass" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41301", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41300", "severity": "medium", "type": "unknown_cwe_372", "nvd_category_id": "CWE-372", "title": "OpenClaw before 2026.3.31 contains a trust-decline vulnerability that preserves attacker-discovered ...", "description": "OpenClaw before 2026.3.31 contains a trust-decline vulnerability that preserves attacker-discovered endpoints in remote onboarding flows. Attackers can route gateway credentials to malicious endpoints by having their discovered URL survive the trust decline process into manual prompts requiring operator acceptance.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-21T00:16:30.690", "references": [ "https://github.com/openclaw/openclaw/commit/2a75416634837c21ed05b8c3ed906eb7a7807060", "https://github.com/openclaw/openclaw/security/advisories/GHSA-9f4w-67g7-mqwv", "https://www.vulncheck.com/advisories/openclaw-attacker-discovered-endpoint-preservation-in-remote-onboarding" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41300", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.5); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41299", "severity": "high", "type": "unknown_cwe_807", "nvd_category_id": "CWE-807", "title": "OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in the chat.send gateway me...", "description": "OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in the chat.send gateway method where ACP-only provenance fields are gated by self-declared client metadata from WebSocket handshake rather than verified authorization state. Authenticated operator clients can spoof ACP identity labels and inject reserved provenance fields intended only for the ACP bridge by manipulating client metadata during connection.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-21T00:16:30.517", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-6xg4-82hv-cp6f", "https://www.vulncheck.com/advisories/openclaw-client-identity-spoofing-in-chat-send-gateway-provenance-guard" ], "cvss_score": 7.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41299", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.1); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41298", "severity": "medium", "type": "missing_authorization", "nvd_category_id": "CWE-862", "title": "OpenClaw before 2026.4.2 fails to enforce write scopes on the POST /sessions/:sessionKey/kill endpoi...", "description": "OpenClaw before 2026.4.2 fails to enforce write scopes on the POST /sessions/:sessionKey/kill endpoint in identity-bearing HTTP modes. Read-scoped callers can terminate running subagent sessions by sending requests to this endpoint, bypassing authorization controls.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-21T00:16:30.350", "references": [ "https://github.com/openclaw/openclaw/commit/54a0878517167c6e49900498cf77420dadb74beb", "https://github.com/openclaw/openclaw/security/advisories/GHSA-5hff-46vh-rxmw", "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-session-termination-endpoint" ], "cvss_score": 5.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41298", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.4); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41297", "severity": "high", "type": "server_side_request_forgery", "nvd_category_id": "CWE-918", "title": "OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace pl...", "description": "OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows attackers to access internal resources by following unvalidated redirects. The marketplace.ts module fails to restrict redirect destinations during archive downloads, enabling remote attackers to redirect requests to arbitrary internal or external servers.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-21T00:16:30.163", "references": [ "https://github.com/openclaw/openclaw/commit/2ce44ca6a1302b166a128abbd78f72114f2f4f52", "https://github.com/openclaw/openclaw/security/advisories/GHSA-vjx8-8p7h-82gr", "https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-marketplace-plugin-download-redirect" ], "cvss_score": 7.6, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41297", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.6); network accessible; SSRF affects agents making external requests", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41296", "severity": "high", "type": "unknown_cwe_367", "nvd_category_id": "CWE-367", "title": "OpenClaw before 2026.3.31 contains a time-of-check-time-of-use race condition in the remote filesyst...", "description": "OpenClaw before 2026.3.31 contains a time-of-check-time-of-use race condition in the remote filesystem bridge readFile function that allows sandbox escape. Attackers can exploit the separate path validation and file read operations to bypass sandbox restrictions and read arbitrary files.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-21T00:16:29.993", "references": [ "https://github.com/openclaw/openclaw/commit/121870a08583033ed6a0ed73d9ffea32991252bb", "https://github.com/openclaw/openclaw/security/advisories/GHSA-9p3r-hh9g-5cmg", "https://www.vulncheck.com/advisories/openclaw-sandbox-escape-via-toctou-race-in-remote-fs-bridge-readfile" ], "cvss_score": 8.2, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41296", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.2); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41295", "severity": "high", "type": "unknown_cwe_829", "nvd_category_id": "CWE-829", "title": "OpenClaw before 2026.4.2 contains an improper trust boundary vulnerability allowing untrusted worksp...", "description": "OpenClaw before 2026.4.2 contains an improper trust boundary vulnerability allowing untrusted workspace channel shadows to execute during built-in channel setup and login. Attackers can clone a workspace with a malicious plugin claiming a bundled channel id to achieve unintended in-process code execution before the plugin is explicitly trusted.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-21T00:16:29.803", "references": [ "https://github.com/openclaw/openclaw/commit/53c29df2a9eb242a70d0ff29f3d1e67c8d6801f0", "https://github.com/openclaw/openclaw/security/advisories/GHSA-2qrv-rc5x-2g2h", "https://www.vulncheck.com/advisories/openclaw-untrusted-workspace-channel-shadow-code-execution-during-built-in-channel-setup" ], "cvss_score": 7.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41295", "exploitability_score": "medium", "exploitability_rationale": "High CVSS score (7.8); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41294", "severity": "high", "type": "unknown_cwe_15", "nvd_category_id": "CWE-15", "title": "OpenClaw before 2026.3.28 loads the current working directory .env file before trusted state-dir con...", "description": "OpenClaw before 2026.3.28 loads the current working directory .env file before trusted state-dir configuration, allowing environment variable injection. Attackers can place a malicious .env file in a repository or workspace to override runtime configuration and security-sensitive environment settings during OpenClaw startup.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-21T00:16:29.637", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-8rh7-6779-cjqq", "https://www.vulncheck.com/advisories/openclaw-environment-variable-injection-via-cwd-env-file" ], "cvss_score": 8.6, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41294", "exploitability_score": "medium", "exploitability_rationale": "High CVSS score (8.6); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-40045", "severity": "medium", "type": "cleartext_transmission_of_sensitive_information", "nvd_category_id": "CWE-319", "title": "OpenClaw before 2026.4.2 accepts non-loopback cleartext ws:// gateway endpoints and transmits stored...", "description": "OpenClaw before 2026.4.2 accepts non-loopback cleartext ws:// gateway endpoints and transmits stored gateway credentials over unencrypted connections. Attackers can forge discovery results or craft setup codes to redirect clients to malicious endpoints, disclosing plaintext gateway credentials.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-21T00:16:29.300", "references": [ "https://github.com/openclaw/openclaw/commit/a941a4fef9bc43b2973c92d0dcff5b8a426210c5", "https://github.com/openclaw/openclaw/security/advisories/GHSA-83f3-hh45-vfw9", "https://www.vulncheck.com/advisories/openclaw-cleartext-credential-transmission-via-unencrypted-websocket-gateway-endpoints" ], "cvss_score": 5.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40045", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.7); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-41389", "severity": "medium", "type": "unknown_cwe_73", "nvd_category_id": "CWE-73", "title": "OpenClaw versions 2026.4.7 before 2026.4.15 fail to enforce local-root containment on tool-result me...", "description": "OpenClaw versions 2026.4.7 before 2026.4.15 fail to enforce local-root containment on tool-result media paths, allowing arbitrary local and UNC file access. Attackers can craft malicious tool-result media references to trigger host-side file reads or Windows network path access, potentially disclosing sensitive files or exposing credentials.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-20T18:16:27.980", "references": [ "https://github.com/openclaw/openclaw/commit/1470de5d3e0970856d86cd99336bb8ada3fe87da", "https://github.com/openclaw/openclaw/commit/52ef42302ead9e183e6c8810e0a04ee4ef8ae9fc", "https://github.com/openclaw/openclaw/commit/6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde" ], "cvss_score": 5.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41389", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.8); remotely exploitable without authentication; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "GHSA-mr34-9552-qr95", "ghsa_id": "GHSA-mr34-9552-qr95", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "Webchat media embedding enforces local-root containment for tool-result files", "description": "Summary Webchat tool-result media normalization could pass local and UNC-style file paths into the host-side media embedding path without applying the configured local-root containment policy. Impact A crafted tool-result media reference could cause the host to attempt local file reads or Windows UNC/network path access while preparing webchat media blocks. This could disclose allowed host files or trigger network credential exposure on affected Windows deployments. Severity remains medium because exploitation depends on a tool-result media path reaching the webchat embedding path, but the sink is a host-side file read before the user sees the rendered result. Affected versions - Affected: >= 2026.4.7, < 2026.4.15 - Patched: 2026.4.15 Fix OpenClaw 2026.4.15 hardens the webchat media path and the shared media resolver. 
Remote-host file:// URLs and Windows network paths are rejected before filesystem access, and audio embedding now enforces configured localRoots containment before stat or read operations. Verified in v2026.4.15: - src/gateway/server-methods/chat-webchat-media.ts uses safe file-URL parsing, rejects Windows network paths, and calls assertLocalMediaAllowed before probing local audio files. - src/media/web-media.ts rejects remote-host file:// URLs, Windows network paths, and local-root bypasses on the shared media path. - src/gateway/server-methods/chat-webchat-media.test.ts covers both remote-host file:// rejection and local-root denial before filesystem access. Fix commits included in v2026.4.15 and absent from v2026.4.14: - 1470de5d3e0970856d86cd99336bb8ada3fe87da via PR #67293 - 6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde via PR #67298 - 52ef42302ead9e183e6c8810e0a04ee4ef8ae9fc via PR #67303 as defense-in-depth for trusted media passthrough anchoring Thanks to @Kherrisan for reporting this issue.", "affected": [ "openclaw@>= 2026.4.7, < 2026.4.15" ], "patched": [ "openclaw@2026.4.15" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-04-16T23:40:33Z", "updated": "2026-04-16T23:40:33Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-mr34-9552-qr95" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mr34-9552-qr95", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-22", "CWE-73" ], "credits": [ "Kherrisan" ], "aliases": [ "GHSA-mr34-9552-qr95" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-536q-mj95-h29h", "ghsa_id": "GHSA-536q-mj95-h29h", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": 
null, "title": "Browser press/type interaction routes missed complete navigation guard coverage", "description": "Summary Browser press/type interaction routes missed complete navigation guard coverage. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: < 2026.4.10 - Patched versions: >= 2026.4.10 Impact Some browser press/type style interactions could trigger navigation without complete post-action SSRF policy enforcement. Technical Details The fix applies a three-phase interaction navigation guard to navigation-capable interactions, including pressKey and type submit flows. Fix The issue was fixed in #62023 and #63226 and #63889. The first stable tag containing the fix is v2026.4.10, and openclaw@2026.4.14 includes the fix. Fix Commit(s) - 049acf23cb03e1b92f5c71cd99c6ec5f35cc56fe - 5f5b3d733bdd791cb457f838514179e1288b10b3 - e0b8ddc1a55185aff1cf9e0e095014d2e4f1d894 - PR: #62023, #63226, #63889 Release Process Note Users should upgrade to openclaw 2026.4.10 or newer. The latest npm release, 2026.4.14, already includes the fix. 
Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.", "affected": [ "openclaw@< 2026.4.10" ], "patched": [ "openclaw@>= 2026.4.10" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-04-16T15:19:51Z", "updated": "2026-04-16T15:19:52Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-536q-mj95-h29h" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-536q-mj95-h29h", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [], "credits": [ "zsxsoft", "KeenSecurityLab", "qclawer" ], "aliases": [ "GHSA-536q-mj95-h29h" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-53vx-pmqw-863c", "ghsa_id": "GHSA-53vx-pmqw-863c", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "high", "type": "server_side_request_forgery", "nvd_category_id": "CWE-918", "title": "Browser SSRF policy default allowed private-network navigation", "description": "Summary Browser SSRF policy default allowed private-network navigation. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: < 2026.4.14 - Patched versions: >= 2026.4.14 Impact Browser SSRF protection could allow private-network navigation by default in paths where restrictive behavior was expected, exposing internal services or metadata endpoints through browser-driven requests. Technical Details The fix preserves strict SSRF configuration semantics, keeps private-network access disabled unless explicitly opted in, and updates loopback CDP readiness handling for the stricter default. Fix The issue was fixed in #66354 and #66386. The first stable tag containing the fix is v2026.4.14, and openclaw@2026.4.14 includes the fix. 
Fix Commit(s) - 024f4614a1a1831406e763adc40ef226e3d5e9ed - 1dabfef28db523e7de81edeb3dd689e9171236a2 - 213c36cf51121ef6c05cfccd78037371f968f31a - 7eecfa411df3d12e6b810e6ca5df47254fc3db3f - PR: #66354, #66386 Release Process Note Users should upgrade to openclaw 2026.4.14 or newer. The latest npm release, 2026.4.14, already includes the fix. Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.", "affected": [ "openclaw@< 2026.4.14" ], "patched": [ "openclaw@>= 2026.4.14" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-04-16T15:19:27Z", "updated": "2026-04-16T15:19:27Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-53vx-pmqw-863c" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-53vx-pmqw-863c", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-918", "CWE-1188" ], "credits": [ "dhyabi2" ], "aliases": [ "GHSA-53vx-pmqw-863c" ], "source_feed": "ghsa-without-cve" }, { "id": "CVE-2026-3691", "severity": "medium", "type": "exposure_of_sensitive_information", "nvd_category_id": "CWE-200", "title": "OpenClaw Client PKCE Verifier Information Disclosure Vulnerability. This vulnerability allows remote...", "description": "OpenClaw Client PKCE Verifier Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose stored credentials on affected installations of OpenClaw. User interaction is required to exploit this vulnerability in that the target must initiate an OAuth authorization flow.\n\nThe specific flaw exists within the implementation of OAuth authorization. The issue results from the exposure of sensitive data in the authorization URL query string. 
An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-29381.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. See NVD for remediation details.", "published": "2026-04-11T01:16:16.123", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-6g25-pc82-vfwp", "https://www.zerodayinitiative.com/advisories/ZDI-26-229/" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3691", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.3); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": true, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-3690", "severity": "high", "type": "unknown_cwe_291", "nvd_category_id": "CWE-291", "title": "OpenClaw Canvas Authentication Bypass Vulnerability. This vulnerability allows remote attackers to b...", "description": "OpenClaw Canvas Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of OpenClaw. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the authentication function for canvas endpoints. The issue results from improper implementation of authentication. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-29311.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-11T01:16:15.990", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-vvjh-f6p9-5vcf", "https://www.zerodayinitiative.com/advisories/ZDI-26-228/" ], "cvss_score": 7.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3690", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.4); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-3689", "severity": "medium", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "OpenClaw Canvas Path Traversal Information Disclosure Vulnerability. This vulnerability allows remot...", "description": "OpenClaw Canvas Path Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of OpenClaw. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of the path parameters provided to the canvas gateway endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the service account. Was ZDI-CAN-29312.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-11T01:16:15.837", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-jq4x-98m3-ggq6", "https://www.zerodayinitiative.com/advisories/ZDI-26-227/" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3689", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); network accessible; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35670", "severity": "medium", "type": "unknown_cwe_807", "nvd_category_id": "CWE-807", "title": "OpenClaw before 2026.3.22 contains a webhook reply delivery vulnerability that allows attackers to r...", "description": "OpenClaw before 2026.3.22 contains a webhook reply delivery vulnerability that allows attackers to rebind chat replies to unintended users by exploiting mutable username matching instead of stable numeric user identifiers. Attackers can manipulate username changes to redirect webhook-triggered replies to different users, bypassing the intended recipient binding recorded in webhook events.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-10T17:17:09.413", "references": [ "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87", "https://github.com/openclaw/openclaw/commit/7ade3553b74ee3f461c4acd216653d5ba411f455", "https://github.com/openclaw/openclaw/security/advisories/GHSA-wv46-v6xc-2qhf" ], "cvss_score": 5.9, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35670", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.9); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35669", "severity": "high", "type": "unknown_cwe_648", "nvd_category_id": "CWE-648", "title": "OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in gateway-authenticated plu...", "description": "OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in gateway-authenticated plugin HTTP routes that incorrectly mint operator.admin runtime scope regardless of caller-granted scopes. Attackers can exploit this scope boundary bypass to gain elevated privileges and perform unauthorized administrative actions.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-10T17:17:09.240", "references": [ "https://github.com/openclaw/openclaw/commit/ec2dbcff9afd8a52e00de054b506c91726d9fbbe", "https://github.com/openclaw/openclaw/security/advisories/GHSA-qm2m-28pf-hgjw", "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-gateway-plugin-http-authentication-scope" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35669", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.8); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35668", "severity": "high", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "OpenClaw before 2026.3.24 contains a path traversal vulnerability in sandbox enforcement allowing sa...", "description": "OpenClaw before 2026.3.24 contains a path traversal vulnerability in sandbox enforcement allowing sandboxed agents to read arbitrary files from other agents' workspaces via unnormalized mediaUrl or fileUrl parameter keys. Attackers can exploit incomplete parameter validation in normalizeSandboxMediaParams and missing mediaLocalRoots context to access sensitive files including API keys and configuration data outside designated sandbox roots.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-10T17:17:09.060", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-hr5v-j9h9-xjhg", "https://www.vulncheck.com/advisories/openclaw-sandbox-media-root-bypass-via-unnormalized-mediaurl-and-fileurl-parameters" ], "cvss_score": 7.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35668", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.7); network accessible; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35667", "severity": "medium", "type": "unknown_cwe_404", "nvd_category_id": "CWE-404", "title": "OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-27486 where the !stop chat command...", "description": "OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-27486 where the !stop chat command uses an unpatched killProcessTree function from shell-utils.ts that sends SIGKILL immediately without graceful SIGTERM shutdown. Attackers can trigger process termination via the !stop command, causing data corruption, resource leaks, and skipped security-sensitive cleanup operations.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-10T17:17:08.883", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-3298-56p6-rpw2", "https://www.vulncheck.com/advisories/openclaw-improper-process-termination-via-unpatched-killprocesstree-in-shell-utils-ts" ], "cvss_score": 6.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35667", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.1); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35666", "severity": "high", "type": "unknown_cwe_706", "nvd_category_id": "CWE-706", "title": "OpenClaw before 2026.3.22 contains an allowlist bypass vulnerability in system.run approvals that fa...", "description": "OpenClaw before 2026.3.22 contains an allowlist bypass vulnerability in system.run approvals that fails to unwrap /usr/bin/time wrappers. Attackers can bypass executable binding restrictions by using an unregistered time wrapper to reuse approval state for inner commands.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-10T17:17:08.680", "references": [ "https://github.com/openclaw/openclaw/commit/39409b6a6dd4239deea682e626bac9ba547bfb14", "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87", "https://github.com/openclaw/openclaw/security/advisories/GHSA-qm9x-v7cx-7rq4" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35666", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.8); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35665", "severity": "medium", "type": "unknown_cwe_405", "nvd_category_id": "CWE-405", "title": "OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-32011 where the Feishu webhook han...", "description": "OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-32011 where the Feishu webhook handler accepts request bodies with permissive limits of 1MB and 30-second timeout before signature verification. An unauthenticated attacker can exhaust server connection resources by sending concurrent slow HTTP POST requests to the Feishu webhook endpoint, blocking legitimate webhook deliveries.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-10T17:17:08.437", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-w6m8-cqvj-pg5v", "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-feishu-webhook-pre-auth-body-parsing" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35665", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35664", "severity": "medium", "type": "unknown_cwe_288", "nvd_category_id": "CWE-288", "title": "OpenClaw before 2026.3.25 contains an authentication bypass vulnerability in raw card send surface t...", "description": "OpenClaw before 2026.3.25 contains an authentication bypass vulnerability in raw card send surface that allows unpaired recipients to mint legacy callback payloads. Attackers can send raw card commands to bypass DM pairing restrictions and reach callback handling without proper authorization.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-10T17:17:08.240", "references": [ "https://github.com/openclaw/openclaw/commit/81c45976db532324b5a0918a70decc19520dc354", "https://github.com/openclaw/openclaw/security/advisories/GHSA-77w2-crqv-cmv3", "https://www.vulncheck.com/advisories/openclaw-dm-pairing-bypass-via-legacy-card-callbacks" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35664", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35663", "severity": "high", "type": "unknown_cwe_648", "nvd_category_id": "CWE-648", "title": "OpenClaw before 2026.3.25 contains a privilege escalation vulnerability allowing non-admin operators...", "description": "OpenClaw before 2026.3.25 contains a privilege escalation vulnerability allowing non-admin operators to self-request broader scopes during backend reconnect. Attackers can bypass pairing requirements to reconnect as operator.admin, gaining unauthorized administrative privileges.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-10T17:17:08.047", "references": [ "https://github.com/openclaw/openclaw/commit/d3d8e316bd819d3c7e34253aeb7eccb2510f5f48", "https://github.com/openclaw/openclaw/security/advisories/GHSA-9hjh-fr4f-gxc4", "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-backend-reconnect-scope-self-claim" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35663", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.8); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35662", "severity": "medium", "type": "missing_authorization", "nvd_category_id": "CWE-862", "title": "OpenClaw before 2026.3.22 fails to enforce controlScope restrictions on the send action, allowing le...", "description": "OpenClaw before 2026.3.22 fails to enforce controlScope restrictions on the send action, allowing leaf subagents to message controlled child sessions beyond their authorized scope. Attackers can exploit this by using the send action to communicate with child sessions without proper scope validation, bypassing intended access control restrictions.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-10T17:17:07.867", "references": [ "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87", "https://github.com/openclaw/openclaw/commit/7679eb375294941b02214c234aff3948796969d0", "https://github.com/openclaw/openclaw/security/advisories/GHSA-x2cm-hg9c-mf5w" ], "cvss_score": 4.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35662", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (4.3); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35661", "severity": "medium", "type": "unknown_cwe_288", "nvd_category_id": "CWE-288", "title": "OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Telegram callback query ...", "description": "OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Telegram callback query handling that allows attackers to mutate session state without satisfying normal DM pairing requirements. Remote attackers can exploit weaker callback-only authorization in direct messages to bypass DM pairing and modify session state.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-10T17:17:07.687", "references": [ "https://github.com/openclaw/openclaw/commit/269282ac69ab6030d5f30d04822668f607f13065", "https://github.com/openclaw/openclaw/security/advisories/GHSA-j4c9-w69r-cw33", "https://www.vulncheck.com/advisories/openclaw-telegram-dm-scoped-inline-button-callback-authorization-bypass" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35661", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35660", "severity": "high", "type": "missing_authorization", "nvd_category_id": "CWE-862", "title": "OpenClaw before 2026.3.23 contains an insufficient access control vulnerability in the Gateway agent...", "description": "OpenClaw before 2026.3.23 contains an insufficient access control vulnerability in the Gateway agent /reset endpoint that allows callers with operator.write permission to reset admin sessions. Attackers with operator.write privileges can invoke /reset or /new messages with an explicit sessionKey to bypass operator.admin requirements and reset arbitrary sessions.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-10T17:17:07.493", "references": [ "https://github.com/openclaw/openclaw/commit/50f6a2f136fed85b58548a38f7a3dbb98d2cd1a0", "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87", "https://github.com/openclaw/openclaw/security/advisories/GHSA-wq58-2pvg-5h4f" ], "cvss_score": 8.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35660", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.1); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35659", "severity": "medium", "type": "unknown_cwe_345", "nvd_category_id": "CWE-345", "title": "OpenClaw before 2026.3.22 contains a service discovery vulnerability where TXT metadata from Bonjour...", "description": "OpenClaw before 2026.3.22 contains a service discovery vulnerability where TXT metadata from Bonjour and DNS-SD could influence CLI routing even when actual service resolution failed. Attackers can exploit unresolved hints to steer routing decisions to unintended targets by providing malicious discovery metadata.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-10T17:17:07.277", "references": [ "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87", "https://github.com/openclaw/openclaw/commit/deecf68b59a9b7eea978e40fd3c2fe543087b569", "https://github.com/openclaw/openclaw/security/advisories/GHSA-rvqr-hrcc-j9vv" ], "cvss_score": 4.6, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35659", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (4.6); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35658", "severity": "medium", "type": "exposure_of_resource_to_wrong_sphere", "nvd_category_id": "CWE-668", "title": "OpenClaw before 2026.3.2 contains a filesystem boundary bypass vulnerability in the image tool that ...", "description": "OpenClaw before 2026.3.2 contains a filesystem boundary bypass vulnerability in the image tool that fails to honor tools.fs.workspaceOnly restrictions. Attackers can traverse sandbox bridge mounts outside the workspace to read files that other filesystem tools would reject.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-10T17:17:07.090", "references": [ "https://github.com/openclaw/openclaw/commit/14baadda2c456f3cf749f1f97e8678746a34a7f4", "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87", "https://github.com/openclaw/openclaw/commit/ccfeecb6887cd97937e33a71877ad512741e82b2" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35658", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35657", "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in the HTTP /sessions/:sess...", "description": "OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in the HTTP /sessions/:sessionKey/history route that skips operator.read scope validation. Attackers can access session history without proper operator read permissions by sending HTTP requests to the vulnerable endpoint.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-10T17:17:06.913", "references": [ "https://github.com/openclaw/openclaw/commit/1c45123231516fa50f8cf8522ba5ff2fb2ca7aea", "https://github.com/openclaw/openclaw/security/advisories/GHSA-5jvj-hxmh-6h6j", "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-http-session-history-route" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35657", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.5); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35656", "severity": "medium", "type": "unknown_cwe_290", "nvd_category_id": "CWE-290", "title": "OpenClaw before 2026.3.22 contains an authentication bypass vulnerability in the X-Forwarded-For hea...", "description": "OpenClaw before 2026.3.22 contains an authentication bypass vulnerability in the X-Forwarded-For header processing when trustedProxies is configured, allowing attackers to spoof loopback hops. Remote attackers can inject forged forwarding headers to bypass canvas authentication and rate-limiting protections by masquerading as loopback clients.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-10T17:17:06.733", "references": [ "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87", "https://github.com/openclaw/openclaw/commit/fc2d29ea926f47c428c556e92ec981441228d2a4", "https://github.com/openclaw/openclaw/security/advisories/GHSA-844j-xrrq-wgh4" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35656", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35655", "severity": "medium", "type": "unknown_cwe_807", "nvd_category_id": "CWE-807", "title": "OpenClaw before 2026.3.22 contains an identity spoofing vulnerability in ACP permission resolution t...", "description": "OpenClaw before 2026.3.22 contains an identity spoofing vulnerability in ACP permission resolution that trusts conflicting tool identity hints from rawInput and metadata. Attackers can spoof tool identities through rawInput parameters to suppress dangerous-tool prompting and bypass security restrictions.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-10T17:17:06.550", "references": [ "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87", "https://github.com/openclaw/openclaw/commit/e4c61723cd2d530680cc61789311d464ab8cdf60", "https://github.com/openclaw/openclaw/security/advisories/GHSA-74wf-h43j-vvmj" ], "cvss_score": 5.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35655", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.7); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35654", "severity": "medium", "type": "unknown_cwe_288", "nvd_category_id": "CWE-288", "title": "OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Microsoft Teams feedback...", "description": "OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Microsoft Teams feedback invokes that allows unauthorized senders to record session feedback. Attackers can bypass sender allowlist checks via feedback invoke endpoints to trigger unauthorized feedback recording or reflection.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-10T17:17:06.370", "references": [ "https://github.com/openclaw/openclaw/commit/c5415a474bb085404c20f8b312e436997977b1ea", "https://github.com/openclaw/openclaw/security/advisories/GHSA-rf6h-5gpw-qrgq", "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-microsoft-teams-feedback-invoke" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35654", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35653", "severity": "high", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.3.24 contains an incorrect authorization vulnerability in the POST /reset-profi...", "description": "OpenClaw before 2026.3.24 contains an incorrect authorization vulnerability in the POST /reset-profile endpoint that allows authenticated callers with operator.write access to browser.request to bypass profile mutation restrictions. Attackers can invoke POST /reset-profile through the browser.request surface to stop the running browser, close Playwright connections, and move profile directories to Trash, crossing intended privilege boundaries.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-10T17:17:06.170", "references": [ "https://github.com/openclaw/openclaw/commit/4dcc39c25c6cc63fedfd004f52d173716576fcf0", "https://github.com/openclaw/openclaw/commit/e7d11f6c33e223a0dd8a21cfe01076bd76cef87a", "https://github.com/openclaw/openclaw/security/advisories/GHSA-xp9r-prpg-373r" ], "cvss_score": 8.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35653", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.1); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35652", "severity": "medium", "type": "unknown_cwe_696", "nvd_category_id": "CWE-696", "title": "OpenClaw before 2026.3.22 contains an authorization bypass vulnerability in interactive callback dis...", "description": "OpenClaw before 2026.3.22 contains an authorization bypass vulnerability in interactive callback dispatch that allows non-allowlisted senders to execute action handlers. Attackers can bypass sender authorization checks by dispatching callbacks before normal security validation completes, enabling unauthorized actions.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-10T17:17:05.987", "references": [ "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87", "https://github.com/openclaw/openclaw/commit/a47722de7e3c9cbda8d5512747ca7e3bb8f6ee66", "https://github.com/openclaw/openclaw/security/advisories/GHSA-8883-9w57-vwv6" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35652", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35651", "severity": "medium", "type": "unknown_cwe_150", "nvd_category_id": "CWE-150", "title": "OpenClaw versions 2026.2.13 through 2026.3.24 contain an ANSI escape sequence injection vulnerabilit...", "description": "OpenClaw versions 2026.2.13 through 2026.3.24 contain an ANSI escape sequence injection vulnerability in approval prompts that allows attackers to spoof terminal output. Untrusted tool metadata can carry ANSI control sequences into approval prompts and permission logs, enabling attackers to manipulate displayed information through malicious tool titles.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-10T17:17:05.803", "references": [ "https://github.com/openclaw/openclaw/commit/464e2c10a5edceb380d815adb6ff56e1a4c50f60", "https://github.com/openclaw/openclaw/security/advisories/GHSA-4hmj-39m8-jwc7", "https://www.vulncheck.com/advisories/openclaw-ansi-escape-sequence-injection-in-approval-prompt" ], "cvss_score": 4.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35651", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (4.3); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35650", "severity": "high", "type": "unknown_cwe_15", "nvd_category_id": "CWE-15", "title": "OpenClaw before 2026.3.22 contains an environment variable override handling vulnerability that allo...", "description": "OpenClaw before 2026.3.22 contains an environment variable override handling vulnerability that allows attackers to bypass the shared host environment policy through inconsistent sanitization paths. Attackers can supply blocked or malformed override keys that slip through inconsistent validation to execute arbitrary code with unintended environment variables.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-10T17:17:05.627", "references": [ "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87", "https://github.com/openclaw/openclaw/commit/7abfff756d6c68d17e21d1657bbacbaec86de232", "https://github.com/openclaw/openclaw/security/advisories/GHSA-39pp-xp36-q6mg" ], "cvss_score": 7.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35650", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.5); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35649", "severity": "medium", "type": "unknown_cwe_183", "nvd_category_id": "CWE-183", "title": "OpenClaw before 2026.3.22 contains a settings reconciliation vulnerability that allows attackers to ...", "description": "OpenClaw before 2026.3.22 contains a settings reconciliation vulnerability that allows attackers to bypass intended deny-all revocations by exploiting empty allowlist handling. The vulnerability treats explicit empty allowlists as unset during reconciliation, silently undoing intended access control denials and restoring previously revoked permissions.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-10T17:17:05.437", "references": [ "https://github.com/openclaw/openclaw/commit/3cbf932413e41d1836cb91aed1541a28a3122f93", "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87", "https://github.com/openclaw/openclaw/security/advisories/GHSA-pw7h-9g6p-c378" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35649", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35648", "severity": "low", "type": "unknown_cwe_367", "nvd_category_id": "CWE-367", "title": "OpenClaw before 2026.3.22 contains a policy bypass vulnerability where queued node actions are not r...", "description": "OpenClaw before 2026.3.22 contains a policy bypass vulnerability where queued node actions are not revalidated against current command policy when delivered. Attackers can exploit stale allowlists or declarations that survive policy tightening to execute unauthorized commands.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-10T17:17:05.253", "references": [ "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87", "https://github.com/openclaw/openclaw/commit/ec2c6d83b9f5f91d6d9094842e0f19b88e63e3e2", "https://github.com/openclaw/openclaw/security/advisories/GHSA-wj55-88gf-x564" ], "cvss_score": 3.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35648", "exploitability_score": "low", "exploitability_rationale": "Low CVSS score (3.7); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35647", "severity": "medium", "type": "unknown_cwe_288", "nvd_category_id": "CWE-288", "title": "OpenClaw before 2026.3.25 contains an access control vulnerability where verification notices bypass...", "description": "OpenClaw before 2026.3.25 contains an access control vulnerability where verification notices bypass DM policy checks and reply to unpaired peers. Attackers can send verification notices to users outside allowed direct message policies by exploiting insufficient access validation before message transmission.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-10T17:17:05.077", "references": [ "https://github.com/openclaw/openclaw/commit/2383daf5c4a4e08d9553e0e949552ad755ef9ec2", "https://github.com/openclaw/openclaw/security/advisories/GHSA-9wqx-g2cw-vc7r", "https://www.vulncheck.com/advisories/openclaw-direct-message-policy-bypass-via-verification-notices" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35647", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35643", "severity": "high", "type": "unknown_cwe_940", "nvd_category_id": "CWE-940", "title": "OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing...", "description": "OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing attackers to inject arbitrary instructions. Untrusted pages can invoke the canvas bridge to execute malicious code within the Android application context.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-10T17:17:04.887", "references": [ "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87", "https://github.com/openclaw/openclaw/commit/8b02ef133275be96d8aac2283100016c8a7f32e5", "https://github.com/openclaw/openclaw/security/advisories/GHSA-cxmw-p77q-wchg" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35643", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.8); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35641", "severity": "high", "type": "unknown_cwe_349", "nvd_category_id": "CWE-349", "title": "OpenClaw before 2026.3.24 contains an arbitrary code execution vulnerability in local plugin and hoo...", "description": "OpenClaw before 2026.3.24 contains an arbitrary code execution vulnerability in local plugin and hook installation that allows attackers to execute malicious code by crafting a .npmrc file with a git executable override. During npm install execution in the staged package directory, attackers can leverage git dependencies to trigger execution of arbitrary programs specified in the attacker-controlled .npmrc configuration file.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-10T17:17:04.697", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-m3mh-3mpg-37hw", "https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-npmrc-in-local-plugin-hook-installation" ], "cvss_score": 7.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35641", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.8); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35621", "severity": "medium", "type": "missing_authorization", "nvd_category_id": "CWE-862", "title": "OpenClaw before 2026.3.24 contains a privilege escalation vulnerability where the /allowlist command...", "description": "OpenClaw before 2026.3.24 contains a privilege escalation vulnerability where the /allowlist command fails to re-validate gateway client scopes for internal callers, allowing operator.write-scoped clients to mutate channel authorization policy. Attackers can exploit chat.send to build an internal command-authorized context and persist channel allowFrom and groupAllowFrom policy changes reserved for operator.admin scope.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-10T17:17:04.520", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-94pw-c6m8-p9p9", "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-chat-send-to-allowlist-persistence" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35621", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.5); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35620", "severity": "medium", "type": "missing_authorization", "nvd_category_id": "CWE-862", "title": "OpenClaw before 2026.3.24 contains missing authorization vulnerabilities in the /send and /allowlist...", "description": "OpenClaw before 2026.3.24 contains missing authorization vulnerabilities in the /send and /allowlist chat command handlers. The /send command allows non-owner command-authorized senders to change owner-only session delivery policy settings, and the /allowlist mutating commands fail to enforce operator.admin scope. Attackers with operator.write scope can invoke /send on|off|inherit to persistently mutate the current session's sendPolicy, and execute /allowlist add commands to modify config-backed allowFrom entries and pairing-store allowlist entries without proper admin authorization.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-10T17:17:04.320", "references": [ "https://github.com/openclaw/openclaw/commit/555b2578a8cc6e1b93f717496935ead97bfbed8b", "https://github.com/openclaw/openclaw/commit/ccfeecb6887cd97937e33a71877ad512741e82b2", "https://github.com/openclaw/openclaw/commit/ea018a68ccb92dbc735bc1df9880d5c95c63ca35" ], "cvss_score": 5.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35620", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.4); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35619", "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.3.24 contains an authorization bypass vulnerability in the HTTP /v1/models endp...", "description": "OpenClaw before 2026.3.24 contains an authorization bypass vulnerability in the HTTP /v1/models endpoint that fails to enforce operator read scope requirements. Attackers with only operator.approvals scope can enumerate gateway model metadata through the HTTP compatibility route, bypassing the stricter WebSocket RPC authorization checks.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-10T17:17:04.140", "references": [ "https://github.com/openclaw/openclaw/commit/06de515b6c42816b62ec752e1c221cab67b38501", "https://github.com/openclaw/openclaw/security/advisories/GHSA-68f8-9mhj-h2mp", "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-http-v1-models-endpoint" ], "cvss_score": 4.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35619", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (4.3); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-6011", "severity": "medium", "type": "server_side_request_forgery", "nvd_category_id": "CWE-918", "title": "A weakness has been identified in OpenClaw up to 2026.1.26. Affected by this issue is some unknown f...", "description": "A weakness has been identified in OpenClaw up to 2026.1.26. Affected by this issue is some unknown functionality of the file src/agents/tools/web-fetch.ts of the component assertPublicHostname Handler. Executing a manipulation can lead to server-side request forgery. The attack can be executed remotely. This attack is characterized by high complexity. The exploitation is known to be difficult. The exploit has been made available to the public and could be used for attacks. Upgrading to version 2026.1.29 can resolve this issue. This patch is called b623557a2ec7e271bda003eb3ac33fbb2e218505. Upgrading the affected component is advised.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-10T05:16:06.757", "references": [ "https://github.com/openclaw/openclaw/", "https://github.com/openclaw/openclaw/commit/b623557a2ec7e271bda003eb3ac33fbb2e218505#diff-06572a96a58dc510037d5efa622f9bec8519bc1beab13c9f251e97e657a9d4edR44", "https://github.com/openclaw/openclaw/releases/tag/v2026.1.29" ], "cvss_score": 5.6, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6011", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.6); remotely exploitable without authentication; SSRF affects agents making external requests", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35646", "severity": "medium", "type": "unknown_cwe_307", "nvd_category_id": "CWE-307", "title": "OpenClaw before 2026.3.25 contains a pre-authentication rate-limit bypass vulnerability in webhook t...", "description": "OpenClaw before 2026.3.25 contains a pre-authentication rate-limit bypass vulnerability in webhook token validation that allows attackers to brute-force weak webhook secrets. The vulnerability exists because invalid webhook tokens are rejected without throttling repeated authentication attempts, enabling attackers to guess weak tokens through rapid successive requests.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-09T22:16:34.223", "references": [ "https://github.com/openclaw/openclaw/commit/0b4d07337467f4d40a0cc1ced83d45ceaec0863c", "https://github.com/openclaw/openclaw/security/advisories/GHSA-mf5g-6r6f-ghhm", "https://www.vulncheck.com/advisories/openclaw-pre-authentication-rate-limit-bypass-in-webhook-token-validation" ], "cvss_score": 4.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35646", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (4.8); remotely exploitable without authentication; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35645", "severity": "high", "type": "unknown_cwe_648", "nvd_category_id": "CWE-648", "title": "OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in the gateway plugin subage...", "description": "OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in the gateway plugin subagent fallback deleteSession function that uses a synthetic operator.admin runtime scope. Attackers can exploit this by triggering session deletion without a request-scoped client to execute privileged operations with unintended administrative scope.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-09T22:16:34.050", "references": [ "https://github.com/openclaw/openclaw/commit/b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7", "https://github.com/openclaw/openclaw/security/advisories/GHSA-h4jx-hjr3-fhgc", "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-synthetic-operator-admin-in-deletesession" ], "cvss_score": 8.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35645", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.1); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35644", "severity": "medium", "type": "unknown_cwe_312", "nvd_category_id": "CWE-312", "title": "OpenClaw before 2026.3.22 contains an information disclosure vulnerability that allows attackers wit...", "description": "OpenClaw before 2026.3.22 contains an information disclosure vulnerability that allows attackers with operator.read scope to expose credentials embedded in channel baseUrl and httpUrl fields. Attackers can access gateway snapshots via config.get and channels.status endpoints to retrieve sensitive authentication information from URL userinfo components.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-09T22:16:33.873", "references": [ "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87", "https://github.com/openclaw/openclaw/commit/f0202264d0de7ad345382b9008c5963bcefb01b7", "https://github.com/openclaw/openclaw/security/advisories/GHSA-ppwq-6v66-5m6j" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35644", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.5); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35642", "severity": "medium", "type": "unknown_cwe_288", "nvd_category_id": "CWE-288", "title": "OpenClaw before 2026.3.25 contains an authorization bypass vulnerability where group reaction events...", "description": "OpenClaw before 2026.3.25 contains an authorization bypass vulnerability where group reaction events bypass the requireMention access control mechanism. Attackers can trigger reactions in mention-gated groups to enqueue agent-visible system events that should remain restricted.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-09T22:16:33.697", "references": [ "https://github.com/openclaw/openclaw/commit/f8c98630785288cc1f1d0893503ef3b653a3cede", "https://github.com/openclaw/openclaw/security/advisories/GHSA-mw7w-g3mg-xqm7", "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-group-reactions-via-requiremention-bypass" ], "cvss_score": 4.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35642", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (4.3); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35640", "severity": "medium", "type": "unknown_cwe_696", "nvd_category_id": "CWE-696", "title": "OpenClaw before 2026.3.25 parses JSON request bodies before validating webhook signatures, allowing ...", "description": "OpenClaw before 2026.3.25 parses JSON request bodies before validating webhook signatures, allowing unauthenticated attackers to force resource-intensive parsing operations. Remote attackers can send malicious webhook requests to trigger denial of service by exhausting server resources through forced JSON parsing before signature rejection.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-09T22:16:33.507", "references": [ "https://github.com/openclaw/openclaw/commit/5e8cb22176e9235e224be0bc530699261eb60e53", "https://github.com/openclaw/openclaw/security/advisories/GHSA-3h52-cx59-c456", "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unauthenticated-webhook-request-parsing" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35640", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35639", "severity": "high", "type": "unknown_cwe_648", "nvd_category_id": "CWE-648", "title": "OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the device.pair.approve m...", "description": "OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the device.pair.approve method that allows an operator.pairing approver to approve pending device requests with broader operator scopes than the approver actually holds. Attackers can exploit insufficient scope validation to escalate privileges to operator.admin and achieve remote code execution on the Node infrastructure.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-09T22:16:33.317", "references": [ "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87", "https://github.com/openclaw/openclaw/commit/fc2d29ea926f47c428c556e92ec981441228d2a4", "https://github.com/openclaw/openclaw/security/advisories/GHSA-hf68-49fm-59cq" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35639", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.8); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35638", "severity": "high", "type": "unknown_cwe_286", "nvd_category_id": "CWE-286", "title": "OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the Control UI that allow...", "description": "OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the Control UI that allows unauthenticated sessions to retain self-declared privileged scopes without device identity verification. Attackers can exploit the device-less allow path in the trusted-proxy mechanism to maintain elevated permissions by declaring arbitrary scopes, bypassing device identity requirements.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-09T22:16:33.123", "references": [ "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87", "https://github.com/openclaw/openclaw/commit/ccf16cd8892402022439346ae1d23352e3707e9e", "https://github.com/openclaw/openclaw/security/advisories/GHSA-48vw-m3qc-wr99" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35638", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.8); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35637", "severity": "high", "type": "unknown_cwe_696", "nvd_category_id": "CWE-696", "title": "OpenClaw before 2026.3.22 performs cite expansion before completing channel and DM authorization che...", "description": "OpenClaw before 2026.3.22 performs cite expansion before completing channel and DM authorization checks, allowing cite work and content handling prior to final auth decisions. Attackers can exploit this timing vulnerability to access or manipulate content before proper authorization validation occurs.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-09T22:16:32.933", "references": [ "https://github.com/openclaw/openclaw/commit/3cbf932413e41d1836cb91aed1541a28a3122f93", "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87", "https://github.com/openclaw/openclaw/commit/ebee4e2210e1f282a982c7ef2ad79d77a572fc87" ], "cvss_score": 7.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35637", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.3); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35636", "severity": "medium", "type": "unknown_cwe_696", "nvd_category_id": "CWE-696", "title": "OpenClaw versions 2026.3.11 through 2026.3.24 contain a session isolation bypass vulnerability where...", "description": "OpenClaw versions 2026.3.11 through 2026.3.24 contain a session isolation bypass vulnerability where session_status resolves sessionId to canonical session keys before enforcing visibility checks. Sandboxed child sessions can exploit this to access parent or sibling sessions that should be blocked by explicit sessionKey restrictions.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-09T22:16:32.750", "references": [ "https://github.com/openclaw/openclaw/commit/d9810811b6c3c9266d7580f00574e5e02f7663de", "https://github.com/openclaw/openclaw/security/advisories/GHSA-q2qc-744p-66r2", "https://www.vulncheck.com/advisories/openclaw-session-isolation-bypass-via-sessionid-resolution" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35636", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.5); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35635", "severity": "medium", "type": "unknown_cwe_706", "nvd_category_id": "CWE-706", "title": "OpenClaw before 2026.3.22 contains a webhook path route replacement vulnerability in the Synology Ch...", "description": "OpenClaw before 2026.3.22 contains a webhook path route replacement vulnerability in the Synology Chat extension that allows attackers to collapse multi-account configurations onto shared webhook paths. Attackers can exploit inherited or duplicate webhook paths to bypass per-account DM access control policies and replace route ownership across accounts.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-09T22:16:32.567", "references": [ "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87", "https://github.com/openclaw/openclaw/commit/980940aa58f862da4e19372597bbc2a9f268d70b", "https://github.com/openclaw/openclaw/security/advisories/GHSA-rqp8-q22p-5j9q" ], "cvss_score": 4.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35635", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (4.8); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35634", "severity": "medium", "type": "unknown_cwe_288", "nvd_category_id": "CWE-288", "title": "OpenClaw before 2026.3.23 contains an authentication bypass vulnerability in the Canvas gateway wher...", "description": "OpenClaw before 2026.3.23 contains an authentication bypass vulnerability in the Canvas gateway where authorizeCanvasRequest() unconditionally allows local-direct requests without validating bearer tokens or canvas capabilities. Attackers can send unauthenticated loopback HTTP and WebSocket requests to Canvas routes to bypass authentication and gain unauthorized access.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-09T22:16:32.380", "references": [ "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87", "https://github.com/openclaw/openclaw/commit/d5dc6b6573ae489bc7e5651090f4767b93537c9e", "https://github.com/openclaw/openclaw/security/advisories/GHSA-6mqc-jqh6-x8fc" ], "cvss_score": 5.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35634", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.1); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35633", "severity": "medium", "type": "unknown_cwe_770", "nvd_category_id": "CWE-770", "title": "OpenClaw before 2026.3.22 contains an unbounded memory allocation vulnerability in remote media HTTP...", "description": "OpenClaw before 2026.3.22 contains an unbounded memory allocation vulnerability in remote media HTTP error handling that allows attackers to trigger excessive memory consumption. Attackers can send crafted HTTP error responses with large bodies to remote media endpoints, causing the application to allocate unbounded memory before failure handling occurs.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-09T22:16:32.187", "references": [ "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87", "https://github.com/openclaw/openclaw/commit/81445a901091a5d27ef0b56fceedbe4724566438", "https://github.com/openclaw/openclaw/security/advisories/GHSA-4qwc-c7g9-4xcw" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35633", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35632", "severity": "high", "type": "unknown_cwe_61", "nvd_category_id": "CWE-61", "title": "OpenClaw through 2026.2.22 contains a symlink traversal vulnerability in agents.create and agents.up...", "description": "OpenClaw through 2026.2.22 contains a symlink traversal vulnerability in agents.create and agents.update handlers that use fs.appendFile on IDENTITY.md without symlink containment checks. Attackers with workspace access can plant symlinks to append attacker-controlled content to arbitrary files, enabling remote code execution via crontab injection or unauthorized access via SSH key manipulation.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-09T22:16:32.003", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-7xr2-q9vf-x4r5", "https://www.vulncheck.com/advisories/openclaw-symlink-traversal-via-identity-md-appendfile-in-agents-create-update" ], "cvss_score": 7.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35632", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.1); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35631", "severity": "medium", "type": "missing_authorization", "nvd_category_id": "CWE-862", "title": "OpenClaw before 2026.3.22 fails to enforce operator.admin scope on mutating internal ACP chat comman...", "description": "OpenClaw before 2026.3.22 fails to enforce operator.admin scope on mutating internal ACP chat commands, allowing unauthorized modifications. Attackers without admin privileges can execute mutating control-plane actions by directly invoking affected ACP commands to bypass authorization gates.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-09T22:16:31.790", "references": [ "https://github.com/openclaw/openclaw/commit/229426a257e49694a59fa4e3895861d02a4d767f", "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87", "https://github.com/openclaw/openclaw/security/advisories/GHSA-3w6x-gv34-mqpf" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35631", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35629", "severity": "high", "type": "server_side_request_forgery", "nvd_category_id": "CWE-918", "title": "OpenClaw before 2026.3.25 contains a server-side request forgery vulnerability in multiple channel e...", "description": "OpenClaw before 2026.3.25 contains a server-side request forgery vulnerability in multiple channel extensions that fail to properly guard configured base URLs against SSRF attacks. Attackers can exploit unprotected fetch() calls against configured endpoints to rebind requests to blocked internal destinations and access restricted resources.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-09T22:16:31.603", "references": [ "https://github.com/openclaw/openclaw/commit/f92c92515bd439a71bd03eb1bc969c1964f17acf", "https://github.com/openclaw/openclaw/security/advisories/GHSA-rhfg-j8jq-7v2h", "https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-unguarded-configured-base-urls-in-channel-extensions" ], "cvss_score": 7.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35629", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.4); network accessible; SSRF affects agents making external requests", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35628", "severity": "medium", "type": "unknown_cwe_307", "nvd_category_id": "CWE-307", "title": "OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in Telegram webhook authent...", "description": "OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in Telegram webhook authentication that allows attackers to brute-force weak webhook secrets. The vulnerability enables repeated authentication guesses without throttling, permitting attackers to systematically guess webhook secrets through brute-force attacks.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-09T22:16:31.423", "references": [ "https://github.com/openclaw/openclaw/commit/c2c136ae9517ddd0789d742a0fdf4c10e8c729a7", "https://github.com/openclaw/openclaw/security/advisories/GHSA-vcx4-4qxg-mfp4", "https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-telegram-webhook-rate-limiting" ], "cvss_score": 4.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35628", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (4.8); remotely exploitable without authentication; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35627", "severity": "medium", "type": "unknown_cwe_696", "nvd_category_id": "CWE-696", "title": "OpenClaw before 2026.3.22 performs cryptographic and dispatch operations on inbound Nostr direct mes...", "description": "OpenClaw before 2026.3.22 performs cryptographic and dispatch operations on inbound Nostr direct messages before enforcing sender and pairing policy validation. Attackers can trigger unauthorized pre-authentication computation by sending crafted DM messages, enabling denial of service through resource exhaustion.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-09T22:16:31.240", "references": [ "https://github.com/openclaw/openclaw/commit/1ee9611079e81b9122f4bed01abb3d9f56206c77", "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87", "https://github.com/openclaw/openclaw/security/advisories/GHSA-65h8-27jh-q8wv" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35627", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication; RCE is critical in agent deployments (the description reports denial of service through resource exhaustion, not code execution)", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35626", "severity": "medium", "type": "unknown_cwe_405", "nvd_category_id": "CWE-405", "title": "OpenClaw before 2026.3.22 contains an unauthenticated resource exhaustion vulnerability in voice cal...", "description": "OpenClaw before 2026.3.22 contains an unauthenticated resource exhaustion vulnerability in voice call webhook handling that buffers request bodies before provider signature checks. Attackers can send large or malicious webhook requests to exhaust server resources without authentication by bypassing signature validation.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-09T22:16:31.047", "references": [ "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87", "https://github.com/openclaw/openclaw/commit/651dc7450b68a5396a009db78ef9382633707ead", "https://github.com/openclaw/openclaw/security/advisories/GHSA-rm59-992w-x2mv" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35626", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication; RCE is critical in agent deployments (the description reports resource exhaustion, not code execution)", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35625", "severity": "high", "type": "unknown_cwe_648", "nvd_category_id": "CWE-648", "title": "OpenClaw before 2026.3.25 contains a privilege escalation vulnerability where silent local shared-au...", "description": "OpenClaw before 2026.3.25 contains a privilege escalation vulnerability where silent local shared-auth reconnects auto-approve scope-upgrade requests, widening paired device permissions from operator.read to operator.admin. Attackers can exploit this by triggering local reconnection to silently escalate privileges and achieve remote code execution on the node.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-09T22:16:30.867", "references": [ "https://github.com/openclaw/openclaw/commit/81ebc7e0344fd19c85778e883bad45e2da972229", "https://github.com/openclaw/openclaw/security/advisories/GHSA-fqw4-mph7-2vr8", "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-silent-local-shared-auth-reconnect" ], "cvss_score": 7.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35625", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.8); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35624", "severity": "medium", "type": "unknown_cwe_807", "nvd_category_id": "CWE-807", "title": "OpenClaw before 2026.3.22 contains a policy confusion vulnerability in room authorization that match...", "description": "OpenClaw before 2026.3.22 contains a policy confusion vulnerability in room authorization that matches colliding room names instead of stable room tokens. Attackers can exploit similarly named rooms to bypass allowlist policies and gain unauthorized access to protected Nextcloud Talk rooms.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-09T22:16:30.683", "references": [ "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87", "https://github.com/openclaw/openclaw/commit/a47722de7e3c9cbda8d5512747ca7e3bb8f6ee66", "https://github.com/openclaw/openclaw/security/advisories/GHSA-xhq5-45pm-2gjr" ], "cvss_score": 4.2, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35624", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (4.2); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35623", "severity": "medium", "type": "unknown_cwe_307", "nvd_category_id": "CWE-307", "title": "OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in webhook authentication t...", "description": "OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in webhook authentication that allows attackers to brute-force weak webhook passwords without throttling. Remote attackers can repeatedly submit incorrect password guesses to the webhook endpoint to compromise authentication and gain unauthorized access.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-09T22:16:30.530", "references": [ "https://github.com/openclaw/openclaw/commit/5e08ce36d522a1c96df2bfe88e39303ae2643d92", "https://github.com/openclaw/openclaw/security/advisories/GHSA-xq8g-hgh6-87hv", "https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-webhook-password-rate-limiting" ], "cvss_score": 4.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35623", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (4.8); remotely exploitable without authentication; RCE is critical in agent deployments (the description reports brute-forcing of weak webhook passwords, not code execution)", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35622", "severity": "medium", "type": "unknown_cwe_290", "nvd_category_id": "CWE-290", "title": "OpenClaw before 2026.3.22 contains an improper authentication verification vulnerability in Google C...", "description": "OpenClaw before 2026.3.22 contains an improper authentication verification vulnerability in Google Chat app-url webhook handling that accepts add-on principals outside intended deployment bindings. Attackers can bypass webhook authentication by providing non-deployment add-on principals to execute unauthorized actions through the Google Chat integration.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-09T22:16:30.340", "references": [ "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87", "https://github.com/openclaw/openclaw/commit/a47722de7e3c9cbda8d5512747ca7e3bb8f6ee66", "https://github.com/openclaw/openclaw/security/advisories/GHSA-mp66-rf4f-mhh8" ], "cvss_score": 5.9, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35622", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.9); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35618", "severity": "medium", "type": "unknown_cwe_294", "nvd_category_id": "CWE-294", "title": "OpenClaw before 2026.3.23 contains a replay identity vulnerability in Plivo V2 signature verificatio...", "description": "OpenClaw before 2026.3.23 contains a replay identity vulnerability in Plivo V2 signature verification that allows attackers to bypass replay protection by modifying query parameters. The verification path derives replay keys from the full URL including query strings instead of the canonicalized base URL, enabling attackers to mint new verified request keys through unsigned query-only changes to signed requests.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-09T22:16:30.143", "references": [ "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87", "https://github.com/openclaw/openclaw/commit/b0ce53a79cf63834660270513e26d921899b4e5b", "https://github.com/openclaw/openclaw/security/advisories/GHSA-cg6c-q2hx-69h7" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35618", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-35617", "severity": "medium", "type": "unknown_cwe_807", "nvd_category_id": "CWE-807", "title": "OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Google Chat group policy...", "description": "OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Google Chat group policy enforcement that relies on mutable space display names. Attackers can rebind group policies by changing or colliding space display names to gain unauthorized access to protected resources.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-09T22:16:29.950", "references": [ "https://github.com/openclaw/openclaw/commit/11ea1f67863d88b6cbcb229dd368a45e07094bff", "https://github.com/openclaw/openclaw/security/advisories/GHSA-52q4-3xjc-6778", "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-group-policy-rebinding-with-mutable-space-displayname" ], "cvss_score": 4.2, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35617", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (4.2); network accessible; RCE is critical in agent deployments (the description reports an authorization bypass, not code execution)", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-34512", "severity": "high", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.3.25 contains an improper access control vulnerability in the HTTP /sessions/:s...", "description": "OpenClaw before 2026.3.25 contains an improper access control vulnerability in the HTTP /sessions/:sessionKey/kill route that allows any bearer-authenticated user to invoke admin-level session termination functions without proper scope validation. Attackers can exploit this by sending authenticated requests to kill arbitrary subagent sessions via the killSubagentRunAdmin function, bypassing ownership and operator scope restrictions.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-09T22:16:29.757", "references": [ "https://github.com/openclaw/openclaw/commit/02cf12371f9353a16455da01cc02e6c4ecfc4152", "https://github.com/openclaw/openclaw/security/advisories/GHSA-9p93-7j67-5pc2", "https://www.vulncheck.com/advisories/openclaw-improper-access-control-in-sessions-sessionkey-kill-endpoint" ], "cvss_score": 8.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34512", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.1); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-40037", "severity": "medium", "type": "open_redirect", "nvd_category_id": "CWE-601", "title": "OpenClaw before 2026.3.31 (patched in 2026.4.8) contains a request body replay vulnerability in fetc...", "description": "OpenClaw before 2026.3.31 (patched in 2026.4.8) contains a request body replay vulnerability in fetchWithSsrFGuard that allows unsafe request bodies to be resent across cross-origin redirects. Attackers can exploit this by triggering redirects to exfiltrate sensitive request data or headers to unintended origins.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-08T22:16:24.370", "references": [ "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "https://github.com/openclaw/openclaw/security/advisories/GHSA-qx8j-g322-qj6m", "https://www.vulncheck.com/advisories/openclaw-unsafe-request-body-replay-via-fetchwithssrfguard-cross-origin-redirects" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40037", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); network accessible; SSRF affects agents making external requests", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "GHSA-jf56-mccx-5f3f", "ghsa_id": "GHSA-jf56-mccx-5f3f", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "high", "type": "github_security_advisory", "nvd_category_id": "CWE-501", "title": "Authenticated /hooks/wake and mapped wake payloads are promoted into the trusted System: prompt channel", "description": "Impact Authenticated /hooks/wake and mapped wake payloads are promoted into the trusted System: prompt channel. An authenticated wake hook or mapped wake payload could be promoted into the trusted System prompt channel instead of an untrusted event. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.2 - Patched versions: 2026.4.8 Fix The issue was fixed on main and is available in the patched npm version listed above. The verified fixed tree is commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5. 
Verification The fix was re-checked against main before publication, including targeted regression tests for the affected security boundary. Credits Thanks @tdjackey for reporting.", "affected": [ "openclaw@<= 2026.4.2" ], "patched": [ "openclaw@2026.4.8" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-04-08T05:33:37Z", "updated": "2026-04-08T05:33:37Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-jf56-mccx-5f3f" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jf56-mccx-5f3f", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-501" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-jf56-mccx-5f3f" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-gfmx-pph7-g46x", "ghsa_id": "GHSA-gfmx-pph7-g46x", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "high", "type": "github_security_advisory", "nvd_category_id": "CWE-501", "title": "Lower-trust background runtime output is injected into trusted System: events, and local async exec completion misses the intended exec-event downgrade", "description": "Impact Lower-trust background runtime output is injected into trusted System: events, and local async exec completion misses the intended exec-event downgrade. Lower-trust runtime/background output could be promoted into trusted System events, allowing prompt-injection into later agent turns. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.2 - Patched versions: 2026.4.8 Fix The issue was fixed on main and is available in the patched npm version listed above. 
The verified fixed tree is commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5. Verification The fix was re-checked against main before publication, including targeted regression tests for the affected security boundary. Credits Thanks @tdjackey for reporting.", "affected": [ "openclaw@<= 2026.4.2" ], "patched": [ "openclaw@2026.4.8" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-04-08T05:33:36Z", "updated": "2026-04-08T05:33:36Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-gfmx-pph7-g46x" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gfmx-pph7-g46x", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-501" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-gfmx-pph7-g46x" ], "source_feed": "ghsa-without-cve" }, { "id": "CVE-2026-34511", "severity": "medium", "type": "unknown_cwe_330", "nvd_category_id": "CWE-330", "title": "OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth f...", "description": "OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier, defeating PKCE protection and enabling token redemption.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-03T21:17:11.517", "references": [ "https://github.com/openclaw/openclaw/commit/a26f4d0f3ef0757db6c6c40277cc06a5de76c52f", "https://github.com/openclaw/openclaw/security/advisories/GHSA-9jpj-g8vv-j5mf", "https://www.vulncheck.com/advisories/openclaw-pkce-verifier-exposure-via-oauth-state-parameter" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34511", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.3); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": true, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "GHSA-846p-hgpv-vphc", "ghsa_id": "GHSA-846p-hgpv-vphc", "cve_id": null, "status": "active", "stale": false, "stale_after_days": 60, "severity": "high", "type": "github_security_advisory", "nvd_category_id": null, "title": "QQ Bot structured payloads could read arbitrary local files", "description": "Summary Before OpenClaw 2026.4.2, QQ Bot structured media payloads could read local files from attacker-chosen paths. A crafted structured payload could escape QQ Bot-owned media roots and cause arbitrary file reads on the host. Impact Prompt-influenced structured payload output could exfiltrate any host file readable by the OpenClaw process through the QQ Bot media-send path. This was a real confidentiality bug on the host filesystem boundary. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.1 - Patched versions: = 2026.4.2 - Latest published npm version: 2026.4.1 Fix Commit(s) - 2c45b06afdd6f7c621038b5419d8e661cff34a7f — restrict QQ Bot structured payload local paths Release Process Note The fix is present on main and is staged for OpenClaw 2026.4.2. Publish this advisory after the 2026.4.2 npm release is live. 
Thanks @feiyang666 of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.", "affected": [ "openclaw@<= 2026.4.1" ], "patched": [ "openclaw@>= 2026.4.2" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-04-02T19:21:36Z", "updated": "2026-04-03T01:33:55Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-846p-hgpv-vphc" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-846p-hgpv-vphc", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [], "credits": [ "feiyang666" ], "aliases": [ "GHSA-846p-hgpv-vphc" ], "source_feed": "ghsa-without-cve" }, { "id": "CVE-2026-34426", "severity": "high", "type": "unknown_cwe_184", "nvd_category_id": "CWE-184", "title": "OpenClaw versions prior to commit b57b680 contain an approval bypass vulnerability due to inconsiste...", "description": "OpenClaw versions prior to commit b57b680 contain an approval bypass vulnerability due to inconsistent environment variable normalization between approval and execution paths, allowing attackers to inject attacker-controlled environment variables into execution without approval system validation. Attackers can exploit differing normalization logic to discard non-portable keys during approval processing while accepting them at execution time, bypassing operator review and potentially influencing runtime behavior including execution of attacker-controlled binaries.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-02T19:21:31.727", "references": [ "https://github.com/openclaw/openclaw/commit/b57b680c0c34de907d57f60c38fb358e82aef8f7", "https://github.com/openclaw/openclaw/pull/59182", "https://github.com/openclaw/openclaw/security/advisories/GHSA-98ch-45wp-ch47" ], "cvss_score": 7.6, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34426", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.6); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-34425", "severity": "medium", "type": "unknown_cwe_184", "nvd_category_id": "CWE-184", "title": "OpenClaw versions prior to commit 8aceaf5 contain a preflight validation bypass vulnerability in she...", "description": "OpenClaw versions prior to commit 8aceaf5 contain a preflight validation bypass vulnerability in shell-bleed protection that allows attackers to execute blocked script content by using piped or complex command forms that the parser fails to recognize. Attackers can craft commands such as piped execution, command substitution, or subshell invocation to bypass the validateScriptFileForShellBleed() validation checks and execute arbitrary script content that would otherwise be blocked.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-02T19:21:31.507", "references": [ "https://github.com/openclaw/openclaw/commit/8aceaf5d0f0ec552b75a792f7f0a3bfa5b091513", "https://github.com/openclaw/openclaw/security/advisories/GHSA-fvx6-pj3r-5q4q", "https://www.vulncheck.com/advisories/openclaw-shell-bleed-protection-preflight-validation-bypass" ], "cvss_score": 5.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34425", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.4); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-34510", "severity": "medium", "type": "unknown_cwe_41", "nvd_category_id": "CWE-41", "title": "OpenClaw before 2026.3.22 contains a path traversal vulnerability in Windows media loaders that acce...", "description": "OpenClaw before 2026.3.22 contains a path traversal vulnerability in Windows media loaders that accepts remote-host file URLs and UNC-style paths before local-path validation. Attackers can exploit this by providing network-hosted file targets that are treated as local content, bypassing intended access restrictions.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-04-01T16:23:50.567", "references": [ "https://github.com/openclaw/openclaw/commit/4fd7feb0fd4ec16c48ed983980dba79a09b3aaf5", "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87", "https://github.com/openclaw/openclaw/commit/93880717f1cd34feaa45e74e939b7a5256288901" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34510", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "GHSA-cwq8-6f96-g3q4", "ghsa_id": "GHSA-cwq8-6f96-g3q4", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "low", "type": "github_security_advisory", "nvd_category_id": "CWE-636", "title": "Security Scan Failure Does Not Block Plugin Installation (Fail-Open)", "description": "Summary Security Scan Failure Does Not Block Plugin Installation (Fail-Open) Current Maintainer Triage - Status: open - Normalized severity: low - Assessment: Real in shipped v2026.3.28 plugin install flow, but low severity fits because it still requires an operator to choose installation of an untrusted package and the scan failure was visible rather than silent. 
Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version: 2026.3.31 - Vulnerable version range: <=2026.3.28 - Patched versions: = 2026.3.31 - First stable tag containing the fix: v2026.3.31 Fix Commit(s) - 7a953a52271b9188a5fa830739a4366614ff9916 — 2026-03-30T15:36:08+01:00 - 44b993613601280d46a5b88190e46669fc13d669 — 2026-03-31T23:16:11+09:00 - 0d7f1e2c84eca65df7dee890d9c30e2a841c030a — 2026-03-31T23:27:20+09:00 - bf96c67fd1954740aeabfadc7cfe3098bcfc6b68 — 2026-03-31T15:53:29+01:00 Release Process Note - The fix is already present in released version 2026.3.31. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @davidluzsilva for reporting.", "affected": [ "openclaw@<=2026.3.28" ], "patched": [ "openclaw@>= 2026.3.31" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-03-31T21:45:37Z", "updated": "2026-03-31T21:45:37Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-cwq8-6f96-g3q4" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cwq8-6f96-g3q4", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-636", "CWE-754" ], "credits": [ "davidluzsilva" ], "aliases": [ "GHSA-cwq8-6f96-g3q4" ], "source_feed": "ghsa-without-cve" }, { "id": "CVE-2026-34504", "severity": "high", "type": "server_side_request_forgery", "nvd_category_id": "CWE-918", "title": "OpenClaw before 2026.3.28 contains a server-side request forgery vulnerability in the fal provider i...", "description": "OpenClaw before 2026.3.28 contains a server-side request forgery vulnerability in the fal provider image-generation-provider.ts component that allows attackers to fetch internal URLs. 
A malicious or compromised fal relay can exploit unguarded image download fetches to expose internal service metadata and responses through the image pipeline.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. See NVD for remediation details.", "published": "2026-03-31T15:16:19.687", "references": [ "https://github.com/openclaw/openclaw/commit/80d1e8a11a2ac118c7f7a70bba9c862b6141d928", "https://github.com/openclaw/openclaw/security/advisories/GHSA-qxgf-hmcj-3xw3", "https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-unguarded-image-download-in-fal-provider" ], "cvss_score": 8.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34504", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.3); remotely exploitable without authentication; SSRF affects agents making external requests", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-34503", "severity": "high", "type": "unknown_cwe_613", "nvd_category_id": "CWE-613", "title": "OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or ...", "description": "OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-31T15:16:19.470", "references": [ "https://github.com/openclaw/openclaw/commit/7a801cc451e9e667b705eeccff651923a1b8c863", "https://github.com/openclaw/openclaw/security/advisories/GHSA-2pr2-hcv6-7gwv", "https://www.vulncheck.com/advisories/openclaw-incomplete-websocket-session-termination-on-device-removal-and-token-revocation" ], "cvss_score": 8.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34503", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.1); network accessible; RCE is critical in agent deployments (the description reports revoked credentials keeping access through live sessions, not code execution)", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-33581", "severity": "medium", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows at...", "description": "OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows attackers to read arbitrary local files by using mediaUrl and fileUrl alias parameters that bypass localRoots validation. Remote attackers can exploit this by routing file requests through unvalidated alias parameters to access files outside the intended sandbox directory.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-31T15:16:15.373", "references": [ "https://github.com/openclaw/openclaw/commit/1d7cb6fc03552bbba00e7cffb3aa9741f5556416", "https://github.com/openclaw/openclaw/security/advisories/GHSA-v8wv-jg3q-qwpq", "https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-mediaurl-and-fileurl-parameters" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33581", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); network accessible; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-33580", "severity": "medium", "type": "unknown_cwe_307", "nvd_category_id": "CWE-307", "title": "OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webho...", "description": "OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication that allows attackers to brute-force weak shared secrets. Attackers who can reach the webhook endpoint can exploit this to forge inbound webhook events by repeatedly attempting authentication without throttling.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-31T15:16:15.170", "references": [ "https://github.com/openclaw/openclaw/commit/e403decb6e20091b5402780a7ccd2085f98aa3cd", "https://github.com/openclaw/openclaw/security/advisories/GHSA-9528-x887-j2fp", "https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-rate-limiting-on-webhook-shared-secret-authentication" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33580", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-33579", "severity": "critical", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command...", "description": "OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forward caller scopes into the core approval check. A caller with pairing privileges but without admin privileges can approve pending device requests asking for broader scopes including admin access by exploiting the missing scope validation in extensions/device-pair/index.ts and src/infra/device-pairing.ts.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-31T15:16:14.960", "references": [ "https://github.com/openclaw/openclaw/commit/e403decb6e20091b5402780a7ccd2085f98aa3cd", "https://github.com/openclaw/openclaw/security/advisories/GHSA-hc5h-pmr3-3497", "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-missing-caller-scope-validation-in-device-pair-approval" ], "cvss_score": 9.9, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33579", "exploitability_score": "high", "exploitability_rationale": "Critical CVSS score (9.9); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-33578", "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalou...", "description": "OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy. Attackers can exploit this policy resolution flaw to bypass sender restrictions and interact with bots despite configured allowlist restrictions.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-31T15:16:14.757", "references": [ "https://github.com/openclaw/openclaw/commit/e64a881ae0fb8af18e451163f4c2d611d60cc8e4", "https://github.com/openclaw/openclaw/security/advisories/GHSA-63mg-xp9j-jfcm", "https://www.vulncheck.com/advisories/openclaw-sender-policy-allowlist-bypass-via-policy-downgrade-in-google-chat-and-zalouser-extensions" ], "cvss_score": 4.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33578", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (4.3); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-33577", "severity": "high", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.3.28 contains an insufficient scope validation vulnerability in the node pairin...", "description": "OpenClaw before 2026.3.28 contains an insufficient scope validation vulnerability in the node pairing approval path that allows low-privilege operators to approve nodes with broader scopes. Attackers can exploit missing callerScopes validation in node-pairing.ts to extend privileges onto paired nodes beyond their authorization level.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-31T15:16:14.530", "references": [ "https://github.com/openclaw/openclaw/commit/4d7cc6bb4fac68b5a5fadd1c5a23168281221f34", "https://github.com/openclaw/openclaw/security/advisories/GHSA-2x4x-cc5g-qmmg", "https://www.vulncheck.com/advisories/openclaw-insufficient-scope-validation-in-node-pair-approve" ], "cvss_score": 8.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33577", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.1); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-33576", "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.3.28 downloads and stores inbound media from Zalo channels before validating se...", "description": "OpenClaw before 2026.3.28 downloads and stores inbound media from Zalo channels before validating sender authorization. Unauthorized senders can force network fetches and disk writes to the media store by sending messages that are subsequently rejected.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-31T15:16:14.327", "references": [ "https://github.com/openclaw/openclaw/commit/68ceaf7a5f64a23e78b95eff055e4b497218312a", "https://github.com/openclaw/openclaw/security/advisories/GHSA-v2v2-f783-358j", "https://www.vulncheck.com/advisories/openclaw-unauthorized-media-download-via-zalo-channel" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33576", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-34506", "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plu...", "description": "OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message handler synthesizes wildcard sender authorization, permitting any sender in the matched team/channel to trigger replies in allowlisted Teams routes.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-31T12:16:30.440", "references": [ "https://github.com/openclaw/openclaw/commit/88aee9161e0e6d32e810a25711e32a808a1777b2", "https://github.com/openclaw/openclaw/security/advisories/GHSA-g7cr-9h7q-4qxq", "https://www.vulncheck.com/advisories/openclaw-sender-allowlist-bypass-in-microsoft-teams-plugin-via-route-allowlist-configuration" ], "cvss_score": 4.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34506", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (4.3); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-34505", "severity": "medium", "type": "unknown_cwe_307", "nvd_category_id": "CWE-307", "title": "OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowi...", "description": "OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to bypass rate limits and brute-force webhook secrets. Attackers can submit repeated authentication requests with invalid secrets without triggering rate limit responses, enabling systematic secret guessing and subsequent forged webhook submission.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-31T12:16:30.237", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-5m9r-p9g7-679c", "https://www.vulncheck.com/advisories/openclaw-webhook-rate-limiting-bypass-via-pre-authentication-secret-validation" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34505", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32988", "severity": "high", "type": "unknown_cwe_367", "nvd_category_id": "CWE-367", "title": "OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in fs-bridge staged write...", "description": "OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in fs-bridge staged writes where temporary file creation and population are not pinned to a verified parent directory. Attackers can exploit a race condition in parent-path alias changes to write attacker-controlled bytes outside the intended validated path before the final guarded replace step executes.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-31T12:16:30.047", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-mj4p-rc52-m843", "https://www.vulncheck.com/advisories/openclaw-sandbox-boundary-bypass-via-unvalidated-temporary-file-creation" ], "cvss_score": 7.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32988", "exploitability_score": "medium", "exploitability_rationale": "High CVSS score (7.5); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32982", "severity": "high", "type": "unknown_cwe_532", "nvd_category_id": "CWE-532", "title": "OpenClaw before 2026.3.13 contains an information disclosure vulnerability in the fetchRemoteMedia f...", "description": "OpenClaw before 2026.3.13 contains an information disclosure vulnerability in the fetchRemoteMedia function that exposes Telegram bot tokens in error messages. When media downloads fail, the original Telegram file URLs containing bot tokens are embedded in MediaFetchError strings and leaked to logs and error surfaces.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-31T12:16:29.850", "references": [ "https://github.com/openclaw/openclaw/commit/7a53eb7ea8295b08be137e231c9a98c1a79b5cd5", "https://github.com/openclaw/openclaw/security/advisories/GHSA-xwcj-hwhf-h378", "https://www.vulncheck.com/advisories/openclaw-telegram-bot-token-exposure-in-media-fetch-error-logs" ], "cvss_score": 7.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32982", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32977", "severity": "medium", "type": "unknown_cwe_367", "nvd_category_id": "CWE-367", "title": "OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in the fs-bridge writeFil...", "description": "OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in the fs-bridge writeFile commit step that uses an unanchored container path during the final move operation. An attacker can exploit a time-of-check-time-of-use race condition by modifying parent paths inside the sandbox to redirect committed files outside the validated writable path within the container mount namespace.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-31T12:16:29.660", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-xvx8-77m6-gwg6", "https://www.vulncheck.com/advisories/openclaw-sandbox-boundary-bypass-via-unanchored-writefile-commit-path" ], "cvss_score": 6.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32977", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.3); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32976", "severity": "medium", "type": "insecure_direct_object_reference", "nvd_category_id": "CWE-639", "title": "OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing channel commands t...", "description": "OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing channel commands to mutate protected sibling-account configuration despite configWrites restrictions. Attackers with authorized access on one account can execute channel commands like /config set channels.<provider>.accounts.<id> to modify configuration on target accounts with configWrites: false.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-31T12:16:29.470", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-8jhh-jcqg-mj5p", "https://www.vulncheck.com/advisories/openclaw-account-scoped-configwrites-policy-bypass-via-channel-commands" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32976", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.5); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32971", "severity": "high", "type": "unknown_cwe_451", "nvd_category_id": "CWE-451", "title": "OpenClaw before 2026.3.11 contains an approval-integrity vulnerability in node-host system.run appro...", "description": "OpenClaw before 2026.3.11 contains an approval-integrity vulnerability in node-host system.run approvals that displays extracted shell payloads instead of the executed argv. Attackers can place wrapper binaries and induce wrapper-shaped commands to execute local code after operators approve misleading command text.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-31T12:16:29.280", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-rw39-5899-8mxp", "https://www.vulncheck.com/advisories/openclaw-node-host-approval-ui-mismatch-allows-execution-of-unintended-commands" ], "cvss_score": 7.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32971", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.1); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": true, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32970", "severity": "low", "type": "unknown_cwe_636", "nvd_category_id": "CWE-636", "title": "OpenClaw before 2026.3.11 contains a credential fallback vulnerability where unavailable local gatew...", "description": "OpenClaw before 2026.3.11 contains a credential fallback vulnerability where unavailable local gateway.auth.token and gateway.auth.password SecretRefs are treated as unset, allowing fallback to remote credentials in local mode. Attackers can exploit misconfigured local auth references to cause CLI and helper paths to select incorrect credential sources, potentially bypassing intended local authentication boundaries.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-31T12:16:29.113", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-qvr7-g57c-mrc7", "https://www.vulncheck.com/advisories/openclaw-credential-fallback-logic-bypass-via-unavailable-local-auth-secretrefs" ], "cvss_score": 2.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32970", "exploitability_score": "high", "exploitability_rationale": "Low CVSS score (2.5); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32921", "severity": "medium", "type": "unknown_cwe_367", "nvd_category_id": "CWE-367", "title": "OpenClaw before 2026.3.8 contains an approval bypass vulnerability in system.run where mutable scrip...", "description": "OpenClaw before 2026.3.8 contains an approval bypass vulnerability in system.run where mutable script operands are not bound across approval and execution phases. Attackers can obtain approval for script execution, modify the approved script file before execution, and execute different content while maintaining the same approved command shape.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-31T12:16:28.920", "references": [ "https://github.com/openclaw/openclaw/commit/c76d29208bf6a7f058d2cf582519d28069e42240", "https://github.com/openclaw/openclaw/commit/cf3a479bd1204f62eef7dd82b4aa328749ae6c91", "https://github.com/openclaw/openclaw/security/advisories/GHSA-8g75-q649-6pv6" ], "cvss_score": 6.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32921", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.3); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32920", "severity": "high", "type": "unknown_cwe_829", "nvd_category_id": "CWE-829", "title": "OpenClaw before 2026.3.12 automatically discovers and loads plugins from .OpenClaw/extensions/ witho...", "description": "OpenClaw before 2026.3.12 automatically discovers and loads plugins from .OpenClaw/extensions/ without explicit trust verification, allowing arbitrary code execution. Attackers can execute malicious code by including crafted workspace plugins in cloned repositories that execute when users run OpenClaw from the directory.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-31T12:16:28.727", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-99qw-6mr3-36qr", "https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-auto-discovery-of-workspace-plugins" ], "cvss_score": 8.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32920", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.4); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32917", "severity": "critical", "type": "os_command_injection", "nvd_category_id": "CWE-78", "title": "OpenClaw before 2026.3.13 contains a remote command injection vulnerability in the iMessage attachme...", "description": "OpenClaw before 2026.3.13 contains a remote command injection vulnerability in the iMessage attachment staging flow that allows attackers to execute arbitrary commands on configured remote hosts. The vulnerability exists because unsanitized remote attachment paths containing shell metacharacters are passed directly to the SCP remote operand without validation, enabling command execution when remote attachment staging is enabled.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-31T12:16:28.487", "references": [ "https://github.com/openclaw/openclaw/commit/a54bf71b4c0cbe554a84340b773df37ee8e959de", "https://github.com/openclaw/openclaw/security/advisories/GHSA-g2f6-pwvx-r275", "https://www.vulncheck.com/advisories/openclaw-remote-command-injection-via-unsanitized-imessage-attachment-paths-in-scp" ], "cvss_score": 9.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32917", "exploitability_score": "high", "exploitability_rationale": "Critical CVSS score (9.8); remotely exploitable without authentication; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32916", "severity": "critical", "type": "unknown_cwe_266", "nvd_category_id": "CWE-266", "title": "OpenClaw versions 2026.3.7 before 2026.3.11 contain an authorization bypass vulnerability where plug...", "description": "OpenClaw versions 2026.3.7 before 2026.3.11 contain an authorization bypass vulnerability where plugin subagent routes execute gateway methods through a synthetic operator client with broad administrative scopes. Remote unauthenticated requests to plugin-owned routes can invoke runtime.subagent methods to perform privileged gateway actions including session deletion and agent execution.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-31T12:16:28.197", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-xw77-45gv-p728", "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-plugin-subagent-routes-via-synthetic-admin-scopes" ], "cvss_score": 9.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32916", "exploitability_score": "high", "exploitability_rationale": "Critical CVSS score (9.4); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-33575", "severity": "high", "type": "unknown_cwe_522", "nvd_category_id": "CWE-522", "title": "OpenClaw before 2026.3.12 embeds long-lived shared gateway credentials directly in pairing setup cod...", "description": "OpenClaw before 2026.3.12 embeds long-lived shared gateway credentials directly in pairing setup codes generated by /pair endpoint and OpenClaw qr command. Attackers with access to leaked setup codes from chat history, logs, or screenshots can recover and reuse the shared gateway credential outside the intended one-time pairing flow.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-29T13:17:03.370", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-7h7g-x2px-94hj", "https://www.vulncheck.com/advisories/openclaw-long-lived-credential-exposure-in-pairing-setup-codes" ], "cvss_score": 7.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33575", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-33574", "severity": "medium", "type": "unknown_cwe_367", "nvd_category_id": "CWE-367", "title": "OpenClaw before 2026.3.8 contains a path traversal vulnerability in the skills download installer th...", "description": "OpenClaw before 2026.3.8 contains a path traversal vulnerability in the skills download installer that validates the tools root lexically but reuses the mutable path during archive download and copy operations. A local attacker can rebind the tools-root path between validation and final write to redirect the installer outside the intended tools directory.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-29T13:17:03.173", "references": [ "https://github.com/openclaw/openclaw/commit/9abf014f3502009faf9c73df5ca2cff719e54639", "https://github.com/openclaw/openclaw/security/advisories/GHSA-vhwf-4x96-vqx2", "https://www.vulncheck.com/advisories/openclaw-path-traversal-via-tools-root-rebinding-in-skills-download" ], "cvss_score": 6.2, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33574", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.2); requires local access; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-33573", "severity": "high", "type": "exposure_of_resource_to_wrong_sphere", "nvd_category_id": "CWE-668", "title": "OpenClaw before 2026.3.11 contains an authorization bypass vulnerability in the gateway agent RPC th...", "description": "OpenClaw before 2026.3.11 contains an authorization bypass vulnerability in the gateway agent RPC that allows authenticated operators with operator.write permission to override workspace boundaries by supplying attacker-controlled spawnedBy and workspaceDir values. Remote operators can escape the configured workspace boundary and execute arbitrary file and exec operations from any process-accessible directory.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-29T13:17:02.980", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-2rqg-gjgv-84jm", "https://www.vulncheck.com/advisories/openclaw-workspace-boundary-bypass-via-agent-rpc-parameters" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33573", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.8); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-33572", "severity": "high", "type": "unknown_cwe_378", "nvd_category_id": "CWE-378", "title": "OpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissio...", "description": "OpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local users to read transcript contents. Attackers with local access can read transcript files to extract sensitive information including secrets from tool output.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-29T13:17:02.770", "references": [ "https://github.com/openclaw/openclaw/commit/095d522099653367e1b76fa5bb09d4ddf7c8a57c", "https://github.com/openclaw/openclaw/security/advisories/GHSA-vr7j-g7jv-h5mp", "https://www.vulncheck.com/advisories/openclaw-insufficient-file-permissions-in-session-transcript-files" ], "cvss_score": 8.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33572", "exploitability_score": "medium", "exploitability_rationale": "High CVSS score (8.4); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32987", "severity": "critical", "type": "unknown_cwe_294", "nvd_category_id": "CWE-294", "title": "OpenClaw before 2026.3.13 allows bootstrap setup codes to be replayed during device pairing verifica...", "description": "OpenClaw before 2026.3.13 allows bootstrap setup codes to be replayed during device pairing verification in src/infra/device-bootstrap.ts. Attackers can verify a valid bootstrap code multiple times before approval to escalate pending pairing scopes, including privilege escalation to operator.admin.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-29T13:17:02.563", "references": [ "https://github.com/openclaw/openclaw/commit/1803d16d5cec970c54b0e1ac46b31b1cbade335c", "https://github.com/openclaw/openclaw/security/advisories/GHSA-63f5-hhc7-cx6p", "https://www.vulncheck.com/advisories/openclaw-bootstrap-setup-code-replay-via-device-pairing" ], "cvss_score": 9.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32987", "exploitability_score": "high", "exploitability_rationale": "Critical CVSS score (9.8); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32980", "severity": "high", "type": "unknown_cwe_770", "nvd_category_id": "CWE-770", "title": "OpenClaw before 2026.3.13 reads and buffers Telegram webhook request bodies before validating the x-...", "description": "OpenClaw before 2026.3.13 reads and buffers Telegram webhook request bodies before validating the x-telegram-bot-api-secret-token header, allowing unauthenticated attackers to exhaust server resources. Attackers can send POST requests to the webhook endpoint to force memory consumption, socket time, and JSON parsing work before authentication validation occurs.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-29T13:17:02.353", "references": [ "https://github.com/openclaw/openclaw/commit/7e49e98f79073b11134beac27fdff547ba5a4a02", "https://github.com/openclaw/openclaw/security/advisories/GHSA-jq3f-vjww-8rq7", "https://www.vulncheck.com/advisories/openclaw-resource-exhaustion-via-unauthenticated-telegram-webhook-request" ], "cvss_score": 7.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32980", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication; impact per the description is resource exhaustion (denial of service)", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32979", "severity": "high", "type": "unknown_cwe_367", "nvd_category_id": "CWE-367", "title": "OpenClaw before 2026.3.11 contains an approval integrity vulnerability allowing attackers to execute...", "description": "OpenClaw before 2026.3.11 contains an approval integrity vulnerability allowing attackers to execute rewritten local code by modifying scripts between approval and execution when exact file binding cannot occur. Remote attackers can change approved local scripts before execution to achieve unintended code execution as the OpenClaw runtime user.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-29T13:17:02.157", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-xf99-j42q-5w5p", "https://www.vulncheck.com/advisories/openclaw-unbound-interpreter-and-runtime-commands-bypass-in-node-host-approval" ], "cvss_score": 7.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32979", "exploitability_score": "medium", "exploitability_rationale": "High CVSS score (7.3); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32978", "severity": "high", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.3.11 contains an approval integrity vulnerability where system.run approvals fa...", "description": "OpenClaw before 2026.3.11 contains an approval integrity vulnerability where system.run approvals fail to bind mutable file operands for certain script runners like tsx and jiti. Attackers can obtain approval for benign script commands, rewrite referenced scripts on disk, and execute modified code under the approved run context.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-29T13:17:01.963", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-qc36-x95h-7j53", "https://www.vulncheck.com/advisories/openclaw-approval-bypass-via-unrecognized-script-runners" ], "cvss_score": 8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32978", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.0); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": true, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32975", "severity": "critical", "type": "unknown_cwe_807", "nvd_category_id": "CWE-807", "title": "OpenClaw before 2026.3.12 contains a weak authorization vulnerability in Zalouser allowlist mode tha...", "description": "OpenClaw before 2026.3.12 contains a weak authorization vulnerability in Zalouser allowlist mode that matches mutable group display names instead of stable group identifiers. Attackers can create groups with identical names to allowlisted groups to bypass channel authorization and route messages from unintended groups to the agent.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-29T13:17:01.763", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-f5mf-3r52-r83w", "https://www.vulncheck.com/advisories/openclaw-weak-authorization-via-mutable-group-names-in-zalouser-allowlist" ], "cvss_score": 9.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32975", "exploitability_score": "high", "exploitability_rationale": "Critical CVSS score (9.8); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32974", "severity": "high", "type": "unknown_cwe_347", "nvd_category_id": "CWE-347", "title": "OpenClaw before 2026.3.12 contains an authentication bypass vulnerability in Feishu webhook mode whe...", "description": "OpenClaw before 2026.3.12 contains an authentication bypass vulnerability in Feishu webhook mode when only verificationToken is configured without encryptKey, allowing acceptance of forged events. Unauthenticated network attackers can inject forged Feishu events and trigger downstream tool execution by reaching the webhook endpoint.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-29T13:17:01.570", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-g353-mgv3-8pcj", "https://www.vulncheck.com/advisories/openclaw-forged-event-injection-via-feishu-webhook-verification-token" ], "cvss_score": 8.6, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32974", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.6); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32973", "severity": "critical", "type": "unknown_cwe_625", "nvd_category_id": "CWE-625", "title": "OpenClaw before 2026.3.11 contains an exec allowlist bypass vulnerability where matchesExecAllowlist...", "description": "OpenClaw before 2026.3.11 contains an exec allowlist bypass vulnerability where matchesExecAllowlistPattern improperly normalizes patterns with lowercasing and glob matching that overmatches on POSIX paths. Attackers can exploit the ? wildcard matching across path segments to execute commands or paths not intended by operators.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-29T13:17:01.367", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-f8r2-vg7x-gh8m", "https://www.vulncheck.com/advisories/openclaw-exec-allowlist-pattern-overmatch-via-posix-path-normalization" ], "cvss_score": 9.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32973", "exploitability_score": "high", "exploitability_rationale": "Critical CVSS score (9.8); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32972", "severity": "high", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing authenticated oper...", "description": "OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing authenticated operators with only operator.write permission to access admin-only browser profile management routes through browser.request. Attackers can create or modify browser profiles and persist attacker-controlled remote CDP endpoints to disk without holding operator.admin privileges.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-29T13:17:01.167", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-vmhq-cqm9-6p7q", "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-browser-profile-management-via-browser-request" ], "cvss_score": 7.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32972", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.1); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32924", "severity": "critical", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.3.12 contains an authorization bypass vulnerability where Feishu reaction event...", "description": "OpenClaw before 2026.3.12 contains an authorization bypass vulnerability where Feishu reaction events with omitted chat_type are misclassified as p2p conversations instead of group chats. Attackers can exploit this misclassification to bypass groupAllowFrom and requireMention protections in group chat reaction-derived events.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-29T13:17:00.963", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-m69h-jm2f-2pv8", "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-misclassified-reaction-events-in-feishu" ], "cvss_score": 9.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32924", "exploitability_score": "high", "exploitability_rationale": "Critical CVSS score (9.8); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32923", "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.3.11 contains an authorization bypass vulnerability in Discord guild reaction i...", "description": "OpenClaw before 2026.3.11 contains an authorization bypass vulnerability in Discord guild reaction ingestion that fails to enforce member users and roles allowlist checks. Non-allowlisted guild members can trigger reaction events accepted as trusted system events, injecting reaction text into downstream session context.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-29T13:17:00.767", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-9vvh-2768-c8vp", "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-discord-guild-reaction-allowlist-enforcement" ], "cvss_score": 5.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32923", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.4); network accessible; impact per the description is injection of non-allowlisted reaction text into session context", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32922", "severity": "critical", "type": "unknown_cwe_266", "nvd_category_id": "CWE-266", "title": "OpenClaw before 2026.3.11 contains a privilege escalation vulnerability in device.token.rotate that ...", "description": "OpenClaw before 2026.3.11 contains a privilege escalation vulnerability in device.token.rotate that allows callers with operator.pairing scope to mint tokens with broader scopes by failing to constrain newly minted scopes to the caller's current scope set. Attackers can obtain operator.admin tokens for paired devices and achieve remote code execution on connected nodes via system.run or gain unauthorized gateway-admin access.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-29T13:17:00.573", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-4jpw-hj22-2xmc", "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-unvalidated-scope-in-device-token-rotate" ], "cvss_score": 9.9, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32922", "exploitability_score": "high", "exploitability_rationale": "Critical CVSS score (9.9); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32919", "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing write-scoped calle...", "description": "OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing write-scoped callers to reach admin-only session reset logic. Attackers with operator.write scope can issue agent requests containing /new or /reset slash commands to reset targeted conversation state without holding operator.admin privileges.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-29T13:17:00.380", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-jf6w-m8jw-jfxc", "https://www.vulncheck.com/advisories/openclaw-unauthorized-session-reset-via-agent-slash-commands" ], "cvss_score": 6.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32919", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.1); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32918", "severity": "high", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.3.11 contains a session sandbox escape vulnerability in the session_status tool...", "description": "OpenClaw before 2026.3.11 contains a session sandbox escape vulnerability in the session_status tool that allows sandboxed subagents to access parent or sibling session state. Attackers can supply arbitrary sessionKey values to read or modify session data outside their sandbox scope, including persisted model overrides.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-29T13:17:00.173", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-wcxr-59v9-rxr8", "https://www.vulncheck.com/advisories/openclaw-session-sandbox-escape-via-session-status-tool" ], "cvss_score": 8.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32918", "exploitability_score": "medium", "exploitability_rationale": "High CVSS score (8.4); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32915", "severity": "high", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability allowing leaf subagents t...", "description": "OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability allowing leaf subagents to access the subagents control surface and resolve against parent requester scope instead of their own session tree. A low-privilege sandboxed leaf worker can steer or kill sibling runs and cause execution with broader tool policies by exploiting insufficient authorization checks on subagent control requests.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-29T13:16:59.973", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-4w7m-58cg-cmff", "https://www.vulncheck.com/advisories/openclaw-sandbox-boundary-bypass-via-subagent-control-surface" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32915", "exploitability_score": "medium", "exploitability_rationale": "High CVSS score (8.8); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32914", "severity": "high", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw before 2026.3.12 contains an insufficient access control vulnerability in the /config and /...", "description": "OpenClaw before 2026.3.12 contains an insufficient access control vulnerability in the /config and /debug command handlers that allows command-authorized non-owners to access owner-only surfaces. Attackers with command authorization can read or modify privileged configuration settings restricted to owners by exploiting missing owner-level permission checks.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-29T13:16:59.767", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-r7vr-gr74-94p8", "https://www.vulncheck.com/advisories/openclaw-insufficient-access-control-in-config-and-debug-endpoints" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32914", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.8); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "GHSA-39mp-545q-w789", "ghsa_id": "GHSA-39mp-545q-w789", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-285", "title": "Non-owner command-authorized sender can change the owner-only /send session delivery policy", "description": "Fixed in OpenClaw 2026.3.24, the current shipping release. Title Non-owner command-authorized sender can change the owner-only /send session delivery policy CWE CWE-285 Improper Authorization CVSS v3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L Base score: 5.4 (Medium) Severity Assessment Medium. This is a real owner-only authorization bypass, but the demonstrated impact is limited to persistent mutation of the current session’s delivery policy rather than direct code execution, sandbox escape, or cross-host compromise. Impact A non-owner sender who is allowed to run commands can invoke /send on|off|inherit and persistently change the current session’s sendPolicy, even though OpenClaw documents /send as owner-only. 
That lets a lower-trust participant: - disable reply delivery for the current session (/send off), suppressing future replies in that chat; - re-enable reply delivery (/send on) after the owner intentionally disabled it; - remove the session override (/send inherit). Affected Component Verified against the latest published GitHub release tag v2026.3.23 (ccfeecb6887cd97937e33a71877ad512741e82b2), published 2026-03-23T23:15:50Z. Exact vulnerable path on the shipped tag: - src/auto-reply/reply/commands-session.ts:212-239 - handleSendPolicyCommand(...) checks only params.command.isAuthorizedSender. - when true, it mutates params.sessionEntry.sendPolicy and persists the session entry. Authorization behavior that makes this reachable: - src/auto-reply/command-auth.ts:401-407 - senderIsOwner is computed separately from general command authorization. - src/auto-reply/command-auth.ts:420-429 - command authorization can succeed even when senderIsOwner === false. - src/auto-reply/command-auth.owner-default.test.ts:10-47 - existing coverage confirms a sender can be command-authorized while not treated as owner. Documented owner-only contract: - docs/tools/slash-commands.md:112 - /send on|off|inherit is documented as owner-only. - docs/concepts/session-tool.md:156 - sendPolicy is documented as settable via sessions.patch or owner-only /send on|off|inherit. Related privilege model: - src/gateway/method-scopes.ts:131-133 - sessions.patch is admin-scoped, which reinforces that session-delivery-policy mutation is treated as privileged state. Version history: - The vulnerable handler exists in release history going back at least to commit ea018a68ccb92dbc735bc1df9880d5c95c63ca35 (refactor(auto-reply): split reply pipeline). - Earliest released affected tag found: v2026.1.14-1 - Latest released affected tag verified: v2026.3.23 Technical Reproduction 1. Check out the shipped release tag v2026.3.23. 2. 
Configure a channel where: - a non-owner sender is allowed to run commands, for example through commands.allowFrom; - the owner identity is distinct, for example via commands.ownerAllowFrom. 3. Start or reuse a session with a live sessionEntry and sessionStore. 4. Send /send off as the non-owner but command-authorized sender. 5. Confirm the resolved command context has: - isAuthorizedSender === true - senderIsOwner === false 6. Observe that the handler still accepts the command, mutates sessionEntry.sendPolicy, and persists the session entry. Demonstrated Impact The vulnerable handler performs a real persistent session-state change: - src/auto-reply/reply/commands-session.ts:232-238 - /send inherit deletes sessionEntry.sendPolicy - other modes assign sessionEntry.sendPolicy = sendPolicyCommand.mode - the handler then calls persistSessionEntry(params) The mutation is not gated by owner status, only by general command authorization. That changes subsequent delivery behavior for the current session, which matches the documented meaning of sendPolicy. Environment - Product: OpenClaw - Verified shipped tag: v2026.3.23 - Shipped tag commit: ccfeecb6887cd97937e33a71877ad512741e82b2 - Published GitHub release time: 2026-03-23T23:15:50Z - Verification date: 2026-03-24 Duplicate Check I did not find an existing GHSA for /send. This is distinct from: - GHSA-r7vr-gr74-94p8 - that advisory covered owner-only authorization bypasses for /config and /debug, not /send. This is the same authorization class, but a different privileged command surface that still lacks the owner check. 
In Scope Check This report is in scope under SECURITY.md because: - it does not rely on adversarial operators sharing one gateway host or config; - it does not rely on trusted local state tampering; - SECURITY.md:151-152 explicitly says non-owner sender status matters for owner-only tools and commands; - /send is explicitly documented as owner-only, so this is a direct owner-only authorization bypass, not a complaint about normal shared-agent steering. This is therefore a concrete authorization flaw against a documented product boundary. Remediation Advice 1. Change /send to require owner status, not just command authorization. 2. Reuse the same owner-only rejection pattern already used by privileged command surfaces such as /config, /debug, and owner-only /plugins writes. 3. Add regression coverage for the exact case where: - a non-owner sender is command-authorized; - /send must still be rejected unless senderIsOwner === true. 4. Verify that the owner can still use /send on|off|inherit normally.", "affected": [ "openclaw@<= 2026.3.22" ], "patched": [ "openclaw@>= 2026.3.24" ], "platforms": [ "openclaw" ], "action": "Update OpenClaw to 2026.3.24 or later, the release this advisory names as fixed. The advisory text verifies v2026.3.23 as affected, so treat 2026.3.23 as vulnerable even though the affected range in this entry lists <= 2026.3.22. Review the GitHub Security Advisory for details; no CVE is assigned yet.", "published": "2026-03-27T15:52:20Z", "updated": "2026-03-27T15:52:20Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-39mp-545q-w789" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-39mp-545q-w789", "nvd_url": null, "cvss_score": 5.4, "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "cwe_ids": [ "CWE-285" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-39mp-545q-w789" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-vqvg-86cc-cg83", "ghsa_id": "GHSA-vqvg-86cc-cg83", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "missing_authorization", 
"nvd_category_id": "CWE-862", "title": "Mutating internal /allowlist chat commands missed operator.admin scope enforcement", "description": "Fixed in OpenClaw 2026.3.24, the current shipping release. Title Mutating internal /allowlist chat commands missed operator.admin scope enforcement CWE CWE-862 Missing Authorization CVSS v3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Base score: 6.5 (Medium) Severity Assessment Medium. This is a real authorization flaw in OpenClaw’s internal control plane. The issue does not require host access, trusted local state tampering, or multi-tenant assumptions, but exploitation does require an already authenticated internal Gateway caller with operator.write. Impact An authenticated internal Gateway caller limited to operator.write can perform state-changing /allowlist actions without operator.admin, even though comparable mutating internal chat commands already require operator.admin. The reachable effects are persistent changes to config-backed allowFrom entries and pairing-store-backed allowlist entries. This is not a semantic-modeling complaint and not a generic “trusted operator can do things” claim. It is a missing authorization check inside OpenClaw’s own internal scope model, where peer mutating command surfaces already distinguish operator.write from operator.admin. Affected Component Verified against the latest published GitHub release tag v2026.3.23 (ccfeecb6887cd97937e33a71877ad512741e82b2), published 2026-03-23T23:15:50Z. Exact vulnerable path on the shipped tag: - src/auto-reply/reply/commands-allowlist.ts:251-254 - /allowlist authorization uses only rejectUnauthorizedCommand(...). - src/auto-reply/reply/commands-allowlist.ts:386-524 - mutating config and pairing-store writes happen here, but there is no requireGatewayClientScopeForInternalChannel(..., operator.admin, ...). Reachability and scope model: - src/gateway/method-scopes.ts:94-109 - chat.send is a write-scoped method. 
- src/gateway/server.chat.gateway-server-chat.test.ts:539-559 - existing runtime coverage proves chat.send routes slash commands without an agent run. - src/auto-reply/command-auth.ts:574-577 - internal callers become senderIsOwner only when GatewayClientScopes includes operator.admin. Comparable internal mutating command paths already enforce operator.admin: - src/auto-reply/reply/commands-config.ts:64-73 - src/auto-reply/reply/commands-mcp.ts:89-96 - src/auto-reply/reply/commands-plugins.ts:387-394 - src/auto-reply/reply/commands-acp.ts:98-106 Version history: - Introduced by commit 555b2578a8cc6e1b93f717496935ead97bfbed8b (feat: add /allowlist command) - Earliest released affected tag found: v2026.1.20 - Latest released affected tag verified: v2026.3.23 Technical Reproduction 1. Check out the shipped release tag v2026.3.23. 2. Use an internal command context with: - Provider = \"webchat\" - Surface = \"webchat\" - GatewayClientScopes = [\"operator.write\"] - params.command.channel = \"webchat\" 3. Route a slash command through chat.send. 4. Execute either of these mutating commands: - /allowlist add dm channel=telegram 789 - /allowlist add dm --store channel=telegram 789 5. Confirm the command context is authorized but not owner-equivalent: - isAuthorizedSender === true - senderIsOwner === false 6. Observe that the commands still succeed and perform persistent writes. Demonstrated Impact The vulnerable handler performs real state mutation for a low-scope internal caller: - Config-backed mutation path: - src/auto-reply/reply/commands-allowlist.ts:398-503 - reads the config snapshot, applies the edit, validates, and writes the updated config to disk. - Store-backed mutation path: - src/auto-reply/reply/commands-allowlist.ts:479-485 - src/auto-reply/reply/commands-allowlist.ts:513-518 - updates the pairing-store allowlist without any admin-scope gate. The result is successful persistence, not just a misleading success message. 
Environment - Product: OpenClaw - Verified shipped tag: v2026.3.23 - Shipped tag commit: ccfeecb6887cd97937e33a71877ad512741e82b2 - Published GitHub release time: 2026-03-23T23:15:50Z - Verification date: 2026-03-24 Duplicate Check This is not a duplicate of: - GHSA-pjvx-rx66-r3fg - that advisory covered cross-account scoping in /allowlist ... --store, not missing internal operator.admin enforcement. - GHSA-hfpr-jhpq-x4rm - that advisory covered /config writes through chat.send, not /allowlist. - GHSA-3w6x-gv34-mqpf - same authorization class, but different command path (/acp, not /allowlist). In Scope Check This report is in scope under SECURITY.md because: - it does not rely on adversarial operators sharing one gateway host or config; - it does not target the HTTP compatibility endpoints that SECURITY.md explicitly treats as full operator-access surfaces; - it demonstrates a real authorization mismatch inside OpenClaw’s own internal control-plane scope model (operator.write vs operator.admin); - peer mutating internal chat commands already enforce operator.admin, so this is not a request for a new boundary but a missing check on an existing one. This is therefore a concrete authorization bug, not a trusted-operator hardening suggestion. Remediation Advice 1. Add requireGatewayClientScopeForInternalChannel(..., allowedScopes: [\"operator.admin\"], ...) to the mutating internal /allowlist paths. 2. Add regression coverage for both mutation modes: - internal operator.write must be rejected; - internal operator.admin must be allowed. 3. Cover both config-backed and store-backed writes. 4. 
Audit other mutating internal chat-command paths for the same missing-scope pattern.", "affected": [ "openclaw@<= 2026.3.22" ], "patched": [ "openclaw@>= 2026.3.24" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-03-27T15:52:18Z", "updated": "2026-03-27T15:52:18Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-vqvg-86cc-cg83" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vqvg-86cc-cg83", "nvd_url": null, "cvss_score": 6.5, "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "cwe_ids": [ "CWE-862" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-vqvg-86cc-cg83" ], "source_feed": "ghsa-without-cve" }, { "id": "CVE-2026-32846", "severity": "high", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "OpenClaw before 2026.3.28 contains a path traversal vulnerability in media parsing that allows attac...", "description": "OpenClaw before 2026.3.28 contains a path traversal vulnerability in media parsing that allows attackers to read arbitrary files by bypassing path validation in the isLikelyLocalPath() and isValidMedia() functions. Attackers can exploit incomplete validation and the allowBareFilename bypass to reference files outside the intended application sandbox, resulting in disclosure of sensitive information including system files, environment files, and SSH keys.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-26T17:16:37.640", "references": [ "https://github.com/openclaw/openclaw/commit/4797bbc5b96e2cca5532e43b58915c051746fe37", "https://github.com/openclaw/openclaw/pull/54642", "https://github.com/openclaw/openclaw/security/advisories/GHSA-f6pf-4gjx-c94r" ], "cvss_score": 7.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32846", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "GHSA-cfp9-w5v9-3q4h", "ghsa_id": "GHSA-cfp9-w5v9-3q4h", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "Image tool bypassed tools.fs.workspaceOnly and could read mounted files outside the workspace", "description": "Summary The image tool did not fully honor the tools.fs.workspaceOnly filesystem boundary. In affected releases, image-path resolution could still traverse sandbox bridge mounts outside the workspace and read files from mounted directories that the other file tools would reject. Affected Packages / Versions - Package: openclaw (npm) - Affected: < 2026.3.2 - Fixed: = 2026.3.2 - Latest released tags checked: v2026.3.23 (ccfeecb6887cd97937e33a71877ad512741e82b2) and v2026.3.23-2 (630f1479c44f78484dfa21bb407cbe6f171dac87) - Latest published npm version checked: 2026.3.23-2 Fix Commit(s) - dd9d9c1c609dcb4579f9e57bd7b5c879d0146b53 - 14baadda2c456f3cf749f1f97e8678746a34a7f4 Release Status The complete fix shipped in v2026.3.2 and remains present in v2026.3.23 and v2026.3.23-2. 
Code-Level Confirmation - src/agents/openclaw-tools.ts now passes fsPolicy into createImageTool, so the image tool receives the same workspace-only policy input as the other filesystem tools. - src/agents/tools/image-tool.ts, src/agents/tools/media-tool-shared.ts, and src/agents/sandbox-media-paths.ts now restrict local roots and sandbox-bridge resolution to the workspace when tools.fs.workspaceOnly is enabled. Thanks @YLChen-007 for reporting.", "affected": [ "openclaw@< 2026.3.2" ], "patched": [ "openclaw@>= 2026.3.2" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-03-24T18:07:14Z", "updated": "2026-03-24T18:07:14Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-cfp9-w5v9-3q4h" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cfp9-w5v9-3q4h", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-863" ], "credits": [ "YLChen-007" ], "aliases": [ "GHSA-cfp9-w5v9-3q4h" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-vfg3-pqpq-93m4", "ghsa_id": "GHSA-vfg3-pqpq-93m4", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "Tlon cite expansion happened before channel and DM authorization completed.", "description": "Summary Tlon cite expansion happened before channel and DM authorization completed, allowing cite work and content handling before the final auth decision. 
Affected Packages / Versions - Package: openclaw (npm) - Affected: < 2026.3.22 - Fixed: = 2026.3.22 - Latest released tag checked: v2026.3.23-2 (630f1479c44f78484dfa21bb407cbe6f171dac87) - Latest published npm version checked: 2026.3.23-2 Fix Commit(s) - 3cbf932413e41d1836cb91aed1541a28a3122f93 - ebee4e2210e1f282a982c7ef2ad79d77a572fc87 Release Status The fix shipped in v2026.3.22 and remains present in v2026.3.23 and v2026.3.23-2. Code-Level Confirmation - extensions/tlon/src/monitor/index.ts now defers cite expansion until after authorization and preserves explicit empty-allowlist semantics. - extensions/tlon/src/monitor/utils.ts and extensions/tlon/src/security.test.ts ship the deferred cite expansion behavior and regressions. Thanks @zpbrent for reporting.", "affected": [ "openclaw@< 2026.3.22" ], "patched": [ "openclaw@>= 2026.3.22" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-03-24T17:37:07Z", "updated": "2026-03-24T17:37:07Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-vfg3-pqpq-93m4" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vfg3-pqpq-93m4", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-863" ], "credits": [ "zpbrent" ], "aliases": [ "GHSA-vfg3-pqpq-93m4" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-h3x4-hc5v-v2gm", "ghsa_id": "GHSA-h3x4-hc5v-v2gm", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-40", "title": "Windows media loaders accepted remote-host file URLs before local path validation", "description": "Summary Windows local-media handling accepted remote-host file URLs and UNC-style paths before local-path validation, so network-hosted file 
targets could be treated as local content. Affected Packages / Versions - Package: openclaw (npm) - Affected: < 2026.3.22 - Fixed: = 2026.3.22 - Latest released tag checked: v2026.3.23-2 (630f1479c44f78484dfa21bb407cbe6f171dac87) - Latest published npm version checked: 2026.3.23-2 Fix Commit(s) - 4fd7feb0fd4ec16c48ed983980dba79a09b3aaf5 - 93880717f1cd34feaa45e74e939b7a5256288901 Release Status The fix shipped in v2026.3.22 and remains present in v2026.3.23 and v2026.3.23-2. Code-Level Confirmation - src/infra/local-file-access.ts now rejects remote-host file: URLs and UNC/network paths as non-local input. - src/media/web-media.ts, src/media-understanding/attachments.normalize.ts, and src/agents/sandbox-paths.ts all route through the shared local-file guard. Thanks @RacerZ-fighting, @Fushuling for reporting.", "affected": [ "openclaw@< 2026.3.22" ], "patched": [ "openclaw@>= 2026.3.22" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-03-24T17:36:44Z", "updated": "2026-03-24T17:36:44Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-h3x4-hc5v-v2gm" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h3x4-hc5v-v2gm", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-40" ], "credits": [ "RacerZ-fighting", "Fushuling" ], "aliases": [ "GHSA-h3x4-hc5v-v2gm" ], "source_feed": "ghsa-without-cve" }, { "id": "CVE-2026-32913", "severity": "critical", "type": "unknown_cwe_522", "nvd_category_id": "CWE-522", "title": "OpenClaw before 2026.3.7 contains an improper header validation vulnerability in fetchWithSsrFGuard ...", "description": "OpenClaw before 2026.3.7 contains an improper header validation vulnerability in fetchWithSsrFGuard that forwards custom authorization headers across cross-origin redirects. 
Attackers can trigger redirects to different origins to intercept sensitive headers like X-Api-Key and Private-Token intended for the original destination.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. See NVD for remediation details.", "published": "2026-03-23T22:16:30.433", "references": [ "https://github.com/openclaw/openclaw/commit/46715371b0612a6f9114dffd1466941ac476cef5", "https://github.com/openclaw/openclaw/security/advisories/GHSA-6mgf-v5j7-45cr", "https://vulncheck.com/advisories/openclaw-mar-custom-authorization-header-leakage-via-cross-origin-redirects" ], "cvss_score": 9.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32913", "exploitability_score": "high", "exploitability_rationale": "Critical CVSS score (9.3); remotely exploitable without authentication; SSRF affects agents making external requests", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-27646", "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw versions prior to 2026.3.7 contain a sandbox escape vulnerability in the /acp spawn command...", "description": "OpenClaw versions prior to 2026.3.7 contain a sandbox escape vulnerability in the /acp spawn command that allows authorized sandboxed sessions to initialize host-side ACP runtime. Attackers can bypass sandbox restrictions by invoking the /acp spawn slash-command to cross from sandboxed chat context into host-side ACP session initialization when ACP is enabled.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-23T22:16:25.660", "references": [ "https://github.com/openclaw/openclaw/commit/61000b8e4ded919ca1a825d4700db4cb3fdc56e3", "https://github.com/openclaw/openclaw/security/advisories/GHSA-9q36-67vc-rrwg", "https://vulncheck.com/advisories/openclaw-mar-sandbox-escape-via-acp-spawn-command" ], "cvss_score": 6.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27646", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.1); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-27183", "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw versions prior to 2026.3.7 contain a shell approval gating bypass vulnerability in system.r...", "description": "OpenClaw versions prior to 2026.3.7 contain a shell approval gating bypass vulnerability in system.run dispatch-wrapper handling that allows attackers to skip shell wrapper approval requirements. The approval classifier and execution planner apply different depth-boundary rules, permitting exactly four transparent dispatch wrappers like repeated env invocations before /bin/sh -c to bypass security=allowlist approval gating by misaligning classification with execution planning.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-23T22:16:25.443", "references": [ "https://github.com/openclaw/openclaw/commit/2fc95a7cfc1eb9306356510b0251b6d51fb1c0b0", "https://github.com/openclaw/openclaw/security/advisories/GHSA-r6qf-8968-wj9q", "https://vulncheck.com/advisories/openclaw-mar-shell-approval-gating-bypass-via-dispatch-wrapper-depth-mismatch" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27183", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.3); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32899", "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw versions prior to 2026.2.25 fail to consistently apply sender-policy checks to reaction_* a...", "description": "OpenClaw versions prior to 2026.2.25 fail to consistently apply sender-policy checks to reaction_* and pin_* non-message events before adding them to system-event context. Attackers can bypass configured DM policies and channel user allowlists to inject unauthorized reaction and pin events from restricted senders.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-21T01:17:11.067", "references": [ "https://github.com/openclaw/openclaw/commit/75dfb71e4e8b7c2feba5a8ca662f92ea840e0147", "https://github.com/openclaw/openclaw/commit/aedf62ac7e669a89c7b299201bf6537dc6b12e0e", "https://github.com/openclaw/openclaw/security/advisories/GHSA-rm2p-j3r7-4x4j" ], "cvss_score": 4.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32899", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (4.3); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32898", "severity": "medium", "type": "unknown_cwe_807", "nvd_category_id": "CWE-807", "title": "OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerability in the ACP client...", "description": "OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerability in the ACP client that auto-approves tool calls based on untrusted toolCall.kind metadata and permissive name heuristics. Attackers can bypass interactive approval prompts for read-class operations by spoofing tool metadata or using non-core read-like names to reach auto-approve paths.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-21T01:17:10.870", "references": [ "https://github.com/openclaw/openclaw/commit/12cc754332f9a7c92e158ce7644aa22df79c0904", "https://github.com/openclaw/openclaw/commit/63dcd28ae0be2de1c75af09cc81841cebeec068f", "https://github.com/openclaw/openclaw/security/advisories/GHSA-7jx5-9fjg-hp4m" ], "cvss_score": 5.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32898", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.4); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32897", "severity": "low", "type": "unknown_cwe_320", "nvd_category_id": "CWE-320", "title": "OpenClaw versions prior to 2026.2.22 reuse gateway.auth.token as a fallback hash secret for owner-ID...", "description": "OpenClaw versions prior to 2026.2.22 reuse gateway.auth.token as a fallback hash secret for owner-ID prompt obfuscation when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is unset, creating dual-use of authentication secrets across security domains. Attackers with access to system prompts sent to third-party model providers can derive the gateway authentication token from the hash outputs, compromising gateway authentication security.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-21T01:17:10.673", "references": [ "https://github.com/openclaw/openclaw/commit/c99e7696e6893083b256f0a6c88fb060f3a76fb7", "https://github.com/openclaw/openclaw/security/advisories/GHSA-v6x2-2qvm-6gv8", "https://www.vulncheck.com/advisories/openclaw-authentication-token-reuse-in-owner-id-prompt-hashing-fallback" ], "cvss_score": 3.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32897", "exploitability_score": "low", "exploitability_rationale": "Low CVSS score (3.7); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32896", "severity": "medium", "type": "missing_authentication_for_critical_function", "nvd_category_id": "CWE-306", "title": "The BlueBubbles webhook handler in OpenClaw versions prior to 2026.2.21 contains a passwordless fall...", "description": "The BlueBubbles webhook handler in OpenClaw versions prior to 2026.2.21 contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local routing configurations. Attackers can bypass webhook authentication by exploiting the loopback/proxy heuristics to send unauthenticated webhook events to the BlueBubbles plugin.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-21T01:17:10.510", "references": [ "https://github.com/openclaw/openclaw/commit/283029bdea23164ab7482b320cb420d1b90df806", "https://github.com/openclaw/openclaw/commit/6b2f2811dc623e5faaf2f76afaa9279637174590", "https://github.com/openclaw/openclaw/security/advisories/GHSA-5mx2-2mgw-x8rm" ], "cvss_score": 4.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32896", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (4.8); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32895", "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw versions prior to 2026.2.26 fail to enforce sender authorization in member and message subt...", "description": "OpenClaw versions prior to 2026.2.26 fail to enforce sender authorization in member and message subtype system event handlers, allowing unauthorized events to be enqueued. Attackers can bypass Slack DM allowlists and per-channel user allowlists by sending system events from non-allowlisted senders through message_changed, message_deleted, and thread_broadcast events.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-21T01:17:10.303", "references": [ "https://github.com/openclaw/openclaw/commit/3d30ba18a2aba1e1b302e77ff33145c3b06c01c8", "https://github.com/openclaw/openclaw/security/advisories/GHSA-v8cg-4474-49v8", "https://www.vulncheck.com/advisories/openclaw-sender-authorization-bypass-in-slack-system-event-handlers" ], "cvss_score": 5.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32895", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.4); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32067", "severity": "low", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability in the pairing-st...", "description": "OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability in the pairing-store access control for direct message pairing policy that allows attackers to reuse pairing approvals across multiple accounts. An attacker approved as a sender in one account can be automatically accepted in another account in multi-account deployments without explicit approval, bypassing authorization boundaries.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-21T01:17:10.093", "references": [ "https://github.com/openclaw/openclaw/commit/a0c5e28f3bf0cc0cd9311f9e9ec2ca0352550dcf", "https://github.com/openclaw/openclaw/commit/bce643a0bd145d3e9cb55400af33bd1b85baeb02", "https://github.com/openclaw/openclaw/security/advisories/GHSA-vjp8-wprm-2jw9" ], "cvss_score": 3.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32067", "exploitability_score": "low", "exploitability_rationale": "Low CVSS score (3.7); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": true, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32065", "severity": "medium", "type": "unknown_cwe_436", "nvd_category_id": "CWE-436", "title": "OpenClaw versions prior to 2026.2.25 contain an approval-integrity bypass vulnerability in system.ru...", "description": "OpenClaw versions prior to 2026.2.25 contain an approval-integrity bypass vulnerability in system.run where rendered command text is used as approval identity while trimming argv token whitespace, but runtime execution uses raw argv. An attacker can craft a trailing-space executable token to execute a different binary than what the approver displayed, allowing unexpected command execution under the OpenClaw runtime user when they can influence command argv and reuse an approval context.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-21T01:17:09.893", "references": [ "https://github.com/openclaw/openclaw/commit/03e689fc89bbecbcd02876a95957ef1ad9caa176", "https://github.com/openclaw/openclaw/security/advisories/GHSA-hwpq-rrpf-pgcq", "https://www.vulncheck.com/advisories/openclaw-approval-identity-mismatch-in-system-run-command-execution" ], "cvss_score": 4.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32065", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (4.8); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": true, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32064", "severity": "high", "type": "missing_authentication_for_critical_function", "nvd_category_id": "CWE-306", "title": "OpenClaw versions prior to 2026.2.21 sandbox browser entrypoint launches x11vnc without authenticati...", "description": "OpenClaw versions prior to 2026.2.21 sandbox browser entrypoint launches x11vnc without authentication for noVNC observer sessions, allowing unauthenticated access to the VNC interface. Remote attackers on the host loopback interface can connect to the exposed noVNC port to observe or interact with the sandbox browser without credentials.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-21T01:17:09.697", "references": [ "https://github.com/openclaw/openclaw/commit/621d8e1312482f122f18c43c72c67211b141da01", "https://github.com/openclaw/openclaw/commit/8c1518f0f3e0533593cd2dec3a46c9b746753661", "https://github.com/openclaw/openclaw/security/advisories/GHSA-25gx-x37c-7pph" ], "cvss_score": 7.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32064", "exploitability_score": "medium", "exploitability_rationale": "High CVSS score (7.7); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32058", "severity": "low", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness in system.run exec...", "description": "OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness in system.run execution flows with host=node that allows reuse of previously approved requests with modified environment variables. Attackers with access to an approval id can exploit this by reusing an approval with changed env input, bypassing execution-integrity controls in approval-enabled workflows.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-21T01:17:09.500", "references": [ "https://github.com/openclaw/openclaw/commit/10481097f8e6dd0346db9be0b5f27570e1bdfcfa", "https://github.com/openclaw/openclaw/security/advisories/GHSA-hjvp-qhm6-wrh2", "https://www.vulncheck.com/advisories/openclaw-approval-context-binding-weakness-in-system-run-via-host-node" ], "cvss_score": 2.6, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32058", "exploitability_score": "low", "exploitability_rationale": "Low CVSS score (2.6); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": true, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32057", "severity": "high", "type": "unknown_cwe_807", "nvd_category_id": "CWE-807", "title": "OpenClaw versions prior to 2026.2.25 contain an authentication bypass vulnerability in the trusted-p...", "description": "OpenClaw versions prior to 2026.2.25 contain an authentication bypass vulnerability in the trusted-proxy Control UI pairing mechanism that accepts client.id=control-ui without proper device identity verification. An authenticated node role websocket client can exploit this by using the control-ui client identifier to skip pairing requirements and gain unauthorized access to node event execution flows.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-21T01:17:09.310", "references": [ "https://github.com/openclaw/openclaw/commit/ec45c317f5d0631a3d333b236da58c4749ede2a3", "https://github.com/openclaw/openclaw/security/advisories/GHSA-vvgp-4c28-m3jm", "https://www.vulncheck.com/advisories/openclaw-authentication-bypass-via-control-ui-client-id-parameter" ], "cvss_score": 7.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32057", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.1); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32056", "severity": "high", "type": "os_command_injection", "nvd_category_id": "CWE-78", "title": "OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and Z...", "description": "OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and ZDOTDIR in the system.run function, allowing attackers to bypass command allowlist protections. Remote attackers can inject malicious startup files such as .bash_profile or .zshenv to achieve arbitrary code execution before allowlist-evaluated commands are executed.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-21T01:17:09.103", "references": [ "https://github.com/openclaw/openclaw/commit/c2c7114ed39a547ab6276e1e933029b9530ee906", "https://github.com/openclaw/openclaw/security/advisories/GHSA-xgf2-vxv2-rrmg", "https://www.vulncheck.com/advisories/openclaw-remote-code-execution-via-shell-startup-environment-variable-injection-in-system-run" ], "cvss_score": 7.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32056", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.5); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32055", "severity": "high", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "OpenClaw versions prior to 2026.2.26 contain a path traversal vulnerability in workspace boundary va...", "description": "OpenClaw versions prior to 2026.2.26 contain a path traversal vulnerability in workspace boundary validation that allows attackers to write files outside the workspace through in-workspace symlinks pointing to non-existent out-of-root targets. The vulnerability exists because the boundary check improperly resolves aliases, permitting the first write operation to escape the workspace boundary and create files in arbitrary locations.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-21T01:17:08.903", "references": [ "https://github.com/openclaw/openclaw/commit/1aef45bc060b28a0af45a67dc66acd36aef763c9", "https://github.com/openclaw/openclaw/commit/46eba86b45e9db05b7b792e914c4fe0de1b40a23", "https://github.com/openclaw/openclaw/security/advisories/GHSA-mgrq-9f93-wpp5" ], "cvss_score": 7.6, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32055", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.6); network accessible; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32054", "severity": "medium", "type": "unknown_cwe_59", "nvd_category_id": "CWE-59", "title": "OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in browser trace and ...", "description": "OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in browser trace and download output path handling that allows local attackers to escape the managed temp root directory. An attacker with local access can create symlinks to route file writes outside the intended temp directory, enabling arbitrary file overwrite on the affected system.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-21T01:17:08.703", "references": [ "https://github.com/openclaw/openclaw/commit/496a76c03ba85e15ea715e5a583e498ae04d36e3", "https://github.com/openclaw/openclaw/security/advisories/GHSA-36h3-7c54-j27r", "https://www.vulncheck.com/advisories/openclaw-symlink-traversal-in-browser-trace-download-path-handling" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32054", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.5); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32053", "severity": "medium", "type": "unknown_cwe_294", "nvd_category_id": "CWE-294", "title": "OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication w...", "description": "OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication where normalized event IDs are randomized per parse, allowing replay events to bypass manager dedupe checks. Attackers can replay Twilio webhook events to trigger duplicate or stale call-state transitions, potentially causing incorrect call handling and state corruption.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-21T01:17:08.503", "references": [ "https://github.com/openclaw/openclaw/commit/1d28da55a5d0ff409e34999e0961157e9db0a2ab", "https://github.com/openclaw/openclaw/security/advisories/GHSA-vqx8-9xxw-f2m7", "https://www.vulncheck.com/advisories/openclaw-twilio-webhook-replay-bypass-via-randomized-event-id-normalization" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32053", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32052", "severity": "medium", "type": "unknown_cwe_436", "nvd_category_id": "CWE-436", "title": "OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability in the system.run she...", "description": "OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability in the system.run shell-wrapper that allows attackers to execute hidden commands by injecting positional argv carriers after inline shell payloads. Attackers can craft misleading approval text while executing arbitrary commands through trailing positional arguments that bypass display context validation.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-21T01:17:08.287", "references": [ "https://github.com/openclaw/openclaw/commit/0f0a680d3df81739ea5088a2f88e65f938b7936b", "https://github.com/openclaw/openclaw/commit/55cf92578d266987e390c4bf688196af98eac748", "https://github.com/openclaw/openclaw/security/advisories/GHSA-6rcp-vxwf-3mfp" ], "cvss_score": 6.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32052", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.4); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": true, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32051", "severity": "high", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw versions prior to 2026.3.1 contain an authorization mismatch vulnerability that allows auth...", "description": "OpenClaw versions prior to 2026.3.1 contain an authorization mismatch vulnerability that allows authenticated callers with operator.write scope to invoke owner-only tool surfaces including gateway and cron through agent runs in scoped-token deployments. Attackers with write-scope access can perform control-plane actions beyond their intended authorization level by exploiting inconsistent owner-only gating during agent execution.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-21T01:17:08.087", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-jr6x-2q95-fh2g", "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-agent-runs-via-owner-only-tool-access" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32051", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.8); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32050", "severity": "low", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw versions prior to 2026.2.25 contain an access control vulnerability in signal reaction noti...", "description": "OpenClaw versions prior to 2026.2.25 contain an access control vulnerability in signal reaction notification handling that allows unauthorized senders to enqueue status events before authorization checks are applied. Attackers can exploit the reaction-only event path in event-handler.ts to queue signal reaction status lines for sessions without proper DM or group access validation.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-21T01:17:07.897", "references": [ "https://github.com/openclaw/openclaw/commit/2aa7842adeedef423be7ce283a9144b9f1a0a669", "https://github.com/openclaw/openclaw/security/advisories/GHSA-792q-qw95-f446", "https://www.vulncheck.com/advisories/openclaw-unauthorized-reaction-status-event-enqueue-via-access-check-bypass" ], "cvss_score": 3.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32050", "exploitability_score": "low", "exploitability_rationale": "Low CVSS score (3.7); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32049", "severity": "high", "type": "unknown_cwe_770", "nvd_category_id": "CWE-770", "title": "OpenClaw versions prior to 2026.2.22 fail to consistently enforce configured inbound media byte limi...", "description": "OpenClaw versions prior to 2026.2.22 fail to consistently enforce configured inbound media byte limits before buffering remote media across multiple channel ingestion paths. Remote attackers can send oversized media payloads to trigger elevated memory usage and potential process instability.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-21T01:17:07.700", "references": [ "https://github.com/openclaw/openclaw/commit/73d93dee64127a26f1acd09d0403b794cdeb4f5c", "https://github.com/openclaw/openclaw/security/advisories/GHSA-rxxp-482v-7mrh", "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-inbound-media-download-byte-limit-bypass" ], "cvss_score": 7.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32049", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32048", "severity": "high", "type": "incorrect_permission_assignment", "nvd_category_id": "CWE-732", "title": "OpenClaw versions prior to 2026.3.1 fail to enforce sandbox inheritance during cross-agent sessions_...", "description": "OpenClaw versions prior to 2026.3.1 fail to enforce sandbox inheritance during cross-agent sessions_spawn operations, allowing sandboxed sessions to create child processes under unsandboxed agents. An attacker with a sandboxed session can exploit this to spawn child runtimes with sandbox.mode set to off, bypassing runtime confinement restrictions.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-21T01:17:07.510", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-p7gr-f84w-hqg5", "https://www.vulncheck.com/advisories/openclaw-sandbox-escape-via-cross-agent-sessions-spawn" ], "cvss_score": 7.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32048", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.5); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32046", "severity": "medium", "type": "unknown_cwe_1188", "nvd_category_id": "CWE-1188", "title": "OpenClaw versions prior to 2026.2.21 contain an improper sandbox configuration vulnerability that al...", "description": "OpenClaw versions prior to 2026.2.21 contain an improper sandbox configuration vulnerability that allows attackers to execute arbitrary code by exploiting renderer-side vulnerabilities without requiring a sandbox escape. Attackers can leverage the disabled OS-level sandbox protections in the Chromium browser container to achieve code execution on the host system.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-21T01:17:07.313", "references": [ "https://github.com/openclaw/openclaw/commit/1835dec2004fe7a62c6a7ba46b8485f124ec6199", "https://github.com/openclaw/openclaw/commit/e7eba01efc4c3c400e9cfd3ce3d661cbc788a631", "https://github.com/openclaw/openclaw/security/advisories/GHSA-43x4-g22p-3hrq" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32046", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.3); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32045", "severity": "medium", "type": "unknown_cwe_290", "nvd_category_id": "CWE-290", "title": "OpenClaw versions prior to 2026.2.21 incorrectly apply tokenless Tailscale header authentication to ...", "description": "OpenClaw versions prior to 2026.2.21 incorrectly apply tokenless Tailscale header authentication to HTTP gateway routes, allowing bypass of token and password requirements. Attackers on trusted networks can exploit this misconfiguration to access HTTP gateway routes without proper authentication credentials.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-21T01:17:07.140", "references": [ "https://github.com/openclaw/openclaw/commit/356d61aacfa5b0f1d5830716ec59d70682a3e7b8", "https://github.com/openclaw/openclaw/security/advisories/GHSA-hff7-ccv5-52f8", "https://www.vulncheck.com/advisories/openclaw-authentication-bypass-in-http-gateway-routes-via-tokenless-tailscale-auth" ], "cvss_score": 5.9, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32045", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.9); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32044", "severity": "medium", "type": "unknown_cwe_409", "nvd_category_id": "CWE-409", "title": "OpenClaw versions prior to 2026.3.2 contain an archive extraction vulnerability in the tar.bz2 insta...", "description": "OpenClaw versions prior to 2026.3.2 contain an archive extraction vulnerability in the tar.bz2 installer path that bypasses safety checks enforced on other archive formats. Attackers can craft malicious tar.bz2 skill archives to bypass special-entry blocking and extracted-size guardrails, causing local denial of service during skill installation.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-21T01:17:06.950", "references": [ "https://github.com/openclaw/openclaw/commit/0dbb92dd2bcf9a32379d11c0f11ed016669dae3e", "https://github.com/openclaw/openclaw/security/advisories/GHSA-77hf-7fqf-f227", "https://www.vulncheck.com/advisories/openclaw-tar-archive-safety-bypass-in-skills-installation" ], "cvss_score": 5.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32044", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.5); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32043", "severity": "medium", "type": "unknown_cwe_367", "nvd_category_id": "CWE-367", "title": "OpenClaw versions prior to 2026.2.25 contain a time-of-check-time-of-use vulnerability in approval-b...", "description": "OpenClaw versions prior to 2026.2.25 contain a time-of-check-time-of-use vulnerability in approval-bound system.run execution where the cwd parameter is validated at approval time but resolved at execution time. Attackers can retarget a symlinked cwd between approval and execution to bypass command execution restrictions and execute arbitrary commands on node hosts.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-21T01:17:06.747", "references": [ "https://github.com/openclaw/openclaw/commit/f789f880c934caa8be25b38832f27f90f37903db", "https://github.com/openclaw/openclaw/security/advisories/GHSA-mwcg-wfq3-4gjc", "https://www.vulncheck.com/advisories/openclaw-time-of-check-time-of-use-via-mutable-symlink-in-system-run-cwd-parameter" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32043", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.5); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32042", "severity": "high", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw versions 2026.2.22 prior to 2026.2.25 contain a privilege escalation vulnerability allowing...", "description": "OpenClaw versions 2026.2.22 prior to 2026.2.25 contain a privilege escalation vulnerability allowing unpaired device identities to bypass operator pairing requirements and self-assign elevated operator scopes including operator.admin. Attackers with valid shared gateway authentication can present a self-signed unpaired device identity to request and obtain higher operator scopes before pairing approval is granted.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-21T01:17:06.547", "references": [ "https://github.com/openclaw/openclaw/commit/8d1481cb4a9d31bd617e52dc8c392c35689d9dea", "https://github.com/openclaw/openclaw/security/advisories/GHSA-553v-f69r-656j", "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-unpaired-device-identity-in-shared-gateway-authentication" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32042", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.8); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-22172", "severity": "critical", "type": "missing_authorization", "nvd_category_id": "CWE-862", "title": "OpenClaw versions prior to 2026.3.12 contain an authorization bypass vulnerability in the WebSocket ...", "description": "OpenClaw versions prior to 2026.3.12 contain an authorization bypass vulnerability in the WebSocket connect path that allows shared-token or password-authenticated connections to self-declare elevated scopes without server-side binding. Attackers can exploit this logic flaw to present unauthorized scopes such as operator.admin and perform admin-only gateway operations.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-20T15:16:15.490", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-rqpp-rjj8-7wv8", "https://www.vulncheck.com/advisories/openclaw-scope-elevation-in-websocket-shared-auth-connections" ], "cvss_score": 9.9, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22172", "exploitability_score": "high", "exploitability_rationale": "Critical CVSS score (9.9); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32041", "severity": "medium", "type": "missing_authentication_for_critical_function", "nvd_category_id": "CWE-306", "title": "OpenClaw versions prior to 2026.3.1 fail to properly handle authentication bootstrap errors during s...", "description": "OpenClaw versions prior to 2026.3.1 fail to properly handle authentication bootstrap errors during startup, allowing browser-control routes to remain accessible without authentication. Local processes or loopback-reachable SSRF paths can exploit this to access browser-control routes including evaluate-capable actions without valid credentials.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:40.643", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-vpj2-69hf-rppw", "https://www.vulncheck.com/advisories/openclaw-unauthenticated-browser-control-access-via-failed-auth-bootstrap" ], "cvss_score": 6.9, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32041", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.9); requires local access; SSRF affects agents making external requests", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": false, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32040", "severity": "medium", "type": "cross_site_scripting", "nvd_category_id": "CWE-79", "title": "OpenClaw versions prior to 2026.2.23 contain an HTML injection vulnerability in the HTML session exp...", "description": "OpenClaw versions prior to 2026.2.23 contain an HTML injection vulnerability in the HTML session exporter that allows attackers to execute arbitrary JavaScript by injecting malicious mimeType values in image content blocks. Attackers can craft session entries with specially crafted mimeType attributes that break out of the img src data-URL context to achieve cross-site scripting when exported HTML is opened.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:40.420", "references": [ "https://github.com/openclaw/openclaw/pull/24140", "https://github.com/openclaw/openclaw/security/advisories/GHSA-2ww6-868g-2c56", "https://www.vulncheck.com/advisories/openclaw-html-injection-via-unvalidated-image-mime-type-in-data-url-interpolation" ], "cvss_score": 4.6, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32040", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (4.6); requires local access; XSS has limited impact in headless agents", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32039", "severity": "medium", "type": "insecure_direct_object_reference", "nvd_category_id": "CWE-639", "title": "OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the toolsBySen...", "description": "OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the toolsBySender group policy matching that allows attackers to inherit elevated tool permissions through identifier collision attacks. Attackers can exploit untyped sender keys by forcing collisions with mutable identity values such as senderName or senderUsername to bypass sender-authorization policies and gain unauthorized access to privileged tools.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:40.207", "references": [ "https://github.com/openclaw/openclaw/commit/5547a2275cb69413af3b62c795b93214fe913b57", "https://github.com/openclaw/openclaw/security/advisories/GHSA-wpph-cjgr-7c39", "https://www.vulncheck.com/advisories/openclaw-sender-authorization-bypass-via-identity-collision-in-toolsbysender" ], "cvss_score": 5.9, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32039", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.9); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32038", "severity": "critical", "type": "improper_access_control", "nvd_category_id": "CWE-284", "title": "OpenClaw before 2026.2.24 contains a sandbox network isolation bypass vulnerability that allows trus...", "description": "OpenClaw before 2026.2.24 contains a sandbox network isolation bypass vulnerability that allows trusted operators to join another container's network namespace. Attackers can configure the docker.network parameter with container: values to reach services in target container namespaces and bypass network hardening controls.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:39.997", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-ww6v-v748-x7g9", "https://www.vulncheck.com/advisories/openclaw-sandbox-network-isolation-bypass-via-docker-network-container-parameter" ], "cvss_score": 9.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32038", "exploitability_score": "high", "exploitability_rationale": "Critical CVSS score (9.8); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32037", "severity": "medium", "type": "server_side_request_forgery", "nvd_category_id": "CWE-918", "title": "OpenClaw versions prior to 2026.2.22 fail to consistently validate redirect chains against configure...", "description": "OpenClaw versions prior to 2026.2.22 fail to consistently validate redirect chains against configured mediaAllowHosts allowlists during MSTeams media downloads. Attackers can supply or influence attachment URLs to force redirects to non-allowlisted targets, bypassing SSRF boundary controls.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:39.790", "references": [ "https://github.com/openclaw/openclaw/commit/73d93dee64127a26f1acd09d0403b794cdeb4f5c", "https://github.com/openclaw/openclaw/commit/b34097f62df9d1960cc22600269cd3f3284e2124", "https://github.com/openclaw/openclaw/security/advisories/GHSA-w76h-8m22-hpgh" ], "cvss_score": 6, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32037", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.0); network accessible; SSRF affects agents making external requests", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32036", "severity": "medium", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "OpenClaw gateway plugin versions prior to 2026.2.26 contain a path traversal vulnerability that allo...", "description": "OpenClaw gateway plugin versions prior to 2026.2.26 contain a path traversal vulnerability that allows remote attackers to bypass route authentication checks by manipulating /api/channels paths with encoded dot-segment traversal sequences. Attackers can craft alternate paths using encoded traversal patterns to access protected plugin channel routes when handlers normalize the incoming path, circumventing security controls.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:39.583", "references": [ "https://github.com/openclaw/openclaw/commit/258d615c45527ffda37cecd08cd268f97461bde0", "https://github.com/openclaw/openclaw/security/advisories/GHSA-mwxv-35wr-4vvj", "https://www.vulncheck.com/advisories/openclaw-authentication-bypass-via-encoded-dot-segment-traversal-in-api-channels" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32036", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32035", "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw versions prior to 2026.3.2 fail to pass the senderIsOwner flag when processing Discord voic...", "description": "OpenClaw versions prior to 2026.3.2 fail to pass the senderIsOwner flag when processing Discord voice transcripts in agentCommand, causing the flag to default to true. Non-owner voice participants can exploit this omission to access owner-only tools including gateway and cron functionality in mixed-trust channels.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:39.373", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-wpg9-4g4v-f9rc", "https://www.vulncheck.com/advisories/openclaw-missing-owner-flag-validation-in-discord-voice-transcript-handler" ], "cvss_score": 5.9, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32035", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.9); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": true, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32034", "severity": "high", "type": "os_command_injection", "nvd_category_id": "CWE-78", "title": "OpenClaw versions prior to 2026.2.21 contain an authentication bypass vulnerability in the Control U...", "description": "OpenClaw versions prior to 2026.2.21 contain an authentication bypass vulnerability in the Control UI when allowInsecureAuth is explicitly enabled and the gateway is exposed over plaintext HTTP, allowing attackers to bypass device identity and pairing verification. An attacker with leaked or intercepted credentials can obtain high-privilege Control UI access by exploiting the lack of secure authentication enforcement over unencrypted HTTP connections.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:39.167", "references": [ "https://github.com/openclaw/openclaw/commit/40a292619e1f2be3a3b1db663d7494c9c2dc0abf", "https://github.com/openclaw/openclaw/security/advisories/GHSA-3cvx-236h-m9fj", "https://www.vulncheck.com/advisories/openclaw-insecure-control-ui-authentication-over-plaintext-http" ], "cvss_score": 8.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32034", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.1); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32033", "severity": "medium", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "OpenClaw versions prior to 2026.2.24 contain a path traversal vulnerability where @-prefixed absolut...", "description": "OpenClaw versions prior to 2026.2.24 contain a path traversal vulnerability where @-prefixed absolute paths bypass workspace-only file-system boundary validation due to canonicalization mismatch. Attackers can exploit this by crafting @-prefixed paths like @/etc/passwd to read files outside the intended workspace boundary when tools.fs.workspaceOnly is enabled.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:38.957", "references": [ "https://github.com/openclaw/openclaw/commit/9ef0fc2ff8fa7b145d1e746d6eb030b1bf692260", "https://github.com/openclaw/openclaw/security/advisories/GHSA-27cr-4p5m-74rj", "https://www.vulncheck.com/advisories/openclaw-path-traversal-via-prefixed-absolute-paths-in-workspace-boundary-validation" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32033", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); network accessible; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32032", "severity": "high", "type": "unknown_cwe_426", "nvd_category_id": "CWE-426", "title": "OpenClaw versions prior to 2026.2.22 contain an arbitrary shell execution vulnerability in shell env...", "description": "OpenClaw versions prior to 2026.2.22 contain an arbitrary shell execution vulnerability in shell environment fallback that trusts the unvalidated SHELL path from the host environment. An attacker with local environment access can inject a malicious SHELL variable to execute arbitrary commands with the privileges of the OpenClaw process.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:38.750", "references": [ "https://github.com/openclaw/openclaw/commit/25e89cc86338ef475d26be043aa541dfdb95e52a", "https://github.com/openclaw/openclaw/security/advisories/GHSA-f8mp-vj46-cq8v", "https://www.vulncheck.com/advisories/openclaw-arbitrary-shell-execution-via-unvalidated-shell-environment-variable" ], "cvss_score": 7.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32032", "exploitability_score": "medium", "exploitability_rationale": "High CVSS score (7.8); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32031", "severity": "medium", "type": "unknown_cwe_288", "nvd_category_id": "CWE-288", "title": "OpenClaw versions prior to 2026.2.26 server-http contains an authentication bypass vulnerability in ...", "description": "OpenClaw versions prior to 2026.2.26 server-http contains an authentication bypass vulnerability in gateway authentication for plugin channel endpoints due to path canonicalization mismatch between the gateway guard and plugin handler routing. Attackers can bypass authentication by sending requests with alternative path encodings to access protected plugin channel APIs without proper gateway authentication.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:38.550", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-8j2w-6fmm-m587", "https://www.vulncheck.com/advisories/openclaw-authentication-bypass-via-path-canonicalization-mismatch-in-api-channels-gateway" ], "cvss_score": 4.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32031", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (4.8); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32030", "severity": "high", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the stageSandboxMedia...", "description": "OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the stageSandboxMedia function that accepts arbitrary absolute paths when iMessage remote attachment fetching is enabled. An attacker who can tamper with attachment path metadata can disclose files readable by the OpenClaw process on the configured remote host via SCP.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:38.340", "references": [ "https://github.com/openclaw/openclaw/commit/1316e5740382926e45a42097b4bfe0aef7d63e8e", "https://github.com/openclaw/openclaw/security/advisories/GHSA-x9cf-3w63-rpq9", "https://www.vulncheck.com/advisories/openclaw-sensitive-file-disclosure-via-stagesandboxmedia-path-traversal" ], "cvss_score": 7.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32030", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32029", "severity": "medium", "type": "unknown_cwe_345", "nvd_category_id": "CWE-345", "title": "OpenClaw versions prior to 2026.2.21 improperly parse the left-most X-Forwarded-For header value whe...", "description": "OpenClaw versions prior to 2026.2.21 improperly parse the left-most X-Forwarded-For header value when requests originate from configured trusted proxies, allowing attackers to spoof client IP addresses. In proxy chains that append or preserve header values, attackers can inject malicious header content to influence security decisions including authentication rate-limiting and IP-based access controls.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:38.123", "references": [ "https://github.com/openclaw/openclaw/commit/07039dc089e51589a213ec0d16f8d6f2cd871fa1", "https://github.com/openclaw/openclaw/commit/8877bfd11ec7760b115b2d0d7500a45da2749747", "https://github.com/openclaw/openclaw/security/advisories/GHSA-2rgf-hm63-5qph" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32029", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32028", "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw versions prior to 2026.2.25 fail to enforce dmPolicy and allowFrom authorization checks on ...", "description": "OpenClaw versions prior to 2026.2.25 fail to enforce dmPolicy and allowFrom authorization checks on Discord direct-message reaction notifications, allowing non-allowlisted users to enqueue reaction-derived system events. Attackers can exploit this inconsistency by reacting to bot-authored DM messages to bypass DM authorization restrictions and trigger downstream automation or tool policies.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:37.917", "references": [ "https://github.com/openclaw/openclaw/commit/aedf62ac7e669a89c7b299201bf6537dc6b12e0e", "https://github.com/openclaw/openclaw/security/advisories/GHSA-354r-7mfh-7rh2", "https://www.vulncheck.com/advisories/openclaw-missing-authorization-check-in-discord-dm-reaction-ingress" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32028", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32027", "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-...", "description": "OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-store identities are incorrectly eligible for group allowlist authorization checks. Attackers can exploit this cross-context authorization flaw by using a sender approved via DM pairing to satisfy group sender allowlist checks without explicit presence in groupAllowFrom, bypassing group message access controls.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:37.713", "references": [ "https://github.com/openclaw/openclaw/commit/051fdcc428129446e7c084260f837b7284279ce9", "https://github.com/openclaw/openclaw/commit/8bdda7a651c21e98faccdbbd73081e79cffe8be0", "https://github.com/openclaw/openclaw/security/advisories/GHSA-jv6r-27ww-4gw4" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32027", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.5); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32026", "severity": "medium", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "OpenClaw versions prior to 2026.2.24 contain an improper path validation vulnerability in sandbox me...", "description": "OpenClaw versions prior to 2026.2.24 contain an improper path validation vulnerability in sandbox media handling that allows absolute paths under the host temporary directory outside the active sandbox root. Attackers can exploit this by providing malicious media references to read and exfiltrate arbitrary files from the host temporary directory through attachment delivery mechanisms.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:37.510", "references": [ "https://github.com/openclaw/openclaw/commit/79a7b3d22ef92e36a4031093d80a0acb0d82f351", "https://github.com/openclaw/openclaw/commit/d3da67c7a9b463edc1a9b1c1f7af107a34ca32f5", "https://github.com/openclaw/openclaw/commit/def993dbd843ff28f2b3bad5cc24603874ba9f1e" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32026", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); network accessible; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32025", "severity": "high", "type": "unknown_cwe_307", "nvd_category_id": "CWE-307", "title": "OpenClaw versions prior to 2026.2.25 contain an authentication hardening gap in browser-origin WebSo...", "description": "OpenClaw versions prior to 2026.2.25 contain an authentication hardening gap in browser-origin WebSocket clients that allows attackers to bypass origin checks and auth throttling on loopback deployments. An attacker can trick a user into opening a malicious webpage and perform password brute-force attacks against the gateway to establish an authenticated operator session and invoke control-plane methods.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:37.210", "references": [ "https://github.com/openclaw/openclaw/commit/c736f11a16d6bc27ea62a0fe40fffae4cb071fdb", "https://github.com/openclaw/openclaw/security/advisories/GHSA-jmmg-jqc7-5qf4", "https://www.vulncheck.com/advisories/openclaw-password-brute-force-via-browser-origin-websocket-authentication-bypass" ], "cvss_score": 7.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32025", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.5); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": true, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32024", "severity": "medium", "type": "unknown_cwe_59", "nvd_category_id": "CWE-59", "title": "OpenClaw versions prior to 2026.2.22 contain a symlink traversal vulnerability in avatar handling th...", "description": "OpenClaw versions prior to 2026.2.22 contain a symlink traversal vulnerability in avatar handling that allows attackers to read arbitrary files outside the configured workspace boundary. Remote attackers can exploit this by requesting avatar resources through gateway surfaces to disclose local files accessible to the OpenClaw process.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:36.737", "references": [ "https://github.com/openclaw/openclaw/commit/3d0337504349954237d09e4d957df5cb844d5e77", "https://github.com/openclaw/openclaw/commit/6970c2c2db3ee069ef0fff0ade5cfbdd0134f9d2", "https://github.com/openclaw/openclaw/security/advisories/GHSA-rx3g-mvc3-qfjf" ], "cvss_score": 5.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32024", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.5); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32023", "severity": "high", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw versions prior to 2026.2.24 contain an approval gating bypass vulnerability in system.run a...", "description": "OpenClaw versions prior to 2026.2.24 contain an approval gating bypass vulnerability in system.run allowlist mode where nested transparent dispatch wrappers can suppress shell-wrapper detection. Attackers can exploit this by chaining multiple dispatch wrappers like /usr/bin/env to execute /bin/sh -c commands without triggering the expected approval prompt in allowlist plus ask=on-miss configurations.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:36.520", "references": [ "https://github.com/openclaw/openclaw/commit/57c9a18180c8b14885bbd95474cbb17ff2d03f0b", "https://github.com/openclaw/openclaw/security/advisories/GHSA-ccg8-46r6-9qgj", "https://www.vulncheck.com/advisories/openclaw-approval-gating-bypass-via-dispatch-wrapper-depth-cap-mismatch-in-system-run" ], "cvss_score": 7.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32023", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.1); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32022", "severity": "medium", "type": "unknown_cwe_184", "nvd_category_id": "CWE-184", "title": "OpenClaw versions prior to 2026.2.21 contain a stdin-only policy bypass vulnerability in the grep to...", "description": "OpenClaw versions prior to 2026.2.21 contain a stdin-only policy bypass vulnerability in the grep tool within tools.exec.safeBins that allows attackers to read arbitrary files by supplying a pattern via the -e flag parameter. Attackers can include a positional filename operand to bypass file access restrictions and read sensitive files such as .env from the working directory.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:36.310", "references": [ "https://github.com/openclaw/openclaw/commit/c6ee14d60e4cbd6a82f9b2d74ebeb1e8ee814964", "https://github.com/openclaw/openclaw/security/advisories/GHSA-3xfw-4pmr-4xc5", "https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-grep-e-flag-policy-bypass" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32022", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.5); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32021", "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the Feishu all...", "description": "OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the Feishu allowFrom allowlist implementation that accepts mutable sender display names instead of enforcing ID-only matching. An attacker can set a display name equal to an allowlisted ID string to bypass authorization checks and gain unauthorized access.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:36.103", "references": [ "https://github.com/openclaw/openclaw/commit/4ed87a667263ed2d422b9d5d5a5d326e099f92c7", "https://github.com/openclaw/openclaw/security/advisories/GHSA-j4xf-96qf-rx69", "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-display-name-collision-in-feishu-allowfrom" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32021", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32020", "severity": "low", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "OpenClaw versions prior to 2026.2.22 contain a path traversal vulnerability in the static file handl...", "description": "OpenClaw versions prior to 2026.2.22 contain a path traversal vulnerability in the static file handler that follows symbolic links, allowing out-of-root file reads. Attackers can place symlinks under the Control UI root directory to bypass directory confinement checks and read arbitrary files outside the intended root.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:35.897", "references": [ "https://github.com/openclaw/openclaw/commit/7c500ff6236fa087ec1ec88696ca9f6881e90dc5", "https://github.com/openclaw/openclaw/security/advisories/GHSA-5ghc-98wh-gwwf", "https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-symlink-following-in-static-file-handler" ], "cvss_score": 3.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32020", "exploitability_score": "low", "exploitability_rationale": "Low CVSS score (3.3); requires local access; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32019", "severity": "high", "type": "server_side_request_forgery", "nvd_category_id": "CWE-918", "title": "OpenClaw versions prior to 2026.2.22 contain incomplete IPv4 special-use range validation in the isP...", "description": "OpenClaw versions prior to 2026.2.22 contain incomplete IPv4 special-use range validation in the isPrivateIpv4() function, allowing requests to RFC-reserved ranges to bypass SSRF policy checks. Attackers with network reachability to special-use IPv4 ranges can exploit web_fetch functionality to access blocked addresses such as 198.18.0.0/15 and other non-global ranges.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:35.680", "references": [ "https://github.com/openclaw/openclaw/commit/333fbb86347998526dd514290adfd5f727caa6d9", "https://github.com/openclaw/openclaw/commit/44dfbd23df453e51b71ef79a148c28c53e89168c", "https://github.com/openclaw/openclaw/commit/71bd15bb4294d3d1b54386064d69cd0f5f731bd8" ], "cvss_score": 7.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32019", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.4); network accessible; SSRF affects agents making external requests", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32018", "severity": "low", "type": "race_condition", "nvd_category_id": "CWE-362", "title": "OpenClaw versions prior to 2026.2.19 contain a race condition vulnerability in concurrent updateRegi...", "description": "OpenClaw versions prior to 2026.2.19 contain a race condition vulnerability in concurrent updateRegistry and removeRegistryEntry operations for sandbox containers and browsers. Attackers can exploit unsynchronized read-modify-write operations without locking to cause registry updates to lose data, resurrect removed entries, or corrupt sandbox state affecting list, prune, and recreate operations.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:35.463", "references": [ "https://github.com/openclaw/openclaw/commit/cc29be8c9bcdfaecb90f0ab13124c8f5362a6741", "https://github.com/openclaw/openclaw/security/advisories/GHSA-gq83-8q7q-9hfx", "https://www.vulncheck.com/advisories/openclaw-race-condition-in-sandbox-registry-write-operations" ], "cvss_score": 3.6, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32018", "exploitability_score": "low", "exploitability_rationale": "Low CVSS score (3.6); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32017", "severity": "high", "type": "unknown_cwe_184", "nvd_category_id": "CWE-184", "title": "OpenClaw versions prior to 2026.2.19 contain an allowlist bypass vulnerability in the exec safeBins ...", "description": "OpenClaw versions prior to 2026.2.19 contain an allowlist bypass vulnerability in the exec safeBins policy that allows attackers to write arbitrary files using short-option payloads. Attackers can bypass argument validation by attaching short options like -o to whitelisted binaries, enabling unauthorized file-write operations that should be denied by safeBins checks.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:35.237", "references": [ "https://github.com/openclaw/openclaw/commit/bafdbb6f112409a65decd3d4e7350fbd637c7754", "https://github.com/openclaw/openclaw/commit/cfe8457a0f4aae5324daec261d3b0aad1461a4bc", "https://github.com/openclaw/openclaw/commit/fec48a5006eab37c6a5821726ccaeec886486b13" ], "cvss_score": 7.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32017", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.1); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32016", "severity": "high", "type": "unknown_cwe_426", "nvd_category_id": "CWE-426", "title": "OpenClaw versions prior to 2026.2.22 on macOS contain a path validation bypass vulnerability in the ...", "description": "OpenClaw versions prior to 2026.2.22 on macOS contain a path validation bypass vulnerability in the exec-approval allowlist mode that allows local attackers to execute unauthorized binaries by exploiting basename-only allowlist entries. Attackers can execute same-name local binaries such as ./echo without approval when security=allowlist and ask=on-miss are configured, bypassing intended path-based policy restrictions.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:35.027", "references": [ "https://github.com/openclaw/openclaw/commit/dd41fadcaf58fd9deb963d6e163c56161e7b35dd", "https://github.com/openclaw/openclaw/security/advisories/GHSA-7f4q-9rqh-x36p", "https://www.vulncheck.com/advisories/openclaw-path-traversal-via-basename-only-allowlist-matching-on-macos" ], "cvss_score": 7.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32016", "exploitability_score": "medium", "exploitability_rationale": "High CVSS score (7.8); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32015", "severity": "high", "type": "unknown_cwe_426", "nvd_category_id": "CWE-426", "title": "OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a path hijacking vulnerability in tools.exec....", "description": "OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a path hijacking vulnerability in tools.exec.safeBins that allows attackers to bypass allowlist checks by controlling process PATH resolution. Attackers who can influence the gateway process PATH or launch environment can execute trojan binaries with allowlisted names, such as jq, circumventing executable validation controls.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:34.810", "references": [ "https://github.com/openclaw/openclaw/commit/28bac46c92069dc728524fbf383024c1b64e5c23", "https://github.com/openclaw/openclaw/security/advisories/GHSA-g75x-8qqm-2vxp", "https://www.vulncheck.com/advisories/openclaw-path-hijacking-bypass-in-tools-exec-safebins-allowlist-validation" ], "cvss_score": 7.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32015", "exploitability_score": "medium", "exploitability_rationale": "High CVSS score (7.8); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32014", "severity": "high", "type": "unknown_cwe_290", "nvd_category_id": "CWE-290", "title": "OpenClaw versions prior to 2026.2.26 contain a metadata spoofing vulnerability where reconnect platf...", "description": "OpenClaw versions prior to 2026.2.26 contain a metadata spoofing vulnerability where reconnect platform and deviceFamily fields are accepted from the client without being bound into the device-auth signature. An attacker with a paired node identity on the trusted network can spoof reconnect metadata to bypass platform-based node command policies and gain access to restricted commands.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:34.610", "references": [ "https://github.com/openclaw/openclaw/commit/7d8aeaaf06e2e616545d2c2cec7fa27f36b59b6a", "https://github.com/openclaw/openclaw/security/advisories/GHSA-r65x-2hqr-j5hf", "https://www.vulncheck.com/advisories/openclaw-node-reconnect-metadata-spoofing-via-unsigned-platform-fields" ], "cvss_score": 8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32014", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.0); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32013", "severity": "high", "type": "unknown_cwe_59", "nvd_category_id": "CWE-59", "title": "OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in the agents.files.g...", "description": "OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in the agents.files.get and agents.files.set methods that allows reading and writing files outside the agent workspace. Attackers can exploit symlinked allowlisted files to access arbitrary host files within gateway process permissions, potentially enabling code execution through file overwrite attacks.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:34.410", "references": [ "https://github.com/openclaw/openclaw/commit/125f4071bcbc0de32e769940d07967db47f09d3d", "https://github.com/openclaw/openclaw/security/advisories/GHSA-fgvx-58p6-gjwc", "https://www.vulncheck.com/advisories/openclaw-symlink-traversal-in-agents-files-methods" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32013", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.8); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32011", "severity": "high", "type": "unknown_cwe_770", "nvd_category_id": "CWE-770", "title": "OpenClaw versions prior to 2026.3.2 contain a denial of service vulnerability in webhook handlers fo...", "description": "OpenClaw versions prior to 2026.3.2 contain a denial of service vulnerability in webhook handlers for BlueBubbles and Google Chat that parse request bodies before performing authentication and signature validation. Unauthenticated attackers can exploit this by sending slow or oversized request bodies to exhaust parser resources and degrade service availability.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:34.197", "references": [ "https://github.com/openclaw/openclaw/commit/d3e8b17aa6432536806b4853edc7939d891d0f25", "https://github.com/openclaw/openclaw/security/advisories/GHSA-x4vp-4235-65hg", "https://www.vulncheck.com/advisories/openclaw-slow-request-denial-of-service-via-pre-auth-webhook-body-parsing" ], "cvss_score": 7.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32011", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication; impact is denial of service (parser resource exhaustion), not code execution", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32010", "severity": "medium", "type": "os_command_injection", "nvd_category_id": "CWE-78", "title": "OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in the safe-bin confi...", "description": "OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in the safe-bin configuration when sort is manually added to tools.exec.safeBins. Attackers can invoke sort with the --compress-program flag to execute arbitrary external programs without operator approval in allowlist mode with ask=on-miss enabled.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:33.990", "references": [ "https://github.com/openclaw/openclaw/commit/57fbbaebca4d34d17549accf6092ae26eb7b605c", "https://github.com/openclaw/openclaw/security/advisories/GHSA-4gc7-qcvf-38wg", "https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-sort-compress-program-parameter" ], "cvss_score": 6.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32010", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.3); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32009", "severity": "medium", "type": "unknown_cwe_426", "nvd_category_id": "CWE-426", "title": "OpenClaw versions prior to 2026.2.24 contain a policy bypass vulnerability in the safeBins allowlist...", "description": "OpenClaw versions prior to 2026.2.24 contain a policy bypass vulnerability in the safeBins allowlist evaluation that trusts static default directories including writable package-manager paths like /opt/homebrew/bin and /usr/local/bin. An attacker with write access to these trusted directories can place a malicious binary with the same name as an allowed executable to achieve arbitrary command execution within the OpenClaw runtime context.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:33.787", "references": [ "https://github.com/openclaw/openclaw/commit/b67e600bff696ff2ed9b470826590c0ce6b3bb0a", "https://github.com/openclaw/openclaw/security/advisories/GHSA-5gj7-jf77-q2q2", "https://www.vulncheck.com/advisories/openclaw-binary-hijacking-via-static-default-trusted-directories-in-safebins" ], "cvss_score": 5.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32009", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.7); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32008", "severity": "medium", "type": "unknown_cwe_610", "nvd_category_id": "CWE-610", "title": "OpenClaw versions prior to 2026.2.21 contain an improper URL scheme validation vulnerability in the ...", "description": "OpenClaw versions prior to 2026.2.21 contain an improper URL scheme validation vulnerability in the assertBrowserNavigationAllowed() function that allows authenticated users with browser-tool access to navigate to file:// URLs. Attackers can exploit this by accessing local files readable by the OpenClaw process user through browser snapshot and extraction actions to exfiltrate sensitive data.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:33.577", "references": [ "https://github.com/openclaw/openclaw/commit/220bd95eff6838234e8b4b711f86d4565e16e401", "https://github.com/openclaw/openclaw/security/advisories/GHSA-45cg-2683-gfmq", "https://www.vulncheck.com/advisories/openclaw-arbitrary-local-file-read-via-browser-navigation-guard" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32008", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.5); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32007", "severity": "medium", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "OpenClaw versions prior to 2026.2.23 contain a path traversal vulnerability in the experimental appl...", "description": "OpenClaw versions prior to 2026.2.23 contain a path traversal vulnerability in the experimental apply_patch tool that allows attackers with sandbox access to modify files outside the workspace directory by exploiting inconsistent enforcement of workspace-only checks on mounted paths. Attackers can use apply_patch operations on writable mounts outside the workspace root to access and modify arbitrary files on the system.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:33.370", "references": [ "https://github.com/openclaw/openclaw/commit/6634030be31e1a1842967df046c2f2e47490e6bf", "https://github.com/openclaw/openclaw/security/advisories/GHSA-h9xm-j4qg-fvpg", "https://www.vulncheck.com/advisories/openclaw-sandbox-bypass-in-apply-patch-tool-via-workspace-only-check-bypass" ], "cvss_score": 6.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32007", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.8); network accessible; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32006", "severity": "low", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-...", "description": "OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-store identities are incorrectly treated as group allowlist identities when dmPolicy=pairing and groupPolicy=allowlist. Remote attackers can send messages and reactions as DM-paired identities without explicit groupAllowFrom membership to bypass group sender authorization checks.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:33.157", "references": [ "https://github.com/openclaw/openclaw/commit/051fdcc428129446e7c084260f837b7284279ce9", "https://github.com/openclaw/openclaw/security/advisories/GHSA-25pw-4h6w-qwvm", "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-dm-pairing-store-fallback-in-group-allowlist" ], "cvss_score": 3.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32006", "exploitability_score": "low", "exploitability_rationale": "Low CVSS score (3.1); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32005", "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw versions prior to 2026.2.25 fail to enforce sender authorization checks for interactive cal...", "description": "OpenClaw versions prior to 2026.2.25 fail to enforce sender authorization checks for interactive callbacks including block_action, view_submission, and view_closed in shared workspace deployments. Unauthorized workspace members can bypass allowFrom restrictions and channel user allowlists to enqueue system-event text into active sessions.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:32.950", "references": [ "https://github.com/openclaw/openclaw/commit/ce8c67c314b93f570f53c2a9abc124e1e3a54715", "https://github.com/openclaw/openclaw/security/advisories/GHSA-x2ff-j5c2-ggpr", "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-interactive-callbacks-via-sender-check-skip" ], "cvss_score": 6.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32005", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.8); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32004", "severity": "medium", "type": "unknown_cwe_288", "nvd_category_id": "CWE-288", "title": "OpenClaw versions prior to 2026.3.2 contain an authentication bypass vulnerability in the /api/chann...", "description": "OpenClaw versions prior to 2026.3.2 contain an authentication bypass vulnerability in the /api/channels route classification due to canonicalization depth mismatch between auth-path classification and route-path canonicalization. Attackers can bypass plugin route authentication checks by submitting deeply encoded slash variants such as multi-encoded %2f to access protected /api/channels endpoints.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:32.730", "references": [ "https://github.com/openclaw/openclaw/commit/2fd8264ab03bd178e62a5f0c50d1c8556c17f12d", "https://github.com/openclaw/openclaw/commit/7a7eee920a176a0043398c6b37bf4cc6eb983eeb", "https://github.com/openclaw/openclaw/commit/93b07240257919f770d1e263e1f22753937b80ea" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32004", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32003", "severity": "medium", "type": "os_command_injection", "nvd_category_id": "CWE-78", "title": "OpenClaw versions prior to 2026.2.22 contain an environment variable injection vulnerability in the ...", "description": "OpenClaw versions prior to 2026.2.22 contain an environment variable injection vulnerability in the system.run function that allows attackers to bypass command allowlist restrictions via SHELLOPTS and PS4 environment variables. An attacker who can invoke system.run with request-scoped environment variables can execute arbitrary shell commands outside the intended allowlisted command body through bash xtrace expansion.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:32.527", "references": [ "https://github.com/openclaw/openclaw/commit/e80c803fa887f9699ad87a9e906ab5c1ff85bd9a", "https://github.com/openclaw/openclaw/security/advisories/GHSA-2fgq-7j6h-9rm4", "https://www.vulncheck.com/advisories/openclaw-remote-code-execution-via-shellopts-ps4-environment-injection-in-system-run" ], "cvss_score": 6.6, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32003", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.6); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32002", "severity": "medium", "type": "exposure_of_sensitive_information", "nvd_category_id": "CWE-200", "title": "OpenClaw versions prior to 2026.2.23 contain a sandbox bypass vulnerability in the sandboxed image t...", "description": "OpenClaw versions prior to 2026.2.23 contain a sandbox bypass vulnerability in the sandboxed image tool that fails to enforce tools.fs.workspaceOnly restrictions on mounted sandbox paths, allowing attackers to read out-of-workspace files. Attackers can load restricted mounted images and exfiltrate them through vision model provider requests to bypass sandbox confidentiality controls.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:32.327", "references": [ "https://github.com/openclaw/openclaw/commit/dd9d9c1c609dcb4579f9e57bd7b5c879d0146b53", "https://github.com/openclaw/openclaw/security/advisories/GHSA-q6qf-4p5j-r25g", "https://www.vulncheck.com/advisories/openclaw-sandbox-boundary-bypass-via-image-tool-workspaceonly-bypass" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32002", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.3); network accessible; impact is out-of-workspace file read (information disclosure), not code execution", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32001", "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw versions prior to 2026.2.22 contain an authentication bypass vulnerability that allows clie...", "description": "OpenClaw versions prior to 2026.2.22 contain an authentication bypass vulnerability that allows clients authenticated with a shared gateway token to connect as role=node without device identity verification. Attackers can exploit this by claiming the node role during WebSocket handshake to inject unauthorized node.event calls, triggering agent.request and voice.transcript flows without proper device pairing.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T22:16:32.113", "references": [ "https://github.com/openclaw/openclaw/commit/ddcb2d79b17bf2a42c5037d8aeff1537a12b931e", "https://github.com/openclaw/openclaw/security/advisories/GHSA-rv2q-f2h5-6xmg", "https://www.vulncheck.com/advisories/openclaw-node-role-device-identity-bypass-via-websocket-authentication" ], "cvss_score": 5.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32001", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.4); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32000", "severity": "high", "type": "os_command_injection", "nvd_category_id": "CWE-78", "title": "OpenClaw versions prior to 2026.2.19 contain a command injection vulnerability in the Lobster extens...", "description": "OpenClaw versions prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension tool execution that uses Windows shell fallback with shell: true after spawn failures. Attackers can inject shell metacharacters in command arguments to execute arbitrary commands when subprocess launch fails with EINVAL or ENOENT errors.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T02:16:05.793", "references": [ "https://github.com/openclaw/openclaw/commit/ba7be018da354ea9f803ed356d20464df0437916", "https://github.com/openclaw/openclaw/security/advisories/GHSA-7fcc-cw49-xm78", "https://www.vulncheck.com/advisories/openclaw-command-injection-via-windows-shell-fallback-in-lobster-tool-execution" ], "cvss_score": 7.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32000", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.1); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-31999", "severity": "medium", "type": "os_command_injection", "nvd_category_id": "CWE-78", "title": "OpenClaw versions 2026.2.26 prior to 2026.3.1 on Windows contain a current working directory injecti...", "description": "OpenClaw versions 2026.2.26 prior to 2026.3.1 on Windows contain a current working directory injection vulnerability in wrapper resolution for .cmd/.bat files that allows attackers to influence execution behavior through cwd manipulation. Remote attackers can exploit improper shell execution fallback mechanisms to achieve command execution integrity loss by controlling the current working directory during wrapper resolution.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T02:16:05.580", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-6f6j-wx9w-ff4j", "https://www.vulncheck.com/advisories/openclaw-current-working-directory-injection-via-windows-wrapper-resolution-fallback" ], "cvss_score": 6.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31999", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.3); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-31998", "severity": "high", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw versions 2026.2.22 and 2026.2.23 contain an authorization bypass vulnerability in the synol...", "description": "OpenClaw versions 2026.2.22 and 2026.2.23 contain an authorization bypass vulnerability in the synology-chat channel plugin where dmPolicy set to allowlist with empty allowedUserIds fails open. Attackers with Synology sender access can bypass authorization checks and trigger unauthorized agent dispatch and downstream tool actions.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T02:16:05.347", "references": [ "https://github.com/openclaw/openclaw/commit/0ee30361b8f6ef3f110f3a7b001da6dd3df96bb5", "https://github.com/openclaw/openclaw/commit/7655c0cb3a47d0647cbbf5284e177f90b4b82ddb", "https://github.com/openclaw/openclaw/security/advisories/GHSA-gw85-xp4q-5gp9" ], "cvss_score": 8.6, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31998", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.6); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-31997", "severity": "medium", "type": "unknown_cwe_367", "nvd_category_id": "CWE-367", "title": "OpenClaw versions prior to 2026.3.1 fail to pin executable identity for non-path-like argv[0] tokens...", "description": "OpenClaw versions prior to 2026.3.1 fail to pin executable identity for non-path-like argv[0] tokens in system.run approvals, allowing post-approval executable rebind attacks. Attackers can modify PATH resolution after approval to execute a different binary than the operator approved, enabling arbitrary command execution.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T02:16:05.130", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-q399-23r3-hfx4", "https://www.vulncheck.com/advisories/openclaw-executable-rebind-via-unbound-path-token-in-system-run-approvals" ], "cvss_score": 6, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31997", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.0); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": true, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-31996", "severity": "medium", "type": "os_command_injection", "nvd_category_id": "CWE-78", "title": "OpenClaw versions prior to 2026.2.19 tools.exec.safeBins contains an input validation bypass vulnera...", "description": "OpenClaw versions prior to 2026.2.19 tools.exec.safeBins contains an input validation bypass vulnerability that allows attackers to execute unintended filesystem operations through sort output flags or recursive grep flags. Attackers with command execution access can leverage sort -o flag for arbitrary file writes or grep -R flag for recursive file reads, circumventing intended stdin-only restrictions.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T02:16:04.917", "references": [ "https://github.com/openclaw/openclaw/commit/2c05cbb43e48ebad03626d3125746fb1b9a8520f", "https://github.com/openclaw/openclaw/security/advisories/GHSA-4685-c5cp-vp95", "https://www.vulncheck.com/advisories/openclaw-safebins-stdin-only-bypass-via-sort-output-and-recursive-grep-flags" ], "cvss_score": 4.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31996", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (4.4); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-31995", "severity": "medium", "type": "os_command_injection", "nvd_category_id": "CWE-78", "title": "OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobs...", "description": "OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism that allows attackers to inject arbitrary commands through tool-provided arguments. When spawn failures trigger shell fallback with shell: true, attackers can exploit cmd.exe command interpretation to execute malicious commands by controlling workflow arguments.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T02:16:04.707", "references": [ "https://github.com/openclaw/openclaw/commit/ba7be018da354ea9f803ed356d20464df0437916", "https://github.com/openclaw/openclaw/security/advisories/GHSA-fg3m-vhrr-8gj6", "https://www.vulncheck.com/advisories/openclaw-command-injection-via-windows-shell-fallback-in-lobster-extension" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31995", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.3); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-31994", "severity": "high", "type": "os_command_injection", "nvd_category_id": "CWE-78", "title": "OpenClaw versions prior to 2026.2.19 contain a local command injection vulnerability in Windows sche...", "description": "OpenClaw versions prior to 2026.2.19 contain a local command injection vulnerability in Windows scheduled task script generation due to unsafe handling of cmd metacharacters and expansion-sensitive characters in gateway.cmd files. Local attackers with control over service script generation arguments can inject arbitrary commands by providing metacharacter-only values or CR/LF sequences that execute unintended code in the scheduled task context.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T02:16:04.493", "references": [ "https://github.com/openclaw/openclaw/commit/280c6b117b2f0e24f398e5219048cd4cc3b82396", "https://github.com/openclaw/openclaw/security/advisories/GHSA-mqr9-vqhq-3jxw", "https://www.vulncheck.com/advisories/openclaw-local-command-injection-via-unsafe-cmd-argument-handling-in-windows-scheduled-task" ], "cvss_score": 7.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31994", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.1); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-31993", "severity": "medium", "type": "unknown_cwe_184", "nvd_category_id": "CWE-184", "title": "OpenClaw versions prior to 2026.2.22 contain an allowlist parsing mismatch vulnerability in the macO...", "description": "OpenClaw versions prior to 2026.2.22 contain an allowlist parsing mismatch vulnerability in the macOS companion app that allows authenticated operators to bypass exec approval checks. Attackers with operator.write privileges and a paired macOS beta node can craft shell-chain payloads that pass incomplete allowlist validation and execute arbitrary commands on the paired host.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T02:16:04.277", "references": [ "https://github.com/openclaw/openclaw/commit/5da03e622119fa012285cdb590fcf4264c965cb5", "https://github.com/openclaw/openclaw/commit/e371da38aab99521c4e076cd3d95fd775e00b784", "https://github.com/openclaw/openclaw/security/advisories/GHSA-5f9p-f3w2-fwch" ], "cvss_score": 4.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31993", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (4.8); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": true, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-31992", "severity": "high", "type": "unknown_cwe_184", "nvd_category_id": "CWE-184", "title": "OpenClaw versions prior to 2026.2.23 contain an allowlist bypass vulnerability in system.run guardra...", "description": "OpenClaw versions prior to 2026.2.23 contain an allowlist bypass vulnerability in system.run guardrails that allows authenticated operators to execute unintended commands. When /usr/bin/env is allowlisted, attackers can use env -S to bypass policy analysis and execute shell wrapper payloads at runtime.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T02:16:04.070", "references": [ "https://github.com/openclaw/openclaw/commit/3f923e831364d83d0f23499ee49961de334cf58b", "https://github.com/openclaw/openclaw/commit/a1c4bf07c6baad3ef87a0e710fe9aef127b1f606", "https://github.com/openclaw/openclaw/security/advisories/GHSA-48wf-g7cp-gr3m" ], "cvss_score": 7.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31992", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.1); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-31991", "severity": "low", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where Signal grou...", "description": "OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where Signal group allowlist policy incorrectly accepts sender identities from DM pairing-store approvals. Attackers can exploit this boundary weakness by obtaining DM pairing approval to bypass group allowlist checks and gain unauthorized group access.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T02:16:03.863", "references": [ "https://github.com/openclaw/openclaw/commit/64de4b6d6ae81e269ceb4ca16f53cda99ced967a", "https://github.com/openclaw/openclaw/commit/8bdda7a651c21e98faccdbbd73081e79cffe8be0", "https://github.com/openclaw/openclaw/security/advisories/GHSA-wm8r-w8pf-2v6w" ], "cvss_score": 3.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31991", "exploitability_score": "low", "exploitability_rationale": "Low CVSS score (3.7); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": true, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-31990", "severity": "medium", "type": "unknown_cwe_59", "nvd_category_id": "CWE-59", "title": "OpenClaw versions prior to 2026.3.2 contain a vulnerability in the stageSandboxMedia function in whi...", "description": "OpenClaw versions prior to 2026.3.2 contain a vulnerability in the stageSandboxMedia function in which it fails to validate destination symlinks during media staging, allowing writes to follow symlinks outside the sandbox workspace. Attackers can exploit this by placing symlinks in the media/inbound directory to overwrite arbitrary files on the host system outside sandbox boundaries.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T02:16:03.647", "references": [ "https://github.com/openclaw/openclaw/commit/17ede52a4be3034f6ec4b883ac6b81ad0101558a", "https://github.com/openclaw/openclaw/security/advisories/GHSA-cfvj-7rx7-fc7c", "https://www.vulncheck.com/advisories/openclaw-symlink-traversal-in-stagesandboxmedia-destination" ], "cvss_score": 6.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31990", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.1); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-31989", "severity": "high", "type": "server_side_request_forgery", "nvd_category_id": "CWE-918", "title": "OpenClaw versions prior to 2026.3.1 contain a server-side request forgery vulnerability in web_searc...", "description": "OpenClaw versions prior to 2026.3.1 contain a server-side request forgery vulnerability in web_search citation redirect resolution that uses a private-network-allowing SSRF policy. An attacker who can influence citation redirect targets can trigger internal-network requests from the OpenClaw host to loopback, private, or internal destinations.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T02:16:03.430", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-g99v-8hwm-g76g", "https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-web-search-citation-redirect" ], "cvss_score": 7.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31989", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.4); network accessible; SSRF affects agents making external requests", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-29608", "severity": "medium", "type": "unknown_cwe_88", "nvd_category_id": "CWE-88", "title": "OpenClaw 2026.3.1 contains an approval integrity vulnerability in system.run node-host execution whe...", "description": "OpenClaw 2026.3.1 contains an approval integrity vulnerability in system.run node-host execution where argv rewriting changes command semantics. Attackers can place malicious local scripts in the working directory to execute unintended code despite operator approval of different command text.", "affected": [ "cpe:2.3:a:openclaw:openclaw:2026.3.1:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T02:16:03.223", "references": [ "https://github.com/openclaw/openclaw/commit/dded569626b0d8e7bdab10b5e7528b6caf73a0f1", "https://github.com/openclaw/openclaw/security/advisories/GHSA-h3rm-6x7g-882f", "https://www.vulncheck.com/advisories/openclaw-approval-integrity-bypass-via-system-run-argv-rewriting" ], "cvss_score": 6.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29608", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.7); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": true, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-29607", "severity": "medium", "type": "os_command_injection", "nvd_category_id": "CWE-78", "title": "OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in allow-always w...", "description": "OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in allow-always wrapper persistence that allows attackers to bypass approval checks by persisting wrapper-level allowlist entries instead of validating inner executable intent. Remote attackers can approve benign wrapped system.run commands and subsequently execute different payloads without approval, enabling remote code execution on gateway and node-host execution flows.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T02:16:03.010", "references": [ "https://github.com/openclaw/openclaw/commit/24c954d972400f508814532dea0e4dcb38418bb0", "https://github.com/openclaw/openclaw/security/advisories/GHSA-6j27-pc5c-m8w8", "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-allow-always-wrapper-persistence" ], "cvss_score": 6.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29607", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.8); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28461", "severity": "high", "type": "unknown_cwe_770", "nvd_category_id": "CWE-770", "title": "OpenClaw versions prior to 2026.3.1 contain an unbounded memory growth vulnerability in the Zalo web...", "description": "OpenClaw versions prior to 2026.3.1 contain an unbounded memory growth vulnerability in the Zalo webhook endpoint that allows unauthenticated attackers to trigger in-memory key accumulation by varying query strings. Remote attackers can exploit this by sending repeated requests with different query parameters to cause memory pressure, process instability, or out-of-memory conditions that degrade service availability.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T02:16:02.810", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-wr6m-jg37-68xh", "https://www.vulncheck.com/advisories/openclaw-unbounded-memory-growth-in-zalo-webhook-via-query-string-key-churn" ], "cvss_score": 7.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28461", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28460", "severity": "high", "type": "os_command_injection", "nvd_category_id": "CWE-78", "title": "OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run that al...", "description": "OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run that allows attackers to execute non-allowlisted commands by splitting command substitution using shell line-continuation characters. Attackers can bypass security analysis by injecting $\\\\ followed by a newline and opening parenthesis inside double quotes, causing the shell to fold the line continuation into executable command substitution that circumvents approval boundaries.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T02:16:02.603", "references": [ "https://github.com/openclaw/openclaw/commit/3f0b9dbb36c86e308267924c0d3d4a4e1fc4d1e9", "https://github.com/openclaw/openclaw/security/advisories/GHSA-9868-vxmx-w862", "https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-shell-line-continuation-command-substitution-in-system-run" ], "cvss_score": 7.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28460", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.1); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28449", "severity": "medium", "type": "unknown_cwe_294", "nvd_category_id": "CWE-294", "title": "OpenClaw versions prior to 2026.2.25 lack durable replay state for Nextcloud Talk webhook events, al...", "description": "OpenClaw versions prior to 2026.2.25 lack durable replay state for Nextcloud Talk webhook events, allowing valid signed webhook requests to be replayed without suppression. Attackers can capture and replay previously valid signed webhook requests to trigger duplicate inbound message processing and cause integrity or availability issues.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T02:16:02.390", "references": [ "https://github.com/openclaw/openclaw/commit/d512163d686ad6741783e7119ddb3437f493dbbc", "https://github.com/openclaw/openclaw/security/advisories/GHSA-r9q5-c7qc-p26w", "https://www.vulncheck.com/advisories/openclaw-webhook-replay-attack-via-missing-durable-replay-suppression" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28449", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-27670", "severity": "medium", "type": "unknown_cwe_367", "nvd_category_id": "CWE-367", "title": "OpenClaw versions prior to 2026.3.2 contain a race condition vulnerability in ZIP extraction that al...", "description": "OpenClaw versions prior to 2026.3.2 contain a race condition vulnerability in ZIP extraction that allows local attackers to write files outside the intended destination directory. Attackers can exploit a time-of-check-time-of-use race between path validation and file write operations by rebinding parent directory symlinks to redirect writes outside the extraction root.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T02:16:02.173", "references": [ "https://github.com/openclaw/openclaw/commit/7dac9b05dd9d38dd3929637f26fa356fd8bdd107", "https://github.com/openclaw/openclaw/security/advisories/GHSA-r54r-wmmq-mh84", "https://www.vulncheck.com/advisories/openclaw-arbitrary-file-write-via-zip-extraction-parent-symlink-race-condition" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27670", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.3); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-27566", "severity": "high", "type": "os_command_injection", "nvd_category_id": "CWE-78", "title": "OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run exec an...", "description": "OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run exec analysis that fails to unwrap env and shell-dispatch wrapper chains. Attackers can route execution through wrapper binaries like env bash to smuggle payloads that satisfy allowlist entries while executing non-allowlisted commands.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T02:16:01.967", "references": [ "https://github.com/openclaw/openclaw/commit/2b63592be57782c8946e521bc81286933f0f99c7", "https://github.com/openclaw/openclaw/security/advisories/GHSA-jj82-76v6-933r", "https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-wrapper-binary-unwrapping-in-system-run" ], "cvss_score": 7.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27566", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.1); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-22176", "severity": "medium", "type": "os_command_injection", "nvd_category_id": "CWE-78", "title": "OpenClaw versions prior to 2026.2.19 contain a command injection vulnerability in Windows Scheduled ...", "description": "OpenClaw versions prior to 2026.2.19 contain a command injection vulnerability in Windows Scheduled Task script generation where environment variables are written to gateway.cmd using unquoted set KEY=VALUE assignments, allowing shell metacharacters to break out of assignment context. Attackers can inject arbitrary commands through environment variable values containing metacharacters like &, |, ^, %, or ! to achieve command execution when the scheduled task script is generated and executed.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-19T02:16:01.733", "references": [ "https://github.com/openclaw/openclaw/commit/dafe52e8cf1a041d898cfb304a485fa05e5f58fb", "https://github.com/openclaw/openclaw/security/advisories/GHSA-pj5x-38rw-6fph", "https://www.vulncheck.com/advisories/openclaw-command-injection-via-unescaped-environment-variables-in-windows-scheduled-task" ], "cvss_score": 6.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22176", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.1); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-27545", "severity": "medium", "type": "unknown_cwe_367", "nvd_category_id": "CWE-367", "title": "OpenClaw versions prior to 2026.2.26 contain an approval bypass vulnerability in system.run executio...", "description": "OpenClaw versions prior to 2026.2.26 contain an approval bypass vulnerability in system.run execution that allows attackers to execute commands from unintended filesystem locations by rebinding writable parent symlinks in the current working directory after approval. An attacker can modify mutable parent symlink path components between approval and execution time to redirect command execution to a different location while preserving the visible working directory string.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-18T02:16:23.837", "references": [ "https://github.com/openclaw/openclaw/commit/4b4718c8dfce2e2c48404aa5088af7c013bed60b", "https://github.com/openclaw/openclaw/commit/4e690e09c746408b5e27617a20cb3fdc5190dbda", "https://github.com/openclaw/openclaw/commit/78a7ff2d50fb3bcef351571cb5a0f21430a340c1" ], "cvss_score": 6.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27545", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.1); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-27524", "severity": "medium", "type": "unknown_cwe_1321", "nvd_category_id": "CWE-1321", "title": "OpenClaw versions prior to 2026.2.21 accept prototype-reserved keys in runtime /debug set override o...", "description": "OpenClaw versions prior to 2026.2.21 accept prototype-reserved keys in runtime /debug set override object values, allowing prototype pollution attacks. Authorized /debug set callers can inject __proto__, constructor, or prototype keys to manipulate object prototypes and bypass command gate restrictions.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-18T02:16:23.627", "references": [ "https://github.com/openclaw/openclaw/commit/fbb79d4013000552d6a2c23b9613d8b3cb92f6b6", "https://github.com/openclaw/openclaw/security/advisories/GHSA-62f6-mrcj-v8h5", "https://www.vulncheck.com/advisories/openclaw-prototype-pollution-via-debug-override-path" ], "cvss_score": 4.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27524", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (4.3); network accessible; prototype pollution can escalate in Node.js agents", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-27523", "severity": "medium", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "OpenClaw versions prior to 2026.2.24 contain a sandbox bind validation vulnerability allowing attack...", "description": "OpenClaw versions prior to 2026.2.24 contain a sandbox bind validation vulnerability allowing attackers to bypass allowed-root and blocked-path checks via symlinked parent directories with non-existent leaf paths. Attackers can craft bind source paths that appear within allowed roots but resolve outside sandbox boundaries once missing leaf components are created, weakening bind-source isolation enforcement.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-18T02:16:23.420", "references": [ "https://github.com/openclaw/openclaw/commit/b5787e4abba0dcc6baf09051099f6773c1679ec1", "https://github.com/openclaw/openclaw/security/advisories/GHSA-m8v2-6wwh-r4gc", "https://www.vulncheck.com/advisories/openclaw-sandbox-bind-validation-bypass-via-symlink-parent-missing-leaf-paths" ], "cvss_score": 6.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27523", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.1); requires local access; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-27522", "severity": "medium", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "OpenClaw versions prior to 2026.2.24 contain a local media root bypass vulnerability in sendAttachme...", "description": "OpenClaw versions prior to 2026.2.24 contain a local media root bypass vulnerability in sendAttachment and setGroupIcon message actions when sandboxRoot is unset. Attackers can hydrate media from local absolute paths to read arbitrary host files accessible by the runtime user.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-18T02:16:23.220", "references": [ "https://github.com/openclaw/openclaw/commit/270ab03e379f9653e15f7033c9830399b66b7e51", "https://github.com/openclaw/openclaw/security/advisories/GHSA-fqcm-97m6-w7rm", "https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-sendattachment-and-setgroupicon-message-actions" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27522", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); network accessible; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-22217", "severity": "medium", "type": "unknown_cwe_829", "nvd_category_id": "CWE-829", "title": "OpenClaw version 2026.2.22 prior to 2026.2.23 contains an arbitrary code execution vulnerability in ...", "description": "OpenClaw version 2026.2.22 prior to 2026.2.23 contains an arbitrary code execution vulnerability in shell-env that allows attackers to execute attacker-controlled binaries by exploiting trusted-prefix fallback logic for the $SHELL variable. An attacker can influence the $SHELL environment variable on systems with writable trusted-prefix directories such as /opt/homebrew/bin to execute arbitrary binaries in the OpenClaw process context.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-18T02:16:23.003", "references": [ "https://github.com/openclaw/openclaw/commit/ff10fe8b91670044a6bb0cd85deb736a0ec8fb55", "https://github.com/openclaw/openclaw/security/advisories/GHSA-p4wh-cr8m-gm6c", "https://www.vulncheck.com/advisories/openclaw-arbitrary-binary-execution-via-shell-environment-variable-trusted-prefix-fallback" ], "cvss_score": 6.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22217", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.1); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-22181", "severity": "high", "type": "server_side_request_forgery", "nvd_category_id": "CWE-918", "title": "OpenClaw versions prior to 2026.3.2 contain a DNS pinning bypass vulnerability in strict URL fetch p...", "description": "OpenClaw versions prior to 2026.3.2 contain a DNS pinning bypass vulnerability in strict URL fetch paths that allows attackers to circumvent SSRF guards when environment proxy variables are configured. When HTTP_PROXY, HTTPS_PROXY, or ALL_PROXY environment variables are present, attacker-influenced URLs can be routed through proxy behavior instead of pinned-destination routing, enabling access to internal targets reachable from the proxy environment.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-18T02:16:22.800", "references": [ "https://github.com/openclaw/openclaw/commit/345abf0b2e0f43b0f229e96f252ebf56f1e5549e", "https://github.com/openclaw/openclaw/security/advisories/GHSA-8mvx-p2r9-r375", "https://www.vulncheck.com/advisories/openclaw-dns-pinning-bypass-via-environment-proxy-configuration-in-web-fetch" ], "cvss_score": 7.6, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22181", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.6); network accessible; SSRF affects agents making external requests", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-22180", "severity": "medium", "type": "unknown_cwe_59", "nvd_category_id": "CWE-59", "title": "OpenClaw versions prior to 2026.3.2 contain a path-confinement bypass vulnerability in browser outpu...", "description": "OpenClaw versions prior to 2026.3.2 contain a path-confinement bypass vulnerability in browser output handling that allows writes outside intended root directories. Attackers can exploit insufficient canonical path-boundary validation in file write operations to escape root-bound restrictions and write files to arbitrary locations.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-18T02:16:22.583", "references": [ "https://github.com/openclaw/openclaw/commit/104d32bb64cdf19d5e77f70553a511a2ae90ad1c", "https://github.com/openclaw/openclaw/security/advisories/GHSA-3pxq-f3cp-jmxp", "https://www.vulncheck.com/advisories/openclaw-path-confinement-bypass-in-browser-output-and-file-write-operations" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22180", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.3); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-22179", "severity": "high", "type": "os_command_injection", "nvd_category_id": "CWE-78", "title": "OpenClaw versions prior to 2026.2.22 in macOS node-host system.run contain an allowlist bypass vulne...", "description": "OpenClaw versions prior to 2026.2.22 in macOS node-host system.run contain an allowlist bypass vulnerability that allows remote attackers to execute non-allowlisted commands by exploiting improper parsing of command substitution tokens. Attackers can craft shell payloads with command substitution syntax within double-quoted text to bypass security restrictions and execute arbitrary commands on the system.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-18T02:16:22.377", "references": [ "https://github.com/openclaw/openclaw/commit/90a378ca3a9ecbf1634cd247f17a35f4612c6ca6", "https://github.com/openclaw/openclaw/security/advisories/GHSA-9p38-94jf-hgjj", "https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-command-substitution-in-system-run" ], "cvss_score": 7.2, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22179", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.2); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-22178", "severity": "medium", "type": "unknown_cwe_1333", "nvd_category_id": "CWE-1333", "title": "OpenClaw versions prior to 2026.2.19 construct RegExp objects directly from unescaped Feishu mention...", "description": "OpenClaw versions prior to 2026.2.19 construct RegExp objects directly from unescaped Feishu mention metadata in the stripBotMention function, allowing regex injection and denial of service. Attackers can craft nested-quantifier patterns or metacharacters in mention metadata to trigger catastrophic backtracking, block message processing, or remove unintended content before model processing.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-18T02:16:22.160", "references": [ "https://github.com/openclaw/openclaw/commit/74268489137510b6f6349919d1e197b17290d92c", "https://github.com/openclaw/openclaw/commit/7e67ab75cc2f0e93569d12fecd1411c2961fcc8c", "https://github.com/openclaw/openclaw/security/advisories/GHSA-c6hr-w26q-c636" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22178", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-22177", "severity": "medium", "type": "unknown_cwe_15", "nvd_category_id": "CWE-15", "title": "OpenClaw versions prior to 2026.2.21 fail to filter dangerous process-control environment variables ...", "description": "OpenClaw versions prior to 2026.2.21 fail to filter dangerous process-control environment variables from config env.vars, allowing startup-time code execution. Attackers can inject variables like NODE_OPTIONS or LD_* through configuration to execute arbitrary code in the OpenClaw gateway service runtime context.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-18T02:16:21.957", "references": [ "https://github.com/openclaw/openclaw/commit/2cdbadee1f8fcaa93302d7debbfc529e19868ea4", "https://github.com/openclaw/openclaw/security/advisories/GHSA-8fmp-37rc-p5g7", "https://github.com/openclaw/openclaw/security/advisories/GHSA-w9j9-w4cp-6wgr" ], "cvss_score": 6.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22177", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.1); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-22175", "severity": "high", "type": "unknown_cwe_184", "nvd_category_id": "CWE-184", "title": "OpenClaw versions prior to 2026.2.23 contain an exec approval bypass vulnerability in allowlist mode...", "description": "OpenClaw versions prior to 2026.2.23 contain an exec approval bypass vulnerability in allowlist mode where allow-always grants could be circumvented through unrecognized multiplexer shell wrappers like busybox and toybox sh -c commands. Attackers can exploit this by invoking arbitrary payloads under the same multiplexer wrapper to satisfy stored allowlist rules, bypassing intended execution restrictions.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-18T02:16:21.733", "references": [ "https://github.com/openclaw/openclaw/commit/a67689a7e3ad494b6637c76235a664322d526f9e", "https://github.com/openclaw/openclaw/security/advisories/GHSA-gwqp-86q6-w47g", "https://www.vulncheck.com/advisories/openclaw-exec-approval-bypass-via-unrecognized-multiplexer-shell-wrappers" ], "cvss_score": 7.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22175", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.1); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-22174", "severity": "medium", "type": "missing_authentication_for_critical_function", "nvd_category_id": "CWE-306", "title": "OpenClaw versions prior to 2026.2.22 inject the x-OpenClaw-relay-token header into Chrome CDP probe ...", "description": "OpenClaw versions prior to 2026.2.22 inject the x-OpenClaw-relay-token header into Chrome CDP probe traffic on loopback interfaces, allowing local processes to capture the Gateway authentication token. An attacker controlling a loopback port can intercept CDP reachability probes to the /json/version endpoint and reuse the leaked token as Gateway bearer authentication.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-18T02:16:21.517", "references": [ "https://github.com/openclaw/openclaw/commit/afa22acc4a09fdf32be8a167ae216bee85c30dad", "https://github.com/openclaw/openclaw/security/advisories/GHSA-v3j7-34xh-6g3w", "https://www.vulncheck.com/advisories/openclaw-gateway-token-disclosure-via-chrome-cdp-probe" ], "cvss_score": 6.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22174", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.8); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-22171", "severity": "high", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the Feishu media down...", "description": "OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the Feishu media download flow where untrusted media keys are interpolated directly into temporary file paths in extensions/feishu/src/media.ts. An attacker who can control Feishu media key values returned to the client can use traversal segments to escape os.tmpdir() and write arbitrary files within the OpenClaw process permissions.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-18T02:16:21.310", "references": [ "https://github.com/openclaw/openclaw/commit/c821099157a9767d4df208c6b12f214946507871", "https://github.com/openclaw/openclaw/commit/cdb00fe2428000e7a08f9b7848784a0049176705", "https://github.com/openclaw/openclaw/commit/ec232a9e2dff60f0e3d7e827a7c868db5254473f" ], "cvss_score": 8.2, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22171", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.2); remotely exploitable without authentication; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-22170", "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw versions prior to 2026.2.22 with the optional BlueBubbles plugin contain an access control ...", "description": "OpenClaw versions prior to 2026.2.22 with the optional BlueBubbles plugin contain an access control bypass vulnerability where empty allowFrom configuration causes dmPolicy pairing and allowlist restrictions to be ineffective. Remote attackers can send direct messages to BlueBubbles accounts by exploiting the misconfigured allowlist validation logic to bypass intended sender authorization checks.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-18T02:16:21.100", "references": [ "https://github.com/openclaw/openclaw/commit/2ba6de7eaad812e5e8603018e14e54e96bdd57dd", "https://github.com/openclaw/openclaw/commit/4540790cb62412676f7b61cfc6e47443f84a251e", "https://github.com/openclaw/openclaw/commit/51c0893673de8e5cea64e64351dbfa4680ba0dec" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22170", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-22169", "severity": "medium", "type": "os_command_injection", "nvd_category_id": "CWE-78", "title": "OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in the safeBins confi...", "description": "OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in the safeBins configuration that allows attackers to invoke external helpers through the compress-program option. When sort is explicitly added to tools.exec.safeBins, remote attackers can bypass intended safe-bin approval constraints by leveraging the compress-program parameter to execute unauthorized external programs.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-18T02:16:20.893", "references": [ "https://github.com/openclaw/openclaw/commit/57fbbaebca4d34d17549accf6092ae26eb7b605c", "https://github.com/openclaw/openclaw/security/advisories/GHSA-vmqr-rc7x-3446", "https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-sort-configuration-in-safebins" ], "cvss_score": 6.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22169", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.7); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-22168", "severity": "medium", "type": "unknown_cwe_88", "nvd_category_id": "CWE-88", "title": "OpenClaw versions prior to 2026.2.21 contain an approval-integrity mismatch vulnerability in system....", "description": "OpenClaw versions prior to 2026.2.21 contain an approval-integrity mismatch vulnerability in system.run that allows authenticated operators to execute arbitrary trailing arguments after cmd.exe /c while approval text reflects only a benign command. Attackers can smuggle malicious arguments through cmd.exe /c to achieve local command execution on trusted Windows nodes with mismatched audit logs.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-18T02:16:20.680", "references": [ "https://github.com/openclaw/openclaw/commit/6007941f04df1edcca679dd6c95949744fdbd4df", "https://github.com/openclaw/openclaw/security/advisories/GHSA-5v6x-rfc3-7qfr", "https://www.vulncheck.com/advisories/openclaw-command-injection-via-cmd-exe-c-trailing-arguments-in-system-run" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22168", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.5); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32302", "severity": "high", "type": "unknown_cwe_346", "nvd_category_id": "CWE-346", "title": "OpenClaw is a personal AI assistant. Prior to 2026.3.11, browser-originated WebSocket connections co...", "description": "OpenClaw is a personal AI assistant. Prior to 2026.3.11, browser-originated WebSocket connections could bypass origin validation when gateway.auth.mode was set to trusted-proxy and the request arrived with proxy headers. A page served from an untrusted origin could connect through a trusted reverse proxy, inherit proxy-authenticated identity, and establish a privileged operator session. This vulnerability is fixed in 2026.3.11.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-13T19:54:41.650", "references": [ "https://github.com/openclaw/openclaw/commit/ebed3bbde1a72a1aaa9b87b63b91e7c04a50036b", "https://github.com/openclaw/openclaw/releases/tag/v2026.3.11", "https://github.com/openclaw/openclaw/security/advisories/GHSA-5wcw-8jjv-m286" ], "cvss_score": 8.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32302", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.1); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-4040", "severity": "low", "type": "exposure_of_sensitive_information", "nvd_category_id": "CWE-200", "title": "A vulnerability was identified in OpenClaw up to 2026.2.17. This issue affects the function tools.ex...", "description": "A vulnerability was identified in OpenClaw up to 2026.2.17. This issue affects the function tools.exec.safeBins of the component File Existence Handler. The manipulation leads to information exposure through discrepancy. The attack needs to be performed locally. Upgrading to version 2026.2.19-beta.1 is capable of addressing this issue. The identifier of the patch is bafdbb6f112409a65decd3d4e7350fbd637c7754. Upgrading the affected component is advised.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-12T12:15:59.990", "references": [ "https://github.com/openclaw/openclaw/", "https://github.com/openclaw/openclaw/commit/bafdbb6f112409a65decd3d4e7350fbd637c7754", "https://github.com/openclaw/openclaw/releases/tag/v2026.2.19-beta.1" ], "cvss_score": 3.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4040", "exploitability_score": "low", "exploitability_rationale": "Low CVSS score (3.3); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-4039", "severity": "medium", "type": "unknown_cwe_74", "nvd_category_id": "CWE-74", "title": "A vulnerability was determined in OpenClaw 2026.2.19-2. This vulnerability affects the function appl...", "description": "A vulnerability was determined in OpenClaw 2026.2.19-2. This vulnerability affects the function applySkillConfigenvOverrides of the component Skill Env Handler. Executing a manipulation can lead to code injection. It is possible to launch the attack remotely. Upgrading to version 2026.2.21-beta.1 is able to resolve this issue. This patch is called 8c9f35cdb51692b650ddf05b259ccdd75cc9a83c. It is recommended to upgrade the affected component.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-12T12:15:59.740", "references": [ "https://github.com/openclaw/openclaw/", "https://github.com/openclaw/openclaw/commit/8c9f35cdb51692b650ddf05b259ccdd75cc9a83c", "https://github.com/openclaw/openclaw/releases/tag/v2026.2.21-beta.1" ], "cvss_score": 6.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4039", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.3); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-30741", "severity": "critical", "type": "code_injection", "nvd_category_id": "CWE-94", "title": "A remote code execution (RCE) vulnerability in OpenClaw Agent Platform v2026.2.6 allows attackers to...", "description": "A remote code execution (RCE) vulnerability in OpenClaw Agent Platform v2026.2.6 allows attackers to execute arbitrary code via a Request-Side prompt injection attack.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-11T16:16:41.530", "references": [ "https://github.com/Named1ess/CVE-2026-30741", "https://github.com/OpenClaw/OpenClaw", "https://www.bilibili.com/video/BV1LoFazeEBM" ], "cvss_score": 9.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30741", "exploitability_score": "high", "exploitability_rationale": "Critical CVSS score (9.8); remotely exploitable without authentication; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32063", "severity": "high", "type": "command_injection", "nvd_category_id": "CWE-77", "title": "OpenClaw version 2026.2.19-2 prior to 2026.2.21 contains a command injection vulnerability in system...", "description": "OpenClaw version 2026.2.19-2 prior to 2026.2.21 contains a command injection vulnerability in systemd unit file generation where attacker-controlled environment values are not validated for CR/LF characters, allowing newline injection to break out of Environment= lines and inject arbitrary systemd directives. An attacker who can influence config.env.vars and trigger service install or restart can execute arbitrary commands with the privileges of the OpenClaw gateway service user.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-11T14:16:28.580", "references": [ "https://github.com/openclaw/openclaw/commit/61f646c41fb43cd87ed48f9125b4718a30d38e84", "https://github.com/openclaw/openclaw/security/advisories/GHSA-vffc-f7r7-rx2w", "https://www.vulncheck.com/advisories/openclaw-command-injection-via-newline-in-systemd-unit-generation" ], "cvss_score": 7.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32063", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.1); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32062", "severity": "high", "type": "unknown_cwe_770", "nvd_category_id": "CWE-770", "title": "OpenClaw versions 2026.2.21-2 up to, but not including, 2026.2.22, and @openclaw/voice-call versions...", "description": "OpenClaw versions 2026.2.21-2 up to, but not including, 2026.2.22, and @openclaw/voice-call versions 2026.2.21 up to, but not including, 2026.2.22 accept media-stream WebSocket upgrades before stream validation, allowing unauthenticated clients to establish connections. Remote attackers can hold idle pre-authenticated sockets open to consume connection resources and degrade service availability for legitimate streams.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "cpe:2.3:a:openclaw:openclaw\\/voice-call:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-11T14:16:28.340", "references": [ "https://github.com/openclaw/openclaw/commit/1d8968c8a821ff1a05c294a1846b3bcb6f343794", "https://github.com/openclaw/openclaw/security/advisories/GHSA-mfg5-7q5g-f37j", "https://www.vulncheck.com/advisories/openclaw-unauthenticated-websocket-resource-exhaustion-via-media-stream" ], "cvss_score": 7.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32062", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32061", "severity": "medium", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directiv...", "description": "OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows reading arbitrary local files outside the config directory boundary. Attackers with config modification capabilities can exploit this by specifying absolute paths, traversal sequences, or symlinks to access sensitive files readable by the OpenClaw process user, including API keys and credentials.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-11T14:16:28.140", "references": [ "https://github.com/openclaw/openclaw/commit/d1c00dbb7c64a39e205464dae7f2a068420e91c1", "https://github.com/openclaw/openclaw/security/advisories/GHSA-56pc-6hvp-4gv4", "https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-include-directive-path-traversal" ], "cvss_score": 4.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32061", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (4.4); requires local access; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32060", "severity": "high", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in apply_patch that allo...", "description": "OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in apply_patch that allows attackers to write or delete files outside the configured workspace directory. When apply_patch is enabled without filesystem sandbox containment, attackers can exploit crafted paths including directory traversal sequences or absolute paths to escape workspace boundaries and modify arbitrary files.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-11T14:16:27.943", "references": [ "https://github.com/openclaw/openclaw/commit/5544646a09c0121fca7d7093812dc2de8437c7f1", "https://github.com/openclaw/openclaw/security/advisories/GHSA-r5fq-947m-xm57", "https://www.vulncheck.com/advisories/openclaw-path-traversal-in-apply-patch-via-crafted-paths" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32060", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.8); network accessible; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-32059", "severity": "high", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw version 2026.2.22-2 prior to 2026.2.23 tools.exec.safeBins validation for sort command fail...", "description": "OpenClaw version 2026.2.22-2 prior to 2026.2.23 tools.exec.safeBins validation for sort command fails to properly validate GNU long-option abbreviations, allowing attackers to bypass denied-flag checks via abbreviated options. Remote attackers can execute sort commands with abbreviated long options to skip approval requirements in allowlist mode.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-11T14:16:27.743", "references": [ "https://github.com/openclaw/openclaw/commit/3b8e33037ae2e12af7beb56fcf0346f1f8cbde6f", "https://github.com/openclaw/openclaw/security/advisories/GHSA-3c6h-g97w-fg78", "https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-sort-long-option-abbreviation-in-toolsexecsafebins" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32059", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.8); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "GHSA-3h2q-j2v4-6w5r", "ghsa_id": "GHSA-3h2q-j2v4-6w5r", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-184", "title": "system.run allowlist approval parsing missed PowerShell encoded-command wrappers", "description": "OpenClaw's system.run shell-wrapper detection did not recognize PowerShell -EncodedCommand forms as inline-command wrappers. In allowlist mode, a caller with access to system.run could invoke pwsh or powershell using -EncodedCommand, -enc, or -e, and the request would fall back to plain argv analysis instead of the normal shell-wrapper approval path. This could allow a PowerShell inline payload to execute without the approval step that equivalent -Command invocations would require. Latest published npm version: 2026.3.2 Fixed on main on March 7, 2026 in 1d1757b16f48f1a93cd16ab0ad7e2c3c63ce727d by recognizing PowerShell encoded-command aliases during shell-wrapper parsing, so allowlist mode continues to require approval for those payloads. Normal approved PowerShell wrapper flows continue to work. 
Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.3.2 - Patched version: = 2026.3.7 Fix Commit(s) - 1d1757b16f48f1a93cd16ab0ad7e2c3c63ce727d Release Process Note npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package. Thanks @tdjackey for reporting.", "affected": [ "openclaw@<= 2026.3.2" ], "patched": [ "openclaw@>= 2026.3.7" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-03-08T14:26:58Z", "updated": "2026-03-08T14:26:58Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-3h2q-j2v4-6w5r" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3h2q-j2v4-6w5r", "nvd_url": null, "cvss_score": 5, "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "cwe_ids": [ "CWE-184", "CWE-863" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-3h2q-j2v4-6w5r" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-9q2p-vc84-2rwm", "ghsa_id": "GHSA-9q2p-vc84-2rwm", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-436", "title": "system.run allow-always persistence included shell-commented payload tails", "description": "OpenClaw's system.run allowlist analysis did not honor POSIX shell comment semantics when deriving allow-always persistence entries. A caller in security=allowlist mode who received an allow-always decision could submit a shell command whose tail was commented out at runtime, for example by using an unquoted # before a chained payload. The runtime shell would execute only the pre-comment portion, but allowlist persistence could still analyze and store the non-executed tail as a trusted follow-up command. 
Latest published npm version: 2026.3.2 Fixed on main on March 7, 2026 in 939b18475d734ed75173f59507e3ebbdfe1992b7 by teaching shell tokenization and chain/pipeline analysis to stop at unquoted shell comments, so allow-always persistence now tracks only commands that the shell can actually execute. Normal real chained commands and quoted # literals continue to work. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.3.2 - Patched version: = 2026.3.7 Fix Commit(s) - 939b18475d734ed75173f59507e3ebbdfe1992b7 Release Process Note npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package. Thanks @tdjackey for reporting.", "affected": [ "openclaw@<= 2026.3.2" ], "patched": [ "openclaw@>= 2026.3.7" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-03-08T14:26:57Z", "updated": "2026-03-08T14:26:57Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-9q2p-vc84-2rwm" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9q2p-vc84-2rwm", "nvd_url": null, "cvss_score": 5, "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "cwe_ids": [ "CWE-436", "CWE-863" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-9q2p-vc84-2rwm" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-hfpr-jhpq-x4rm", "ghsa_id": "GHSA-hfpr-jhpq-x4rm", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "operator.write chat.send could reach admin-only config writes", "description": "Summary A gateway client authenticated with operator.write could route /config set or /config unset through chat.send and reach persistent config mutation even though direct config RPC methods are 
admin-scoped. Affected Packages / Versions - Package: openclaw (npm) - Latest published vulnerable version: 2026.3.2 - Affected range: <= 2026.3.2 - Patched in: 2026.3.7 Details Before the fix, chat.send ran slash commands in an internal gateway-chat context with CommandAuthorized: true, and /config write paths only checked command authorization plus commands.config / channels. [the remainder of this description is missing from this copy of the advisory]", "affected": [ "openclaw@<= 2026.3.2" ], "patched": [ "openclaw@>= 2026.3.7" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-03-08T14:26:56Z", "updated": "2026-03-08T14:26:56Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-hfpr-jhpq-x4rm" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hfpr-jhpq-x4rm", "nvd_url": null, "cvss_score": 4.3, "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "cwe_ids": [ "CWE-863" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-hfpr-jhpq-x4rm" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-j425-whc4-4jgc", "ghsa_id": "GHSA-j425-whc4-4jgc", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-15", "title": "system.run env override filtering allowed dangerous helper-command pivots", "description": "Summary system.run env override sanitization allowed dangerous override-only helper-command pivots to reach subprocesses. A caller who could invoke system.run with env overrides could bypass allowlist/approval intent by steering an allowlisted tool through helper-command or config-loading environment variables such as GIT_SSH_COMMAND, editor/pager hooks, and GIT_CONFIG_* / NPM_CONFIG_*. 
Affected Packages / Versions - Package: openclaw (npm) - Latest published vulnerable version: 2026.3.2 - Affected range: <= 2026.3.2 - Patched in: 2026.3.7 Details Before the fix, src/infra/host-env-security.ts blocked only a narrow set of override-only environment variables. Dangerous request-scoped overrides such as GIT_SSH_COMMAND and prefix families such as GIT_CONFIG and NPM_CONFIG could still survive sanitizeSystemRunEnvOverrides(...) / sanitizeHostExecEnv(...) and reach the spawned process. That mattered for system.run allowlist and approval flows because approval evaluation was tied to the reviewed binary/argv, while the launched process could still inherit attacker-controlled env overrides that changed helper-command execution or config resolution. For allowlisted tools such as git, this allowed behavior outside the reviewed command semantics. The fix extends the shared TypeScript and macOS policy to block dangerous override-only exact keys and prefixes while preserving trusted inherited base-environment behavior. Impact This is a real protection-bypass issue, but exploitation requires an already tool-enabled caller who can invoke system.run and supply env overrides. In affected deployments, that caller could bypass allowlist/approval intent and trigger helper-command execution or config-loading behavior that is not represented by the approved command line. Maintainer severity is set to medium because the bug still requires that existing execution capability; the vulnerability is the mismatch between reviewed command semantics and the actual spawned-process behavior. Fix Commit(s) - e27bbe4982439da6864160fd1b66445058f74801 Release Process Note npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package. 
Thanks @tdjackey and @SnailSploit for reporting.", "affected": [ "openclaw@<= 2026.3.2" ], "patched": [ "openclaw@>= 2026.3.7" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-03-08T14:26:56Z", "updated": "2026-03-08T14:26:56Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-j425-whc4-4jgc" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-j425-whc4-4jgc", "nvd_url": null, "cvss_score": 6.3, "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "cwe_ids": [ "CWE-15", "CWE-693" ], "credits": [ "tdjackey", "SnailSploit", "zpbrent" ], "aliases": [ "GHSA-j425-whc4-4jgc" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-pjvx-rx66-r3fg", "ghsa_id": "GHSA-pjvx-rx66-r3fg", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-639", "title": "Cross-account sender authorization expansion in /allowlist ... --store account scoping", "description": "Summary /allowlist ... --store resolved the selected channel accountId for reads, but store writes still dropped that accountId and wrote into the legacy unscoped pairing allowlist store. Because default-account reads still merge legacy unscoped entries, a store entry intended for one account could silently authorize the same sender on the default account. This is a real cross-account sender-authorization scoping bug. Severity is set to medium because exploitation requires an already-authorized user who can run /allowlist edits. 
Affected Packages / Versions - Package: openclaw (npm) - Latest published version checked: 2026.3.2 - Affected versions: <= 2026.3.2 - Fixed on main: March 7, 2026 in 70da80bcb5574a10925469048d2ebb2abf882e73 - Patched release: 2026.3.7 Details The affected path was: - src/auto-reply/reply/commands-allowlist.ts:386-393 resolved accountId and read store state with it - src/auto-reply/reply/commands-allowlist.ts:697-702 and src/auto-reply/reply/commands-allowlist.ts:730-733 wrote store state without passing accountId - src/pairing/pairing-store.ts:231-234 and src/pairing/pairing-store.ts:534-554 still merged legacy unscoped allowlist entries into the default account The fix scopes /allowlist ... --store writes to the resolved account and clears legacy default-account store entries on removal so legacy reads no longer create cross-account authorization bleed-through. Impact - Vulnerability class: improper authorization scoping / incorrect authorization - Exploitation requires: an already-authorized sender who can run /allowlist edits - Security effect: unintended authorization expansion from one channel account into default Fix Commit(s) - 70da80bcb5574a10925469048d2ebb2abf882e73 — scope /allowlist ... --store writes by account and clean up legacy default-account removals Release Process Note npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package. 
Thanks @tdjackey for reporting.", "affected": [ "openclaw@<= 2026.3.2" ], "patched": [ "openclaw@>= 2026.3.7" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-03-08T14:26:55Z", "updated": "2026-03-08T14:26:55Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-pjvx-rx66-r3fg" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-pjvx-rx66-r3fg", "nvd_url": null, "cvss_score": 5.4, "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "cwe_ids": [ "CWE-639", "CWE-863" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-pjvx-rx66-r3fg" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-6rmx-gvvg-vh6j", "ghsa_id": "GHSA-6rmx-gvvg-vh6j", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-307", "title": "hooks count non-POST requests toward auth lockout", "description": "OpenClaw's hooks HTTP handler counted hook authentication failures before rejecting unsupported HTTP methods. An unauthenticated client could send repeated non-POST requests (for example GET) with an invalid token to consume the hook auth failure budget and trigger the temporary lockout window for that client key. The fix moves the hook method gate ahead of auth-failure accounting so unsupported methods return 405 Method Not Allowed without incrementing the hook auth limiter. 
Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.3.2 - Patched version: 2026.3.7 - Latest published npm version at patch time: 2026.3.2 Impact An unauthenticated network client that could reach /hooks/ could temporarily lock out legitimate webhook delivery when requests collapsed to the same hook auth client key, such as shared proxy or NAT topologies. Impact is limited to temporary availability loss for hook-triggered wake or automation delivery. Fix Commit(s) - 44820dceadac65ac7c0ce8fc0ffba8c2bd9fae89 Verification - pnpm check passed - pnpm test:fast passed - focused hook regression tests passed - pnpm exec vitest run --config vitest.gateway.config.ts still has unrelated current-main failures in src/gateway/server-channels.test.ts and src/gateway/server-methods/agents-mutate.test.ts Release Process Note npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package. Thanks @JNX03 for reporting.", "affected": [ "openclaw@<= 2026.3.2" ], "patched": [ "openclaw@>= 2026.3.7" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-03-08T14:26:54Z", "updated": "2026-03-08T14:26:54Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-6rmx-gvvg-vh6j" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6rmx-gvvg-vh6j", "nvd_url": null, "cvss_score": 5.3, "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "cwe_ids": [ "CWE-307", "CWE-799" ], "credits": [ "JNX03" ], "aliases": [ "GHSA-6rmx-gvvg-vh6j" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-rchv-x836-w7xp", "ghsa_id": "GHSA-rchv-x836-w7xp", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "high", "type": "github_security_advisory", "nvd_category_id": null, "title": 
"Dashboard leaked gateway auth material via browser URL/query and localStorage", "description": "OpenClaw's macOS Dashboard flow exposed Gateway authentication material to browser-controlled surfaces. Before the fix, the macOS app appended the shared Gateway token and password to the Dashboard URL query string when opening the Control UI in the browser. The Control UI then imported the token and persisted it into browser localStorage under openclaw.control.settings.v1. This expanded exposure of reusable Gateway admin credentials into browser address-bar/query surfaces and persistent script-readable storage. Affected Packages / Versions - Package: openclaw (npm) - Latest published version verified vulnerable: 2026.3.2 - Affected range: <= 2026.3.2 - Patched version: = 2026.3.7 Impact An attacker with access to browser-controlled surfaces or persistent browser storage could recover a valid Gateway admin token and reuse it against the OpenClaw management interface. The exposure chain was: 1. macOS Open Dashboard constructed a URL with auth material. 2. The browser received that credential-bearing URL. 3. The Control UI imported the token from the URL. 4. The Control UI persisted the token in localStorage. Fix The fix aligns the macOS Dashboard flow with the safer existing CLI/bootstrap pattern and removes persistent browser token storage: - macOS Dashboard now passes the Gateway token via URL fragment instead of query parameters. - macOS Dashboard no longer propagates the shared Gateway password into browser URLs. - Control UI keeps Gateway tokens in memory only for the current tab. - Control UI scrubs legacy persisted tokens from openclaw.control.settings.v1 on load. - Regression tests cover fragment transport, password omission, and token-scrubbing behavior. Fix Commit(s) - 10d0e3f3ca92326df0ca071fabffe463742f263c (March 7, 2026) Release Process Note npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package. 
Thanks @whiter6666 for reporting.", "affected": [ "openclaw@<= 2026.3.2" ], "patched": [ "openclaw@>= 2026.3.7" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-03-08T14:26:54Z", "updated": "2026-03-08T14:26:54Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-rchv-x836-w7xp" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rchv-x836-w7xp", "nvd_url": null, "cvss_score": 7.1, "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "cwe_ids": [], "credits": [ "whiter6666" ], "aliases": [ "GHSA-rchv-x836-w7xp" ], "source_feed": "ghsa-without-cve" }, { "id": "CVE-2026-29613", "severity": "medium", "type": "missing_authentication_for_critical_function", "nvd_category_id": "CWE-306", "title": "OpenClaw versions prior to 2026.2.12 contain a vulnerability in the BlueBubbles (optional plugin) we...", "description": "OpenClaw versions prior to 2026.2.12 contain a vulnerability in the BlueBubbles (optional plugin) webhook handler in which it authenticates requests based solely on loopback remoteAddress without validating forwarding headers, allowing bypass of configured webhook passwords. When the gateway operates behind a reverse proxy, unauthenticated remote attackers can inject arbitrary BlueBubbles message and reaction events by reaching the proxy endpoint.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:24.850", "references": [ "https://github.com/openclaw/openclaw/commit/743f4b28495cdeb0d5bf76f6ebf4af01f6a02e5a", "https://github.com/openclaw/openclaw/commit/f836c385ffc746cb954e8ee409f99d079bfdcd2f", "https://github.com/openclaw/openclaw/security/advisories/GHSA-xc7w-v5x6-cc87" ], "cvss_score": 5.9, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29613", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.9); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-29612", "severity": "medium", "type": "unknown_cwe_770", "nvd_category_id": "CWE-770", "title": "OpenClaw versions prior to 2026.2.14 decode base64-backed media inputs into buffers before enforcing...", "description": "OpenClaw versions prior to 2026.2.14 decode base64-backed media inputs into buffers before enforcing decoded-size budget limits, allowing attackers to trigger large memory allocations. Remote attackers can supply oversized base64 payloads to cause memory pressure and denial of service.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:24.660", "references": [ "https://github.com/openclaw/openclaw/commit/31791233d60495725fa012745dde8d6ee69e9595", "https://github.com/openclaw/openclaw/security/advisories/GHSA-w2cg-vxx6-5xjg", "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-large-base-media-file-decoding" ], "cvss_score": 5.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29612", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.5); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-29611", "severity": "high", "type": "unknown_cwe_73", "nvd_category_id": "CWE-73", "title": "OpenClaw versions prior to 2026.2.14 contain a local file inclusion vulnerability in BlueBubbles ext...", "description": "OpenClaw versions prior to 2026.2.14 contain a local file inclusion vulnerability in BlueBubbles extension (must be installed and enabled) media path handling that allows attackers to read arbitrary files from the local filesystem. The sendBlueBubblesMedia function fails to validate mediaPath parameters against an allowlist, enabling attackers to request sensitive files like /etc/passwd and exfiltrate them as media attachments.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:24.460", "references": [ "https://github.com/openclaw/openclaw/commit/71f357d9498cebb0efe016b0496d5fbe807539fc", "https://github.com/openclaw/openclaw/security/advisories/GHSA-rwj8-p9vq-25gv", "https://www.vulncheck.com/advisories/openclaw-local-file-inclusion-via-mediapath-parameter-in-bluebubbles-media-handling" ], "cvss_score": 7.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29611", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-29610", "severity": "high", "type": "unknown_cwe_427", "nvd_category_id": "CWE-427", "title": "OpenClaw versions prior to 2026.2.14 contain a command hijacking vulnerability that allows attackers...", "description": "OpenClaw versions prior to 2026.2.14 contain a command hijacking vulnerability that allows attackers to execute unintended binaries by manipulating PATH environment variables through node-host execution or project-local bootstrapping. Attackers with authenticated access to node-host execution surfaces or those running OpenClaw in attacker-controlled directories can place malicious executables in PATH to override allowlisted safe-bin commands and achieve arbitrary command execution.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:24.253", "references": [ "https://github.com/openclaw/openclaw/commit/013e8f6b3be3333a229a066eef26a45fec47ffcc", "https://github.com/openclaw/openclaw/security/advisories/GHSA-jqpq-mgvm-f9r6", "https://www.vulncheck.com/advisories/openclaw-command-hijacking-via-unsafe-path-handling" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29610", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.8); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-29609", "severity": "high", "type": "unknown_cwe_770", "nvd_category_id": "CWE-770", "title": "OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the fetchWithGuard...", "description": "OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the fetchWithGuard function that allocates entire response payloads in memory before enforcing maxBytes limits. Remote attackers can trigger memory exhaustion by serving oversized responses without content-length headers to cause availability loss.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:24.043", "references": [ "https://github.com/openclaw/openclaw/commit/00a08908892d1743d1fc52e5cbd9499dd5da2fe0", "https://github.com/openclaw/openclaw/security/advisories/GHSA-j27p-hq53-9wgc", "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unbounded-url-backed-media-fetch" ], "cvss_score": 7.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29609", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-29606", "severity": "medium", "type": "missing_authentication_for_critical_function", "nvd_category_id": "CWE-306", "title": "OpenClaw versions prior to 2026.2.14 contain a webhook signature-verification bypass in the voice-ca...", "description": "OpenClaw versions prior to 2026.2.14 contain a webhook signature-verification bypass in the voice-call extension that allows unauthenticated requests when the tunnel.allowNgrokFreeTierLoopbackBypass option is explicitly enabled. An external attacker can send forged requests to the publicly reachable webhook endpoint without a valid X-Twilio-Signature header, resulting in unauthorized webhook event handling and potential request flooding attacks.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:23.850", "references": [ "https://github.com/openclaw/openclaw/commit/ff11d8793b90c52f8d84dae3fbb99307da51b5c9", "https://github.com/openclaw/openclaw/security/advisories/GHSA-c37p-4qqg-3p76", "https://www.vulncheck.com/advisories/openclaw-webhook-signature-verification-bypass-via-ngrok-loopback-compatibility" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29606", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28486", "severity": "medium", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "OpenClaw versions 2026.1.16-2 prior to 2026.2.14 contain a path traversal vulnerability in archive e...", "description": "OpenClaw versions 2026.1.16-2 prior to 2026.2.14 contain a path traversal vulnerability in archive extraction during installation commands that allows arbitrary file writes outside the intended directory. Attackers can craft malicious archives that, when extracted via skills install, hooks install, plugins install, or signal install commands, write files to arbitrary locations enabling persistence or code execution.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "cpe:2.3:a:openclaw:openclaw:2026.1.16-2:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:23.640", "references": [ "https://github.com/openclaw/openclaw/commit/3aa94afcfd12104c683c9cad81faf434d0dadf87", "https://github.com/openclaw/openclaw/security/advisories/GHSA-v892-hwpg-jwqp", "https://www.vulncheck.com/advisories/openclaw-path-traversal-zip-slip-in-archive-extraction-via-installation-commands" ], "cvss_score": 6.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28486", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.1); requires local access; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28485", "severity": "high", "type": "missing_authentication_for_critical_function", "nvd_category_id": "CWE-306", "title": "OpenClaw versions 2026.1.5 prior to 2026.2.12 fail to enforce mandatory authentication on the /agent...", "description": "OpenClaw versions 2026.1.5 prior to 2026.2.12 fail to enforce mandatory authentication on the /agent/act browser-control HTTP route, allowing unauthorized local callers to invoke privileged operations. Remote attackers on the local network or local processes can execute arbitrary browser-context actions and access sensitive in-session data by sending requests to unauthenticated endpoints.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:23.440", "references": [ "https://github.com/openclaw/openclaw/commit/9230a2ae14307740a13ada7afd6dcfab34e0287f", "https://github.com/openclaw/openclaw/security/advisories/GHSA-qpjj-47vm-64pj", "https://www.vulncheck.com/advisories/openclaw-missing-authentication-in-browser-control-http-endpoints" ], "cvss_score": 8.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28485", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.4); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28482", "severity": "high", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "OpenClaw versions prior to 2026.2.12 construct transcript file paths using unsanitized sessionId par...", "description": "OpenClaw versions prior to 2026.2.12 construct transcript file paths using unsanitized sessionId parameters and sessionFile paths without enforcing directory containment. Authenticated attackers can exploit path traversal sequences like ../../etc/passwd in sessionId or sessionFile parameters to read or write arbitrary files outside the agent sessions directory.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:23.013", "references": [ "https://github.com/openclaw/openclaw/commit/4199f9889f0c307b77096a229b9e085b8d856c26", "https://github.com/openclaw/openclaw/commit/cab0abf52ac91e12ea7a0cf04fff315cf0c94d64", "https://github.com/openclaw/openclaw/security/advisories/GHSA-5xfq-5mr7-426q" ], "cvss_score": 7.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28482", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.1); requires local access; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28481", "severity": "medium", "type": "unknown_cwe_201", "nvd_category_id": "CWE-201", "title": "OpenClaw versions 2026.1.30 and earlier, contain an information disclosure vulnerability, patched in...", "description": "OpenClaw versions 2026.1.30 and earlier, contain an information disclosure vulnerability, patched in 2026.2.1, in the MS Teams attachment downloader (optional extension must be enabled) that leaks bearer tokens to allowlisted suffix domains. When retrying downloads after receiving 401 or 403 responses, the application sends Authorization bearer tokens to untrusted hosts matching the permissive suffix-based allowlist, enabling token theft.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:22.810", "references": [ "https://github.com/openclaw/openclaw/commit/41cc5bcd4f1d434ad1bbdfa55b56f25025ecbf6b", "https://github.com/openclaw/openclaw/security/advisories/GHSA-7vwx-582j-j332", "https://www.vulncheck.com/advisories/openclaw-bearer-token-leakage-via-ms-teams-attachment-downloader-suffix-matching" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28481", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.5); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28480", "severity": "medium", "type": "unknown_cwe_290", "nvd_category_id": "CWE-290", "title": "OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerability where Telegram al...", "description": "OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerability where Telegram allowlist matching accepts mutable usernames instead of immutable numeric sender IDs. Attackers can spoof identity by obtaining recycled usernames to bypass allowlist restrictions and interact with bots as unauthorized senders.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:22.610", "references": [ "https://github.com/openclaw/openclaw/commit/9e147f00b48e63e7be6964e0e2a97f2980854128", "https://github.com/openclaw/openclaw/commit/e3b432e481a96b8fd41b91273818e514074e05c3", "https://github.com/openclaw/openclaw/security/advisories/GHSA-mj5r-hh7j-4gxf" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28480", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28479", "severity": "high", "type": "risky_cryptographic_algorithm", "nvd_category_id": "CWE-327", "title": "OpenClaw versions prior to 2026.2.15 use SHA-1 to hash sandbox identifier cache keys for Docker and ...", "description": "OpenClaw versions prior to 2026.2.15 use SHA-1 to hash sandbox identifier cache keys for Docker and browser sandbox configurations, which is deprecated and vulnerable to collision attacks. An attacker can exploit SHA-1 collisions to cause cache poisoning, allowing one sandbox configuration to be misinterpreted as another and enabling unsafe sandbox state reuse.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:-:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:22.410", "references": [ "https://github.com/openclaw/openclaw/commit/559c8d9930eebb5356506ff1a8cd3dbaec92be77", "https://github.com/openclaw/openclaw/security/advisories/GHSA-fh3f-q9qw-93j9", "https://www.vulncheck.com/advisories/openclaw-cache-poisoning-via-deprecated-sha-hash-in-sandbox-configuration" ], "cvss_score": 7.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28479", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28478", "severity": "high", "type": "unknown_cwe_770", "nvd_category_id": "CWE-770", "title": "OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers t...", "description": "OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers that buffer request bodies without strict byte or time limits. Remote unauthenticated attackers can send oversized JSON payloads or slow uploads to webhook endpoints causing memory pressure and availability degradation.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:22.210", "references": [ "https://github.com/openclaw/openclaw/commit/3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930", "https://github.com/openclaw/openclaw/security/advisories/GHSA-q447-rj3r-2cgh", "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unbounded-webhook-request-body-buffering" ], "cvss_score": 7.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28478", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28477", "severity": "high", "type": "cross_site_request_forgery", "nvd_category_id": "CWE-352", "title": "OpenClaw versions prior to 2026.2.14 contain an oauth state validation bypass vulnerability in the m...", "description": "OpenClaw versions prior to 2026.2.14 contain an oauth state validation bypass vulnerability in the manual Chutes login flow that allows attackers to bypass CSRF protection. An attacker can convince a user to paste attacker-controlled OAuth callback data, enabling credential substitution and token persistence for unauthorized accounts.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:22.007", "references": [ "https://github.com/openclaw/openclaw/commit/a99ad11a4107ba8eac58f54a3c1a8a0cf5686f47", "https://github.com/openclaw/openclaw/security/advisories/GHSA-7rcp-mxpq-72pj", "https://www.vulncheck.com/advisories/openclaw-oauth-state-validation-bypass-in-manual-chutes-login-flow" ], "cvss_score": 7.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28477", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.1); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28476", "severity": "high", "type": "server_side_request_forgery", "nvd_category_id": "CWE-918", "title": "OpenClaw versions prior to 2026.2.14 contain a server-side request forgery vulnerability in the opti...", "description": "OpenClaw versions prior to 2026.2.14 contain a server-side request forgery vulnerability in the optional Tlon Urbit extension that accepts user-provided base URLs for authentication without proper validation. Attackers who can influence the configured Urbit URL can induce the gateway to make HTTP requests to arbitrary hosts including internal addresses.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:21.807", "references": [ "https://github.com/openclaw/openclaw/commit/bfa7d21e997baa8e3437657d59b1e296815cc1b1", "https://github.com/openclaw/openclaw/security/advisories/GHSA-pg2v-8xwh-qhcc", "https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-in-tlon-extension-authentication" ], "cvss_score": 8.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28476", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.3); remotely exploitable without authentication; SSRF affects agents making external requests", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28475", "severity": "medium", "type": "unknown_cwe_208", "nvd_category_id": "CWE-208", "title": "OpenClaw versions prior to 2026.2.13 use non-constant-time string comparison for hook token validati...", "description": "OpenClaw versions prior to 2026.2.13 use non-constant-time string comparison for hook token validation, allowing attackers to infer tokens through timing measurements. Remote attackers with network access to the hooks endpoint can exploit timing side-channels across multiple requests to gradually recover the authentication token.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:21.617", "references": [ "https://github.com/openclaw/openclaw/commit/113ebfd6a23c4beb8a575d48f7482593254506ec", "https://github.com/openclaw/openclaw/security/advisories/GHSA-47q7-97xp-m272", "https://www.vulncheck.com/advisories/openclaw-timing-attack-via-hook-token-comparison" ], "cvss_score": 4.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28475", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (4.8); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28474", "severity": "critical", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw's Nextcloud Talk plugin versions prior to 2026.2.6 accept equality matching on the mutable ...", "description": "OpenClaw's Nextcloud Talk plugin versions prior to 2026.2.6 accept equality matching on the mutable actor.name display name field for allowlist validation, allowing attackers to bypass DM and room allowlists. An attacker can change their Nextcloud display name to match an allowlisted user ID and gain unauthorized access to restricted conversations.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:21.423", "references": [ "https://github.com/openclaw/openclaw/commit/6b4b6049b47c3329a7014509594647826669892d", "https://github.com/openclaw/openclaw/security/advisories/GHSA-r5h9-vjqc-hq3r", "https://www.vulncheck.com/advisories/openclaw-nextcloud-talk-allowlist-bypass-via-actorname-display-name-spoofing" ], "cvss_score": 9.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28474", "exploitability_score": "high", "exploitability_rationale": "Critical CVSS score (9.8); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28473", "severity": "high", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw versions prior to 2026.2.2 contain an authorization bypass vulnerability where clients with...", "description": "OpenClaw versions prior to 2026.2.2 contain an authorization bypass vulnerability where clients with operator.write scope can approve or deny exec approval requests by sending the /approve chat command. The /approve command path invokes exec.approval.resolve through an internal privileged gateway client, bypassing the operator.approvals permission check that protects direct RPC calls.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:21.220", "references": [ "https://github.com/openclaw/openclaw/commit/efe2a464afcff55bb5a95b959e6bd9ec0fef086e", "https://github.com/openclaw/openclaw/security/advisories/GHSA-mqpw-46fh-299h", "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-approve-chat-command" ], "cvss_score": 8.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28473", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.1); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28472", "severity": "high", "type": "missing_authentication_for_critical_function", "nvd_category_id": "CWE-306", "title": "OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handsha...", "description": "OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handshake in which it allows skipping device identity checks when auth.token is present but not validated. Attackers can connect to the gateway without providing device identity or pairing by exploiting the presence check instead of validation, potentially gaining operator access in vulnerable deployments.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:21.017", "references": [ "https://github.com/openclaw/openclaw/commit/fe81b1d7125a014b8280da461f34efbf5f761575", "https://github.com/openclaw/openclaw/security/advisories/GHSA-rv39-79c4-7459", "https://www.vulncheck.com/advisories/openclaw-device-identity-check-bypass-in-gateway-websocket-connect-handshake" ], "cvss_score": 8.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28472", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.1); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28471", "severity": "medium", "type": "improper_authentication", "nvd_category_id": "CWE-287", "title": "OpenClaw version 2026.1.14-1 prior to 2026.2.2, with the Matrix plugin installed and enabled, contai...", "description": "OpenClaw version 2026.1.14-1 prior to 2026.2.2, with the Matrix plugin installed and enabled, contain a vulnerability in which DM allowlist matching could be bypassed by exact-matching against sender display names and localparts without homeserver validation. Remote Matrix users can impersonate allowed identities by using attacker-controlled display names or matching localparts from different homeservers to reach the routing and agent pipeline.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:20.817", "references": [ "https://github.com/openclaw/openclaw/commit/8f3bfbd1c4fb967a2ddb5b4b9a05784920814bcf", "https://github.com/openclaw/openclaw/security/advisories/GHSA-rmxw-jxxx-4cpc", "https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-displayname-and-cross-homeserver-localpart-matching-in-matrix" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28471", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28470", "severity": "critical", "type": "os_command_injection", "nvd_category_id": "CWE-78", "title": "OpenClaw versions prior to 2026.2.2 contain an exec approvals (must be enabled) allowlist bypass vul...", "description": "OpenClaw versions prior to 2026.2.2 contain an exec approvals (must be enabled) allowlist bypass vulnerability that allows attackers to execute arbitrary commands by injecting command substitution syntax. Attackers can bypass the allowlist protection by embedding unescaped $() or backticks inside double-quoted strings to execute unauthorized commands.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:20.607", "references": [ "https://github.com/openclaw/openclaw/commit/d1ecb46076145deb188abcba8f0699709ea17198", "https://github.com/openclaw/openclaw/security/advisories/GHSA-3hcm-ggvf-rch5", "https://www.vulncheck.com/advisories/openclaw-exec-allowlist-bypass-via-command-substitution-in-double-quotes" ], "cvss_score": 9.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28470", "exploitability_score": "high", "exploitability_rationale": "Critical CVSS score (9.8); remotely exploitable without authentication; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28469", "severity": "high", "type": "insecure_direct_object_reference", "nvd_category_id": "CWE-639", "title": "OpenClaw versions prior to 2026.2.14 contain a webhook routing vulnerability in the Google Chat moni...", "description": "OpenClaw versions prior to 2026.2.14 contain a webhook routing vulnerability in the Google Chat monitor component that allows cross-account policy context misrouting when multiple webhook targets share the same HTTP path. Attackers can exploit first-match request verification semantics to process inbound webhook events under incorrect account contexts, bypassing intended allowlists and session policies.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:20.407", "references": [ "https://github.com/openclaw/openclaw/commit/61d59a802869177d9cef52204767cd83357ab79e", "https://github.com/openclaw/openclaw/security/advisories/GHSA-rq6g-px6m-c248", "https://www.vulncheck.com/advisories/openclaw-cross-account-policy-context-misrouting-via-shared-webhook-path-ambiguity" ], "cvss_score": 7.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28469", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28468", "severity": "high", "type": "missing_authentication_for_critical_function", "nvd_category_id": "CWE-306", "title": "OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.14 contain a vulnerability in the sandbox browser...", "description": "OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.14 contain a vulnerability in the sandbox browser bridge server in which it accepts requests without requiring gateway authentication, allowing local attackers to access browser control endpoints. A local attacker can enumerate tabs, retrieve WebSocket URLs, execute JavaScript, and exfiltrate cookies and session data from authenticated browser contexts.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:20.197", "references": [ "https://github.com/openclaw/openclaw/commit/4711a943e30bc58016247152ba06472dab09d0b0", "https://github.com/openclaw/openclaw/commit/6dd6bce997c48752134f2d6ed89b27de01ced7e3", "https://github.com/openclaw/openclaw/commit/cd84885a4ac78eadb7bf321aae98db9519426d67" ], "cvss_score": 7.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28468", "exploitability_score": "medium", "exploitability_rationale": "High CVSS score (7.7); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28467", "severity": "medium", "type": "server_side_request_forgery", "nvd_category_id": "CWE-918", "title": "OpenClaw versions prior to 2026.2.2 contain a server-side request forgery vulnerability in attachmen...", "description": "OpenClaw versions prior to 2026.2.2 contain a server-side request forgery vulnerability in attachment and media URL hydration that allows remote attackers to fetch arbitrary HTTP(S) URLs. Attackers who can influence media URLs through model-controlled sendAttachment or auto-reply mechanisms can trigger SSRF to internal resources and exfiltrate fetched response bytes as outbound attachments.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:19.997", "references": [ "https://github.com/openclaw/openclaw/commit/81c68f582d4a9a20d9cca9f367d2da9edc5a65ae", "https://github.com/openclaw/openclaw/commit/9bd64c8a1f91dda602afc1d5246a2ff2be164647", "https://github.com/openclaw/openclaw/security/advisories/GHSA-wfp2-v9c7-fh79" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28467", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication; SSRF affects agents making external requests", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28466", "severity": "critical", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw versions prior to 2026.2.14 contain a vulnerability in the gateway in which it fails to san...", "description": "OpenClaw versions prior to 2026.2.14 contain a vulnerability in the gateway in which it fails to sanitize internal approval fields in node.invoke parameters, allowing authenticated clients to bypass exec approval gating for system.run commands. Attackers with valid gateway credentials can inject approval control fields to execute arbitrary commands on connected node hosts, potentially compromising developer workstations and CI runners.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:19.790", "references": [ "https://github.com/openclaw/openclaw/commit/0af76f5f0e93540efbdf054895216c398692afcd", "https://github.com/openclaw/openclaw/commit/318379cdb8d045da0009b0051bd0e712e5c65e2d", "https://github.com/openclaw/openclaw/commit/a7af646fdab124a7536998db6bd6ad567d2b06b0" ], "cvss_score": 9.9, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28466", "exploitability_score": "high", "exploitability_rationale": "Critical CVSS score (9.9); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28465", "severity": "medium", "type": "unknown_cwe_290", "nvd_category_id": "CWE-290", "title": "OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerabili...", "description": "OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-* headers in reverse-proxy configurations that implicitly trust these headers.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:19.593", "references": [ "https://github.com/openclaw/openclaw/commit/a749db9820eb6d6224032a5a34223d286d2dcc2f", "https://github.com/openclaw/openclaw/security/advisories/GHSA-3m3q-x3gj-f79x", "https://www.vulncheck.com/advisories/openclaw-voice-call-webhook-verification-bypass-via-forwarded-headers" ], "cvss_score": 5.9, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28465", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.9); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28464", "severity": "medium", "type": "unknown_cwe_208", "nvd_category_id": "CWE-208", "title": "OpenClaw versions prior to 2026.2.12 use non-constant-time string comparison for hook token validati...", "description": "OpenClaw versions prior to 2026.2.12 use non-constant-time string comparison for hook token validation, allowing attackers to infer tokens through timing measurements. Remote attackers with network access to the hooks endpoint can exploit timing side-channels across multiple requests to gradually determine the authentication token.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:19.393", "references": [ "https://github.com/openclaw/openclaw/commit/113ebfd6a23c4beb8a575d48f7482593254506ec", "https://github.com/openclaw/openclaw/security/advisories/GHSA-jmm5-fvh5-gf4p", "https://www.vulncheck.com/advisories/openclaw-timing-attack-in-hooks-token-authentication" ], "cvss_score": 5.9, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28464", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.9); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28463", "severity": "high", "type": "os_command_injection", "nvd_category_id": "CWE-78", "title": "OpenClaw versions prior to 2026.2.14 contain an arbitrary file read vulnerability in the exec-approv...", "description": "OpenClaw versions prior to 2026.2.14 contain an arbitrary file read vulnerability in the exec-approvals allowlist validation that checks pre-expansion argv tokens but executes using real shell expansion. Attackers with authorization or through prompt-injection attacks can exploit safe binaries like head, tail, or grep with glob patterns or environment variables to disclose files readable by the gateway or node process when host execution is enabled in allowlist mode.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:19.127", "references": [ "https://github.com/openclaw/openclaw/commit/77b89719d5b7e271f48b6f49e334a8b991468c3b", "https://github.com/openclaw/openclaw/security/advisories/GHSA-xvhf-x56f-2hpp", "https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-shell-expansion-in-safe-bins-allowlist" ], "cvss_score": 8.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28463", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.4); requires local access; RCE is critical in agent deployments (entry is classified CWE-78; its description reports arbitrary file read via shell expansion rather than command execution)", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28462", "severity": "high", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "OpenClaw versions prior to 2026.2.13 contain a vulnerability in the browser control API in which it ...", "description": "OpenClaw versions prior to 2026.2.13 contain a vulnerability in the browser control API in which it accepts user-supplied output paths for trace and download files without consistently constraining writes to temporary directories. Attackers with API access can exploit path traversal in POST /trace/stop, POST /wait/download, and POST /download endpoints to write files outside intended temp roots.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:18.873", "references": [ "https://github.com/openclaw/openclaw/commit/7f0489e4731c8d965d78d6eac4a60312e46a9426", "https://github.com/openclaw/openclaw/security/advisories/GHSA-gq9c-wg68-gwj2", "https://www.vulncheck.com/advisories/openclaw-path-traversal-in-trace-and-download-output-paths" ], "cvss_score": 7.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28462", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28459", "severity": "high", "type": "unknown_cwe_73", "nvd_category_id": "CWE-73", "title": "OpenClaw versions prior to 2026.2.12 fail to validate the sessionFile path parameter, allowing authe...", "description": "OpenClaw versions prior to 2026.2.12 fail to validate the sessionFile path parameter, allowing authenticated gateway clients to write transcript data to arbitrary locations on the host filesystem. Attackers can supply a sessionFile path outside the sessions directory to create files and append data repeatedly, potentially causing configuration corruption or denial of service.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:18.670", "references": [ "https://github.com/openclaw/openclaw/commit/25950bcbb8ba4d8cde002557f6e27c219ae4deda", "https://github.com/openclaw/openclaw/commit/4199f9889f0c307b77096a229b9e085b8d856c26", "https://github.com/openclaw/openclaw/security/advisories/GHSA-64qx-vpxx-mvqf" ], "cvss_score": 7.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28459", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.1); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28458", "severity": "high", "type": "missing_authentication_for_critical_function", "nvd_category_id": "CWE-306", "title": "OpenClaw version 2026.1.20 prior to 2026.2.1 contains a vulnerability in the Browser Relay (extensio...", "description": "OpenClaw version 2026.1.20 prior to 2026.2.1 contains a vulnerability in the Browser Relay (extension must be installed and enabled) /cdp WebSocket endpoint in which it does not require authentication tokens, allowing websites to connect via loopback and access sensitive data. Attackers can exploit this by connecting to ws://127.0.0.1:18792/cdp to steal session cookies and execute JavaScript in other browser tabs.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:18.457", "references": [ "https://github.com/openclaw/openclaw/commit/a1e89afcc19efd641c02b24d66d689f181ae2b5c", "https://github.com/openclaw/openclaw/security/advisories/GHSA-mr32-vwc2-5j6h", "https://www.vulncheck.com/advisories/openclaw-missing-authentication-in-browser-relay-cdp-websocket-endpoint" ], "cvss_score": 8.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28458", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.1); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28457", "severity": "medium", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in sandbox skill mirrori...", "description": "OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in sandbox skill mirroring (must be enabled) that uses the skill frontmatter name parameter unsanitized when copying skills into the sandbox workspace. Attackers who provide a crafted skill package with traversal sequences like ../ or absolute paths in the name field can write files outside the sandbox workspace root directory.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:18.227", "references": [ "https://github.com/openclaw/openclaw/commit/3eb6a31b6fcf8268456988bfa8e3637d373438c2", "https://github.com/openclaw/openclaw/security/advisories/GHSA-xw4p-pw82-hqr7", "https://www.vulncheck.com/advisories/openclaw-path-traversal-in-sandbox-skill-mirroring-via-name-parameter" ], "cvss_score": 6.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28457", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.1); requires local access; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28456", "severity": "high", "type": "unknown_cwe_427", "nvd_category_id": "CWE-427", "title": "OpenClaw versions 2026.1.5 prior to 2026.2.14 contain a vulnerability in the Gateway in which it doe...", "description": "OpenClaw versions 2026.1.5 prior to 2026.2.14 contain a vulnerability in the Gateway in which it does not sufficiently constrain configured hook module paths before passing them to dynamic import(), allowing code execution. An attacker with gateway configuration modification access can load and execute unintended local modules in the Node.js process.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:18.020", "references": [ "https://github.com/openclaw/openclaw/commit/35c0e66ed057f1a9f7ad2515fdcef516bd6584ce", "https://github.com/openclaw/openclaw/commit/a0361b8ba959e8506dc79d638b6e6a00d12887e4", "https://github.com/openclaw/openclaw/security/advisories/GHSA-v6c6-vqqg-w888" ], "cvss_score": 7.2, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28456", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.2); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28454", "severity": "high", "type": "unknown_cwe_345", "nvd_category_id": "CWE-345", "title": "OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode (must ...", "description": "OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode (must be enabled), allowing unauthenticated HTTP POST requests to the webhook endpoint that trust attacker-controlled JSON payloads. Remote attackers can forge Telegram updates by spoofing message.from.id and chat.id fields to bypass sender allowlists and execute privileged bot commands.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:17.817", "references": [ "https://github.com/openclaw/openclaw/commit/3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930", "https://github.com/openclaw/openclaw/commit/5643a934799dc523ec2ef18c007e1aa2c386b670", "https://github.com/openclaw/openclaw/commit/633fe8b9c17f02fcc68ecdb5ec212a5ace932f09" ], "cvss_score": 7.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28454", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28453", "severity": "high", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "OpenClaw versions prior to 2026.2.14 fail to validate TAR archive entry paths during extraction, all...", "description": "OpenClaw versions prior to 2026.2.14 fail to validate TAR archive entry paths during extraction, allowing path traversal sequences to write files outside the intended directory. Attackers can craft malicious archives with traversal sequences like ../../ to write files outside extraction boundaries, potentially enabling configuration tampering and code execution.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:17.617", "references": [ "https://github.com/openclaw/openclaw/commit/3aa94afcfd12104c683c9cad81faf434d0dadf87", "https://github.com/openclaw/openclaw/security/advisories/GHSA-p25h-9q54-ffvw", "https://www.vulncheck.com/advisories/openclaw-zip-slip-path-traversal-in-tar-archive-extraction" ], "cvss_score": 7.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28453", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28452", "severity": "medium", "type": "unknown_cwe_770", "nvd_category_id": "CWE-770", "title": "OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the extractArchive...", "description": "OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the extractArchive function within src/infra/archive.ts that allows attackers to consume excessive CPU, memory, and disk resources through high-expansion ZIP and TAR archives. Remote attackers can trigger resource exhaustion by providing maliciously crafted archive files during install or update operations, causing service degradation or system unavailability.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:17.410", "references": [ "https://github.com/openclaw/openclaw/commit/5f4b29145c236d124524c2c9af0f8acd048fbdea", "https://github.com/openclaw/openclaw/commit/d3ee5deb87ee2ad0ab83c92c365611165423cb71", "https://github.com/openclaw/openclaw/security/advisories/GHSA-h89v-j3x9-8wqj" ], "cvss_score": 5.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28452", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.5); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28451", "severity": "high", "type": "server_side_request_forgery", "nvd_category_id": "CWE-918", "title": "OpenClaw versions prior to 2026.2.14 contain server-side request forgery vulnerabilities in the Feis...", "description": "OpenClaw versions prior to 2026.2.14 contain server-side request forgery vulnerabilities in the Feishu extension that allow attackers to fetch attacker-controlled remote URLs without SSRF protections via sendMediaFeishu function and markdown image processing. Attackers can influence tool calls through direct manipulation or prompt injection to trigger requests to internal services and re-upload responses as Feishu media.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:17.210", "references": [ "https://github.com/openclaw/openclaw/commit/5b4121d6011a48c71e747e3c18197f180b872c5d", "https://github.com/openclaw/openclaw/security/advisories/GHSA-x22m-j5qq-j49m", "https://www.vulncheck.com/advisories/openclaw-ssrf-via-feishu-extension-media-fetching" ], "cvss_score": 8.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28451", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.3); remotely exploitable without authentication; SSRF affects agents making external requests", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28450", "severity": "medium", "type": "missing_authentication_for_critical_function", "nvd_category_id": "CWE-306", "title": "OpenClaw versions prior to 2026.2.12 with the optional Nostr plugin enabled expose unauthenticated H...", "description": "OpenClaw versions prior to 2026.2.12 with the optional Nostr plugin enabled expose unauthenticated HTTP endpoints at /api/channels/nostr/:accountId/profile and /api/channels/nostr/:accountId/profile/import that allow reading and modifying Nostr profiles without gateway authentication. Remote attackers can exploit these endpoints to read sensitive profile data, modify Nostr profiles, persist malicious changes to gateway configuration, and publish signed Nostr events using the bot's private key when the gateway HTTP port is accessible beyond localhost.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:17.003", "references": [ "https://github.com/openclaw/openclaw/commit/647d929c9d0fd114249230d939a5cb3b36dc70e7", "https://github.com/openclaw/openclaw/security/advisories/GHSA-mv9j-6xhh-g383", "https://www.vulncheck.com/advisories/openclaw-unauthenticated-profile-tampering-via-nostr-plugin-http-endpoints" ], "cvss_score": 6.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28450", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.8); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28448", "severity": "high", "type": "improper_authorization", "nvd_category_id": "CWE-285", "title": "OpenClaw versions 2026.1.29 prior to 2026.2.1 contain a vulnerability in the Twitch plugin (must be ...", "description": "OpenClaw versions 2026.1.29 prior to 2026.2.1 contain a vulnerability in the Twitch plugin (must be installed and enabled) in which it fails to enforce the allowFrom allowlist when allowedRoles is unset or empty, allowing unauthorized Twitch users to trigger agent dispatch. Remote attackers can mention the bot in Twitch chat to bypass access control and invoke the agent pipeline, potentially causing unintended actions or resource exhaustion.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:16.803", "references": [ "https://github.com/openclaw/openclaw/commit/8c7901c984866a776eb59662dc9d8b028de4f0d0", "https://github.com/openclaw/openclaw/security/advisories/GHSA-33rq-m5x2-fvgf", "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-twitch-plugin-allowfrom-access-control" ], "cvss_score": 7.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28448", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.3); remotely exploitable without authentication; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28447", "severity": "high", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vulnerability in plugi...", "description": "OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vulnerability in plugin installation that allows malicious plugin package names to escape the extensions directory. Attackers can craft scoped package names containing path traversal sequences like .. to write files outside the intended installation directory when victims run the plugins install command.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:16.600", "references": [ "https://github.com/openclaw/openclaw/commit/d03eca8450dc493b198a88b105fd180895238e57", "https://github.com/openclaw/openclaw/security/advisories/GHSA-qrq5-wjgg-rvqw", "https://www.vulncheck.com/advisories/openclaw-beta-path-traversal-in-plugin-installation-via-package-name" ], "cvss_score": 8.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28447", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.1); network accessible; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28446", "severity": "critical", "type": "unknown_cwe_303", "nvd_category_id": "CWE-303", "title": "OpenClaw versions prior to 2026.2.1 with the voice-call extension installed and enabled contain an a...", "description": "OpenClaw versions prior to 2026.2.1 with the voice-call extension installed and enabled contain an authentication bypass vulnerability in inbound allowlist policy validation that accepts empty caller IDs and uses suffix-based matching instead of strict equality. Remote attackers can bypass inbound access controls by placing calls with missing caller IDs or numbers ending with allowlisted digits to reach the voice-call agent and execute tools.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:16.390", "references": [ "https://github.com/openclaw/openclaw/commit/f8dfd034f5d9235c5485f492a9e4ccc114e97fdb", "https://github.com/openclaw/openclaw/security/advisories/GHSA-4rj2-gpmh-qq5x", "https://www.vulncheck.com/advisories/openclaw-inbound-allowlist-policy-bypass-in-voice-call-extension-via-empty-caller-id" ], "cvss_score": 9.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28446", "exploitability_score": "high", "exploitability_rationale": "Critical CVSS score (9.4); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28395", "severity": "medium", "type": "unknown_cwe_1327", "nvd_category_id": "CWE-1327", "title": "OpenClaw version 2026.1.14-1 prior to 2026.2.12 contains an improper network binding vulnerability i...", "description": "OpenClaw version 2026.1.14-1 prior to 2026.2.12 contains an improper network binding vulnerability in the Chrome extension (must be installed and enabled) relay server that treats wildcard hosts as loopback addresses, allowing the relay HTTP/WS server to bind to all interfaces when a wildcard cdpUrl is configured. Remote attackers can access relay HTTP endpoints off-host to leak service presence and port information, or conduct denial-of-service and brute-force attacks against the relay token header.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:16.173", "references": [ "https://github.com/openclaw/openclaw/commit/8d75a496bf5aaab1755c56cf48502d967c75a1d0", "https://github.com/openclaw/openclaw/commit/a1e89afcc19efd641c02b24d66d689f181ae2b5c", "https://github.com/openclaw/openclaw/security/advisories/GHSA-qw99-grcx-4pvm" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28395", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28394", "severity": "medium", "type": "unknown_cwe_770", "nvd_category_id": "CWE-770", "title": "OpenClaw versions prior to 2026.2.15 contain a denial of service vulnerability in the web_fetch tool...", "description": "OpenClaw versions prior to 2026.2.15 contain a denial of service vulnerability in the web_fetch tool that allows attackers to crash the Gateway process through memory exhaustion by parsing oversized or deeply nested HTML responses. Remote attackers can social-engineer users into fetching malicious URLs with pathological HTML structures to exhaust server memory and cause service unavailability.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:15.973", "references": [ "https://github.com/openclaw/openclaw/commit/166cf6a3e04c7df42bea70a7ad5ce2b9df46d147", "https://github.com/openclaw/openclaw/security/advisories/GHSA-p536-vvpp-9mc8", "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unbounded-response-parsing-in-web-fetch-tool" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28394", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.5); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28393", "severity": "high", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "OpenClaw versions 2.0.0-beta3 prior to 2026.2.14 contain a path traversal vulnerability in hook tran...", "description": "OpenClaw versions 2.0.0-beta3 prior to 2026.2.14 contain a path traversal vulnerability in hook transform module loading that allows arbitrary JavaScript execution. The hooks.mappings[].transform.module parameter accepts absolute paths and traversal sequences, enabling attackers with configuration write access to load and execute malicious modules with gateway process privileges.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "cpe:2.3:a:openclaw:openclaw:2.0.0:beta3:*:*:*:node.js:*:*", "cpe:2.3:a:openclaw:openclaw:2.0.0:beta4:*:*:*:node.js:*:*", "cpe:2.3:a:openclaw:openclaw:2.0.0:beta5:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:15.767", "references": [ "https://github.com/openclaw/openclaw/commit/18e8bd68c5015a894f999c6d5e6e32468965bfb5", "https://github.com/openclaw/openclaw/commit/a0361b8ba959e8506dc79d638b6e6a00d12887e4", "https://github.com/openclaw/openclaw/security/advisories/GHSA-7xhj-55q9-pc3m" ], "cvss_score": 7.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28393", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.7); requires local access; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28392", "severity": "high", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw versions prior to 2026.2.14 contain a privilege escalation vulnerability in the Slack slash...", "description": "OpenClaw versions prior to 2026.2.14 contain a privilege escalation vulnerability in the Slack slash-command handler that incorrectly authorizes any direct message sender when dmPolicy is set to open (must be configured). Attackers can execute privileged slash commands via direct message to bypass allowlist and access-group restrictions.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:15.567", "references": [ "https://github.com/openclaw/openclaw/commit/f19eabee54c49e9a2e264b4965edf28a2f92e657", "https://github.com/openclaw/openclaw/security/advisories/GHSA-v773-r54f-q32w", "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-in-slack-slash-command-handler-via-direct-messages" ], "cvss_score": 7.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28392", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-28391", "severity": "critical", "type": "os_command_injection", "nvd_category_id": "CWE-78", "title": "OpenClaw versions prior to 2026.2.2 fail to properly validate Windows cmd.exe metacharacters in allo...", "description": "OpenClaw versions prior to 2026.2.2 fail to properly validate Windows cmd.exe metacharacters in allowlist-gated exec requests (non-default configuration), allowing attackers to bypass command approval restrictions. Remote attackers can craft command strings with shell metacharacters like & or %...% to execute unapproved commands beyond the allowlisted operations.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-03-05T22:16:15.360", "references": [ "https://github.com/openclaw/openclaw/commit/a7f4a53ce80c98ba1452eb90802d447fca9bf3d6", "https://github.com/openclaw/openclaw/security/advisories/GHSA-qj77-c3c8-9c3q", "https://www.vulncheck.com/advisories/openclaw-command-injection-via-cmdexe-parsing-bypass-in-allowlist-enforcement" ], "cvss_score": 9.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28391", "exploitability_score": "high", "exploitability_rationale": "Critical CVSS score (9.8); remotely exploitable without authentication; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "GHSA-474h-prjg-mmw3", "ghsa_id": "GHSA-474h-prjg-mmw3", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "high", "type": "github_security_advisory", "nvd_category_id": "CWE-269", "title": "Sandboxed sessions_spawn(runtime=\"acp\") bypassed sandbox inheritance and allowed host ACP initialization", "description": "Summary Sandboxed sessions_spawn(runtime=\"acp\") could bypass sandbox inheritance and initialize host-side ACP runtime. The fix now fail-closes ACP spawn from sandboxed requester sessions and rejects sandbox=\"require\" for runtime=\"acp\". Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version at triage time: 2026.3.1 (March 2, 2026) - Vulnerable range: <=2026.3.1 - Patched release: 2026.3.2 (released) Technical Details - Root cause: runtime=\"subagent\" enforced sandbox inheritance, while runtime=\"acp\" did not enforce equivalent sandbox/runtime checks. - Security impact: sandbox-boundary bypass into host-side ACP initialization. 
- Fixed behavior: - deny ACP spawn when requester runtime is sandboxed - deny sessions_spawn with runtime=\"acp\", sandbox=\"require\" - align sandboxed prompt guidance to avoid advertising blocked ACP paths Fix Commit(s) - ac11f0af731d41743ba02d8595f4d0fe747336e3 - c703aa0fe92df9fb71cf254fc46991e05fba2114", "affected": [ "openclaw@<=2026.3.1" ], "patched": [ "openclaw@>= 2026.3.2" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-03-03T04:14:22Z", "updated": "2026-03-03T04:14:22Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-474h-prjg-mmw3" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-474h-prjg-mmw3", "nvd_url": null, "cvss_score": 8, "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "cwe_ids": [ "CWE-269" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-474h-prjg-mmw3" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-v865-p3gq-hw6m", "ghsa_id": "GHSA-v865-p3gq-hw6m", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-288", "title": "Encoded-path auth bypass in plugin /api/channels route classification", "description": "Summary (Updated March 2, 2026) Encoded alternate-path requests could bypass plugin route auth checks for /api/channels/ due to canonicalization depth mismatch in vulnerable builds. Affected Packages / Versions - Package: openclaw (npm) - Latest published vulnerable version: 2026.3.1 - Affected range: <= 2026.3.1 - Patched release: 2026.3.2 (patched_versions: >= 2026.3.2) Technical Details In affected versions, plugin auth-path classification and route-path canonicalization could diverge for deeply encoded slash variants (for example multi-encoded %2f). 
That mismatch allowed alternate encoded paths to evade protected-prefix auth checks while still resolving to /api/channels/... in plugin route handling. The fix set hardens this class of issue by: - canonicalizing route paths to a bounded fixpoint, - failing closed on malformed or unresolved canonicalization depth, - requiring explicit plugin-route auth contracts (no implicit auth default), - enforcing route ownership/conflict guards for duplicate route registrations, and - using shared webhook route lifecycle registration to avoid stale/conflicting route surfaces. Affected Deployments Deployments exposing plugin HTTP routes and relying on gateway auth for /api/channels/ protection. Fix Commit(s) - 93b07240257919f770d1e263e1f22753937b80ea - 2fd8264ab03bd178e62a5f0c50d1c8556c17f12d - d74bc257d8432f17e50b23ae713d7e0623a1fe0f - 7a7eee920a176a0043398c6b37bf4cc6eb983eeb", "affected": [ "openclaw@<= 2026.3.1" ], "patched": [ "openclaw@>= 2026.3.2" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-03-03T04:14:18Z", "updated": "2026-03-03T04:14:18Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-v865-p3gq-hw6m" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v865-p3gq-hw6m", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-288" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-v865-p3gq-hw6m" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-2858-xg23-26fp", "ghsa_id": "GHSA-2858-xg23-26fp", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "server_side_request_forgery", "nvd_category_id": "CWE-918", "title": "Node camera URL payload host-binding bypass allowed gateway fetch pivots", "description": "Summary OpenClaw accepted camera.snap / 
camera.clip node payload url fields and downloaded them on the gateway/agent host without binding downloads to the resolved node host. In OpenClaw's documented trust model, paired nodes are in the same operator trust boundary, so this is scoped as medium-severity hardening. A malicious or compromised paired node could still steer gateway-host fetches during camera URL retrieval. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: >= 2026.2.13 <= 2026.3.1 - Latest vulnerable published version at time of update: 2026.3.1 - Patched versions: >= 2026.3.2 (released) Technical Details Vulnerable flows accepted URL payloads and downloaded directly from the provided URL: - src/cli/nodes-camera.ts (writeUrlToFile) fetched URL payloads without node-host binding. - src/cli/nodes-cli/register.camera.ts passed camera.snap / camera.clip payload URLs into that downloader. - src/agents/tools/nodes-tool.ts did the same for camera_snap / camera_clip tool actions. Impact A malicious/compromised paired node could cause gateway-host URL fetches to off-node destinations reachable from the host network. This could be used for internal network probing/fetch pivots in deployments where paired nodes are not fully trusted. Remediation The fix introduces fail-closed node-host binding and guarded fetch for camera URL payload downloads: - Require resolved node host metadata for URL payload downloads. - Enforce hostname match between payload URL and resolved node host. - Use SSRF-guarded fetch with redirect host/protocol checks. - Apply the same enforcement across CLI and agent tool camera paths. 
Fix Commit(s) - 3bf19d6f40a0aaa55818b96eede3d05130c02533", "affected": [ "openclaw@>= 2026.2.13 <= 2026.3.1" ], "patched": [ "openclaw@>= 2026.3.2" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-03-03T04:14:15Z", "updated": "2026-03-03T04:14:15Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-2858-xg23-26fp" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2858-xg23-26fp", "nvd_url": null, "cvss_score": 5.5, "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "cwe_ids": [ "CWE-918" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-2858-xg23-26fp" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-8m9v-xpgf-g99m", "ghsa_id": "GHSA-8m9v-xpgf-g99m", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "Unauthorized sender bypass in stop triggers and /models command authorization", "description": "Summary Unauthorized senders could trigger two command paths without sender authorization checks: 1. stop-like natural-language abort triggers 2. /models command output Impact An unauthorized sender could disrupt active sessions and view model/auth metadata that should be authorization-gated. Fix Sender authorization is now enforced for stop-like abort triggers and /models listings. 
Affected and Patched Versions - Affected: <= 2026.2.26 - Patched: 2026.3.1", "affected": [ "openclaw@<= 2026.2.26" ], "patched": [ "openclaw@>= 2026.3.1" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-03-02T05:46:05Z", "updated": "2026-03-02T05:46:05Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-8m9v-xpgf-g99m" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8m9v-xpgf-g99m", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-863" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-8m9v-xpgf-g99m" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-7xmq-g46g-f8pv", "ghsa_id": "GHSA-7xmq-g46g-f8pv", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-59", "title": "Sandbox media TOCTOU could read files outside sandbox root", "description": "Summary Sandbox media handling had a time-of-check/time-of-use gap: media paths could be validated first and read later through a separate path. A symlink retarget between those steps could cause reads outside sandboxRoot. Impact Affected versions could permit host file reads outside the intended sandbox root in media attachment/image flows. Fix Media reads now use consolidated root-scoped, boundary-safe read paths at use time, removing check/use drift across call sites. 
Affected and Patched Versions - Affected: <= 2026.2.26 - Patched: 2026.3.1", "affected": [ "openclaw@<= 2026.2.26" ], "patched": [ "openclaw@>= 2026.3.1" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-03-02T05:46:04Z", "updated": "2026-03-02T05:46:04Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-7xmq-g46g-f8pv" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7xmq-g46g-f8pv", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-59", "CWE-367" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-7xmq-g46g-f8pv" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-x82f-27x3-q89c", "ghsa_id": "GHSA-x82f-27x3-q89c", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-59", "title": "TOCTOU symlink race in writeFileWithinRoot could create or truncate files outside root boundaries", "description": "Summary A symlink-retarget TOCTOU race in writeFileWithinRoot could point an attacker-controlled path alias outside the configured root between resolution and write operations. Impact Affected versions could cause out-of-root write side effects (including file creation or truncation) before final boundary validation. Fix Root-scoped write flow now opens existing files without pre-truncation, creates missing files with exclusive create semantics, truncates only after post-open identity/boundary checks, and removes out-of-root artifacts when a race is detected. 
Affected and Patched Versions - Affected: <= 2026.2.26 - Patched: 2026.3.1", "affected": [ "openclaw@<= 2026.2.26" ], "patched": [ "openclaw@>= 2026.3.1" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-03-02T05:46:04Z", "updated": "2026-03-02T05:46:04Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-x82f-27x3-q89c" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-x82f-27x3-q89c", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-59", "CWE-367" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-x82f-27x3-q89c" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-392f-ggf5-fp3c", "ghsa_id": "GHSA-392f-ggf5-fp3c", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-176", "title": "Unicode canonicalization drift in node metadata policy classification could broaden node allowlists", "description": "Summary A paired node could supply Unicode-confusable platform or deviceFamily metadata that passed metadata pinning but classified differently for command policy resolution, broadening default node command allowlists. Impact This is a policy-bypass issue within the paired-node trust boundary and can expand node command availability beyond intended defaults. Fix Node metadata canonicalization was hardened against confusables, and unknown platform defaults were made conservative (excluding system.run and system.which unless explicitly allowlisted). 
Affected and Patched Versions - Affected: <= 2026.2.26 - Patched: 2026.3.1", "affected": [ "openclaw@<= 2026.2.26" ], "patched": [ "openclaw@>= 2026.3.1" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-03-02T05:46:02Z", "updated": "2026-03-02T05:46:02Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-392f-ggf5-fp3c" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-392f-ggf5-fp3c", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-176", "CWE-436" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-392f-ggf5-fp3c" ], "source_feed": "ghsa-without-cve" }, { "id": "CVE-2026-28363", "severity": "critical", "type": "unknown_cwe_184", "nvd_category_id": "CWE-184", "title": "In OpenClaw before 2026.2.23, tools.exec.safeBins validation for sort could be bypassed via GNU long...", "description": "In OpenClaw before 2026.2.23, tools.exec.safeBins validation for sort could be bypassed via GNU long-option abbreviations (such as --compress-prog) in allowlist mode, leading to approval-free execution paths that were intended to require approval. Only an exact string such as --compress-program was denied.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-02-27T04:16:03.227", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-3c6h-g97w-fg78" ], "cvss_score": 9.9, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28363", "exploitability_score": "high", "exploitability_rationale": "Critical CVSS score (9.9); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "GHSA-gp3q-wpq4-5c5h", "ghsa_id": "GHSA-gp3q-wpq4-5c5h", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "high", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "LINE group allowlist scope mismatch with DM pairing-store entries", "description": "Summary In specific LINE configurations, sender IDs approved through DM pairing could also satisfy group allowlist checks when operators expected group sender access to be scoped only to explicit group allowlists. Affected Packages / Versions - Package: openclaw (npm) - Latest published version at triage/update time: 2026.2.25 - Affected: <= 2026.2.25 - Patched: = 2026.2.26 (planned next release) Impact This is a group-authorization scope mismatch. DM pairing-store entries could influence group sender authorization in allowlist mode. Technical Details Root cause: group allowlist composition inherited pairing-store entries intended for DM approvals. Under default DM pairing policy, a DM-paired sender could match group allowlist checks. 
Fixes on main: - isolate group allowlist composition from pairing-store entries - centralize shared DM/group allowlist composition to preserve DM-only pairing behavior - add regression coverage for LINE and Mattermost policy paths Fix Commit(s) - 8bdda7a651c21e98faccdbbd73081e79cffe8be0 - 892a9c24b0f6118729ab5b5f5499b1a7e792dd15 (follow-up refactor hardening) Release Process Note patchedversions is pre-set to = 2026.2.26 so once npm 2026.2.26 is published, this advisory can be published directly without additional version-field edits. Thanks @tdjackey for reporting.", "affected": [ "openclaw@<= 2026.2.25" ], "patched": [ "openclaw@>= 2026.2.26" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-26T22:40:37Z", "updated": "2026-02-26T22:40:37Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-gp3q-wpq4-5c5h" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gp3q-wpq4-5c5h", "nvd_url": null, "cvss_score": 7.1, "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", "cwe_ids": [ "CWE-863" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-gp3q-wpq4-5c5h" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-qcc4-p59m-p54m", "ghsa_id": "GHSA-qcc4-p59m-p54m", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "high", "type": "github_security_advisory", "nvd_category_id": "CWE-59", "title": "Sandbox dangling-symlink alias handling could bypass workspace-only write boundary", "description": "Summary A sandbox boundary-validation gap in symlink alias handling allowed certain workspace-only write paths to be treated as in-boundary even when they could resolve outside the workspace/sandbox root. 
Affected Packages / Versions - Package: npm openclaw - Affected versions: <= 2026.2.25 - Latest published npm version included in affected range: 2026.2.25 (checked on February 26, 2026) - Patched version (pre-set for release): 2026.2.26 Technical Details In affected versions, dangling symlink hops could be accepted during boundary checks under missing-target conditions. For workspace-only write flows (including applypatch), this could allow writes to resolve outside the configured workspace/sandbox boundary. The fix resolves symlink targets through existing ancestors and fails closed when canonical resolution escapes the configured boundary. Impact - Boundary-confined write operations could be redirected outside the configured workspace/sandbox root. - Primary impact is integrity of host-side files reachable from that path resolution. Fix Commit(s) - 4fd29a35bb85a1898ebff518364c467058b50e14 Release Process Note patchedversions is pre-set to the planned next release (2026.2.26) so once npm 2026.2.26 is published, the advisory can be published without further field edits. 
Thanks @tdjackey for reporting.", "affected": [ "openclaw@<=2026.2.25" ], "patched": [ "openclaw@>= 2026.2.26" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-26T22:40:37Z", "updated": "2026-02-26T22:40:37Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-qcc4-p59m-p54m" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qcc4-p59m-p54m", "nvd_url": null, "cvss_score": 7, "cvss_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "cwe_ids": [ "CWE-59", "CWE-367" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-qcc4-p59m-p54m" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-7qf6-h84j-8fq4", "ghsa_id": "GHSA-7qf6-h84j-8fq4", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-367", "title": "Microsoft Teams media fetch SSRF hardening: unified guarded fetch across Graph and attachment paths", "description": "Impact Microsoft Teams media handling used mixed fetch paths for Graph metadata/content and attachment auth-retry flows. Some paths bypassed the shared SSRF guard model and created inconsistent host/DNS enforcement across redirect/fetch hops. Affected Packages / Versions - Package: openclaw (npm) - Latest published vulnerable version: 2026.2.25 - Affected range: <= 2026.2.25 - Planned patched version for next release: 2026.2.26 Technical Details The Microsoft Teams attachment/media code previously relied on plugin-local fetch behavior in parts of the flow, instead of uniformly using shared guarded fetch logic with pinned DNS + policy checks. This could allow policy drift and SSRF boundary inconsistency between channel/plugin paths. 
The fix unifies this path by: - routing Microsoft Teams Graph message/hosted-content/attachment fetches through shared SSRF-guarded fetch paths, - routing auth-scope fallback attachment downloads through the same guarded policy model, - centralizing hostname-suffix allowlist policy helpers in plugin-sdk so channel/plugins use the same allowlist normalization and policy construction behavior. Fix Commit(s) - 57334cd7d85174d5f951de01114fd5801b063564 Release Process Note patchedversions is pre-set to the planned next release (2026.2.26) so once npm openclaw@2026.2.26 is published, the advisory is ready to publish without further field edits. Thanks @tdjackey for reporting.", "affected": [ "openclaw@<=2026.2.25" ], "patched": [ "openclaw@>= 2026.2.26" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-26T22:40:33Z", "updated": "2026-02-26T22:40:33Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-7qf6-h84j-8fq4" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7qf6-h84j-8fq4", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-367", "CWE-918" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-7qf6-h84j-8fq4" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-gcj7-r3hg-m7w6", "ghsa_id": "GHSA-gcj7-r3hg-m7w6", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "low", "type": "github_security_advisory", "nvd_category_id": "CWE-294", "title": "voice-call Twilio replay dedupe now bound to authenticated webhook identity", "description": "Summary The voice-call Twilio webhook path accepted replay/dedupe identity from unsigned request metadata (i-twilio-idempotency-token), enabling replayed signed requests to bypass replay detection and manager dedupe by mutating only 
that header. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.25 (latest published npm version at triage time) - Fixed on main: commit 1aadf26f9acc399affabd859937a09468a9c5cb4 - Planned patched npm version: 2026.2.26 Impact Deployments using the optional voice-call Twilio webhook path could accept replayed webhook events as fresh events when an attacker had one valid signed request and changed only the unsigned idempotency header. Technical Details The fix removes unsigned-header trust from Twilio replay/dedupe identity and binds replay/manager dedupe to authenticated request material. It also threads a verified request identity through provider parsing so dedupe uses verification-derived identity rather than mutable headers. Fix Commit(s) - 1aadf26f9acc399affabd859937a09468a9c5cb4 Release Process Note patchedversions is pre-set to the planned next release (2026.2.26). After the npm release is published, this advisory can be published without additional version-field edits. 
Thanks @tdjackey for reporting.", "affected": [ "openclaw@<=2026.2.25" ], "patched": [ "openclaw@>= 2026.2.26" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-26T22:40:32Z", "updated": "2026-02-26T22:40:32Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-gcj7-r3hg-m7w6" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gcj7-r3hg-m7w6", "nvd_url": null, "cvss_score": 3.7, "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "cwe_ids": [ "CWE-294", "CWE-345" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-gcj7-r3hg-m7w6" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-f7ww-2725-qvw2", "ghsa_id": "GHSA-f7ww-2725-qvw2", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-59", "title": "Node system.run approval bypass via parent-symlink cwd rebind", "description": "Summary For host=node executions, approval context could be bypassed after approval-time by rebinding a writable parent symlink in cwd while preserving the visible cwd string. Affected Packages / Versions - Package: openclaw (npm) - Affected: <= 2026.2.25 - Fixed: = 2026.2.26 (planned next npm release) Impact A command approved for one filesystem location could execute from a different location if a mutable parent symlink changed between approval and execution. Fix - Added immutable approval-time plan preparation (system.run.prepare) and systemRunPlanV2 canonical fields (argv, cwd, agentId, sessionKey). - Enforced canonical plan values through approval request storage and forwarding-time sanitization. - Rejected mutable parent-symlink path components during approval-plan building to block symlink rebind bypass. 
- Follow-up refactors centralized command catalogs and approval context/error handling to reduce future drift. Fix Commit(s) - 78a7ff2d50fb3bcef351571cb5a0f21430a340c1 - d82c042b09727a6148f3ca651b254c4a677aff26 - d06632ba45a8482192792c55d5ff0b2e21abb0a7 - 4e690e09c746408b5e27617a20cb3fdc5190dbda - 4b4718c8dfce2e2c48404aa5088af7c013bed60b Release Process Note patchedversions is pre-set to the planned next release (2026.2.26). Once npm openclaw@2026.2.26 is published, publish this advisory directly without further version-field edits. Thanks @tdjackey for reporting.", "affected": [ "openclaw@<= 2026.2.25" ], "patched": [ "openclaw@>= 2026.2.26" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-26T22:40:31Z", "updated": "2026-02-26T22:40:31Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-f7ww-2725-qvw2" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f7ww-2725-qvw2", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-59", "CWE-367" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-f7ww-2725-qvw2" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-j26j-7qc4-3mrf", "ghsa_id": "GHSA-j26j-7qc4-3mrf", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-639", "title": "MS Teams fileConsent/invoke missing conversation binding allowed cross-conversation pending-upload consumption", "description": "Summary In openclaw MS Teams file-consent flow, pending uploads were authorized by uploadId alone. fileConsent/invoke did not verify the invoke conversation against the conversation that created the pending upload. 
Impact An attacker who obtained a valid uploadId within TTL could trigger cross-conversation upload completion (accept path) or cancel a victim pending upload (decline path). Technical Details - Pending uploads stored conversationId, but invoke handling consumed by uploadId only. - The invoke path did not enforce conversation binding before uploadToConsentUrl(...) and pending-upload removal. - Fix binds accept/decline handling to normalized conversation id match before consuming pending upload state. Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version (as of February 26, 2026): 2026.2.24 - Vulnerable range: <= 2026.2.24 - Patched in release: 2026.2.25 Remediation Upgrade to openclaw 2026.2.25 (or later) once published. Fix Commit(s) - 347f7b9550064f5f5b33c6e07f64e85b9657b6f1 Release Process Note patchedversions is pre-set to the release (2026.2.25). Advisory published with npm release 2026.2.25. Thanks @tdjackey for reporting.", "affected": [ "openclaw@<= 2026.2.24" ], "patched": [ "openclaw@>= 2026.2.25" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-26T03:58:32Z", "updated": "2026-02-26T03:58:32Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-j26j-7qc4-3mrf" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-j26j-7qc4-3mrf", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-639", "CWE-862" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-j26j-7qc4-3mrf" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-xmv6-r34m-62p4", "ghsa_id": "GHSA-xmv6-r34m-62p4", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "Sandbox media fallback tmp symlink 
alias bypass allows host file reads outside sandboxRoot", "description": "Summary A sandbox path validation bypass in openclaw allows host file reads outside sandboxRoot via the media path fallback tmp flow when the fallback tmp root is a symlink alias. Affected Packages / Versions - Package: npm openclaw - Affected versions: <= 2026.2.24 - Latest published npm version at triage time (February 26, 2026): 2026.2.24 - Patched version : 2026.2.25 Details When /tmp/openclaw is unavailable or unsafe, resolvePreferredOpenClawTmpDir() in src/infra/tmp-openclaw-dir.ts fell back to os.tmpdir()/openclaw-… [the rest of this description is missing from this copy; see the linked GitHub advisory]", "affected": [ "openclaw@<= 2026.2.24" ], "patched": [ "openclaw@>= 2026.2.25" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-26T03:58:31Z", "updated": "2026-02-26T03:58:31Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-xmv6-r34m-62p4" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xmv6-r34m-62p4", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-22", "CWE-59" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-xmv6-r34m-62p4" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-3jx4-q2m7-r496", "ghsa_id": "GHSA-3jx4-q2m7-r496", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "high", "type": "github_security_advisory", "nvd_category_id": "CWE-59", "title": "Hardlink alias checks could bypass workspace-only file boundaries in specific configurations", "description": "Summary In certain workspace-restricted configurations, OpenClaw could follow hardlink aliases inside the workspace that reference files outside the workspace boundary. By default, tools.fs.workspaceOnly is off. This primarily affects deployments that intentionally enable workspace-only filesystem restrictions (and workspace-only applypatch checks). 
Impact - Confidentiality: out-of-workspace files could be read through in-workspace hardlink aliases. - Integrity: out-of-workspace files could be modified through in-workspace hardlink aliases. Affected Packages / Versions - Package: openclaw (npm) - Latest published version at triage time: 2026.2.24 - Affected range: <= 2026.2.24 - Planned patched version: 2026.2.25 Fix Commit(s) - 04d91d0319b82fd4de91ed05e9fc5219ff2ab64e (main) Remediation OpenClaw now rejects hardlinked final-file aliases during workspace boundary validation for: - workspace-only path checks (read / write / edit) - workspace-only applypatch read/write paths - sandbox mount-root path-safety checks Regression tests were added for applypatch, workspace fs tools, and sandbox fs bridge hardlink alias escapes. Release Process Note patchedversions is pre-set to the release (2026.2.25) so the advisory can be published after npm release with no further version-field edits. Thanks @tdjackey for reporting.", "affected": [ "openclaw@<= 2026.2.24" ], "patched": [ "openclaw@>= 2026.2.25" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-26T03:58:27Z", "updated": "2026-02-26T03:58:27Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-3jx4-q2m7-r496" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3jx4-q2m7-r496", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-59", "CWE-668" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-3jx4-q2m7-r496" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-qj22-xqjr-v83v", "ghsa_id": "GHSA-qj22-xqjr-v83v", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "Telegram 
messagereaction authorization bypass allows unauthorized system-event injection", "description": "A missing sender-authorization check in Telegram messagereaction handling allowed unauthorized users to trigger reaction-derived system events. Affected Packages / Versions - Package: openclaw (npm) - Introduced: 2026.2.17 - Affected: >= 2026.2.17 and <= 2026.2.24 - Latest published at patch time: 2026.2.24 - Patched in release: 2026.2.25 Impact When reaction notifications are enabled, unauthorized Telegram senders could inject reaction system events despite configured DM/group authorization controls (dmPolicy, allowFrom, groupPolicy, groupAllowFrom). Fix Commit(s) - e56b0cf1a04f992ac6ebc775899f48ea31687640 Release Process Note patchedversions is pre-set to the release (2026.2.25) so once npm release 2026.2.25 is published, this advisory can be published without further edits. Thanks @tdjackey for reporting.", "affected": [ "openclaw@<= 2026.2.24" ], "patched": [ "openclaw@>= 2026.2.25" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-26T03:58:21Z", "updated": "2026-02-26T03:58:21Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-qj22-xqjr-v83v" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qj22-xqjr-v83v", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-863" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-qj22-xqjr-v83v" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-h97f-6pqj-q452", "ghsa_id": "GHSA-h97f-6pqj-q452", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "low", "type": "server_side_request_forgery", "nvd_category_id": "CWE-918", "title": "IPv6 multicast SSRF classifier bypass", "description": "Summary OpenClaw's SSRF IP classifier 
did not treat IPv6 multicast literals (ff00::/8) as blocked/private-internal. This allowed literal multicast hosts to pass SSRF preflight checks. Impact A bypass in address classification existed for IPv6 multicast literals. OpenClaw's network fetch/navigation paths are constrained to HTTP/HTTPS and this was triaged as low-severity defense-in-depth hardening. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.24 - Patched versions: >= 2026.2.25 Technical Details The IPv6 private/internal range set omitted multicast, so addresses like ff02::1 and ff05::1:3 were not classified as blocked by the shared SSRF classifier. Fix Commit(s) - baf656bc6fd7f83b6033e6dbc2548ec75028641f Release Process Note patchedversions is pre-set to the planned next npm release (2026.2.25). Once that release is published on npm, the advisory is published. Thanks @zpbrent for reporting.", "affected": [ "openclaw@<= 2026.2.24" ], "patched": [ "openclaw@>= 2026.2.25" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-26T03:58:14Z", "updated": "2026-02-26T03:58:14Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-h97f-6pqj-q452" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h97f-6pqj-q452", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-918" ], "credits": [ "zpbrent" ], "aliases": [ "GHSA-h97f-6pqj-q452" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-9f72-qcpw-2hxc", "ghsa_id": "GHSA-9f72-qcpw-2hxc", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "high", "type": "exposure_of_sensitive_information", "nvd_category_id": "CWE-200", "title": "Native prompt image auto-load did not honor tools.fs.workspaceOnly in sandboxed runs", "description": 
"Summary In sandboxed runs, native prompt image auto-load did not honor tools.fs.workspaceOnly=true. This optional hardening setting is not enabled by default. When operators enabled it, prompt text could still reference mounted out-of-workspace image paths (for example /agent/secret.png) and load those image bytes for vision-capable model input. Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version at triage time: 2026.2.23 - Vulnerable version range: <= 2026.2.23 - Patched version (planned next release): 2026.2.24 Conditions Required This issue required all of the following: - sandbox mode enabled, - tools.fs.workspaceOnly=true configured, - an out-of-workspace mount path reachable from the sandbox (for example /agent), - vision-capable model path active for native prompt image loading. Technical Details Native prompt image ingestion (detectAndLoadPromptImages / loadImageFromRef) resolved and read sandbox paths but did not apply the same workspace-root assertion used by file tools when tools.fs.workspaceOnly was set. Fix Commit(s) - 370d115549c0dadace0902775eea0d5094aedfdc Verification - pnpm check - pnpm exec vitest run --config vitest.gateway.config.ts - pnpm test:fast Release Process Note patchedversions is pre-set to the planned next release (2026.2.24) so once npm release is available, this advisory only needs publish action. Thanks @tdjackey for reporting. Publication Update (2026-02-25) openclaw@2026.2.24 is published on npm and contains the fix commit(s) listed above. 
This advisory now marks >= 2026.2.24 as patched.", "affected": [ "openclaw@<= 2026.2.23" ], "patched": [ "openclaw@>= 2026.2.24" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-25T04:37:41Z", "updated": "2026-02-25T04:37:41Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-9f72-qcpw-2hxc" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9f72-qcpw-2hxc", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-200", "CWE-284" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-9f72-qcpw-2hxc" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-h656-5vcf-cm23", "ghsa_id": "GHSA-h656-5vcf-cm23", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "improper_access_control", "nvd_category_id": "CWE-284", "title": "Telegram: Unauthorized Senders Trigger Media Download and Disk Write Before Access Check", "description": "Impact In Telegram DM mode, inbound media was downloaded and written to disk before sender authorization checks completed. An unauthorized sender could trigger inbound media download/write activity (including media groups) even when DM access should be denied. Affected Packages / Versions - Package: openclaw (npm) - Latest published version currently affected: 2026.2.23 - Vulnerable range: <= 2026.2.23 - Patched in planned next release: 2026.2.24 Fix Commit(s) - 9514201fb9b51de5d0b23151110d0ff5d9c8bd67 Technical Details The Telegram handler flow now enforces DM authorization before media download/write paths execute, including media-group handling. Inbound channel activity tracking was also moved to run after DM authorization in the Telegram message context path. 
Release Process Note patchedversions is pre-set to the planned next release (2026.2.24). After npm publish, the advisory can be published without further version-field edits. Thanks @v8hid for reporting. Publication Update (2026-02-25) openclaw@2026.2.24 is published on npm and contains the fix commit(s) listed above. This advisory now marks = 2026.2.24 as patched.", "affected": [ "openclaw@<=2026.2.23" ], "patched": [ "openclaw@>= 2026.2.24" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-25T04:37:39Z", "updated": "2026-02-25T04:37:39Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-h656-5vcf-cm23" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h656-5vcf-cm23", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-284", "CWE-404", "CWE-406", "CWE-770" ], "credits": [ "v8hid" ], "aliases": [ "GHSA-h656-5vcf-cm23" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-33hm-cq8r-wc49", "ghsa_id": "GHSA-33hm-cq8r-wc49", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "Temporary path handling could write outside OpenClaw temp boundary", "description": "Summary Sandbox media local-path validation accepted absolute paths under host tmp, even when those paths were outside the active sandbox root. 
Affected Packages / Versions - Package: openclaw (npm) - Latest published version verified during triage: 2026.2.23 - Affected versions: <= 2026.2.23 - Patched versions (planned next release): = 2026.2.24 Details In affected versions, sandbox media path resolution allowed absolute host tmp paths as trusted media inputs when they were under os.tmpdir(), without requiring that the path stay within the active sandboxRoot. Because outbound attachment hydration consumed these paths as already validated, this enabled out-of-sandbox host tmp file reads and exfiltration through attachment delivery. Impact - Confidentiality impact: high for deployments relying on sandboxRoot as a strict local filesystem boundary. - Practical impact: attacker-controlled media references could read and attach host tmp files outside the sandbox workspace boundary. Remediation - Restrict sandbox tmp-path acceptance to OpenClaw-managed temp roots only. - Default SDK/extension temp helpers to OpenClaw-managed temp roots. - Add CI guardrails to prevent broad tmp-root regressions in messaging/channel code paths. Fix Commit(s) - d3da67c7a9b463edc1a9b1c1f7af107a34ca32f5 - 79a7b3d22ef92e36a4031093d80a0acb0d82f351 - def993dbd843ff28f2b3bad5cc24603874ba9f1e Release Process Note The advisory is pre-set with patched version 2026.2.24 so it is ready for publication once that npm release is available. Thanks @tdjackey for reporting. Publication Update (2026-02-25) openclaw@2026.2.24 is published on npm and contains the fix commit(s) listed above. 
This advisory now marks >= 2026.2.24 as patched.", "affected": [ "openclaw@<= 2026.2.23" ], "patched": [ "openclaw@>= 2026.2.24" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-25T04:37:35Z", "updated": "2026-02-25T04:37:35Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-33hm-cq8r-wc49" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-33hm-cq8r-wc49", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-22", "CWE-284" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-33hm-cq8r-wc49" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-534w-2vm4-89xr", "ghsa_id": "GHSA-534w-2vm4-89xr", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "improper_access_control", "nvd_category_id": "CWE-284", "title": "Zalo group sender allowlist bypass permits unauthorized GROUP dispatch", "description": "A missing group-sender authorization check in the Zalo plugin allowed unauthorized GROUP messages to enter agent dispatch paths in configurations intended to restrict group traffic. Impact When Zalo group handling was configured with allowlist-style controls, a sender not present in the intended group allowlist could still trigger agent processing through the GROUP message path. Root Cause Group access checks were not consistently enforced before dispatch for Zalo GROUP messages. The fix adds explicit runtime group-policy evaluation (groupPolicy, groupAllowFrom, fallback to allowFrom) and fail-closed behavior for missing provider config.
Affected Packages / Versions - Package: openclaw (npm) - Latest published vulnerable version: 2026.2.23 (as of 2026-02-24) - Affected range: <= 2026.2.23 - Planned patched version: 2026.2.24 Fix Commit(s) - b4010a0b627025c809c0e5dbdbd4770f3bc59ef8 Release Process Note patchedversions is pre-set to the planned next release (2026.2.24). Once that npm release is published, this advisory should only need to be published. Thanks @tdjackey for reporting. Publication Update (2026-02-25) openclaw@2026.2.24 is published on npm and contains the fix commit(s) listed above. This advisory now marks = 2026.2.24 as patched.", "affected": [ "openclaw@<= 2026.2.23" ], "patched": [ "openclaw@>= 2026.2.24" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-25T04:37:33Z", "updated": "2026-02-25T04:37:33Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-534w-2vm4-89xr" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-534w-2vm4-89xr", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-284", "CWE-863" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-534w-2vm4-89xr" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-r294-2894-92j3", "ghsa_id": "GHSA-r294-2894-92j3", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "cross_site_scripting", "nvd_category_id": "CWE-79", "title": "Stored XSS in exported session HTML viewer via markdown/raw-HTML rendering", "description": "Summary The exported session HTML viewer allowed stored XSS when untrusted session content included raw HTML markdown tokens or unescaped metadata fields. Impact Opening a crafted exported HTML session could execute attacker-controlled JavaScript in the viewer context. 
This can expose session content in the page and enable phishing or UI spoofing in the trusted export view. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.22-2 - Patched version (released): = 2026.2.23 Technical Details The exporter rendered markdown with marked.parse(...) and inserted HTML via innerHTML, but did not override the html renderer token path. Raw HTML (for example = 2026.2.23" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-24T05:27:23Z", "updated": "2026-02-24T05:27:23Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-r294-2894-92j3" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-r294-2894-92j3", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-79" ], "credits": [ "allsmog" ], "aliases": [ "GHSA-r294-2894-92j3" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-7ff8-xjh3-mgh6", "ghsa_id": "GHSA-7ff8-xjh3-mgh6", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-266", "title": "non-default autoAllowSkills setting could bypass on-miss exec prompt", "description": "Summary In openclaw versions up to and including 2026.2.22-2, a non-default exec-approval configuration could allow a skill-name collision to bypass an ask=on-miss prompt. When autoAllowSkills=true, a path-scoped executable such as ./skill-bin could resolve to basename skill-bin, satisfy the skills allowlist segment, and run without prompting for approval. 
Affected Packages / Versions - Package: npm openclaw - Affected versions: <= 2026.2.22-2 - Patched versions: = 2026.2.23 (released) Configuration Scope (Not Default) This behavior requires non-default settings and does not affect default installs. Required conditions: - autoAllowSkills=true (default is false) - system.run with security=allowlist - ask=on-miss Technical Details The allowlist evaluator accepted skills satisfaction by bin-name match, so ./skill-bin could match skillBins.has(\"skill-bin\") after resolution. The fix hardens skill auto-allow matching by requiring: - a pathless invocation token (no / or \\\\), and - a trusted resolved executable path for that skill bin on the machine where skills run. This preserves normal skill-bin ... behavior while preventing ./=2026.2.23" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-24T05:27:21Z", "updated": "2026-02-24T05:27:21Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-7ff8-xjh3-mgh6" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7ff8-xjh3-mgh6", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-266", "CWE-863" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-7ff8-xjh3-mgh6" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-2j9j-gf59-p4p5", "ghsa_id": "GHSA-2j9j-gf59-p4p5", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "low", "type": "github_security_advisory", "nvd_category_id": null, "title": "iOS deep link (openclaw://agent) can trigger gateway agent requests without local confirmation", "description": "Summary A crafted openclaw://agent deep link could cause OpenClaw iOS to forward an agent.request event to a connected Gateway without local confirmation on iOS. 
Affected Packages / Versions - Advisory package metadata: openclaw (swift ecosystem). - Latest published npm openclaw at triage time: 2026.2.22-2. - Affected practical surface: internal preview iOS builds only (not publicly distributed). - Structured advisory range is set to <= 2026.2.22-2 and patched version is pre-set to 2026.2.23 and is now public. Impact - External deep-link trigger could cause unintended agent action initiation in an already-connected iOS node context. - This is a user-interaction deep-link abuse issue, not unauthenticated server takeover. - Severity is set to Low because iOS distribution is internal preview/super-alpha and not public/TestFlight release. Remediation The iOS deep-link path now requires local confirmation unless a trusted deep-link key is provided, and unkeyed deep links have delivery-routing fields stripped before submission. Fix Commit(s) - ff4e6ca0d942ef52330dcbe116321ae4fed21749 Release Process Note patchedversions is pre-set to the released version (2026.2.23). This advisory now reflects released fix version 2026.2.23. 
Thanks @GCXWLP for reporting.", "affected": [ "openclaw@<= 2026.2.22-2" ], "patched": [ "openclaw@2026.2.23" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-24T05:27:20Z", "updated": "2026-02-24T05:27:20Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-2j9j-gf59-p4p5" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2j9j-gf59-p4p5", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [], "credits": [ "GCXWLP" ], "aliases": [ "GHSA-2j9j-gf59-p4p5" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-6x2m-hqfw-hvpj", "ghsa_id": "GHSA-6x2m-hqfw-hvpj", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-285", "title": "Node exec approvals could be replayed across nodes", "description": "Summary exec.approval requests for host=node were not explicitly bound to the target nodeId, so an approval intended for one node could be replayed for a different node under the same operator-controlled gateway fleet. Impact An operator approval for a system.run request could be reused across nodes if the request payload did not carry node identity through approval and execution checks. Affected Packages / Versions - Package: openclaw (npm) - Affected: <= 2026.2.22-2 - Fixed: 2026.2.23 (released) Mitigation Upgrade to 2026.2.23 or later once published. Fix Details The fix requires and persists nodeId for host=node approval requests and rejects execution when the approving node binding does not match the invoking node. Fix Commit(s) - 4a3f8438e527ac371a67fe7ac68a287f0dbe6063 Release Process Note patchedversions is pre-set to the released version (2026.2.23). 
This advisory now reflects released fix version 2026.2.23. Thanks @tdjackey for reporting.", "affected": [ "openclaw@<= 2026.2.22-2" ], "patched": [ "openclaw@>= 2026.2.23" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-24T05:27:18Z", "updated": "2026-02-24T05:27:18Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-6x2m-hqfw-hvpj" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6x2m-hqfw-hvpj", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-285", "CWE-863" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-6x2m-hqfw-hvpj" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-2ch6-x3g4-7759", "ghsa_id": "GHSA-2ch6-x3g4-7759", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-639", "title": "commands.allowFrom sender authorization accepted conversation identifiers via ctx.From", "description": "Summary commands.allowFrom is documented as a sender authorization allowlist for commands/directives, but command authorization could include ctx.From (conversation identity) as a sender candidate. 
When commands.allowFrom contained conversation-like identifiers (for example Discord channel:= 2026.2.23" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-24T05:27:14Z", "updated": "2026-02-24T05:27:14Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-796m-2973-wc5q" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-796m-2973-wc5q", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-436" ], "credits": [ "jiseoung" ], "aliases": [ "GHSA-796m-2973-wc5q" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-8j9w-9pm5-pv8m", "ghsa_id": "GHSA-8j9w-9pm5-pv8m", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-184", "title": "DUPLICATE of GHSA-3c6h-g97w-fg78: safeBins denied flags can be bypassed via GNU long-option abbreviations", "description": "Duplicate Notice This draft advisory duplicates GHSA-3c6h-g97w-fg78. Canonical advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-3c6h-g97w-fg78 Use GHSA-3c6h-g97w-fg78 for tracking/publication. This advisory is published as a duplicate notice. Summary OpenClaw safeBins argument validation allowed denied flags to be bypassed via GNU long-option abbreviations. The validator matched denied long flags by exact string and treated unknown long options as allowed, creating a policy/runtime mismatch: commands could be approved as safe-bin usage while runtime behavior reached denied options. Impact - Default safe-bin wc: unauthorized file-read behavior via abbreviated --files0-fro (runtime resolves to --files0-from). 
- Configured safe-bin sort: external program invocation via abbreviated --compress-prog (runtime resolves to --compress-program). - Additional hardening gap: unknown or ambiguous long options in safe-bin mode were not rejected fail-closed. Technical Details Affected paths included safe-bin argv validation and allowlist evaluation: - src/infra/exec-safe-bin-policy.ts - src/infra/exec-approvals-allowlist.ts Affected Packages / Versions - Ecosystem: npm - Package: openclaw - Affected versions: <= 2026.2.22-2 - Fixed in code on main: 2026.2.23 (released) Remediation - Canonicalize long options using GNU-style unique-prefix matching. - Reject unknown and ambiguous long options in safe-bin mode (fail-closed). - Reject inline values for non-value long flags. - Deny additional sort filesystem-dependent flags in safe-bin mode: --random-source, --temporary-directory, -T. - Add regression tests for denied-flag abbreviations and fail-closed long-option handling. Fix Commit(s) - 3b8e33037ae2e12af7beb56fcf0346f1f8cbde6f Release Process Note Patched in 2026.2.23 and published. 
Thanks @jiseoung for reporting.", "affected": [ "openclaw@<= 2026.2.22-2" ], "patched": [ "openclaw@>=2026.2.23" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-24T05:27:13Z", "updated": "2026-02-24T05:27:13Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-8j9w-9pm5-pv8m" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8j9w-9pm5-pv8m", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-184" ], "credits": [ "jiseoung" ], "aliases": [ "GHSA-8j9w-9pm5-pv8m" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-4cqv-h74h-93j4", "ghsa_id": "GHSA-4cqv-h74h-93j4", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "improper_authentication", "nvd_category_id": "CWE-287", "title": "Discord allowFrom slug-collision authorization bypass", "description": "OpenClaw supports Discord allowlists using either user IDs or names/tags. Name/tag matching depends on slug normalization, so different user tags can collide to the same slug and unintentionally satisfy a name-based allowlist entry. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.21-2 - Patched versions: = 2026.2.22 What Changed - openclaw security audit now warns on Discord name/tag allowlist entries (DM allowlists, guild/channel users, and pairing-store entries). - Runtime authorization now prefers resolved user IDs when a configured name/tag can be resolved, without rewriting config files on disk. - Name-based entries remain supported for compatibility. Recommendations - Prefer stable Discord user IDs for security-sensitive allowlists. - Run openclaw security audit and address warnings where practical. 
Fix Commit(s) - f97c45c5b5e0698b6667bb5f6badc0cac7dabd12 - 747bb581b3f2264495e1fec5a0727d9f2ca1b6f1 Release Process Note Patched version fields now point to 2026.2.22 and fixes are merged on main. Thanks @tdjackey for reporting.", "affected": [ "openclaw@<= 2026.2.21-2" ], "patched": [ "openclaw@>= 2026.2.22" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-23T00:52:17Z", "updated": "2026-02-23T00:52:17Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-4cqv-h74h-93j4" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4cqv-h74h-93j4", "nvd_url": null, "cvss_score": 6.5, "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "cwe_ids": [ "CWE-287" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-4cqv-h74h-93j4" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-jxrq-8fm4-9p58", "ghsa_id": "GHSA-jxrq-8fm4-9p58", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-59", "title": "Zip extraction symlink traversal could write outside destination", "description": "Summary A path confinement bypass in OpenClaw ZIP extraction allowed writes outside the intended destination when a pre-existing symlink was present under the extraction root. Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version at triage time: 2026.2.21-2 - Affected versions: <= 2026.2.21-2 - Planned patched version for next release: 2026.2.22 Technical Details The vulnerable path was in src/infra/archive.ts ZIP extraction logic. Output-path checks were lexical, but writes could still traverse an existing symlink in destination path segments. 
The fix blocks this by: - rejecting symlink traversal in destination path segments, - validating resolved destination paths remain inside the extraction root, - using no-follow file opens for ZIP output writes where supported, - adding a regression test for pre-seeded destination symlink traversal. Impact - Type: Arbitrary file write outside extraction root via symlink traversal during ZIP extraction. - Preconditions: attacker-controlled archive extraction plus pre-existing symlink in destination path. Fix Commit(s) - 4b226b74f5fd3b106a83a6347fd404172e2fd246 Release Process Note Patched version is pre-set to the planned next release (2026.2.22). Once npm release 2026.2.22 is published, the advisory can be published without further field edits. Thanks @tdjackey for reporting.", "affected": [ "openclaw@<= 2026.2.21-2" ], "patched": [ "openclaw@>= 2026.2.22" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-23T00:52:17Z", "updated": "2026-02-23T00:52:17Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-jxrq-8fm4-9p58" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jxrq-8fm4-9p58", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-59" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-jxrq-8fm4-9p58" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-jwf4-8wf4-jf2m", "ghsa_id": "GHSA-jwf4-8wf4-jf2m", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "BlueBubbles (optional plugin) pairing/allowlist mismatch when allowFrom is empty", "description": "Summary BlueBubbles is an optional OpenClaw channel plugin. 
A configuration-sensitive access-control mismatch allowed DM senders to be treated as authorized when dmPolicy was pairing or allowlist and allowFrom was empty/unset. Severity Rationale (Medium) Severity is set to medium because: - this affects an optional plugin, not core messaging surfaces; - many deployments use owner-controlled/private BlueBubbles identities with limited external reachability; - practical exploitability depends on an untrusted sender being able to reach that specific BlueBubbles account identifier. In typical personal/self-hosted BlueBubbles setups, the mapped Apple identity is single-owner and not broadly reachable, so this is usually low practical risk. Risk is higher in deployments where the identifier is publicly reachable and/or agent tool permissions are broad. Technical Details 1. BlueBubbles DM policy defaults to pairing (dmPolicy ?? \"pairing\"). 2. Effective allowlist can be empty (effectiveAllowFrom). 3. DM/reaction authorization called isAllowedBlueBubblesSender(...). 4. That delegated to shared isAllowedParsedChatSender(...), which previously returned true for empty allowlists. 5. Result: unknown senders could bypass intended pairing/allowlist gating when allowFrom was empty. Affected Packages / Versions - Package: openclaw (npm) - Vulnerable versions: <= 2026.2.21-2 - Planned fixed version: 2026.2.22 Fix The shared parsed-chat allowlist helper now fails closed on empty allowlists, restoring expected BlueBubbles DM gating behavior. BlueBubbles inbound gating was also refactored to use one shared DM/group decision helper for both message and reaction paths to reduce future drift. Fix Commit(s) - 9632b9bcf032c5f2280c3103961fde912ab1f920 - 2ba6de7eaad812e5e8603018e14e54e96bdd57dd - 51c0893673de8e5cea64e64351dbfa4680ba0dec - 4540790cb62412676f7b61cfc6e47443f84a251e Release Process Note patchedversions is pre-set to the planned next release (2026.2.22). 
Once npm release 2026.2.22 is published, this advisory is ready to publish without additional field edits. Thanks @tdjackey for reporting.", "affected": [ "openclaw@<= 2026.2.21-2" ], "patched": [ "openclaw@2026.2.22" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-23T00:52:16Z", "updated": "2026-02-23T00:52:16Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-jwf4-8wf4-jf2m" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jwf4-8wf4-jf2m", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-863" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-jwf4-8wf4-jf2m" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-659f-22xc-98f2", "ghsa_id": "GHSA-659f-22xc-98f2", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "code_injection", "nvd_category_id": "CWE-94", "title": "Hook transform path containment missed symlink-resolved escapes", "description": "Vulnerability Webhook transform modules were validated with lexical path checks only. A symlink under the allowed hooks transform tree could resolve outside the intended directory and be dynamically imported. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.21-2 - Patched version (planned next release): 2026.2.22 Impact When an attacker can cause a transform module path to reference a symlinked entry that resolves outside the trusted transform directory, the gateway may import and execute unintended JavaScript with gateway-process privileges. Attack Preconditions - Hook transforms are enabled and reachable. - Attacker can influence transform path resolution (for example via privileged config access and/or writable filesystem path in the transform tree). 
- A symlink escape exists to attacker-controlled code. Remediation - Enforce realpath-aware containment for existing path ancestors before dynamic import. - Keep lexical containment checks for traversal and absolute-path escapes. - Add regression coverage for: - transform module symlink escape rejection, - hooks.transformsDir symlink escape rejection, - in-root symlink allow-case. Fix Commit(s) - f4dd0577b055f77af783105bd65eae32f3d5e6a1 Release Process Note patchedversions is pre-set to the planned next release (2026.2.22). After npm release is published, advisory publication can proceed without further version edits. Thanks @aether-ai-agent for reporting.", "affected": [ "openclaw@<=2026.2.21-2" ], "patched": [ "openclaw@2026.2.22" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-23T00:52:09Z", "updated": "2026-02-23T00:52:09Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-659f-22xc-98f2" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-659f-22xc-98f2", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-94" ], "credits": [], "aliases": [ "GHSA-659f-22xc-98f2" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-5847-rm3g-23mw", "ghsa_id": "GHSA-5847-rm3g-23mw", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": null, "title": "Hook auth rate limiter bypass via IPv4-mapped IPv6 client key variants", "description": "Vulnerability The hook authentication throttle keyed failed attempts by raw socket remoteAddress text. IPv4 and IPv4-mapped IPv6 forms of the same client (for example 1.2.3.4 and ::ffff:1.2.3.4) were treated as different clients, allowing separate rate-limit buckets. 
Impact An attacker could split failed hook-auth attempts across both address forms and effectively double the brute-force budget from 20 to 40 attempts per 60-second window. Affected Components - src/gateway/server-http.ts - src/gateway/auth-rate-limit.ts Affected Packages / Versions - Package: openclaw (npm) - Vulnerable versions: <= 2026.2.21-2 - Patched version (planned next release): 2026.2.22 Remediation Centralize and reuse canonical client-IP normalization for auth rate-limiting, and use that canonical key for hook auth throttling. Fix Commit(s) - 3284d2eb227e7b6536d543bcf5c3e320bc9d13c5 Release Process Note patchedversions is pre-set to the planned next release (2026.2.22) so once npm release 2026.2.22 is published, this advisory can be published directly. Thanks @aether-ai-agent for reporting.", "affected": [ "openclaw@<=2026.2.21-2" ], "patched": [ "openclaw@>= 2026.2.22" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-23T00:52:08Z", "updated": "2026-02-23T00:52:08Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-5847-rm3g-23mw" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5847-rm3g-23mw", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [], "credits": [], "aliases": [ "GHSA-5847-rm3g-23mw" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-9mph-4f7v-fmvh", "ghsa_id": "GHSA-9mph-4f7v-fmvh", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": null, "title": "Agent avatar symlink traversal in gateway session metadata", "description": "Summary A crafted local avatar path could follow a symlink outside the agent workspace and return arbitrary file contents as a base64 data: URL in 
gateway responses. Impact - Confidentiality impact: local file read in the gateway process context. - Exfiltration path: agents.list can return the resulting avatarUrl payload. Affected Components - src/gateway/session-utils.ts (resolveIdentityAvatarUrl) Affected Packages / Versions - Package: openclaw (npm) - Introduced: v2026.1.21 - Affected published versions: <= 2026.2.21-2 - Planned patched version: 2026.2.22 Remediation - Resolve workspace and avatar paths with realpath and enforce realpath containment. - Open files with O_NOFOLLOW when available. - Compare pre-open and opened file identity (dev/ino) to block swap races. - Add regression tests for outside-workspace symlink rejection and in-workspace symlink allowance. Fix Commit(s) - 3d0337504349954237d09e4d957df5cb844d5e77 Release Process Note The advisory patched_versions field is pre-set to the planned next release (2026.2.22). After that npm release is published, the remaining step is to publish this advisory. Thanks @aether-ai-agent for reporting.", "affected": [ "openclaw@<= 2026.2.21-2" ], "patched": [ "openclaw@>= 2026.2.22" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-23T00:52:08Z", "updated": "2026-02-23T00:52:08Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-9mph-4f7v-fmvh" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9mph-4f7v-fmvh", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [], "credits": [], "aliases": [ "GHSA-9mph-4f7v-fmvh" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-5h2c-8v84-qpvr", "ghsa_id": "GHSA-5h2c-8v84-qpvr", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-15", "title": "Shell-env
fallback trusted startup env and could execute attacker-influenced login-shell paths", "description": "Summary OpenClaw shell-env fallback trusted startup environment values and could execute attacker-influenced login-shell startup paths before loading env keys. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: >= 2026.1.5 and <= 2026.2.21-2 - Fixed on main: 9363c320d8ffe29290906752fab92621da02c3f7 - Planned patched release version (pre-set): 2026.2.22 Details The vulnerable chain was in the shell-env fallback path: 1. src/infra/shell-env.ts - resolveShell(env) trusted env.SHELL when set. - execLoginShellEnvZero(...) executed ${SHELL} -l -c \"env -0\" with inherited runtime env. 2. src/config/io.ts - Config env values were applied before shell fallback execution. 3. src/config/env-vars.ts / env policy coverage - SHELL handling was hardened, but startup-path selectors (HOME, ZDOTDIR) still needed explicit blocking in config env ingestion and sanitization for shell fallback execution. With env/config influence, this could trigger unintended command execution in shell startup processing on the OpenClaw host process context. Fix Mainline hardening now: - blocks SHELL, HOME, and ZDOTDIR during config env ingestion used by runtime fallback, - sanitizes shell fallback execution env, pinning HOME to the real user home and dropping ZDOTDIR + dangerous startup vars, - adds regression tests for config env ingestion and shell fallback/path-probe sanitization. Fix Commit(s) - 9363c320d8ffe29290906752fab92621da02c3f7 Impact - Local code-execution risk in environments where attacker-controlled env/config input can reach shell-env fallback. - Under OpenClaw trust assumptions (SECURITY.md), this is not a public-remote issue and depends on crossing local trusted-operator boundaries. Release Process Note patched_versions is intentionally pre-set to the planned next release (2026.2.22) so once npm release is out, maintainers can publish advisory immediately.
Thanks @tdjackey for reporting.", "affected": [ "openclaw@<=2026.2.21-2" ], "patched": [ "openclaw@>= 2026.2.22" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-23T00:52:06Z", "updated": "2026-02-23T00:52:06Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-5h2c-8v84-qpvr" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5h2c-8v84-qpvr", "nvd_url": null, "cvss_score": 5.3, "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "cwe_ids": [ "CWE-15", "CWE-78" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-5h2c-8v84-qpvr" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-8mf7-vv8w-hjr2", "ghsa_id": "GHSA-8mf7-vv8w-hjr2", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "low", "type": "os_command_injection", "nvd_category_id": "CWE-78", "title": "tools.exec.safeBins generic fallback allowed interpreter-style inline payload execution in allowlist mode", "description": "Summary When tools.exec.safeBins contained a binary without an explicit safe-bin profile, OpenClaw used a permissive generic fallback profile. In allowlist mode, that could let interpreter-style binaries (for example python3, node, ruby) execute inline payloads via flags like -c. This requires explicit operator configuration to add such binaries to safeBins, so impact is limited to non-default/misconfigured deployments. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.21-2 - Patched in code: = 2026.2.22 (planned next npm release) Fix - Remove generic safe-bin fallback during allowlist evaluation. - Require explicit safe-bin profiles for safeBins entries. - Add configurable tools.exec.safeBinProfiles (global + per-agent) for safe custom binaries. 
- Update docs to clearly separate safeBins from command allowlist semantics. Fix Commit(s) - 47c3f742b6c488be26dd7b9636dbbb8676089154 Release Process Note patchedversions is pre-set to the planned next release (= 2026.2.22) so once that npm release is published, the advisory can be published directly without further metadata edits. Thanks @tdjackey for reporting.", "affected": [ "openclaw@<= 2026.2.21-2" ], "patched": [ "openclaw@>= 2026.2.22" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-23T00:52:06Z", "updated": "2026-02-23T00:52:06Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-8mf7-vv8w-hjr2" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8mf7-vv8w-hjr2", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-78", "CWE-693" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-8mf7-vv8w-hjr2" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-4rqq-w8v4-7p47", "ghsa_id": "GHSA-4rqq-w8v4-7p47", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "low", "type": "github_security_advisory", "nvd_category_id": null, "title": "Incomplete IPv4 special-use SSRF blocking in web fetch guard", "description": "Summary isPrivateIpv4() in bundled SSRF guard code missed several IPv4 special-use/non-global ranges, so webfetch could allow targets that should be blocked by SSRF policy. Affected Packages / Versions - Package: openclaw (npm) - Latest published affected version: 2026.2.21-2 (published 2026-02-21) - Structured vulnerable range: <= 2026.2.21-2 - Planned patched version (pre-set): = 2026.2.22 Impact Low severity. Exploitation requires network reachability to the relevant special-use ranges and a request path that reaches webfetch URL fetching. 
Technical Details Affected releases used narrow IPv4 private-range checks that omitted multiple RFC special-use/non-global ranges. This allowed requests such as http://198.18.0.1/... through SSRF validation in affected releases. Follow-up hardening consolidates local-host/tailnet range checks so gateway/browser/tailnet paths share one canonical IP classification flow. Fix Commit(s) - 71bd15bb4294d3d1b54386064d69cd0f5f731bd8 - 44dfbd23df453e51b71ef79a148c28c53e89168c - 333fbb86347998526dd514290adfd5f727caa6d9 - f14ebd743cfc73f667fae80af70043d0ab1f88bd Release Process Note patchedversions is intentionally pre-set to the planned next release (= 2026.2.22) so once npm 2026.2.22 is published, maintainers can publish this advisory without further metadata edits. Thanks @princeeismond-dot for reporting.", "affected": [ "openclaw@<= 2026.2.21-2" ], "patched": [ "openclaw@>= 2026.2.22" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-23T00:52:05Z", "updated": "2026-02-23T00:52:05Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-4rqq-w8v4-7p47" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4rqq-w8v4-7p47", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [], "credits": [ "princeeismond-dot" ], "aliases": [ "GHSA-4rqq-w8v4-7p47" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-f6h3-846h-2r8w", "ghsa_id": "GHSA-f6h3-846h-2r8w", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-639", "title": "Elevated allowFrom matching tightened for sender-scoped authorization", "description": "Summary In certain elevated-mode configurations, tools.elevated.allowFrom accepted broader identity signals than 
intended. The fix tightens matching to sender-scoped identity by default and makes mutable metadata matching explicit. Context OpenClaw is commonly used in 1:1 chats or trusted group chats. In that intended model, this issue is best treated as authorization hardening / defense-in-depth for elevated sender approval. Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version at triage: 2026.2.21-2 - Affected versions: <= 2026.2.21-2 - Planned patched version (pre-set for publish-ready advisory): 2026.2.22 Details Elevated sender authorization now matches sender-scoped identity values only by default (SenderId, From, SenderE164) and no longer considers recipient routing fields such as ctx.To. Mutable sender metadata (SenderName, SenderUsername, SenderTag) now requires explicit allowlist prefixes (name:, username:, tag:). Explicit identity prefixes are also supported (id:, from:, e164:). Fix Commit(s) - 6817c0ec7b4fa830123d4f5c340f075a4bd04ee2 Release Process Note The advisory patchedversions is pre-set to the planned next release (2026.2.22). Once npm openclaw@2026.2.22 is published, this advisory can be published without additional content edits. 
Thanks @jiseoung for reporting.", "affected": [ "openclaw@<= 2026.2.21-2" ], "patched": [ "openclaw@>= 2026.2.22" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-23T00:52:03Z", "updated": "2026-02-23T00:52:03Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-f6h3-846h-2r8w" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f6h3-846h-2r8w", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-639" ], "credits": [ "jiseoung" ], "aliases": [ "GHSA-f6h3-846h-2r8w" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-qhrr-grqp-6x2g", "ghsa_id": "GHSA-qhrr-grqp-6x2g", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-426", "title": "tools.exec.safeBins trusted PATH directories allowed binary shadowing in allowlist mode", "description": "Summary In openclaw allowlist mode, tools.exec.safeBins trusted PATH-derived directories for safe-bin resolution. A same-name binary placed in a trusted PATH directory could satisfy safe-bin checks and execute. Impact This is an allowlist bypass in exec policy that can lead to command execution in the OpenClaw runtime context when allowlist mode relies on safe bins and an attacker can influence trusted binary locations. Affected Packages / Versions - Package: openclaw (npm) - Vulnerable versions: <= 2026.2.21-2 - Patched versions: = 2026.2.22 (planned next release) - Latest published npm version at triage time (2026-02-22): 2026.2.21-2 Root Cause - Safe-bin trust accepted PATH-derived directories instead of explicit trusted directories. - Safe-bin execution used shell command tokens that could resolve to shadowed binaries. 
Remediation - Stop trusting PATH-derived directories for safe-bin trust. - Add explicit tools.exec.safeBinTrustedDirs for opt-in extra trusted paths. - Pin safe-bin shell execution to resolved absolute executable paths. Fix Commit(s) - 64b273a71cf0b2f2419c974832cede1fc2158729 Release Process Note patchedversions is pre-set to the planned next release (2026.2.22). After npm release, this advisory is ready for publish without additional field edits. Thanks @tdjackey for reporting.", "affected": [ "openclaw@<= 2026.2.21-2" ], "patched": [ "openclaw@>= 2026.2.22" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-23T00:52:00Z", "updated": "2026-02-23T00:52:00Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-qhrr-grqp-6x2g" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qhrr-grqp-6x2g", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-426" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-qhrr-grqp-6x2g" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-cjv3-m589-v3rx", "ghsa_id": "GHSA-cjv3-m589-v3rx", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "cross_site_scripting", "nvd_category_id": "CWE-79", "title": "Canvas route hardening for mixed-trust deployments", "description": "Summary This advisory tracks a defense-in-depth hardening for canvas routes. In mixed-trust or network-visible deployments, prior canvas auth/fallback behavior could broaden access beyond intended boundaries. Deployment Context OpenClaw’s default model is trusted host + loopback-first access. Some operators intentionally expose canvas routes on LAN/tailnet. This update is aimed at those broader deployment patterns. 
What Changed - Require explicit token or session-capability authorization for canvas routes. - Remove shared-IP fallback paths for canvas access. - Tighten bind/fallback behavior to fail closed. Impact Risk was highest in non-loopback or mixed-trust environments. In strict single-operator trusted-host setups, practical exposure is lower. Affected Packages / Versions - Package: openclaw (npm) - Vulnerable: <= 2026.2.19-2 - Patched: 2026.2.21 (next release target) Fix Commit(s) - c45f3c5b004c8d63dc0e282e2176f8c9355d24f1 - 08a7967936cfc0b2af6b27ec1f9272542648ad6c Release Process Note Fix is already on main. Publish this advisory after npm release 2026.2.21 ships. Thanks @NucleiAv for reporting.", "affected": [ "openclaw@<= 2026.2.19-2" ], "patched": [ "openclaw@>=2026.2.21" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-21T18:16:09Z", "updated": "2026-02-21T18:16:09Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-cjv3-m589-v3rx" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cjv3-m589-v3rx", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-79", "CWE-1021" ], "credits": [ "NucleiAv" ], "aliases": [ "GHSA-cjv3-m589-v3rx" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-w9cg-v44m-4qv8", "ghsa_id": "GHSA-w9cg-v44m-4qv8", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-15", "title": "BASH_ENV / ENV startup-file injection into spawned shell commands", "description": "Summary BASH_ENV / ENV startup-file injection could lead to unintended pre-command shell execution when attacker-controlled environment values were admitted and then inherited by host command execution paths. 
Affected Packages / Versions - Package: openclaw (npm) - Affected: <= 2026.2.19-2 - Fixed on main: 2cdbadee1f8fcaa93302d7debbfc529e19868ea4 - Planned patched release version: 2026.2.21 Details The fix hardens environment handling across all relevant execution paths: - Blocks dangerous startup/runtime env keys and prefixes in shared host env sanitization. - Sanitizes inherited ambient environment even when no per-request overrides are provided. - Blocks dangerous config-driven env injection before values enter process environment. - Uses the same sanitizer in macOS host execution paths. - Aligns skill env override sanitization with the shared dangerous-env policy. Impact Medium. Exploitation requires local/privileged influence over configuration or environment inputs; there is no standalone remote unauthenticated trigger from this issue alone. Fix Commit(s) - 2cdbadee1f8fcaa93302d7debbfc529e19868ea4 Release Process Note patchedversions is pre-set to the planned next release (2026.2.21). Once npm openclaw@2026.2.21 is published, the advisory can be published without further field edits. 
Thanks @tdjackey for reporting.", "affected": [ "openclaw@<= 2026.2.19-2" ], "patched": [ "openclaw@>=2026.2.21" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-21T18:16:03Z", "updated": "2026-02-21T18:16:03Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-w9cg-v44m-4qv8" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w9cg-v44m-4qv8", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-15", "CWE-78" ], "credits": [ "tdjackey" ], "aliases": [ "GHSA-w9cg-v44m-4qv8" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-w7j5-j98m-w679", "ghsa_id": "GHSA-w7j5-j98m-w679", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "high", "type": "github_security_advisory", "nvd_category_id": "CWE-250", "title": "Multiple E2E/test Dockerfiles run all processes as root", "description": "Three Dockerfiles in scripts/docker/ and scripts/e2e/ lack a USER directive, meaning all processes run as uid 0 (root). If any process is compromised, the attacker has root inside the container, making container breakout significantly easier. Partial fix (2026-02-08): Commit 28e1a65e added USER sandbox to Dockerfile.sandbox and Dockerfile.sandbox-browser. The E2E/test Dockerfiles listed below remain unpatched. Affected components: - scripts/e2e/Dockerfile - scripts/e2e/Dockerfile.qr-import - scripts/docker/install-sh-e2e/Dockerfile - scripts/docker/install-sh-nonroot/Dockerfile (runs as app but with NOPASSWD sudo — see related advisory) Technical Reproduction: 1. Open each Dockerfile listed above and search for a USER directive — none found. 2. 
Run any of these containers: docker run --rm -it = 2026.2.21" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-21T10:42:51Z", "updated": "2026-02-21T10:42:51Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-w7j5-j98m-w679" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w7j5-j98m-w679", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-250" ], "credits": [ "TerminalsandCoffee" ], "aliases": [ "GHSA-w7j5-j98m-w679" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-82g8-464f-2mv7", "ghsa_id": "GHSA-82g8-464f-2mv7", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-15", "title": "Skill env override host env injection", "description": "Summary applySkillConfigEnvOverrides previously copied skills.entries..env values into the host process.env without applying the host env safety policy. Impact In affected versions, dangerous process-level variables such as NODE_OPTIONS could be injected when unset, which can influence runtime/child-process behavior. 
Required attacker capability An attacker must be able to modify OpenClaw local state/config (for example ~/.openclaw/openclaw.json) to set skills.entries.= 2026.2.21" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-21T10:42:37Z", "updated": "2026-03-02T06:53:28Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-82g8-464f-2mv7" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-82g8-464f-2mv7", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-15", "CWE-94", "CWE-1341" ], "credits": [ "nedlir" ], "aliases": [ "GHSA-82g8-464f-2mv7" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-jjgj-cpp9-cvpv", "ghsa_id": "GHSA-jjgj-cpp9-cvpv", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "Local File Exfiltration via MCP Tool Result MEDIA: Directive Injection", "description": "Summary A malicious or compromised MCP (Model Context Protocol) tool server can exfiltrate arbitrary local files from the host system by injecting MEDIA: directives into tool result text content. OpenClaw's tool result processing pipeline extracts file paths from MEDIA: tokens without source-level validation, passes them through a localRoots allowlist check that includes os.tmpdir() by default (covering /tmp on Linux/macOS and %TEMP% on Windows), and then reads and delivers the file contents to external messaging channels such as Discord, Slack, Telegram, and WhatsApp. Affected Component OpenClaw (all versions up to and including latest as of 2026-02-19) Vulnerability Details Root Cause The vulnerability exists across multiple files in the media processing pipeline: 1. 
Unvalidated extraction (src/agents/pi-embedded-subscribe.tools.ts, lines 143-202): extractToolResultMediaPaths() parses MEDIA: tokens from MCP tool result text content blocks using a regex. It accepts any file path (absolute, relative, Windows drive, UNC, file:// URI) without validating the source is trusted or the path is within expected boundaries. 2. Overly broad default allowlist (src/media/local-roots.ts, lines 7-16): buildMediaLocalRoots() includes os.tmpdir() in the default allowed directory list. On Linux/macOS this is /tmp (world-readable, often containing application secrets, database dumps, SSH keys, session tokens), and on Windows it is %TEMP% (user's temp directory containing application caches, credentials, and temporary secrets). 3. Delivery to external channels (src/agents/pi-embedded-subscribe.handlers.tools.ts, lines 380-392): After extraction, media paths are delivered via ctx.params.onToolResult({ mediaUrls: mediaPaths }), which flows through the outbound delivery pipeline to send file contents as attachments to Discord, Slack, Telegram, and other configured messaging channels. Attack Flow Secondary Attack Vector: details.path Fallback When an MCP tool result contains type: \"image\" content blocks, extractToolResultMediaPaths() falls back to reading result.details.path (lines 192-199). A malicious tool can return: This bypasses the MEDIA: token parsing entirely and directly injects arbitrary file paths. Third Attack Vector: file:// URI Scheme The loadWebMediaInternal() function (line 228-233) converts file:// URIs to local paths via fileURLToPath(): This provides an alternative syntax for targeting files. 
Impact - File exfiltration: Any file within os.tmpdir() (or the OpenClaw state directory) can be read and sent to external messaging channels - Secret theft: Temporary files often contain API keys, database credentials, SSH keys, session tokens, and application secrets - Cross-application data theft: Other applications' temp files (browser caches, build artifacts, CI/CD secrets) are accessible - Silent exfiltration: The file content is sent as a media attachment to messaging channels the attacker can monitor, with no user-visible indication - Automated exploitation: If auto-reply is enabled, the malicious tool can be triggered without user interaction Reproduction Steps Prerequisites - Node.js 18+ installed - No OpenClaw installation required (PoC is self-contained) Steps 1. Save the PoC script below as poc-media-exfil.js 2. Run: node poc-media-exfil.js 3. Observe: All 21 assertions pass, confirming the vulnerability PoC Script Expected Output Affected Code Locations | File | Lines | Function | Role | |------|-------|----------|------| | src/media/parse.ts | 7 | MEDIATOKENRE | Regex that matches MEDIA: directives in text | | src/agents/pi-embedded-subscribe.tools.ts | 143-202 | extractToolResultMediaPaths() | Extracts file paths from MCP tool results without source validation | | src/agents/pi-embedded-subscribe.handlers.tools.ts | 380-392 | handleToolExecutionEnd() | Delivers extracted media paths to messaging channels | | src/media/local-roots.ts | 7-16 | buildMediaLocalRoots() | Includes os.tmpdir() in default allowed roots | | src/web/media.ts | 60-117 | assertLocalMediaAllowed() | Validates paths against overly broad localRoots | | src/web/media.ts | 212-381 | loadWebMediaInternal() | Reads validated files into memory for delivery | Suggested Remediation 1. Validate MEDIA: source trust: Only accept MEDIA: directives from OpenClaw's own internal tools (TTS, image generation). Reject or flag MEDIA: directives from external MCP tool results. 2. 
Remove os.tmpdir() from default localRoots: The temp directory is too broad. Replace with a narrow OpenClaw-specific subdirectory (e.g., path.join(os.tmpdir(), \"openclaw-media\")). 3. Add source tagging to tool results: Tag each tool result with its source (internal vs. MCP external) and enforce different media access policies for each. 4. Require explicit opt-in for file media delivery: When a tool result contains MEDIA: directives referencing local files, require user confirmation before reading and sending the file. Differentiation from Existing Advisories This vulnerability is distinct from all existing OpenClaw security advisories. Below is an explicit comparison against every advisory or commit that could appear superficially related: Not a duplicate of path traversal advisories (apply-patch, workspace escape, etc.) The existing path traversal advisories (e.g., those targeting apply-patch tool workspace containment via assertSandboxPath(), or resolveFileWithinRoot() in the canvas host file resolver) are about preventing filesystem access outside a sandbox boundary. This vulnerability is fundamentally different: - Different attack surface: The attack enters through MCP tool result text content (extractToolResultMediaPaths() in pi-embedded-subscribe.tools.ts), not through tool arguments, HTTP paths, or patch file contents. - Different code path: The vulnerable pipeline is extractToolResultMediaPaths() → handleToolExecutionEnd() → onToolResult() → loadWebMedia() → assertLocalMediaAllowed(). None of these functions are involved in the existing path traversal fixes. - The validation passes by design: This is not a bypass of assertLocalMediaAllowed(). The function works correctly. The problem is that os.tmpdir() is included in the default localRoots allowlist (src/media/local-roots.ts:10), making the entire system temp directory readable by any MCP tool that returns a MEDIA: directive. 
Not a duplicate of SSRF advisories The existing SSRF advisories cover fetchWithSsrFGuard() and resolvePinnedHostnameWithPolicy() in src/infra/net/. This vulnerability does not involve any HTTP fetching or DNS resolution. Instead, it reads local files from disk and delivers them outbound to messaging channels. The MEDIA: path is a local filesystem path, not a URL. Not a duplicate of canvas host file disclosure The canvas host file disclosure advisory covers the HTTP serving side (resolveFileWithinRoot() in src/canvas-host/file-resolver.ts), where path traversal in the URL could escape the canvas root directory. This vulnerability is about outbound file exfiltration through the agent messaging pipeline, not about the canvas host HTTP server. Not a duplicate of inbound attachment root policy (1316e57) Commit 1316e57 (\"enforce inbound attachment root policy across pipelines\") added src/media/inbound-path-policy.ts to restrict inbound media paths from messaging channels (e.g., iMessage attachment roots). This vulnerability is about outbound media delivery, where files are read from disk and sent to external channels via MEDIA: directives in MCP tool results. Different direction, different code, different policy layer. Not a duplicate of any webhook/messaging auth bypass The webhook auth bypass and messaging platform allowlist bypass advisories cover authentication between OpenClaw and external services. This vulnerability assumes the MCP tool is already configured and trusted. The issue is that tool results can inject MEDIA: directives that cause unintended local file reads and exfiltration. Verification: zero prior fixes for this code path A git log search for commits touching localRoots, local-roots, tmpdir, or extractToolResultMediaPaths returns zero results, confirming this vulnerability has never been reported or addressed. 
References - OpenClaw MCP tool integration documentation - OWASP Path Traversal - CWE-22: Improper Limitation of a Pathname to a Restricted Directory - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor Credit Anmol Vats (@NucleiAv)", "affected": [ "openclaw@<= 2026.2.19-2" ], "patched": [ "openclaw@>= 2026.2.21" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-21T10:42:36Z", "updated": "2026-02-21T10:42:36Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-jjgj-cpp9-cvpv" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jjgj-cpp9-cvpv", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-22", "CWE-200" ], "credits": [ "NucleiAv" ], "aliases": [ "GHSA-jjgj-cpp9-cvpv" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-3x3x-h76w-hp98", "ghsa_id": "GHSA-3x3x-h76w-hp98", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-184", "title": "OpenClaw exec allowlist safeBins short-option bypass could permit arbitrary file write", "description": "Summary OpenClaw exec allowlist/safeBins policy could be bypassed with attached short-option payloads (for example sort -o/tmp/poc), enabling file-write operations while still satisfying safeBins checks. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.17 - Latest published vulnerable version: 2026.2.17 - Patched in: 2026.2.19 Impact When tools.exec.security=allowlist and tools.exec.safeBins included affected binaries, attached short-option payloads could bypass safeBins argument validation and permit file-write behavior that should have been denied. 
Fix Commit(s) - cfe8457a0f4aae5324daec261d3b0aad1461a4bc - bafdbb6f112409a65decd3d4e7350fbd637c7754 - fec48a5006eab37c6a5821726ccaeec886486b13 Thanks @FailButWin and @Redgrave961 for reporting.", "affected": [ "openclaw@<=2026.2.17" ], "patched": [ "openclaw@>= 2026.2.19" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-21T10:34:16Z", "updated": "2026-02-21T10:39:23Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-3x3x-h76w-hp98" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3x3x-h76w-hp98", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-184" ], "credits": [ "FailButWin", "Redgrave961" ], "aliases": [ "GHSA-3x3x-h76w-hp98" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-2hm8-rqrm-xfjq", "ghsa_id": "GHSA-2hm8-rqrm-xfjq", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "low", "type": "github_security_advisory", "nvd_category_id": "CWE-269", "title": "Owner-only gateway tool access checks were incomplete in specific authenticated DM flows", "description": "Summary In authenticated non-owner DM sessions, a narrow tool-invocation path could reach broader-than-intended owner-only gateway actions. Impact This requires an authenticated non-owner sender in a DM session and a specific tool invocation path. No unauthenticated access is involved, and this does not provide direct code execution by itself. Root Cause - Some gateway call paths were still using broader default scopes instead of method-level least-privilege scopes. - Owner-only enforcement depended on tool-name checks and was not consistently metadata-driven across all call paths. 
Affected Packages / Versions - Package: openclaw (npm) - Affected: <= 2026.2.17 (latest published npm version as of February 19, 2026) - Patched: 2026.2.19 Remediation - Refactored gateway method scope mapping to a data-driven table and added guard tests to ensure all exposed core gateway methods stay classified. - Centralized owner-only enforcement in tool policy wrappers and tool metadata. - Marked owner-only tools explicitly (cron, gateway, whatsapplogin) and removed duplicated per-tool owner checks. - Refactored gateway call path internals into smaller helpers while preserving behavior and coverage. Fix Commit(s) - a40c10d3e24568b1e2947c104484be74bf66b8d2 - 2777d8ad91ef1e8a7c6f5b4b18f8507be7d02914 - 3d7ad1cfca4daaa84cd553e843e0e08fa6201349 Thanks @Adam55A-code for reporting.", "affected": [ "openclaw@<= 2026.2.17" ], "patched": [ "openclaw@>= 2026.2.19" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-21T10:34:15Z", "updated": "2026-02-21T10:40:02Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-2hm8-rqrm-xfjq" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2hm8-rqrm-xfjq", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-269", "CWE-863" ], "credits": [ "Adam55A-code" ], "aliases": [ "GHSA-2hm8-rqrm-xfjq" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-ff98-w8hj-qrxf", "ghsa_id": "GHSA-ff98-w8hj-qrxf", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "low", "type": "os_command_injection", "nvd_category_id": "CWE-78", "title": "Plugin runtime command execution is part of trusted plugin boundary", "description": "Summary OpenClaw plugins/extensions run in-process and are treated as trusted code. 
This advisory tracks trust-boundary clarification around plugin runtime command execution (runtime.system.runCommandWithTimeout). Impact Plugins already execute with the same OS privileges as the OpenClaw process. Exposing runtime command helpers does not cross an additional sandbox boundary. Affected Packages / Versions - Package: openclaw (npm) - Latest published version reviewed: 2026.2.17 - Affected range for this advisory record: <= 2026.2.17 - Planned patched version metadata: 2026.2.19 (next release line) Fix Commit(s) - 2e421f32dfc589c02706265fd3c3137ffc06c4b1 Remediation - Install only trusted plugins. - Use plugins.allow to pin explicit trusted plugin IDs. - SECURITY.md now explicitly documents that plugin runtime helpers are convenience APIs, not a sandbox boundary. Thanks @markmusson for reporting.", "affected": [ "openclaw@<= 2026.2.17" ], "patched": [ "openclaw@>= 2026.2.19" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-21T10:34:13Z", "updated": "2026-02-21T10:39:21Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-ff98-w8hj-qrxf" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-ff98-w8hj-qrxf", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-78" ], "credits": [ "markmusson" ], "aliases": [ "GHSA-ff98-w8hj-qrxf" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-vj3g-5px3-gr46", "ghsa_id": "GHSA-vj3g-5px3-gr46", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "Path traversal in Feishu media temp-file naming allows writes outside os.tmpdir()", "description": "Summary OpenClaw’s Feishu media download flow used untrusted Feishu media keys (imageKey / fileKey) 
when building temporary file paths in extensions/feishu/src/media.ts. Because those keys were interpolated directly into temp-file paths, traversal segments could escape the temp directory and redirect writes outside os.tmpdir(). Impact This is an arbitrary file write issue (within the OpenClaw process file permissions). If an attacker can control Feishu media key values returned to the client (for example via compromised upstream response path), they can influence where downloaded bytes are written. Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version at triage: 2026.2.17 - Affected versions: <= 2026.2.17 - Fixed version: 2026.2.19 Fix Commit(s) - c821099157a9767d4df208c6b12f214946507871 - cdb00fe2428000e7a08f9b7848784a0049176705 - ec232a9e2dff60f0e3d7e827a7c868db5254473f Remediation The fix removes key-derived temp-file naming and keeps downloads in safe temp locations. Additional hardening isolates SDK writeFile calls in per-download temp directories (mkdtemp) with deterministic cleanup, enforces Feishu key trust-boundary validation, and adds a repository guard test against dynamic path.join(os.tmpdir(), `...${...}`) patterns in runtime code. 
Thanks @allsmog for reporting.", "affected": [ "openclaw@<= 2026.2.17" ], "patched": [ "openclaw@>= 2026.2.19" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-21T10:34:11Z", "updated": "2026-02-21T10:39:20Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-vj3g-5px3-gr46" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vj3g-5px3-gr46", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-22" ], "credits": [ "allsmog" ], "aliases": [ "GHSA-vj3g-5px3-gr46" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-2mc2-g238-722j", "ghsa_id": "GHSA-2mc2-g238-722j", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "os_command_injection", "nvd_category_id": "CWE-78", "title": "iMessage remote attachment SCP hardening (strict host-key checks and remoteHost validation)", "description": "Summary Remote iMessage attachment fetches used SCP with trust-on-first-use host-key behavior and accepted unvalidated remote host tokens. Before the fix: - SCP used StrictHostKeyChecking=accept-new in the remote attachment path. - channels.imessage.remoteHost was not validated as a strict SSH host token. Impact In remote iMessage deployments that use SCP attachment fetching, a first-connection MITM/DNS-poisoning scenario could cause the wrong host key to be trusted. Unsafe remote host token values could also alter SCP argument semantics. 
Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version currently affected: 2026.2.17 - Vulnerable range (structured field): <= 2026.2.17 - Patched version (pre-set for next release): >= 2026.2.19 Fix The fix hardens remote attachment SSH/SCP handling by: - requiring StrictHostKeyChecking=yes for SCP and SSH tunnel paths, - adding strict remoteHost normalization/validation, - adding -- argument barrier for SCP remote source parsing, - validating channels.imessage.remoteHost in config schema, - rejecting unsafe auto-detected host tokens at runtime. Fix Commit(s) - Pushed to main: 49d0def6d1e88f002026b1d2a35aa615d48a751a Thanks @allsmog for reporting.", "affected": [ "openclaw@<= 2026.2.17" ], "patched": [ "openclaw@>= 2026.2.19" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-21T10:34:10Z", "updated": "2026-02-21T10:39:20Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-2mc2-g238-722j" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2mc2-g238-722j", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-78", "CWE-295" ], "credits": [ "allsmog" ], "aliases": [ "GHSA-2mc2-g238-722j" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-8cp7-rp8r-mg77", "ghsa_id": "GHSA-8cp7-rp8r-mg77", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "server_side_request_forgery", "nvd_category_id": "CWE-918", "title": "SSRF guard bypass via IPv6 transition over ISATAP", "description": "Summary OpenClaw's SSRF hostname/IP guard did not detect ISATAP embedded IPv4 addresses (...:5efe:w.x.y.z). 
A crafted URL containing an ISATAP IPv6 literal could embed a private IPv4 target (for example loopback) and bypass private-address filtering in URL-fetching paths. Severity Assessment Rated medium: the bug weakens SSRF protections in URL fetch flows, but impact depends on reaching a URL-fetching path with attacker-controlled input and is generally constrained to internal network access attempts. Affected Packages / Versions - Package: openclaw (npm) - Affected: >=2026.1.20 <=2026.2.17 - Latest published at patch time: 2026.2.17 - Patched release: 2026.2.19 Security Policy Context Per SECURITY.md, OpenClaw's web/gateway surface is intended for local use by default, public internet exposure is out-of-scope, and prompt-injection reports are out-of-scope for bounty handling. This advisory tracks a core SSRF-guard bypass in fetch protections. Impact This can permit SSRF-style access attempts to internal/private network targets through URL ingestion/fetch paths that rely on shared hostname/IP blocking. Fix - Added RFC 5214 ISATAP embedded-IPv4 detection to the shared SSRF classifier. - Centralized hostname/IP blocking through isBlockedHostnameOrIp and routed relevant validators to that shared path. - Added regression tests for ISATAP private vs public embedded IPv4 handling. 
Fix Commit(s) - d51929ecb52fe65e90bf36795f4247feb29eb8aa Thanks @zpbrent for reporting.", "affected": [ "openclaw@>=2026.1.20 <=2026.2.17" ], "patched": [ "openclaw@>= 2026.2.19" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-21T10:34:08Z", "updated": "2026-02-21T10:39:19Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-8cp7-rp8r-mg77" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8cp7-rp8r-mg77", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-918" ], "credits": [ "zpbrent" ], "aliases": [ "GHSA-8cp7-rp8r-mg77" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-pfv7-rr5m-qmv6", "ghsa_id": "GHSA-pfv7-rr5m-qmv6", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": null, "title": "Auth inconsistency on local Browser Extension Relay /extension endpoint", "description": "Summary When the optional Chrome extension relay is enabled, /extension accepted unauthenticated WebSocket upgrades while /json/ and /cdp required auth. Affected Packages / Versions - Package: openclaw (npm) - Affected: <= 2026.2.17 - Latest published npm version at triage time: 2026.2.17 Impact This is a local-only issue on loopback (127.0.0.1) and only applies when the extension relay feature is in use. A local process on the same machine could connect to /extension without the token and interfere with extension-relay behavior. No remote network exploit path is involved. Fix - Require gateway-token auth on both /extension and /cdp relay WebSocket endpoints. - Keep loopback/origin checks as defense-in-depth, not as authentication. - Use one token path in setup: gateway.auth.token / OPENCLAWGATEWAYTOKEN. 
Fix Commit(s) - 7e54b6c96feb1a5c30884f2b32037b8dadd0e532 Thanks @tdjackey for reporting.", "affected": [ "openclaw@<= 2026.2.17" ], "patched": [ "openclaw@>= 2026.2.19" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-21T10:34:07Z", "updated": "2026-02-21T10:39:18Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-pfv7-rr5m-qmv6" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-pfv7-rr5m-qmv6", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [], "credits": [ "tdjackey" ], "aliases": [ "GHSA-pfv7-rr5m-qmv6" ], "source_feed": "ghsa-without-cve" }, { "id": "CVE-2026-27576", "severity": "medium", "type": "uncontrolled_resource_consumption", "nvd_category_id": "CWE-400", "title": "OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the ACP bridge accepts very la...", "description": "OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the ACP bridge accepts very large prompt text blocks and can assemble oversized prompt payloads before forwarding them to chat.send. Because ACP runs over local stdio, this mainly affects local ACP clients (for example IDE integrations) that send unusually large inputs. This issue has been fixed in version 2026.2.19.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-02-21T10:16:13.437", "references": [ "https://github.com/openclaw/openclaw/commit/63e39d7f57ac4ad4a5e38d17e7394ae7c4dd0b9c", "https://github.com/openclaw/openclaw/commit/8ae2d5110f6ceadef73822aa3db194fb60d2ba68", "https://github.com/openclaw/openclaw/commit/ebcf19746f5c500a41817e03abecadea8655654a" ], "cvss_score": 4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27576", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (4.0); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-27488", "severity": "high", "type": "server_side_request_forgery", "nvd_category_id": "CWE-918", "title": "OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, Cron webhook delivery in src/g...", "description": "OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, Cron webhook delivery in src/gateway/server-cron.ts uses fetch() directly, so webhook targets can reach private/metadata/internal endpoints without SSRF policy checks. This issue was fixed in version 2026.2.19.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-02-21T10:16:13.267", "references": [ "https://github.com/openclaw/openclaw/commit/99db4d13e5c139883ef0def9ff963e9273179655", "https://github.com/openclaw/openclaw/releases/tag/v2026.2.19", "https://github.com/openclaw/openclaw/security/advisories/GHSA-w45g-5746-x9fp" ], "cvss_score": 7.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27488", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.3); remotely exploitable without authentication; SSRF affects agents making external requests", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-27487", "severity": "high", "type": "os_command_injection", "nvd_category_id": "CWE-78", "title": "OpenClaw is a personal AI assistant. In versions 2026.2.13 and below, when using macOS, the Claude C...", "description": "OpenClaw is a personal AI assistant. In versions 2026.2.13 and below, when using macOS, the Claude CLI keychain credential refresh path constructed a shell command to write the updated JSON blob into Keychain via security add-generic-password -w .... Because OAuth tokens are user-controlled data, this created an OS command injection risk. This issue has been fixed in version 2026.2.14.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-02-21T10:16:13.100", "references": [ "https://github.com/openclaw/openclaw/commit/66d7178f2d6f9d60abad35797f97f3e61389b70c", "https://github.com/openclaw/openclaw/commit/9dce3d8bf83f13c067bc3c32291643d2f1f10a06", "https://github.com/openclaw/openclaw/commit/b908388245764fb3586859f44d1dff5372b19caf" ], "cvss_score": 7.6, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27487", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.6); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-27486", "severity": "medium", "type": "unknown_cwe_283", "nvd_category_id": "CWE-283", "title": "OpenClaw is a personal AI assistant. In versions 2026.2.13 and below of the OpenClaw CLI, the proces...", "description": "OpenClaw is a personal AI assistant. In versions 2026.2.13 and below of the OpenClaw CLI, the process cleanup uses system-wide process enumeration and pattern matching to terminate processes without verifying if they are owned by the current OpenClaw process. On shared hosts, unrelated processes can be terminated if they match the pattern. The CLI runner cleanup helpers can kill processes matched by command-line patterns without validating process ownership. This issue has been fixed in version 2026.2.14.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-02-21T10:16:12.903", "references": [ "https://github.com/openclaw/openclaw/commit/6084d13b956119e3cf95daaf9a1cae1670ea3557", "https://github.com/openclaw/openclaw/commit/eb60e2e1b213740c3c587a7ba4dbf10da620ca66", "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14" ], "cvss_score": 5.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27486", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-27485", "severity": "medium", "type": "unknown_cwe_61", "nvd_category_id": "CWE-61", "title": "OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, skills/skill-creator/scripts/p...", "description": "OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, skills/skill-creator/scripts/package_skill.py (a local helper script used when authors package skills) previously followed symlinks while building .skill archives. If an author runs this script on a crafted local skill directory containing symlinks to files outside the skill root, the resulting archive can include unintended file contents. If exploited, this vulnerability can lead to potential unintentional disclosure of local files from the packaging machine into a generated .skill artifact, but requires local execution of the packaging script on attacker-controlled skill contents. This issue has been fixed in version 2026.2.18.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-02-21T10:16:12.723", "references": [ "https://github.com/openclaw/openclaw/commit/c275932aa4230fb7a8212fe1b9d2a18424874b3f", "https://github.com/openclaw/openclaw/commit/ee1d6427b544ccadd73e02b1630ea5c29ba9a9f0", "https://github.com/openclaw/openclaw/pull/20796" ], "cvss_score": 4.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27485", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (4.4); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-27484", "severity": "medium", "type": "missing_authorization", "nvd_category_id": "CWE-862", "title": "OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the Discord moderation action ...", "description": "OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the Discord moderation action handling (timeout, kick, ban) uses sender identity from request parameters in tool-driven flows, instead of trusted runtime sender context. In setups where Discord moderation actions are enabled and the bot has the necessary guild permissions, a non-admin user can request moderation actions by spoofing sender identity fields. This issue has been fixed in version 2026.2.18.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-02-21T10:16:12.557", "references": [ "https://github.com/openclaw/openclaw/commit/775816035ecc6bb243843f8000c9a58ff609e32d", "https://github.com/openclaw/openclaw/releases/tag/v2026.2.19", "https://github.com/openclaw/openclaw/security/advisories/GHSA-wh94-p5m6-mr7j" ], "cvss_score": 4.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27484", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (4.3); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-27009", "severity": "medium", "type": "cross_site_scripting", "nvd_category_id": "CWE-79", "title": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a stored XSS issue in the OpenClaw ...", "description": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a stored XSS issue in the OpenClaw Control UI when rendering assistant identity (name/avatar) into an inline `<script>` could break out of the script tag and execute attacker-controlled JavaScript in the Control UI origin. Version 2026.2.15 removed inline script injection and serves bootstrap config from a JSON endpoint and added a restrictive Content Security Policy for the Control UI (`script-src 'self'`, no inline scripts).", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-02-20T00:16:17.620", "references": [ "https://github.com/openclaw/openclaw/commit/3b4096e02e7e335f99f5986ec1bd566e90b14a7e", "https://github.com/openclaw/openclaw/commit/adc818db4a4b3b8d663e7674ef20436947514e1b", "https://github.com/openclaw/openclaw/releases/tag/v2026.2.15" ], "cvss_score": 5.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27009", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.8); requires local access; XSS has limited impact in headless agents", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-27008", "severity": "medium", "type": "unknown_cwe_73", "nvd_category_id": "CWE-73", "title": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a bug in `download` skill installat...", "description": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a bug in `download` skill installation allowed `targetDir` values from skill frontmatter to resolve outside the per-skill tools directory if not strictly validated. In the admin-only `skills.install` flow, this could write files outside the intended install sandbox. Version 2026.2.15 contains a fix for the issue.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-02-20T00:16:17.460", "references": [ "https://github.com/openclaw/openclaw/commit/2363e1b0853a028e47f90dcc1066e3e9809d65f1", "https://github.com/openclaw/openclaw/commit/b6305e97256d67e439719faacf5af3de9727d6e1", "https://github.com/openclaw/openclaw/releases/tag/v2026.2.15" ], "cvss_score": 6.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27008", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.7); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-27007", "severity": "low", "type": "unknown_cwe_1254", "nvd_category_id": "CWE-1254", "title": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, `normalizeForHash` in `src/agents/s...", "description": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, `normalizeForHash` in `src/agents/sandbox/config-hash.ts` recursively sorted arrays that contained only primitive values. This made order-sensitive sandbox configuration arrays hash to the same value even when order changed. In OpenClaw sandbox flows, this hash is used to decide whether existing sandbox containers should be recreated. As a result, order-only config changes (for example Docker `dns` and `binds` array order) could be treated as unchanged and stale containers could be reused. This is a configuration integrity issue affecting sandbox recreation behavior. Starting in version 2026.2.15, array ordering is preserved during hash normalization; only object key ordering remains normalized for deterministic hashing.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-02-20T00:16:17.303", "references": [ "https://github.com/openclaw/openclaw/commit/41ded303b4f6dae5afa854531ff837c3276ad60b", "https://github.com/openclaw/openclaw/releases/tag/v2026.2.15", "https://github.com/openclaw/openclaw/security/advisories/GHSA-xxvh-5hwj-42pp" ], "cvss_score": 3.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27007", "exploitability_score": "low", "exploitability_rationale": "Low CVSS score (3.3); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-27004", "severity": "medium", "type": "unknown_cwe_209", "nvd_category_id": "CWE-209", "title": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, in some shared-agent deployments, O...", "description": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, in some shared-agent deployments, OpenClaw session tools (`sessions_list`, `sessions_history`, `sessions_send`) allowed broader session targeting than some operators intended. This is primarily a configuration/visibility-scoping issue in multi-user environments where peers are not equally trusted. In Telegram webhook mode, monitor startup also did not fall back to per-account `webhookSecret` when only the account-level secret was configured. In shared-agent, multi-user, less-trusted environments: session-tool access could expose transcript content across peer sessions. In single-agent or trusted environments, practical impact is limited. In Telegram webhook mode, account-level secret wiring could be missed unless an explicit monitor webhook secret override was provided. 
Version 2026.2.15 fixes the issue.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. See NVD for remediation details.", "published": "2026-02-20T00:16:17.140", "references": [ "https://github.com/openclaw/openclaw/commit/c6c53437f7da033b94a01d492e904974e7bda74c", "https://github.com/openclaw/openclaw/security/advisories/GHSA-6hf3-mhgc-cm65" ], "cvss_score": 5.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27004", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.5); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-27003", "severity": "medium", "type": "unknown_cwe_522", "nvd_category_id": "CWE-522", "title": "OpenClaw is a personal AI assistant. Telegram bot tokens can appear in error messages and stack trac...", "description": "OpenClaw is a personal AI assistant. Telegram bot tokens can appear in error messages and stack traces (for example, when request URLs include `https://api.telegram.org/bot/...`). Prior to version 2026.2.15, OpenClaw logged these strings without redaction, which could leak the bot token into logs, crash reports, CI output, or support bundles. Disclosure of a Telegram bot token allows an attacker to impersonate the bot and take over Bot API access. Users should upgrade to version 2026.2.15 to obtain a fix and rotate the Telegram bot token if it may have been exposed.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-02-20T00:16:16.983", "references": [ "https://github.com/openclaw/openclaw/commit/cf69907015b659e5025efb735ee31bd05c4ee3d5", "https://github.com/openclaw/openclaw/security/advisories/GHSA-chf7-jq6g-qrwv" ], "cvss_score": 5.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27003", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.5); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-27002", "severity": "critical", "type": "execution_with_unnecessary_privileges", "nvd_category_id": "CWE-250", "title": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a configuration injection issue in ...", "description": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a configuration injection issue in the Docker tool sandbox could allow dangerous Docker options (bind mounts, host networking, unconfined profiles) to be applied, enabling container escape or host data access. OpenClaw 2026.2.15 blocks dangerous sandbox Docker settings and includes runtime enforcement when building `docker create` args; config-schema validation for `network=host`, `seccompProfile=unconfined`, `apparmorProfile=unconfined`; and security audit findings to surface dangerous sandbox docker config. As a workaround, do not configure `agents.*.sandbox.docker.binds` to mount system directories or Docker socket paths, keep `agents.*.sandbox.docker.network` at `none` (default) or `bridge`, and do not use `unconfined` for seccomp/AppArmor profiles.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-02-20T00:16:16.827", "references": [ "https://github.com/openclaw/openclaw/commit/887b209db47f1f9322fead241a1c0b043fd38339", "https://github.com/openclaw/openclaw/releases/tag/v2026.2.15", "https://github.com/openclaw/openclaw/security/advisories/GHSA-w235-x559-36mg" ], "cvss_score": 9.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27002", "exploitability_score": "high", "exploitability_rationale": "Critical CVSS score (9.8); remotely exploitable without authentication; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-27001", "severity": "high", "type": "command_injection", "nvd_category_id": "CWE-77", "title": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, OpenClaw embedded the current worki...", "description": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, OpenClaw embedded the current working directory (workspace path) into the agent system prompt without sanitization. If an attacker can cause OpenClaw to run inside a directory whose name contains control/format characters (for example newlines or Unicode bidi/zero-width markers), those characters could break the prompt structure and inject attacker-controlled instructions. Starting in version 2026.2.15, the workspace path is sanitized before it is embedded into any LLM prompt output, stripping Unicode control/format characters and explicit line/paragraph separators. Workspace path resolution also applies the same sanitization as defense-in-depth.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-02-20T00:16:16.653", "references": [ "https://github.com/openclaw/openclaw/commit/6254e96acf16e70ceccc8f9b2abecee44d606f79", "https://github.com/openclaw/openclaw/releases/tag/v2026.2.15", "https://github.com/openclaw/openclaw/security/advisories/GHSA-2qj5-gwg2-xwc4" ], "cvss_score": 7.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27001", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.8); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-26972", "severity": "medium", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "OpenClaw is a personal AI assistant. In versions 2026.1.12 through 2026.2.12, OpenClaw browser downl...", "description": "OpenClaw is a personal AI assistant. In versions 2026.1.12 through 2026.2.12, OpenClaw browser download helpers accepted an unsanitized output path. When invoked via the browser control gateway routes, this allowed path traversal to write downloads outside the intended OpenClaw temp downloads directory. This issue is not exposed via the AI agent tool schema (no `download` action). Exploitation requires authenticated CLI access or an authenticated gateway RPC token. Version 2026.2.13 fixes the issue.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-02-20T00:16:16.500", "references": [ "https://github.com/openclaw/openclaw/commit/7f0489e4731c8d965d78d6eac4a60312e46a9426", "https://github.com/openclaw/openclaw/releases/tag/v2026.2.13", "https://github.com/openclaw/openclaw/security/advisories/GHSA-xwjm-j929-xq7c" ], "cvss_score": 6.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26972", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.7); requires local access; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-26329", "severity": "medium", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, authenticated attackers can read ar...", "description": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, authenticated attackers can read arbitrary files from the Gateway host by supplying absolute paths or path traversal sequences to the browser tool's `upload` action. The server passed these paths to Playwright's `setInputFiles()` APIs without restricting them to a safe root. An attacker must reach the Gateway HTTP surface (or otherwise invoke the same browser control hook endpoints); present valid Gateway auth (bearer token / password), as required by the Gateway configuration (In common default setups, the Gateway binds to loopback and the onboarding wizard generates a gateway token even for loopback); and have the `browser` tool permitted by tool policy for the target session/context (and have browser support enabled). If an operator exposes the Gateway beyond loopback (LAN/tailnet/custom bind, reverse proxy, tunnels, etc.), the impact increases accordingly. 
Starting in version 2026.2.14, the upload paths are now confined to OpenClaw's temp uploads root (`DEFAULT_UPLOAD_DIR`) and traversal/escape paths are rejected.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. See NVD for remediation details.", "published": "2026-02-20T00:16:15.687", "references": [ "https://github.com/openclaw/openclaw/commit/3aa94afcfd12104c683c9cad81faf434d0dadf87", "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14", "https://github.com/openclaw/openclaw/security/advisories/GHSA-cv7m-c9jx-vg7q" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26329", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); network accessible; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-26328", "severity": "medium", "type": "improper_access_control", "nvd_category_id": "CWE-284", "title": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, under iMessage `groupPolicy=allowli...", "description": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, under iMessage `groupPolicy=allowlist`, group authorization could be satisfied by sender identities coming from the DM pairing store, broadening DM trust into group contexts. Version 2026.2.14 fixes the issue.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-02-20T00:16:15.523", "references": [ "https://github.com/openclaw/openclaw/commit/872079d42fe105ece2900a1dd6ab321b92da2d59", "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14", "https://github.com/openclaw/openclaw/security/advisories/GHSA-g34w-4xqq-h79m" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26328", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.5); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-26327", "severity": "medium", "type": "unknown_cwe_345", "nvd_category_id": "CWE-345", "title": "OpenClaw is a personal AI assistant. Discovery beacons (Bonjour/mDNS and DNS-SD) include TXT records...", "description": "OpenClaw is a personal AI assistant. Discovery beacons (Bonjour/mDNS and DNS-SD) include TXT records such as `lanHost`, `tailnetDns`, `gatewayPort`, and `gatewayTlsSha256`. TXT records are unauthenticated. Prior to version 2026.2.14, some clients treated TXT values as authoritative routing/pinning inputs. iOS and macOS used TXT-provided host hints (`lanHost`/`tailnetDns`) and ports (`gatewayPort`) to build the connection URL. iOS and Android allowed the discovery-provided TLS fingerprint (`gatewayTlsSha256`) to override a previously stored TLS pin. On a shared/untrusted LAN, an attacker could advertise a rogue `_openclaw-gw._tcp` service. This could cause a client to connect to an attacker-controlled endpoint and/or accept an attacker certificate, potentially exfiltrating Gateway credentials (`auth.token` / `auth.password`) during connection. As of time of publication, the iOS and Android apps are alpha/not broadly shipped (no public App Store / Play Store release). 
Practical impact is primarily limited to developers/testers running those builds, plus any other shipped clients relying on discovery on a shared/untrusted LAN. Version 2026.2.14 fixes the issue. Clients now prefer the resolved service endpoint (SRV + A/AAAA) over TXT-provided routing hints. Discovery-provided fingerprints no longer override stored TLS pins. In iOS/Android, first-time TLS pins require explicit user confirmation (fingerprint shown; no silent TOFU) and discovery-based direct connects are TLS-only. In Android, hostname verification is no longer globally disabled (only bypassed when pinning).", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. See NVD for remediation details.", "published": "2026-02-19T23:16:26.100", "references": [ "https://github.com/openclaw/openclaw/commit/d583782ee322a6faa1fe87ae52455e0d349de586", "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14", "https://github.com/openclaw/openclaw/security/advisories/GHSA-pv58-549p-qh99" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26327", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-26326", "severity": "medium", "type": "exposure_of_sensitive_information", "nvd_category_id": "CWE-200", "title": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, `skills.status` could disclose secr...", "description": "OpenClaw is a personal AI assistant. 
Prior to version 2026.2.14, `skills.status` could disclose secrets to `operator.read` clients by returning raw resolved config values in `configChecks` for skill `requires.config` paths. Version 2026.2.14 stops including raw resolved config values in requirement checks (return only `{ path, satisfied }`) and narrows the Discord skill requirement to the token key. In addition to upgrading, users should rotate any Discord tokens that may have been exposed to read-scoped clients.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. See NVD for remediation details.", "published": "2026-02-19T23:16:25.950", "references": [ "https://github.com/openclaw/openclaw/commit/d3428053d95eefbe10ecf04f92218ffcba55ae5a", "https://github.com/openclaw/openclaw/commit/ebc68861a61067fc37f9298bded3eec9de0ba783", "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14" ], "cvss_score": 4.3, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26326", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (4.3); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-26325", "severity": "high", "type": "improper_access_control", "nvd_category_id": "CWE-284", "title": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, a mismatch between `rawCommand` and...", "description": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, a mismatch between `rawCommand` and `command[]` in the node host `system.run` handler could cause allowlist/approval evaluation to be performed on one command while executing a different argv. 
This only impacts deployments that use the node host / companion node execution path (`system.run` on a node), enable allowlist-based exec policy (`security=allowlist`) with approval prompting driven by allowlist misses (for example `ask=on-miss`), and allow an attacker to invoke `system.run`. Default/non-node configurations are not affected. Version 2026.2.14 enforces `rawCommand`/`command[]` consistency (gateway fail-fast + node host validation).", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. See NVD for remediation details.", "published": "2026-02-19T23:16:25.800", "references": [ "https://github.com/openclaw/openclaw/commit/cb3290fca32593956638f161d9776266b90ab891", "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14", "https://github.com/openclaw/openclaw/security/advisories/GHSA-h3f9-mjwj-w476" ], "cvss_score": 7.2, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26325", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.2); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-26324", "severity": "high", "type": "server_side_request_forgery", "nvd_category_id": "CWE-918", "title": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, OpenClaw's SSRF protection could be...", "description": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, OpenClaw's SSRF protection could be bypassed using full-form IPv4-mapped IPv6 literals such as `0:0:0:0:0:ffff:7f00:1` (which is `127.0.0.1`). This could allow requests that should be blocked (loopback / private network / link-local metadata) to pass the SSRF guard. 
Version 2026.2.14 patches the issue.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. See NVD for remediation details.", "published": "2026-02-19T23:16:25.653", "references": [ "https://github.com/openclaw/openclaw/commit/c0c0e0f9aecb913e738742f73e091f2f72d39a19", "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14", "https://github.com/openclaw/openclaw/security/advisories/GHSA-jrvc-8ff5-2f9f" ], "cvss_score": 7.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26324", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication; SSRF affects agents making external requests", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-26323", "severity": "high", "type": "os_command_injection", "nvd_category_id": "CWE-78", "title": "OpenClaw is a personal AI assistant. Versions 2026.1.8 through 2026.2.13 have a command injection in...", "description": "OpenClaw is a personal AI assistant. Versions 2026.1.8 through 2026.2.13 have a command injection in the maintainer/dev script `scripts/update-clawtributors.ts`. The issue affects contributors/maintainers (or CI) who run `bun scripts/update-clawtributors.ts` in a source checkout that contains a malicious commit author email (e.g. crafted `@users[.]noreply[.]github[.]com` values). Normal CLI usage is not affected (`npm i -g openclaw`): this script is not part of the shipped CLI and is not executed during routine operation. The script derived a GitHub login from `git log` author metadata and interpolated it into a shell command (via `execSync`). 
A malicious commit record could inject shell metacharacters and execute arbitrary commands when the script is run. Version 2026.2.14 contains a patch.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. See NVD for remediation details.", "published": "2026-02-19T23:16:25.500", "references": [ "https://github.com/openclaw/openclaw/commit/a429380e337152746031d290432a4b93aa553d55", "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14", "https://github.com/openclaw/openclaw/security/advisories/GHSA-m7x8-2w3w-pr42" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26323", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.8); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-26322", "severity": "high", "type": "server_side_request_forgery", "nvd_category_id": "CWE-918", "title": "OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Gateway tool accepted ...", "description": "OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Gateway tool accepted a tool-supplied `gatewayUrl` without sufficient restrictions, which could cause the OpenClaw host to attempt outbound WebSocket connections to user-specified targets. This requires the ability to invoke tools that accept `gatewayUrl` overrides (directly or indirectly). In typical setups this is limited to authenticated operators, trusted automation, or environments where tool calls are exposed to non-operators. 
In other words, this is not a drive-by issue for arbitrary internet users unless a deployment explicitly allows untrusted users to trigger these tool calls. Some tool call paths allowed `gatewayUrl` overrides to flow into the Gateway WebSocket client without validation or allowlisting. This meant the host could be instructed to attempt connections to non-gateway endpoints (for example, localhost services, private network addresses, or cloud metadata IPs). In the common case, this results in an outbound connection attempt from the OpenClaw host (and corresponding errors/timeouts). In environments where the tool caller can observe the results, this can also be used for limited network reachability probing. If the target speaks WebSocket and is reachable, further interaction may be possible. Starting in version 2026.2.14, tool-supplied `gatewayUrl` overrides are restricted to loopback (on the configured gateway port) or the configured `gateway.remote.url`. Disallowed protocols, credentials, query/hash, and non-root paths are rejected.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-02-19T23:16:25.340", "references": [ "https://github.com/openclaw/openclaw/commit/c5406e1d2434be2ef6eb4d26d8f1798d718713f4", "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14", "https://github.com/openclaw/openclaw/security/advisories/GHSA-g6q9-8fvw-f7rf" ], "cvss_score": 7.6, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26322", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.6); network accessible; SSRF affects agents making external requests", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-26321", "severity": "high", "type": "path_traversal", "nvd_category_id": "CWE-22", "title": "OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Feishu extension previ...", "description": "OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Feishu extension previously allowed `sendMediaFeishu` to treat attacker-controlled `mediaUrl` values as local filesystem paths and read them directly. If an attacker can influence tool calls (directly or via prompt injection), they may be able to exfiltrate local files by supplying paths such as `/etc/passwd` as `mediaUrl`. Upgrade to OpenClaw `2026.2.14` or newer to receive a fix. The fix removes direct local file reads from this path and routes media loading through hardened helpers that enforce local-root restrictions.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-02-19T23:16:25.180", "references": [ "https://github.com/openclaw/openclaw/commit/5b4121d6011a48c71e747e3c18197f180b872c5d", "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14", "https://github.com/openclaw/openclaw/security/advisories/GHSA-8jpq-5h99-ff5r" ], "cvss_score": 7.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26321", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-26320", "severity": "medium", "type": "unknown_cwe_451", "nvd_category_id": "CWE-451", "title": "OpenClaw is a personal AI assistant. OpenClaw macOS desktop client registers the `openclaw://` URL s...", "description": "OpenClaw is a personal AI assistant. OpenClaw macOS desktop client registers the `openclaw://` URL scheme. For `openclaw://agent` deep links without an unattended `key`, the app shows a confirmation dialog that previously displayed only the first 240 characters of the message, but executed the full message after the user clicked \"Run.\" At the time of writing, the OpenClaw macOS desktop client is still in beta. In versions 2026.2.6 through 2026.2.13, an attacker could pad the message with whitespace to push a malicious payload outside the visible preview, increasing the chance a user approves a different message than the one that is actually executed. If a user runs the deep link, the agent may perform actions that can lead to arbitrary command execution depending on the user's configured tool approvals/allowlists. 
This is a social-engineering mediated vulnerability: the confirmation prompt could be made to misrepresent the executed message. The issue is fixed in 2026.2.14. Other mitigations include not approving unexpected \"Run OpenClaw agent?\" prompts triggered while browsing untrusted sites and using unattended deep links only with a valid `key` for trusted personal automations.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. See NVD for remediation details.", "published": "2026-02-19T23:16:25.017", "references": [ "https://github.com/openclaw/openclaw/commit/28d9dd7a772501ccc3f71457b4adfee79084fe6f", "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14", "https://github.com/openclaw/openclaw/security/advisories/GHSA-7q2j-c4q5-rm27" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26320", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (6.5); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-26319", "severity": "high", "type": "missing_authentication_for_critical_function", "nvd_category_id": "CWE-306", "title": "OpenClaw is a personal AI assistant. Versions 2026.2.13 and below allow the optional @openclaw/voice...", "description": "OpenClaw is a personal AI assistant. Versions 2026.2.13 and below allow the optional @openclaw/voice-call plugin Telnyx webhook handler to accept unsigned inbound webhook requests when telnyx.publicKey is not configured, enabling unauthenticated callers to forge Telnyx events. Telnyx webhooks are expected to be authenticated via Ed25519 signature verification. 
In affected versions, TelnyxProvider.verifyWebhook() could effectively fail open when no Telnyx public key was configured, allowing arbitrary HTTP POST requests to the voice-call webhook endpoint to be treated as legitimate Telnyx events. This only impacts deployments where the Voice Call plugin is installed, enabled, and the webhook endpoint is reachable from the attacker (for example, publicly exposed via a tunnel/proxy). The issue has been fixed in version 2026.2.14.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. See NVD for remediation details.", "published": "2026-02-19T23:16:24.857", "references": [ "https://github.com/openclaw/openclaw/commit/29b587e73cbdc941caec573facd16e87d52f007b", "https://github.com/openclaw/openclaw/commit/f47584fec86d6d73f2d483043a2ad0e7e3c50411", "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14" ], "cvss_score": 7.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26319", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-26317", "severity": "high", "type": "cross_site_request_forgery", "nvd_category_id": "CWE-352", "title": "OpenClaw is a personal AI assistant. Prior to 2026.2.14, browser-facing localhost mutation routes ac...", "description": "OpenClaw is a personal AI assistant. Prior to 2026.2.14, browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins. 
A malicious website can trigger unauthorized state changes against a victim's local OpenClaw browser control plane (for example opening tabs, starting/stopping the browser, mutating storage/cookies) if the browser control service is reachable on loopback in the victim's browser context. Starting in version 2026.2.14, mutating HTTP methods (POST/PUT/PATCH/DELETE) are rejected when the request indicates a non-loopback Origin/Referer (or `Sec-Fetch-Site: cross-site`). Other mitigations include enabling browser control auth (token/password) and avoiding running with auth disabled.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. See NVD for remediation details.", "published": "2026-02-19T22:16:47.270", "references": [ "https://github.com/openclaw/openclaw/commit/b566b09f81e2b704bf9398d8d97d5f7a90aa94c3", "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14", "https://github.com/openclaw/openclaw/security/advisories/GHSA-3fqr-4cg8-h96q" ], "cvss_score": 7.1, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26317", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.1); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-26316", "severity": "high", "type": "incorrect_authorization", "nvd_category_id": "CWE-863", "title": "OpenClaw is a personal AI assistant. Prior to 2026.2.13, the optional BlueBubbles iMessage channel p...", "description": "OpenClaw is a personal AI assistant. 
Prior to 2026.2.13, the optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopback (`127.0.0.1`, `::1`, `::ffff:127.0.0.1`) even when the configured webhook secret was missing or incorrect. This does not affect the default iMessage integration unless BlueBubbles is installed and enabled. Version 2026.2.13 contains a patch. Other mitigations include setting a non-empty BlueBubbles webhook password and avoiding deployments where a public-facing reverse proxy forwards to a loopback-bound Gateway without strong upstream authentication.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. See NVD for remediation details.", "published": "2026-02-19T22:16:47.110", "references": [ "https://github.com/openclaw/openclaw/commit/743f4b28495cdeb0d5bf76f6ebf4af01f6a02e5a", "https://github.com/openclaw/openclaw/commit/f836c385ffc746cb954e8ee409f99d079bfdcd2f", "https://github.com/openclaw/openclaw/releases/tag/v2026.2.13" ], "cvss_score": 7.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26316", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "GHSA-6c9j-x93c-rw6j", "ghsa_id": "GHSA-6c9j-x93c-rw6j", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": "CWE-203", "title": "OpenClaw safeBins file-existence oracle information disclosure", "description": "An information disclosure vulnerability in OpenClaw's tools.exec.safeBins approval flow allowed a file-existence oracle. 
When safe-bin validation examined candidate file paths, command allow/deny behavior could differ based on whether a path already existed on the host filesystem. An attacker could probe for file presence by comparing outcomes for existing vs non-existing filenames. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.17 - Latest published vulnerable version at triage time: 2026.2.17 - Planned patched version: 2026.2.18 Impact Attackers with access to this execution surface could infer whether specific files exist (for example secrets/config files), enabling filesystem enumeration and improving follow-on attack planning. Fix The safe-bin policy was changed to deterministic argv-only validation without host file-existence checks. File-oriented flags are blocked for safe-bin mode (for example sort -o, jq -f, grep -f), and trusted-path checks remain enforced. Fix Commit(s) - bafdbb6f112409a65decd3d4e7350fbd637c7754 Found using MCPwner Thanks @nedlir for reporting.", "affected": [ "openclaw@<=2026.2.17" ], "patched": [ "openclaw@>= 2026.2.18" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-19T16:03:56Z", "updated": "2026-02-26T07:11:44Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-6c9j-x93c-rw6j" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6c9j-x93c-rw6j", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-203" ], "credits": [ "nedlir" ], "aliases": [ "GHSA-6c9j-x93c-rw6j" ], "source_feed": "ghsa-without-cve" }, { "id": "CVE-2026-25474", "severity": "high", "type": "unknown_cwe_345", "nvd_category_id": "CWE-345", "title": "OpenClaw is a personal AI assistant. 
In versions 2026.1.30 and below, if channels.telegram.webhookSe...", "description": "OpenClaw is a personal AI assistant. In versions 2026.1.30 and below, if channels.telegram.webhookSecret is not set when in Telegram webhook mode, OpenClaw may accept webhook HTTP requests without verifying Telegram’s secret token header. In deployments where the webhook endpoint is reachable by an attacker, this can allow forged Telegram updates (for example spoofing message.from.id). If an attacker can reach the webhook endpoint, they may be able to send forged updates that are processed as if they came from Telegram. Depending on enabled commands/tools and configuration, this could lead to unintended bot actions. Note: Telegram webhook mode is not enabled by default. It is enabled only when `channels.telegram.webhookUrl` is configured. This issue has been fixed in version 2026.2.1.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-02-19T07:17:45.847", "references": [ "https://github.com/openclaw/openclaw/commit/3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930", "https://github.com/openclaw/openclaw/commit/5643a934799dc523ec2ef18c007e1aa2c386b670", "https://github.com/openclaw/openclaw/commit/633fe8b9c17f02fcc68ecdb5ec212a5ace932f09" ], "cvss_score": 7.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25474", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-24764", "severity": "low", "type": "unknown_cwe_74", "nvd_category_id": "CWE-74", "title": "OpenClaw (formerly Clawdbot) is a personal AI assistant users run on their own devices. In versions ...", "description": "OpenClaw (formerly Clawdbot) is a personal AI assistant users run on their own devices. In versions 2026.2.2 and below, when the Slack integration is enabled, channel metadata (topic/description) can be incorporated into the model's system prompt. Prompt injection is a documented risk for LLM-driven systems. This issue increases the injection surface by allowing untrusted Slack channel metadata to be treated as higher-trust system input. This issue has been fixed in version 2026.2.3.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-02-19T07:17:44.957", "references": [ "https://github.com/openclaw/openclaw/commit/35eb40a7000b59085e9c638a80fd03917c7a095e", "https://github.com/openclaw/openclaw/releases/tag/v2026.2.3", "https://github.com/openclaw/openclaw/security/advisories/GHSA-782p-5fr5-7fj8" ], "cvss_score": 3.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24764", "exploitability_score": "low", "exploitability_rationale": "Low CVSS score (3.7); network accessible", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": true, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "GHSA-mmpf-jwf4-h3qv", "ghsa_id": "GHSA-mmpf-jwf4-h3qv", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "low", "type": "github_security_advisory", "nvd_category_id": "CWE-77", "title": "Option injection in pre-commit hook can stage ignored files", "description": "Summary A maliciously-named file (for example, --force) can trigger option injection in the repository's git-hooks/pre-commit hook when a contributor uses the built-in git hook setup (git config core.hooksPath git-hooks). This can cause unintended staging of ignored files. Details The hook collected staged filenames and piped them through xargs into git add without a -- separator. Filenames beginning with - could be interpreted as flags. This issue only affects contributors who: - use the repo's git-hooks/ hook mechanism (not the pre-commit framework), and - run commits in a working directory that contains sensitive ignored files. Impact Under specific circumstances, ignored files (for example .env) can be added to git history. 
Affected Packages / Versions - Repository versions: <= 2026.2.14 - Fixed in: 2026.2.15 Note: the npm package does not ship git-hooks/; the impact is on contributors working from the repository checkout/source release. Fix The hook now: - uses NUL-delimited file lists (git diff ... -z) to safely handle whitespace, and - passes paths to git add after -- to prevent option injection. Fix Commit(s) - b88f37762f5b6d7ec0f589eb761815e466e4ef4b - ba84b1253967143692166023f9e174c149b6f2ed Thanks @mrthankyou for reporting.", "affected": [ "openclaw@<=2026.2.14" ], "patched": [ "openclaw@>=2026.2.15" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-18T03:39:01Z", "updated": "2026-02-21T10:37:07Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-mmpf-jwf4-h3qv" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mmpf-jwf4-h3qv", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-77" ], "credits": [ "mrthankyou" ], "aliases": [ "GHSA-mmpf-jwf4-h3qv" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-h9g4-589h-68xv", "ghsa_id": "GHSA-h9g4-589h-68xv", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "high", "type": "missing_authentication_for_critical_function", "nvd_category_id": "CWE-306", "title": "Authentication bypass in sandbox browser bridge server", "description": "Summary openclaw could start the sandbox browser bridge server without authentication. When the sandboxed browser is enabled, openclaw runs a local (loopback) HTTP bridge that exposes browser control endpoints (for example /profiles, /tabs, /tabs/open, /agent/). Due to missing auth wiring in the sandbox initialization path, that bridge server accepted requests without requiring gateway auth. 
CVSS - CVSS v3.1: 7.1 - Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Impact A local attacker (any process on the same machine) could access the bridge server port and: - enumerate open tabs and retrieve CDP WebSocket URLs - open/close/navigate tabs - execute JavaScript in page contexts via CDP - exfiltrate cookies/session data and page contents from authenticated sessions This is a localhost-only exposure (CVSS AV:L), but provides full browser-session compromise for sandboxed browser usage. Affected Versions - Introduced in: 2026.1.29-beta.1 (first npm release that shipped the sandbox browser bridge) - Affected range: >=2026.1.29-beta.1 <2026.2.14 Patched Versions - 2026.2.14 Mitigation - Upgrade to 2026.2.14 (recommended). - Or disable the sandboxed browser (agents.defaults.sandbox.browser.enabled=false). Fix Details - The sandbox browser bridge server now always requires auth and enforces the same gateway browser control auth (token/password) that loopback browser clients already use. - Additional hardening: bridge server refuses non-loopback binds; local helper servers are bound to loopback. - Added regression tests (including unit coverage for per-port bridge auth fallback). 
Fix commits: - openclaw/openclaw@4711a943e30bc58016247152ba06472dab09d0b0 - openclaw/openclaw@6dd6bce997c48752134f2d6ed89b27de01ced7e3 - openclaw/openclaw@cd84885a4ac78eadb7bf321aae98db9519426d67 Credits Thanks to Adnan Jakati (@jackhax) of Praetorian for reporting this issue.", "affected": [ "openclaw@>=2026.1.29-beta.1 <2026.2.14" ], "patched": [ "openclaw@2026.2.14" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-16T01:37:15Z", "updated": "2026-02-16T01:45:52Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-h9g4-589h-68xv" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h9g4-589h-68xv", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-306" ], "credits": [ "jackhax" ], "aliases": [ "GHSA-h9g4-589h-68xv" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-chm2-m3w2-wcxm", "ghsa_id": "GHSA-chm2-m3w2-wcxm", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "low", "type": "github_security_advisory", "nvd_category_id": "CWE-290", "title": "Google Chat spoofing access with allowlist authorized mutable email principal despite sender-ID mismatch", "description": "Summary Google Chat allowlisting supports matching by sender email in addition to immutable sender resource name (users/=2026.2.14" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-16T00:31:29Z", "updated": "2026-02-21T10:40:48Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-chm2-m3w2-wcxm" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": 
"https://github.com/openclaw/openclaw/security/advisories/GHSA-chm2-m3w2-wcxm", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-290", "CWE-863" ], "credits": [ "vincentkoc" ], "aliases": [ "GHSA-chm2-m3w2-wcxm" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-w5c7-9qqw-6645", "ghsa_id": "GHSA-w5c7-9qqw-6645", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "medium", "type": "github_security_advisory", "nvd_category_id": null, "title": "Inter-session prompts could be treated as direct user instructions", "description": "Summary Inter-session messages sent via sessionssend could be interpreted as direct end-user instructions because they were persisted as role: \"user\" without provenance metadata. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.12 (i.e. < 2026.2.13) - Fixed in: 2026.2.13 (patched versions = 2026.2.13) Impact A delegated or internal session could inject instructions into another session that appeared equivalent to externally-originated user input. This is an instruction-provenance confusion issue (confused-deputy style), which can lead to unintended privileged behavior in workflows that trust role: \"user\" as a sole authority signal. Technical details Before the fix, routed inter-session prompts were stored as regular user turns without a verifiable source marker. As a result, downstream workers and transcript readers could not distinguish: - External user input - Internal inter-session routed input Fix OpenClaw now carries explicit input provenance end-to-end for routed prompts. Key changes: - Added structured provenance model (inputProvenance) with kind values including intersession. - sessionssend and agent-to-agent steps now set inter-session provenance when invoking target runs. - Provenance is persisted on user messages as message.provenance.kind = \"intersession\" (role remains user for provider compatibility). 
- Transcript readers and memory helpers were updated to respect provenance and avoid treating inter-session prompts as external user-originated input. - Runtime context rebuilding now annotates inter-session turns with an explicit in-memory marker ([Inter-session message]) for clearer model-side disambiguation. - Regression tests were added for transcript parsing, session tools flow, runner sanitization, and memory hook behavior. Fix Commit(s) - 85409e401b6586f83954cb53552395d7aab04797 Workarounds If immediate upgrade is not possible: - Disable or restrict sessionssend in affected environments. - Do not use role alone as an authority boundary; require provenance-aware checks in orchestration logic. Credit Reported by @anbecker. Thanks @anbecker for reporting.", "affected": [ "openclaw@<2026.2.13" ], "patched": [ "openclaw@>=2026.2.13" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-15T23:31:43Z", "updated": "2026-02-21T10:37:10Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-w5c7-9qqw-6645" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w5c7-9qqw-6645", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [], "credits": [ "anbecker" ], "aliases": [ "GHSA-w5c7-9qqw-6645" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-fhvm-j76f-qmjv", "ghsa_id": "GHSA-fhvm-j76f-qmjv", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "high", "type": "github_security_advisory", "nvd_category_id": "CWE-285", "title": "Potential access-group authorization bypass if channel type lookup fails", "description": "Summary When Telegram webhook mode is enabled without a configured webhook secret, OpenClaw may accept unauthenticated HTTP POST requests at the Telegram webhook 
endpoint and trust attacker-controlled update JSON. This can allow forged Telegram updates that spoof message.from.id / chat.id, potentially bypassing sender allowlists and executing privileged bot commands. Affected Packages / Versions - Package: openclaw (npm) - Affected: <= 2026.1.30 - Patched: >= 2026.2.1 Impact An attacker who can reach the webhook endpoint can forge Telegram updates and impersonate allowlisted/paired senders by spoofing fields in the webhook payload (for example message.from.id). Impact depends on enabled commands/tools and the deployment’s network exposure. Mitigations / Workarounds - Configure a strong channels.telegram.webhookSecret and ensure your reverse proxy forwards the X-Telegram-Bot-Api-Secret-Token header unchanged. Fix Commit(s) - ca92597e1f9593236ad86810b66633144b69314d (config validation: webhookUrl requires webhookSecret) Defense-in-depth / supporting fixes: - 5643a934799dc523ec2ef18c007e1aa2c386b670 (default webhook listener bind host to loopback) - 3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930 (bound webhook request body size/time) - 633fe8b9c17f02fcc68ecdb5ec212a5ace932f09 (runtime guard: reject webhook startup when secret is missing/empty) Thanks @yueyueL for reporting.", "affected": [ "openclaw@<=2026.2.1" ], "patched": [ "openclaw@>=2026.2.2" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-14T21:15:31Z", "updated": "2026-02-21T10:37:22Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-fhvm-j76f-qmjv" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fhvm-j76f-qmjv", "nvd_url": null, "cvss_score": null, "cvss_vector": null, "cwe_ids": [ "CWE-285" ], "credits": [ "simecek", "stanislavfortaisle" ], "aliases": [ "GHSA-fhvm-j76f-qmjv" ], "source_feed": "ghsa-without-cve" }, { "id": 
"GHSA-g27f-9qjv-22pm", "ghsa_id": "GHSA-g27f-9qjv-22pm", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "low", "type": "github_security_advisory", "nvd_category_id": "CWE-117", "title": "OpenClaw log poisoning (indirect prompt injection) via WebSocket headers", "description": "Summary In openclaw versions prior to 2026.2.13, OpenClaw logged certain WebSocket request headers (including Origin and User-Agent) without neutralization or length limits on the \"closed before connect\" path. If an unauthenticated client can reach the gateway and send crafted header values, those values may be written into core logs. Under workflows where logs are later read or interpreted by an LLM (for example via AI-assisted debugging), this can increase the risk of indirect prompt injection (log poisoning). Affected Packages / Versions - Package: openclaw (npm) - Affected: <= 2026.2.12 - Fixed: = 2026.2.13 Details - Component: src/gateway/server/ws-connection.ts - Trigger: WebSocket connection closes before completing the connect/handshake; header values are included in the log message and structured context. Impact This issue is primarily an indirect prompt injection risk and depends on downstream log consumption behavior. If you do not feed logs into an LLM or other automation, impact is limited. Fix Header values written to gateway logs are now sanitized and truncated (including removal of control/format characters and length limiting). - Fix commits: d637a263505448bf4505b85535babbfaacedbaac, e84318e4bcdc948d92e57fda1eb763a65e1774f0 (PR #15592) Workarounds - Upgrade to openclaw@2026.2.13 or later. - Treat logs as untrusted input when using AI-assisted debugging (sanitize/escape, and do not auto-execute instructions derived from logs). - Restrict gateway network exposure; apply reverse-proxy limits on header size where applicable. 
Thanks @pkerkhofs for reporting.", "affected": [ "openclaw@<= 2026.2.12" ], "patched": [ "openclaw@2026.2.13" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-14T20:19:44Z", "updated": "2026-02-14T20:19:44Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-g27f-9qjv-22pm" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g27f-9qjv-22pm", "nvd_url": null, "cvss_score": 3.1, "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", "cwe_ids": [ "CWE-117" ], "credits": [ "pkerkhofs" ], "aliases": [ "GHSA-g27f-9qjv-22pm" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-56f2-hvwg-5743", "ghsa_id": "GHSA-56f2-hvwg-5743", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "high", "type": "server_side_request_forgery", "nvd_category_id": "CWE-918", "title": "SSRF in Image Tool Remote Fetch", "description": "Summary A server-side request forgery (SSRF) vulnerability in the Image tool allowed attackers to force OpenClaw to make HTTP requests to arbitrary internal or restricted network targets. Affected Versions - npm: openclaw <= 2026.2.1 Patched Versions - npm: openclaw 2026.2.2 and later Fix Commits - 81c68f582d4a9a20d9cca9f367d2da9edc5a65ae (guard remote media fetches with SSRF checks) - 9bd64c8a1f91dda602afc1d5246a2ff2be164647 (expand SSRF guard coverage) Details The Image tool accepts file paths, file:// URLs, data: URLs, and http(s) URLs. In vulnerable versions, http(s) URLs were fetched without SSRF protections, enabling requests to localhost, RFC1918, link-local, and cloud metadata targets. This was fixed by routing remote media fetching through the SSRF guard (private/internal IP + hostname blocking, redirect hardening, DNS pinning). 
Exploitability Notes - Requires attacker-controlled invocation of the Image tool (direct tool access, or a gateway/channel surface that forwards untrusted image arguments into tool calls). - The image tool expects the fetched content to be an image. Many high-value SSRF targets return text/JSON (for example cloud metadata endpoints), which will typically fail media-type validation. In practice, the most direct confidentiality impact comes from internal endpoints that actually return images (screenshots/renderers, camera snapshots, chart exports, etc.). - Remote fetches are GET-only with no custom headers. Some metadata services require special headers or session tokens (for example GCP Metadata-Flavor, AWS IMDSv2 token), which can further reduce the likelihood of direct credential theft in some environments. - Despite the above constraints, SSRF remains a powerful primitive: it can enable internal network probing and access to unauthenticated/internal HTTP endpoints, and can chain with other weaknesses if present. Related - Duplicate / broader writeup: GHSA-9vf6-3vcv-rpj2 (closed). 
Thanks @p80n-sec for reporting.", "affected": [ "openclaw@<=2026.2.1" ], "patched": [ "openclaw@2026.2.2" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-14T17:21:19Z", "updated": "2026-02-14T17:21:19Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-56f2-hvwg-5743" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-56f2-hvwg-5743", "nvd_url": null, "cvss_score": 7.6, "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "cwe_ids": [ "CWE-918" ], "credits": [ "p80n-sec" ], "aliases": [ "GHSA-56f2-hvwg-5743" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-hv93-r4j3-q65f", "ghsa_id": "GHSA-hv93-r4j3-q65f", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "high", "type": "github_security_advisory", "nvd_category_id": "CWE-330", "title": "Hook Session Key Override Enables Targeted Cross-Session Routing", "description": "Summary The issue is not deterministic session keys by itself. The exploitable path was accepting externally supplied sessionKey values on authenticated hook ingress, allowing a hook token holder to route messages into chosen sessions. Affected Behavior - POST /hooks/agent accepted payload sessionKey and used it directly for session routing. 
- Common session-key shapes (for example agent:main:dm:= 2.0.0-beta3, < 2026.2.12" ], "patched": [ "openclaw@>= 2026.2.12" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-14T13:36:56Z", "updated": "2026-02-21T14:11:04Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-hv93-r4j3-q65f" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hv93-r4j3-q65f", "nvd_url": null, "cvss_score": 7.1, "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", "cwe_ids": [ "CWE-330", "CWE-639" ], "credits": [ "alpernae" ], "aliases": [ "GHSA-hv93-r4j3-q65f" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-gv46-4xfq-jv58", "ghsa_id": "GHSA-gv46-4xfq-jv58", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "critical", "type": "github_security_advisory", "nvd_category_id": "CWE-20", "title": "Remote Code Execution via Node Invoke Approval Bypass in Gateway", "description": "Summary A remote code execution (RCE) vulnerability in the gateway-to-node invocation path allowed an authenticated gateway client to bypass node-host exec approvals by injecting internal control fields into node.invoke parameters. Affected Component - Gateway method: node.invoke for node command system.run - Node host runner: exec approval gating for system.run Impact If an attacker can authenticate to a gateway (for example via a leaked/shared gateway token or a paired device token with operator.write), they could execute arbitrary commands on connected node hosts that support system.run. This can lead to full compromise of developer workstations, CI runners, and servers running the node host. Technical Details The gateway forwarded user-controlled params to node hosts without sanitizing internal approval fields. 
The node host treated params.approved === true and/or params.approvalDecision as sufficient to skip the approval workflow. Fix Patched in OpenClaw 2026.2.14. - Commits: - 318379cdb8d045da0009b0051bd0e712e5c65e2d - a7af646fdab124a7536998db6bd6ad567d2b06b0 - c1594627421f95b6bc4ad7c606657dc75b5ad0ce - 0af76f5f0e93540efbdf054895216c398692afcd - Gateway strips untrusted approval control fields from system.run user input. - Gateway only re-attaches approval flags when params.runId references a valid exec.approval.request record and the request context matches. Approval IDs are bound to the requesting device identity (stable across reconnects), preventing replay by other clients. - Gateway forwards only an allowlisted set of system.run parameters, preventing future control-field smuggling. Mitigations - Upgrade to 2026.2.14 or later. - Restrict access to the gateway (do not expose it to untrusted networks/users). - Rotate gateway credentials if you suspect token/password exposure. - Disable remote command execution on nodes by blocking system.run at the gateway (gateway.nodes.denyCommands) and/or by configuring node exec security to deny. 
Credits Thanks to @222n5 for reporting this issue.", "affected": [ "openclaw@< 2026.2.14" ], "patched": [ "openclaw@>= 2026.2.14" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-14T12:06:43Z", "updated": "2026-02-14T12:32:18Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-gv46-4xfq-jv58" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gv46-4xfq-jv58", "nvd_url": null, "cvss_score": 9.9, "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "cwe_ids": [ "CWE-20", "CWE-441", "CWE-863" ], "credits": [ "222n5" ], "aliases": [ "GHSA-gv46-4xfq-jv58" ], "source_feed": "ghsa-without-cve" }, { "id": "GHSA-943q-mwmv-hhvh", "ghsa_id": "GHSA-943q-mwmv-hhvh", "cve_id": null, "status": "stale", "stale": true, "stale_after_days": 60, "severity": "high", "type": "os_command_injection", "nvd_category_id": "CWE-78", "title": "OC-02: Gateway /tools/invoke tool escalation + ACP permission auto-approval", "description": "Summary OpenClaw Gateway exposes an authenticated HTTP endpoint (POST /tools/invoke) intended for invoking a constrained set of tools. Two issues could combine to significantly increase blast radius in misconfigured or exposed deployments: - The HTTP gateway layer did not deny high-risk session orchestration tools by default, allowing a caller with Gateway auth to invoke tools like sessionsspawn / sessionssend and pivot into creating or controlling agent sessions. - ACP clients could auto-approve permission requests for risky tools with insufficient user interaction/guardrails, reducing the friction that should normally prevent silent execution or mutation. 
Impact If the Gateway is reachable by an attacker and they obtain a valid Gateway token, they may be able to: - Escalate from single-tool invocation to spawning/controlling sessions and reach command execution capabilities depending on tool policy and runtime environment. - Perform cross-session message injection via sessionssend. - In ACP-integrated scenarios, obtain unintended approvals for non-read/search tool permissions. CVSS - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8) Affected versions - openclaw < 2026.2.14 Fixed in - openclaw >= 2026.2.14 Remediation The default behavior is now hardened: - PR #15390: deny high-risk tools over HTTP /tools/invoke by default (with gateway.tools.{allow,deny} overrides) and harden ACP permission handling. - Commit bb1c3dfe1: ACP clients now prompt for any non-read/search permission request (fail closed for mutating/execution/fetch operations). - Commit 539689a2f: security audit warns when gateway.tools.allow re-enables default-denied HTTP tools, since this can increase RCE blast radius if the Gateway is reachable. - Commit 153a7644e: ACP safe-kind inference is stricter to avoid accidental auto-approval due to substring matches (still auto-approves only confident read/search). Mitigations / deployment guidance - Keep the Gateway loopback-only unless you have a strong reason not to: gateway.bind=\"loopback\" / openclaw gateway run --bind loopback. - Avoid exposing the Gateway directly to the public internet. Use an SSH tunnel or Tailscale to access a loopback-bound Gateway. - Treat opting in to default-denied HTTP tools (via gateway.tools.allow) as high-risk and audit such configurations carefully. 
Credits Thanks to @aether-ai-agent for reporting this issue and contributing remediation work.", "affected": [ "openclaw@<2026.2.14" ], "patched": [ "openclaw@>=2026.2.14" ], "platforms": [ "openclaw" ], "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", "published": "2026-02-14T11:55:07Z", "updated": "2026-02-14T12:19:32Z", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-943q-mwmv-hhvh" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-943q-mwmv-hhvh", "nvd_url": null, "cvss_score": 8.8, "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "cwe_ids": [ "CWE-78" ], "credits": [ "aether-ai-agent" ], "aliases": [ "GHSA-943q-mwmv-hhvh" ], "source_feed": "ghsa-without-cve" }, { "id": "CVE-2026-25593", "severity": "high", "type": "missing_authentication_for_critical_function", "nvd_category_id": "CWE-306", "title": "OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use t...", "description": "OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user. This vulnerability is fixed in 2026.1.20.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-02-06T21:16:17.790", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-g55j-c2v4-pjcg" ], "cvss_score": 8.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25593", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.4); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": false, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-25475", "severity": "medium", "type": "exposure_of_sensitive_information", "nvd_category_id": "CWE-200", "title": "OpenClaw is a personal AI assistant. Prior to version 2026.1.30, the isValidMedia() function in src/...", "description": "OpenClaw is a personal AI assistant. Prior to version 2026.1.30, the isValidMedia() function in src/media/parse.ts allows arbitrary file paths including absolute paths, home directory paths, and directory traversal sequences. An agent can read any file on the system by outputting MEDIA:/path/to/file, exfiltrating sensitive data to the user/channel. This issue has been patched in version 2026.1.30.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-02-04T20:16:07.287", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-r8g4-86fx-92mq" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25475", "exploitability_score": "high", "exploitability_rationale": "Medium CVSS score (6.5); network accessible; path traversal affects agents with file access", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-25157", "severity": "high", "type": "os_command_injection", "nvd_category_id": "CWE-78", "title": "OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vu...", "description": "OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vulnerability via the Project Root Path in sshNodeCommand. The sshNodeCommand function constructed a shell script without properly escaping the user-supplied project path in an error message. When the cd command failed, the unescaped path was interpolated directly into an echo statement, allowing arbitrary command execution on the remote SSH host. The parseSSHTarget function did not validate that SSH target strings could not begin with a dash. An attacker-supplied target like -oProxyCommand=... would be interpreted as an SSH configuration flag rather than a hostname, allowing arbitrary command execution on the local machine. This issue has been patched in version 2026.1.29.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-02-04T20:16:06.577", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-q284-4pvr-m585" ], "cvss_score": 7.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25157", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (7.7); requires local access; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": false, "requires_user_interaction": true, "complexity": "high" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-24763", "severity": "high", "type": "os_command_injection", "nvd_category_id": "CWE-78", "title": "OpenClaw (formerly Clawdbot) is a personal AI assistant you run on your own devices. Prior to 2026....", "description": "OpenClaw (formerly Clawdbot) is a personal AI assistant you run on your own devices. Prior to 2026.1.29, a command injection vulnerability existed in OpenClaw’s Docker sandbox execution mechanism due to unsafe handling of the PATH environment variable when constructing shell commands. An authenticated user able to control environment variables could influence command execution within the container context. This vulnerability is fixed in 2026.1.29.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-02-02T23:16:08.593", "references": [ "https://github.com/openclaw/openclaw/commit/771f23d36b95ec2204cc9a0054045f5d8439ea75", "https://github.com/openclaw/openclaw/releases/tag/v2026.1.29", "https://github.com/openclaw/openclaw/security/advisories/GHSA-mc68-q9jw-2h3v" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24763", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.8); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": true, "requires_user_interaction": false, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-25253", "severity": "high", "type": "incorrect_resource_transfer_between_spheres", "nvd_category_id": "CWE-669", "title": "OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string a...", "description": "OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value.", "affected": [ "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "openclaw@*" ], "platforms": [ "openclaw" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-02-01T23:15:49.717", "references": [ "https://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys", "https://ethiack.com/news/blog/one-click-rce-moltbot", "https://github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25253", "exploitability_score": "high", "exploitability_rationale": "High CVSS score (8.8); network accessible; RCE is critical in agent deployments", "attack_vector_analysis": { "is_network_accessible": true, "requires_authentication": false, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } }, { "id": "CVE-2026-22798", "severity": "medium", "type": "unknown_cwe_532", "nvd_category_id": "CWE-532", "title": "hermes is an implementation of the HERMES workflow to automatize software publication with rich meta...", "description": "hermes is an implementation of the HERMES workflow to automatize software publication with rich metadata. From 0.8.1 to before 0.9.1, hermes subcommands take arbitrary options under the -O argument. These have been logged in raw form. If users provide sensitive data such as API tokens (e.g., via hermes deposit -O invenio_rdm.auth_token SECRET), these are written to the log file in plain text, making them available to whoever can access the log file. This vulnerability is fixed in 0.9.1.", "affected": [ "cpe:2.3:a:software-metadata.pub:hermes:*:*:*:*:*:python:*:*", "hermes@*" ], "platforms": [ "hermes" ], "action": "Review and update affected components. 
See NVD for remediation details.", "published": "2026-01-12T22:16:08.780", "references": [ "https://github.com/softwarepub/hermes/commit/7f64f102e916c76dc44404b77ab2a80f5a4e59b1", "https://github.com/softwarepub/hermes/commit/90cb86acd026e7841f2539ae7a1b284a7f263514", "https://github.com/softwarepub/hermes/security/advisories/GHSA-jm5j-jfrm-hm23" ], "cvss_score": 5.9, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22798", "exploitability_score": "medium", "exploitability_rationale": "Medium CVSS score (5.9); requires local access", "attack_vector_analysis": { "is_network_accessible": false, "requires_authentication": true, "requires_user_interaction": true, "complexity": "low" }, "exploit_detection": { "exploit_available": false, "exploit_sources": [] } } ] }