mirror of
https://github.com/prompt-security/clawsec.git
synced 2026-06-13 05:28:02 +03:00
58b092d6d0
Automated update from NVD CVE and GHSA advisory feeds. Keywords: openclaw, nanoclaw, hermes, picoclaw Poll window: 2026-05-27T06:34:09Z to 2026-05-31T07:15:12.000Z Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
6176 lines
377 KiB
JSON
{
|
||
"version": "0.1.0",
|
||
"updated": "2026-05-31T07:16:21Z",
|
||
"description": "Provisional ClawSec advisory feed for public GitHub Security Advisories that do not yet have CVE identifiers.",
|
||
"stale_after_days": 60,
|
||
"semantics": {
|
||
"active": "GHSA is published and has no CVE identifier yet.",
|
||
"matured": "GHSA now has a CVE identifier and should be reconciled with the canonical CVE feed.",
|
||
"stale": "GHSA is older than stale_after_days and still has no CVE identifier."
|
||
},
|
||
"sources": [
|
||
{
|
||
"repository": "openclaw/openclaw",
|
||
"platform": "openclaw",
|
||
"url": "https://github.com/openclaw/openclaw/security/advisories"
|
||
},
|
||
{
|
||
"repository": "qwibitai/nanoclaw",
|
||
"platform": "nanoclaw",
|
||
"url": "https://github.com/qwibitai/nanoclaw/security/advisories"
|
||
},
|
||
{
|
||
"repository": "softwarepub/hermes",
|
||
"platform": "hermes",
|
||
"url": "https://github.com/softwarepub/hermes/security/advisories"
|
||
},
|
||
{
|
||
"repository": "nousresearch/hermes-agent",
|
||
"platform": "hermes",
|
||
"url": "https://github.com/nousresearch/hermes-agent/security/advisories"
|
||
},
|
||
{
|
||
"repository": "sipeed/picoclaw",
|
||
"platform": "picoclaw",
|
||
"url": "https://github.com/sipeed/picoclaw/security/advisories"
|
||
}
|
||
],
|
||
"advisories": [
|
||
{
|
||
"id": "GHSA-275c-xpvc-jgfw",
|
||
"ghsa_id": "GHSA-275c-xpvc-jgfw",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": null,
|
||
"title": "Slack and Zalo webhook secrets could remain active after secrets.reload",
|
||
"description": "Summary Slack and Zalo webhook secrets could remain active after secrets.reload. In affected versions, a caller with an old webhook secret during the stale-secret window could keep accepting the previous secret after secrets.reload. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could deliver webhook events briefly after the operator expected revocation. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.4.22. Mitigations restart the affected channel runtime after rotating webhook secrets until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<=2026.4.21"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.4.22"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:40:10Z",
|
||
"updated": "2026-05-28T17:40:10Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-275c-xpvc-jgfw"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-275c-xpvc-jgfw",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [],
|
||
"credits": [
|
||
"feynman-hou"
|
||
],
|
||
"aliases": [
|
||
"GHSA-275c-xpvc-jgfw"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-rj6p-xmxr-qj4h",
|
||
"ghsa_id": "GHSA-rj6p-xmxr-qj4h",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "missing_authorization",
|
||
"nvd_category_id": "CWE-862",
|
||
"title": "MCP loopback could skip owner-only tool policy for non-owner callers",
|
||
"description": "Summary MCP loopback could skip owner-only tool policy for non-owner callers. In affected versions, a non-owner caller reaching the affected loopback path could skip owner-only tool policy and before-tool-call hooks. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could invoke owner-only behavior through that loopback path. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Resolution Update to a patched OpenClaw release when one is listed for this advisory. If the Patched versions field is populated, use that version or later. Mitigations restrict MCP loopback access to trusted operators until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<2026.4.24"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.4.24"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:40:09Z",
|
||
"updated": "2026-05-28T17:40:10Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-rj6p-xmxr-qj4h"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rj6p-xmxr-qj4h",
|
||
"nvd_url": null,
|
||
"cvss_score": 6.6,
|
||
"cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
|
||
"cwe_ids": [
|
||
"CWE-862"
|
||
],
|
||
"credits": [
|
||
"zsxsoft",
|
||
"KeenSecurityLab",
|
||
"qclawer"
|
||
],
|
||
"aliases": [
|
||
"GHSA-rj6p-xmxr-qj4h"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-4m3v-q747-pc6h",
|
||
"ghsa_id": "GHSA-4m3v-q747-pc6h",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": null,
|
||
"title": "Mattermost slash token revocation could lag until monitor refresh",
|
||
"description": "Summary Mattermost slash token revocation could lag until monitor refresh. In affected versions, a caller with an old Mattermost slash token during the refresh window could continue accepting the old token until the monitor refreshed. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could invoke slash command behavior briefly after token revocation. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.4.24. Mitigations restart or refresh the Mattermost monitor after token rotation until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<=2026.4.23"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.4.24"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:40:08Z",
|
||
"updated": "2026-05-28T17:40:08Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-4m3v-q747-pc6h"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4m3v-q747-pc6h",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [],
|
||
"credits": [
|
||
"feynman-hou"
|
||
],
|
||
"aliases": [
|
||
"GHSA-4m3v-q747-pc6h"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-4hpg-mp64-x7xq",
|
||
"ghsa_id": "GHSA-4hpg-mp64-x7xq",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": null,
|
||
"title": "Internal/webchat command auth could inherit ownerAllowFrom wildcard state",
|
||
"description": "Summary Internal/webchat command auth could inherit ownerAllowFrom wildcard state. In affected versions, a sender on an affected internal or webchat path could inherit wildcard ownerAllowFrom state across channel boundaries. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could run owner-style command behavior that should have stayed channel-scoped. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.4.25. Mitigations keep owner command allowlists explicit per channel until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<=2026.4.24"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.4.25"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:40:06Z",
|
||
"updated": "2026-05-28T17:40:07Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-4hpg-mp64-x7xq"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4hpg-mp64-x7xq",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [],
|
||
"credits": [
|
||
"zsxsoft",
|
||
"KeenSecurityLab",
|
||
"qclawer"
|
||
],
|
||
"aliases": [
|
||
"GHSA-4hpg-mp64-x7xq"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-p39j-x9h5-q66m",
|
||
"ghsa_id": "GHSA-p39j-x9h5-q66m",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": null,
|
||
"title": "Embedded runner policy could be confused by provider aliases",
|
||
"description": "Summary Embedded runner policy could be confused by provider aliases. In affected versions, a request using provider aliases could compare policy against an alias instead of the canonical provider identity. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could select bundled tool access outside the intended provider policy. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.4.25. Mitigations avoid provider alias routing for embedded runner tool policy until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<=2026.4.24"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.4.25"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:40:05Z",
|
||
"updated": "2026-05-28T17:40:05Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-p39j-x9h5-q66m"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-p39j-x9h5-q66m",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [],
|
||
"credits": [
|
||
"zsxsoft",
|
||
"KeenSecurityLab",
|
||
"qclawer"
|
||
],
|
||
"aliases": [
|
||
"GHSA-p39j-x9h5-q66m"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-mpc8-jxjh-qpgh",
|
||
"ghsa_id": "GHSA-mpc8-jxjh-qpgh",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": null,
|
||
"title": "Focus command could miss controlScope enforcement",
|
||
"description": "Summary Focus command could miss controlScope enforcement. In affected versions, a caller able to trigger the focus command could run the command without enforcing the expected control scope. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could change focus state outside the intended caller authority. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.4.25. Mitigations restrict focus command access to trusted operators until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<=2026.4.24"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.4.25"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:40:03Z",
|
||
"updated": "2026-05-28T17:40:04Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-mpc8-jxjh-qpgh"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mpc8-jxjh-qpgh",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [],
|
||
"credits": [
|
||
"zsxsoft",
|
||
"KeenSecurityLab",
|
||
"qclawer"
|
||
],
|
||
"aliases": [
|
||
"GHSA-mpc8-jxjh-qpgh"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-985f-72mj-8gf7",
|
||
"ghsa_id": "GHSA-985f-72mj-8gf7",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": null,
|
||
"title": "Tool group policy callers could accept unvalidated group IDs",
|
||
"description": "Summary Tool group policy callers could accept unvalidated group IDs. In affected versions, a caller that can supply a group id to the affected policy resolver could resolve policy for an unvalidated group id. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could apply the wrong group-policy decision for a tool invocation. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.4.25. Mitigations avoid exposing group-policy controlled tools to untrusted senders until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<=2026.4.24"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.4.25"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:40:01Z",
|
||
"updated": "2026-05-28T17:40:02Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-985f-72mj-8gf7"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-985f-72mj-8gf7",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [],
|
||
"credits": [
|
||
"zsxsoft",
|
||
"KeenSecurityLab",
|
||
"qclawer"
|
||
],
|
||
"aliases": [
|
||
"GHSA-985f-72mj-8gf7"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-8mg9-j9cf-54cj",
|
||
"ghsa_id": "GHSA-8mg9-j9cf-54cj",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": null,
|
||
"title": "Empty-scope device re-pairing could confuse caller scope containment",
|
||
"description": "Summary Empty-scope device re-pairing could confuse caller scope containment. In affected versions, a device re-pairing request with an empty scope set could skip the intended containment guard during re-pairing. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could restore or retain scopes broader than the caller should grant. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.4.25. Mitigations revoke unexpected device sessions and require fresh pairing for suspicious devices until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<=2026.4.24"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.4.25"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:40:00Z",
|
||
"updated": "2026-05-28T17:40:00Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-8mg9-j9cf-54cj"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8mg9-j9cf-54cj",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [],
|
||
"credits": [
|
||
"zsxsoft",
|
||
"KeenSecurityLab",
|
||
"qclawer"
|
||
],
|
||
"aliases": [
|
||
"GHSA-8mg9-j9cf-54cj"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-6c4r-g249-wv3c",
|
||
"ghsa_id": "GHSA-6c4r-g249-wv3c",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-668",
|
||
"title": "Sandboxed session spawn could expose the real workspace path to child prompts",
|
||
"description": "Summary Sandboxed session spawn could expose the real workspace path to child prompts. In affected versions, a child session spawned from a sandboxed parent could forward the host workspace path into the child session prompt. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could reveal host workspace location or related memory context to the child model. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.4.26. Mitigations avoid spawning child sessions from sensitive sandboxed workspaces until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<= 2026.4.25"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.4.26"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:59Z",
|
||
"updated": "2026-05-28T17:39:59Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-6c4r-g249-wv3c"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6c4r-g249-wv3c",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-668"
|
||
],
|
||
"credits": [
|
||
"anshumanbh"
|
||
],
|
||
"aliases": [
|
||
"GHSA-6c4r-g249-wv3c"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-24vr-rprv-67rf",
|
||
"ghsa_id": "GHSA-24vr-rprv-67rf",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": null,
|
||
"title": "Workspace .env npmexecpath could influence bundled runtime dependency install",
|
||
"description": "Summary Workspace .env npmexecpath could influence bundled runtime dependency install. In affected versions, a workspace .env in a repository opened by a trusted operator could override the package-manager executable path used by the install helper. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could run an unintended local package-manager executable during dependency setup. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.4.29. Mitigations install bundled runtime dependencies from trusted workspaces until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@< 2026.4.29"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.4.29"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:58Z",
|
||
"updated": "2026-05-28T17:39:58Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-24vr-rprv-67rf"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-24vr-rprv-67rf",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [],
|
||
"credits": [
|
||
"feynman-hou"
|
||
],
|
||
"aliases": [
|
||
"GHSA-24vr-rprv-67rf"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-rx78-29qr-5hq8",
|
||
"ghsa_id": "GHSA-rx78-29qr-5hq8",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": null,
|
||
"title": "Workspace-derived service PATH could influence trash command selection",
|
||
"description": "Summary Workspace-derived service PATH could influence trash command selection. In affected versions, a workspace-derived environment path could select an unintended trash executable during maintenance. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could run a local executable from a path the operator did not intend for maintenance tasks. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.2. Mitigations keep maintenance flows on trusted workspaces and fixed service paths until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@< 2026.5.2"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.2"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:57Z",
|
||
"updated": "2026-05-28T17:39:57Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-rx78-29qr-5hq8"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rx78-29qr-5hq8",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [],
|
||
"credits": [],
|
||
"aliases": [
|
||
"GHSA-rx78-29qr-5hq8"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-v8cx-933x-r976",
|
||
"ghsa_id": "GHSA-v8cx-933x-r976",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": null,
|
||
"title": "Fake package roots could influence memory-core artifact loading",
|
||
"description": "Summary Fake package roots could influence memory-core artifact loading. In affected versions, a local package root resolution path influenced by workspace state could select a package root that was not the intended bundled artifact root. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could load memory-core artifacts from an unintended local location. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.4.25. Mitigations run memory-core flows from trusted workspaces until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<=2026.4.24"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.4.25"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:56Z",
|
||
"updated": "2026-05-28T17:39:56Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-v8cx-933x-r976"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v8cx-933x-r976",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [],
|
||
"credits": [
|
||
"feynman-hou"
|
||
],
|
||
"aliases": [
|
||
"GHSA-v8cx-933x-r976"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-wc84-j36w-pw4x",
|
||
"ghsa_id": "GHSA-wc84-j36w-pw4x",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": null,
|
||
"title": "Workspace .env STATEDIRECTORY could influence bundled runtime dependency roots",
|
||
"description": "Summary Workspace .env STATEDIRECTORY could influence bundled runtime dependency roots. In affected versions, a workspace .env in a repository opened by a trusted operator could set STATEDIRECTORY before runtime dependency root resolution. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could load bundled runtime dependencies from an unintended local state path. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.2. Mitigations avoid opening untrusted workspace env files before runtime dependency installation until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@< 2026.5.2"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.2"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:55Z",
|
||
"updated": "2026-05-28T17:39:55Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-wc84-j36w-pw4x"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-wc84-j36w-pw4x",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [],
|
||
"credits": [
|
||
"feynman-hou"
|
||
],
|
||
"aliases": [
|
||
"GHSA-wc84-j36w-pw4x"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-fq9j-vw4w-fr6v",
|
||
"ghsa_id": "GHSA-fq9j-vw4w-fr6v",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": null,
|
||
"title": "Workspace .env CLOUDSDKPYTHON could influence Gmail setup gcloud execution",
|
||
"description": "Summary Workspace .env CLOUDSDKPYTHON could influence Gmail setup gcloud execution. In affected versions, a workspace .env in a repository opened by a trusted operator could influence which Python runtime gcloud used through CLOUDSDKPYTHON. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could run setup through an unintended local Python path. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.2. Mitigations run Gmail setup from trusted workspaces and clear workspace env overrides until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@< 2026.5.2"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.2"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:54Z",
|
||
"updated": "2026-05-28T17:39:54Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-fq9j-vw4w-fr6v"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fq9j-vw4w-fr6v",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [],
|
||
"credits": [
|
||
"feynman-hou"
|
||
],
|
||
"aliases": [
|
||
"GHSA-fq9j-vw4w-fr6v"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-8wg3-5mcm-fjq8",
|
||
"ghsa_id": "GHSA-8wg3-5mcm-fjq8",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": null,
|
||
"title": "Workspace .env could override Homebrew executable selection for skill install flows",
|
||
"description": "Summary Workspace .env could override Homebrew executable selection for skill install flows. In affected versions, a workspace .env in a repository opened by a trusted operator could override the Homebrew executable used by the install helper. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could run an unintended Homebrew-compatible executable during skill setup. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.27. Mitigations avoid running skill install flows from untrusted workspaces until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@< 2026.5.27"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.27"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:53Z",
|
||
"updated": "2026-05-28T17:39:53Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-8wg3-5mcm-fjq8"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8wg3-5mcm-fjq8",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [],
|
||
"credits": [
|
||
"feynman-hou"
|
||
],
|
||
"aliases": [
|
||
"GHSA-8wg3-5mcm-fjq8"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-77pv-3w4q-vrj5",
|
||
"ghsa_id": "GHSA-77pv-3w4q-vrj5",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": null,
|
||
"title": "QQBot pre-dispatch slash commands could skip allowFrom checks",
|
||
"description": "Summary QQBot pre-dispatch slash commands could skip allowFrom checks. In affected versions, a QQBot sender able to invoke slash commands could dispatch the command before applying the configured allowFrom policy. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could trigger command handling from a sender that policy should have blocked. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.4.27. Mitigations restrict QQBot slash command exposure until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<=2026.4.26"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.4.27"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:52Z",
|
||
"updated": "2026-05-28T17:39:52Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-77pv-3w4q-vrj5"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-77pv-3w4q-vrj5",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [],
|
||
"credits": [
|
||
"zsxsoft",
|
||
"KeenSecurityLab",
|
||
"qclawer"
|
||
],
|
||
"aliases": [
|
||
"GHSA-77pv-3w4q-vrj5"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-v2ww-5rh7-2h5v",
|
||
"ghsa_id": "GHSA-v2ww-5rh7-2h5v",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "high",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-693",
|
||
"title": "Linux and macOS exec allowlists skipped configured argument patterns",
|
||
"description": "Summary OpenClaw's exec allowlist supported optional argPattern entries to restrict the arguments accepted for an allowlisted executable. In affected releases, Linux and macOS gateways skipped argPattern checks and treated a matching executable path as sufficient to satisfy the allowlist. This meant an operator could configure an allowlist entry that appeared to permit only a narrow argv shape, but OpenClaw would allow other argv for the same executable without an approval prompt when tools.exec.security was set to allowlist. This issue is limited to direct enforcement of configured argPattern values. OpenClaw's exec approvals remain best-effort guardrails and do not attempt to semantically model every interpreter, loader, package script, shell feature, or transitive file a command may use. Affected configurations This affects OpenClaw gateway deployments that meet all of these conditions: - the gateway runs on Linux or macOS - exec is configured with tools.exec.security: \"allowlist\" - at least one exec allowlist entry uses argPattern - the allowlisted executable accepts security-relevant arguments or flags Path-only allowlist entries are not additionally affected by this issue, because those entries intentionally allow any arguments for the matched executable. Windows was not affected by this specific bug because the affected code path already applied argPattern checks on Windows. Impact If an untrusted or lower-trust sender can influence a tool-enabled agent to call exec, they may be able to run disallowed arguments for an executable that the operator intended to restrict with argPattern. Depending on the executable, those arguments can cause host-side file access, network access, or command execution that should have required an approval prompt. The practical impact depends on the operator's allowlist and channel exposure. 
Examples of higher-risk allowlisted executables include tools with interpreter, loader, subprocess, network, or plugin flags such as git, python, node, bash, find, tar, and ssh. This is not a bypass of all exec approval semantics. It is a bypass of the direct argPattern predicate that the operator configured and that the exec tool description advertised as enforced at runtime. Patched Versions The first stable patched version is 2026.5.12. Mitigations Upgrade to openclaw@2026.5.12 or later. Before upgrading, operators who use exec allowlist mode should review entries that combine an executable path with argPattern, especially for interpreter-like or subprocess-capable tools.",
|
||
"affected": [
|
||
"openclaw@< 2026.5.12"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.12"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:50Z",
|
||
"updated": "2026-05-28T17:39:50Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-v2ww-5rh7-2h5v"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v2ww-5rh7-2h5v",
|
||
"nvd_url": null,
|
||
"cvss_score": 7.1,
|
||
"cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
|
||
"cwe_ids": [
|
||
"CWE-693",
|
||
"CWE-863"
|
||
],
|
||
"credits": [
|
||
"Curly-Haired-Baboon"
|
||
],
|
||
"aliases": [
|
||
"GHSA-v2ww-5rh7-2h5v"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-72fw-cqh5-f324",
|
||
"ghsa_id": "GHSA-72fw-cqh5-f324",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": null,
|
||
"title": "memory-wiki shared search could miss session visibility checks",
|
||
"description": "Summary memory-wiki shared search could miss session visibility checks. In affected versions, a caller able to search shared memory could skip the session visibility guard on the affected search path. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could return memory entries that should not have been visible to that session. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.4.29. Mitigations limit shared memory search to trusted operators until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<=2026.4.27"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.4.29"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:49Z",
|
||
"updated": "2026-05-28T17:39:49Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-72fw-cqh5-f324"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-72fw-cqh5-f324",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [],
|
||
"credits": [
|
||
"zsxsoft",
|
||
"KeenSecurityLab",
|
||
"qclawer"
|
||
],
|
||
"aliases": [
|
||
"GHSA-72fw-cqh5-f324"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-grc3-2j34-p6gm",
|
||
"ghsa_id": "GHSA-grc3-2j34-p6gm",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": null,
|
||
"title": "message.action forwarding could send Gateway credentials to model-supplied loopback URLs",
|
||
"description": "Summary message.action forwarding could send Gateway credentials to model-supplied loopback URLs. In affected versions, model-controlled action metadata that selects a loopback Gateway URL could forward the action payload with Gateway credentials to the supplied loopback URL. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could expose the token and action payload to a local listener chosen through the affected path. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.2. Mitigations restrict message action forwarding and avoid model-supplied loopback targets until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<= 2026.4.29"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.2"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:47Z",
|
||
"updated": "2026-05-28T17:39:47Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-grc3-2j34-p6gm"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-grc3-2j34-p6gm",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [],
|
||
"credits": [
|
||
"anshumanbh"
|
||
],
|
||
"aliases": [
|
||
"GHSA-grc3-2j34-p6gm"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-jvm4-4j77-39p6",
|
||
"ghsa_id": "GHSA-jvm4-4j77-39p6",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": null,
|
||
"title": "QQBot streaming command could mutate config without explicit allowFrom",
|
||
"description": "Summary QQBot streaming command could mutate config without explicit allowFrom. In affected versions, a QQBot sender reaching the affected command could change configuration without requiring an explicit non-wildcard allowlist entry. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could modify QQBot streaming configuration outside the intended admin policy. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.4.29. Mitigations disable the command or restrict it to explicit trusted QQBot senders until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"@openclaw/qqbot@<= 2026.4.27"
|
||
],
|
||
"patched": [
|
||
"@openclaw/qqbot@2026.4.29"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:46Z",
|
||
"updated": "2026-05-28T17:39:46Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-jvm4-4j77-39p6"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jvm4-4j77-39p6",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [],
|
||
"credits": [
|
||
"anshumanbh"
|
||
],
|
||
"aliases": [
|
||
"GHSA-jvm4-4j77-39p6"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-8c59-hr4w-qg69",
|
||
"ghsa_id": "GHSA-8c59-hr4w-qg69",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-290",
|
||
"title": "Zalo allowFrom could bind to mutable display names",
|
||
"description": "Summary Zalo allowFrom could bind to mutable display names. In affected versions, a Zalo friend or contact with mutable display metadata could match a policy entry through mutable display metadata. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could receive agent responses intended for another Zalo identity. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.3. Mitigations use stable Zalo identifiers where available and keep friend access restricted until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<= 2026.5.2"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.3"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:43Z",
|
||
"updated": "2026-05-28T17:39:43Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-8c59-hr4w-qg69"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8c59-hr4w-qg69",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-290"
|
||
],
|
||
"credits": [
|
||
"PhilipPhil"
|
||
],
|
||
"aliases": [
|
||
"GHSA-8c59-hr4w-qg69"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-qjpc-qf9m-xwmr",
|
||
"ghsa_id": "GHSA-qjpc-qf9m-xwmr",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "high",
|
||
"type": "missing_authorization",
|
||
"nvd_category_id": "CWE-862",
|
||
"title": "Trusted-proxy Control UI WebSocket accepted client-declared scopes before pairing",
|
||
"description": "Summary In trusted-proxy Control UI mode, OpenClaw accepted a WebSocket client's declared operator scopes before those scopes were bound to a server-approved pairing or trusted-proxy authorization baseline. This issue affects trusted-proxy Control UI deployments. It does not apply to shared-secret Control UI sessions, which are treated as trusted operator sessions by design. Affected configurations This affects deployments using gateway.auth.mode: \"trusted-proxy\" for Control UI access where a restricted trusted-proxy user could open a Control UI WebSocket and present a fresh, unpaired device identity with elevated requested scopes. Impact An unpaired or restricted trusted-proxy Control UI client could obtain cached operator.admin authority on its live WebSocket connection. That authority could then be used for admin-gated Gateway RPCs until the connection was closed or revalidated. Patched Versions The first stable patched version is 2026.5.18. Mitigations Upgrade to openclaw@2026.5.18 or later. Before upgrading, restrict trusted-proxy Control UI access to users who should have the scopes they can request, and restart the gateway after changing trusted-proxy authorization policy.",
|
||
"affected": [
|
||
"openclaw@< 2026.5.18"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.18"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:42Z",
|
||
"updated": "2026-05-28T17:39:42Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-qjpc-qf9m-xwmr"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qjpc-qf9m-xwmr",
|
||
"nvd_url": null,
|
||
"cvss_score": 8.8,
|
||
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
|
||
"cwe_ids": [
|
||
"CWE-862",
|
||
"CWE-863"
|
||
],
|
||
"credits": [
|
||
"adactum",
|
||
"handmilkingsoftware"
|
||
],
|
||
"aliases": [
|
||
"GHSA-qjpc-qf9m-xwmr"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-rwp6-7w3q-75fq",
|
||
"ghsa_id": "GHSA-rwp6-7w3q-75fq",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-276",
|
||
"title": "Config recovery could restore openclaw.json with broad file permissions",
|
||
"description": "Summary Config recovery could restore openclaw.json with broad file permissions. In affected versions, a local recovery path after configuration repair could leave the restored config file more readable than intended. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could expose local configuration to other same-host users where OS permissions allow it. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.4.24. Mitigations check openclaw.json permissions after recovery on shared hosts until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@= 2026.4.23"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.4.24"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:41Z",
|
||
"updated": "2026-05-28T17:39:41Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-rwp6-7w3q-75fq"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rwp6-7w3q-75fq",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-276"
|
||
],
|
||
"credits": [
|
||
"Kaze310"
|
||
],
|
||
"aliases": [
|
||
"GHSA-rwp6-7w3q-75fq"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-c29c-2q9c-pc86",
|
||
"ghsa_id": "GHSA-c29c-2q9c-pc86",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-290",
|
||
"title": "Slack allowFrom could bind to mutable display names",
|
||
"description": "Summary Slack allowFrom could bind to mutable display names. In affected versions, a Slack account able to change display name metadata could match a policy entry through mutable display metadata. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could receive agent access intended for another Slack identity. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.3. Mitigations use stable Slack user IDs in allowlists until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<= 2026.5.3-1"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.3"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:40Z",
|
||
"updated": "2026-05-28T17:39:40Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-c29c-2q9c-pc86"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-c29c-2q9c-pc86",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-290"
|
||
],
|
||
"credits": [
|
||
"PhilipPhil"
|
||
],
|
||
"aliases": [
|
||
"GHSA-c29c-2q9c-pc86"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-gp79-m99v-gjmh",
|
||
"ghsa_id": "GHSA-gp79-m99v-gjmh",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": null,
|
||
"title": "Mattermost handlers could fall open when channel type was missing",
|
||
"description": "Summary Mattermost handlers could fall open when channel type was missing. In affected versions, a Mattermost event missing channel type metadata could continue without applying the intended DM policy decision. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could process a Mattermost event that should have been gated by channel policy. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.6. Mitigations keep Mattermost bot access restricted and review channel metadata errors until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<=2026.5.5"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.6"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:39Z",
|
||
"updated": "2026-05-28T17:39:39Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-gp79-m99v-gjmh"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gp79-m99v-gjmh",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [],
|
||
"credits": [
|
||
"zsxsoft",
|
||
"KeenSecurityLab",
|
||
"qclawer"
|
||
],
|
||
"aliases": [
|
||
"GHSA-gp79-m99v-gjmh"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-c226-q6fx-6j6c",
|
||
"ghsa_id": "GHSA-c226-q6fx-6j6c",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": null,
|
||
"title": "macOS Swift exec allowlist missed combined POSIX inline flags",
|
||
"description": "Summary macOS Swift exec allowlist missed combined POSIX inline flags. In affected versions, a command request using combined POSIX inline-command flags could miss inline-command content expressed through combined flags. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could run shell content outside the intended allowlist check. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.6. Mitigations require approval for combined shell flag forms on macOS until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<=2026.5.5"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.6"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:38Z",
|
||
"updated": "2026-05-28T17:39:38Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-c226-q6fx-6j6c"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-c226-q6fx-6j6c",
|
||
"nvd_url": null,
|
||
"cvss_score": 6.6,
|
||
"cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
|
||
"cwe_ids": [],
|
||
"credits": [
|
||
"zsxsoft",
|
||
"KeenSecurityLab",
|
||
"qclawer"
|
||
],
|
||
"aliases": [
|
||
"GHSA-c226-q6fx-6j6c"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-3wqp-prf6-2m72",
|
||
"ghsa_id": "GHSA-3wqp-prf6-2m72",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "low",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": null,
|
||
"title": "Feishu dynamic-agent bindings could miss configWrites enforcement",
|
||
"description": "Summary Feishu dynamic-agent bindings could miss configWrites enforcement. In affected versions, a Feishu sender using dynamic-agent binding behavior could create or update bindings without honoring the configured config-write control. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could change sender-agent binding state beyond the intended policy. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.6. Mitigations disable sender-created Feishu dynamic-agent bindings until patched if not needed. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<=2026.5.5"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.6"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:37Z",
|
||
"updated": "2026-05-28T17:39:37Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-3wqp-prf6-2m72"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3wqp-prf6-2m72",
|
||
"nvd_url": null,
|
||
"cvss_score": 3.1,
|
||
"cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
|
||
"cwe_ids": [],
|
||
"credits": [
|
||
"zsxsoft",
|
||
"KeenSecurityLab",
|
||
"qclawer"
|
||
],
|
||
"aliases": [
|
||
"GHSA-3wqp-prf6-2m72"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-cqwv-9qjx-vxw2",
|
||
"ghsa_id": "GHSA-cqwv-9qjx-vxw2",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": null,
|
||
"title": "Skill Workshop apply flow could override pending approval",
|
||
"description": "Summary Skill Workshop apply flow could override pending approval. In affected versions, an agent tool call reaching the affected Skill Workshop apply path could set apply: true despite approvalPolicy: pending. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could apply a workshop change before the expected approval step. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.6. Mitigations review Skill Workshop changes manually and keep the tool restricted until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<=2026.5.5"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.6"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:35Z",
|
||
"updated": "2026-05-28T17:39:35Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-cqwv-9qjx-vxw2"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cqwv-9qjx-vxw2",
|
||
"nvd_url": null,
|
||
"cvss_score": 5.3,
|
||
"cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
|
||
"cwe_ids": [],
|
||
"credits": [
|
||
"zsxsoft",
|
||
"KeenSecurityLab",
|
||
"qclawer"
|
||
],
|
||
"aliases": [
|
||
"GHSA-cqwv-9qjx-vxw2"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-68xw-r643-9p5w",
|
||
"ghsa_id": "GHSA-68xw-r643-9p5w",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "low",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": null,
|
||
"title": "Skill-command dispatch could skip before-tool-call hooks",
|
||
"description": "Summary Skill-command dispatch could skip before-tool-call hooks. In affected versions, a skill command routed through the affected dispatch path could run without the same runBeforeToolCallHook coverage as other tool entry points. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could miss hook-based auditing or policy parity for that command path. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.6. Mitigations avoid relying on hook-only enforcement for skill commands until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<=2026.5.5"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.6"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:34Z",
|
||
"updated": "2026-05-29T03:38:44Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-68xw-r643-9p5w"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-68xw-r643-9p5w",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [],
|
||
"credits": [
|
||
"zsxsoft",
|
||
"qclawer",
|
||
"KeenSecurityLab"
|
||
],
|
||
"aliases": [
|
||
"GHSA-68xw-r643-9p5w"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-x629-46cc-7xgw",
|
||
"ghsa_id": "GHSA-x629-46cc-7xgw",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": null,
|
||
"title": "Active Memory write scope could mutate global config",
|
||
"description": "Summary Active Memory write scope could mutate global config. In affected versions, a Gateway caller with operator.write access to the affected command could change global configuration without requiring operator.admin. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could apply configuration changes beyond the intended write scope. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.6. Mitigations limit Active Memory write access to trusted operators until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<=2026.5.5"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.6"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:33Z",
|
||
"updated": "2026-05-28T17:39:33Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-x629-46cc-7xgw"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-x629-46cc-7xgw",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [],
|
||
"credits": [
|
||
"zsxsoft",
|
||
"KeenSecurityLab",
|
||
"qclawer"
|
||
],
|
||
"aliases": [
|
||
"GHSA-x629-46cc-7xgw"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-w5ww-7chg-mxcq",
|
||
"ghsa_id": "GHSA-w5ww-7chg-mxcq",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": null,
|
||
"title": "Telegram interactive callbacks could skip commands.allowFrom",
|
||
"description": "Summary Telegram interactive callbacks could skip commands.allowFrom. In affected versions, a Telegram user able to invoke an affected callback could mark the callback as an authorized sender before applying commands.allowFrom. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could trigger command behavior outside the configured Telegram sender allowlist. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.6. Mitigations restrict Telegram command callbacks to trusted chats until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<=2026.5.5"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.6"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:32Z",
|
||
"updated": "2026-05-28T17:39:32Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-w5ww-7chg-mxcq"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w5ww-7chg-mxcq",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [],
|
||
"credits": [
|
||
"zsxsoft",
|
||
"KeenSecurityLab",
|
||
"qclawer"
|
||
],
|
||
"aliases": [
|
||
"GHSA-w5ww-7chg-mxcq"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-p73f-w79w-jqr5",
|
||
"ghsa_id": "GHSA-p73f-w79w-jqr5",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": null,
|
||
"title": "Native command authorization could skip owner-command enforcement",
|
||
"description": "Summary Native command authorization could skip owner-command enforcement. In affected versions, a sender able to trigger native command handling could authorize a native command without enforcing the configured owner-only command policy. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could run an owner-style command from a sender that should not have that command access. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.6. Mitigations keep native command surfaces limited to trusted senders until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<=2026.5.5"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.6"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:31Z",
|
||
"updated": "2026-05-29T03:36:40Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-p73f-w79w-jqr5"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-p73f-w79w-jqr5",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [],
|
||
"credits": [
|
||
"zsxsoft",
|
||
"KeenSecurityLab",
|
||
"qclawer"
|
||
],
|
||
"aliases": [
|
||
"GHSA-p73f-w79w-jqr5"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-7hxm-f538-3xp6",
|
||
"ghsa_id": "GHSA-7hxm-f538-3xp6",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-290",
|
||
"title": "Matrix allowFrom could bind to mutable display names",
|
||
"description": "Summary Matrix allowFrom could bind to mutable display names. In affected versions, a Matrix account able to change display name metadata could match a policy entry through mutable display metadata. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could receive agent access intended for another Matrix identity. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.7. Mitigations use stable Matrix user IDs in allowlists until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<= 2026.5.6"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.7"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:30Z",
|
||
"updated": "2026-05-28T17:39:30Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-7hxm-f538-3xp6"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7hxm-f538-3xp6",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-290"
|
||
],
|
||
"credits": [
|
||
"PhilipPhil"
|
||
],
|
||
"aliases": [
|
||
"GHSA-7hxm-f538-3xp6"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-cw4q-gqg5-g38h",
|
||
"ghsa_id": "GHSA-cw4q-gqg5-g38h",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-290",
|
||
"title": "Discord allowFrom could bind to mutable display names",
|
||
"description": "Summary Discord allowFrom could bind to mutable display names. In affected versions, a Discord account able to change display or global name metadata could match a policy entry through mutable display metadata. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could receive agent access intended for another Discord identity. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.7. Mitigations use stable Discord user IDs in allowlists until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<= 2026.5.6"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.7"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:29Z",
|
||
"updated": "2026-05-28T17:39:29Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-cw4q-gqg5-g38h"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cw4q-gqg5-g38h",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-290"
|
||
],
|
||
"credits": [
|
||
"PhilipPhil"
|
||
],
|
||
"aliases": [
|
||
"GHSA-cw4q-gqg5-g38h"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-p2fh-f5fc-44hr",
|
||
"ghsa_id": "GHSA-p2fh-f5fc-44hr",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-732",
|
||
"title": "memory-wiki ingest could read local files with operator.write scope",
|
||
"description": "Summary memory-wiki ingest could read local files with operator.write scope. In affected versions, a Gateway caller with operator.write access to the plugin tool could read arbitrary local file paths instead of staying within the intended ingest sources. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could import local file content into wiki memory. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Resolution Update to a patched OpenClaw release when one is listed for this advisory. If the Patched versions field is populated, use that version or later. Mitigations limit memory-wiki write access to trusted operators until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<= 2026.5.6"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.4.7"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:28Z",
|
||
"updated": "2026-05-28T17:39:28Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-p2fh-f5fc-44hr"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-p2fh-f5fc-44hr",
|
||
"nvd_url": null,
|
||
"cvss_score": 6.5,
|
||
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
|
||
"cwe_ids": [
|
||
"CWE-732"
|
||
],
|
||
"credits": [
|
||
"Blee72"
|
||
],
|
||
"aliases": [
|
||
"GHSA-p2fh-f5fc-44hr"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-77q5-rr5v-x43q",
|
||
"ghsa_id": "GHSA-77q5-rr5v-x43q",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-20",
|
||
"title": "Trusted retry endpoint checks could match hostname prefixes",
|
||
"description": "Summary Trusted retry endpoint checks could match hostname prefixes. In affected versions, a retry endpoint URL chosen by lower-trust input could pass validation by using a hostname prefix that resembled a trusted host. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could send authentication material to an endpoint outside the intended trust target. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.7. Mitigations pin retry endpoints to exact trusted origins until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@*"
|
||
],
|
||
"patched": [],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:26Z",
|
||
"updated": "2026-05-28T17:39:27Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-77q5-rr5v-x43q"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-77q5-rr5v-x43q",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-20",
|
||
"CWE-345",
|
||
"CWE-1023"
|
||
],
|
||
"credits": [
|
||
"ccy41928-del"
|
||
],
|
||
"aliases": [
|
||
"GHSA-77q5-rr5v-x43q"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-83w9-h5wv-j9xm",
|
||
"ghsa_id": "GHSA-83w9-h5wv-j9xm",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-367",
|
||
"title": "Node pairing reconnection could confuse approval scope state",
|
||
"description": "Summary Node pairing reconnection could confuse approval scope state. In affected versions, a paired or reconnecting node session could mutate pairing state in a way that changed the approval scope decision. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could restore or present broader node authority than the operator intended. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.27. Mitigations revoke unexpected node pairings and re-pair only trusted nodes until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@< 2026.5.27"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.27"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:25Z",
|
||
"updated": "2026-05-28T17:39:25Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-83w9-h5wv-j9xm"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-83w9-h5wv-j9xm",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-367"
|
||
],
|
||
"credits": [
|
||
"YLChen-007"
|
||
],
|
||
"aliases": [
|
||
"GHSA-83w9-h5wv-j9xm"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-j472-gf56-x589",
|
||
"ghsa_id": "GHSA-j472-gf56-x589",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-184",
|
||
"title": "PowerShell encoded-command aliases could miss exec allowlist checks",
|
||
"description": "Summary PowerShell encoded-command aliases could miss exec allowlist checks. In affected versions, a command request using abbreviated encoded-command flags could use an alias form not recognized by the allowlist parser. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could run encoded PowerShell content without the intended allowlist decision. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.12. Mitigations avoid allowlisting PowerShell wrapper forms and require approval for encoded commands until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<= 2026.5.7"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.12"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:25Z",
|
||
"updated": "2026-05-28T17:39:25Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-j472-gf56-x589"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-j472-gf56-x589",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-184"
|
||
],
|
||
"credits": [
|
||
"YLChen-007"
|
||
],
|
||
"aliases": [
|
||
"GHSA-j472-gf56-x589"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-w9hf-3pp7-pvxv",
|
||
"ghsa_id": "GHSA-w9hf-3pp7-pvxv",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "cross_site_scripting",
|
||
"nvd_category_id": "CWE-79",
|
||
"title": "Exported session HTML could keep unsafe markdown links",
|
||
"description": "Summary Exported session HTML could keep unsafe markdown links. In affected versions, content rendered into an exported session could preserve unsafe javascript: or data: links in generated HTML. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could run browser-side script if a trusted operator opens the exported file and activates the link. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.12. Mitigations do not open exported session HTML from untrusted content in a privileged browser profile until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<= 2026.5.7"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.12"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:23Z",
|
||
"updated": "2026-05-28T17:39:23Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-w9hf-3pp7-pvxv"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w9hf-3pp7-pvxv",
|
||
"nvd_url": null,
|
||
"cvss_score": 6.1,
|
||
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
|
||
"cwe_ids": [
|
||
"CWE-79"
|
||
],
|
||
"credits": [
|
||
"YLChen-007"
|
||
],
|
||
"aliases": [
|
||
"GHSA-w9hf-3pp7-pvxv"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-8j37-5w68-wj2g",
|
||
"ghsa_id": "GHSA-8j37-5w68-wj2g",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "low",
|
||
"type": "incorrect_authorization",
|
||
"nvd_category_id": "CWE-863",
|
||
"title": "BlueBubbles sender policy could match mutable conversation identifiers",
|
||
"description": "Summary BlueBubbles sender policy could match mutable conversation identifiers. In affected versions, a participant able to influence conversation-level identifiers could match an allowlist entry through conversation metadata rather than a stable sender identity. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could receive agent responses that should have been limited to a configured sender. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.7. Mitigations prefer stable sender identifiers and keep BlueBubbles groups restricted until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<= 2026.5.6"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.7"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:22Z",
|
||
"updated": "2026-05-28T17:39:22Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-8j37-5w68-wj2g"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8j37-5w68-wj2g",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-863"
|
||
],
|
||
"credits": [
|
||
"YLChen-007"
|
||
],
|
||
"aliases": [
|
||
"GHSA-8j37-5w68-wj2g"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-fcvx-5cxc-v5p8",
|
||
"ghsa_id": "GHSA-fcvx-5cxc-v5p8",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "low",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-285",
|
||
"title": "Slack reaction events could ignore reaction notification settings",
|
||
"description": "Summary Slack reaction events could ignore reaction notification settings. In affected versions, a Slack reaction event delivered to the configured app could enter the agent pipeline even when reaction notifications were disabled. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could trigger unintended agent processing for reaction events. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.12. Mitigations disable or restrict Slack reaction event subscriptions until patched if this path is not needed. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<= 2026.5.7"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.12"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:18Z",
|
||
"updated": "2026-05-28T17:39:18Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-fcvx-5cxc-v5p8"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fcvx-5cxc-v5p8",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-285"
|
||
],
|
||
"credits": [
|
||
"YLChen-007"
|
||
],
|
||
"aliases": [
|
||
"GHSA-fcvx-5cxc-v5p8"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-f397-5vjw-v2c2",
|
||
"ghsa_id": "GHSA-f397-5vjw-v2c2",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-184",
|
||
"title": "Shell inline-command parsing could miss an allowlist check",
|
||
"description": "Summary Shell inline-command parsing could miss an allowlist check. In affected versions, a command request using shell inline-command forms could route an inline command through a parser case that did not receive the expected allowlist decision. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could run shell content without the intended approval or allowlist prompt. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.12. Mitigations require approval for shell inline-command forms until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<= 2026.5.10-beta.1"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.12"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:16Z",
|
||
"updated": "2026-05-28T17:39:16Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-f397-5vjw-v2c2"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f397-5vjw-v2c2",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-184"
|
||
],
|
||
"credits": [
|
||
"YLChen-007"
|
||
],
|
||
"aliases": [
|
||
"GHSA-f397-5vjw-v2c2"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-9v8j-9c9g-w66c",
|
||
"ghsa_id": "GHSA-9v8j-9c9g-w66c",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-269",
|
||
"title": "Bootstrap token replay could widen pending pairing scopes",
|
||
"description": "Summary Bootstrap token replay could widen pending pairing scopes. In affected versions, a caller with access to a pending bootstrap token could reuse the token before approval with a broader requested scope set. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could present or retain broader pending pairing authority than intended. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.12. Mitigations treat pairing codes as sensitive and cancel unexpected pending pairings until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<= 2026.5.10-beta.2"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.12"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:15Z",
|
||
"updated": "2026-05-28T17:39:15Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-9v8j-9c9g-w66c"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9v8j-9c9g-w66c",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-269"
|
||
],
|
||
"credits": [
|
||
"YLChen-007"
|
||
],
|
||
"aliases": [
|
||
"GHSA-9v8j-9c9g-w66c"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-rjxq-qqhf-8hwh",
|
||
"ghsa_id": "GHSA-rjxq-qqhf-8hwh",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "high",
|
||
"type": "exposure_of_sensitive_information",
|
||
"nvd_category_id": "CWE-200",
|
||
"title": "MCP Streamable HTTP redirects could forward configured custom headers to another origin",
|
||
"description": "Summary OpenClaw supports remote MCP Streamable HTTP servers with operator-configured custom headers. In affected releases, those headers could be forwarded when the MCP endpoint responded with a cross-origin redirect. This issue is limited to configured MCP Streamable HTTP servers that use custom headers. It does not expose unrelated OpenClaw credentials. Affected configurations This affects deployments where an MCP server is configured with: - transportType: \"streamable-http\" - sensitive custom headers under mcp.servers..headers - an MCP endpoint that is malicious, compromised, or able to redirect to another origin Impact Custom MCP headers, such as API keys or tenant-routing headers, could be sent to the redirect target. The exposed credential scope depends on the header the operator configured for that MCP server. Patched Versions The first stable patched version is 2026.5.12. Mitigations Upgrade to openclaw@2026.5.8 or later. Before upgrading, avoid custom MCP headers with servers you do not fully trust, and rotate any MCP-specific credentials that may have been exposed by a redirecting endpoint.",
|
||
"affected": [
|
||
"openclaw@< 2026.5.12"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.12"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:13Z",
|
||
"updated": "2026-05-28T17:39:13Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-rjxq-qqhf-8hwh"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rjxq-qqhf-8hwh",
|
||
"nvd_url": null,
|
||
"cvss_score": 7.1,
|
||
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
|
||
"cwe_ids": [
|
||
"CWE-200"
|
||
],
|
||
"credits": [
|
||
"YLChen-007"
|
||
],
|
||
"aliases": [
|
||
"GHSA-rjxq-qqhf-8hwh"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-chr9-m4q2-76hw",
|
||
"ghsa_id": "GHSA-chr9-m4q2-76hw",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "high",
|
||
"type": "improper_access_control",
|
||
"nvd_category_id": "CWE-284",
|
||
"title": "Control UI locality spoofing could mint a durable admin device token",
|
||
"description": "Summary In affected LAN/shared-token Control UI deployments, a caller could spoof locality information used during Control UI pairing and obtain a durable admin-capable device token. This issue is limited to deployments where the caller already has the network/authentication foothold needed to reach the Control UI pairing path. It is not an unauthenticated internet exposure issue. Affected configurations This affects configurations such as LAN-bound gateways or shared-token Control UI access where locality signals were accepted as sufficient for pairing decisions. Impact A temporary or shared Control UI access path could be turned into a persistent admin device token. That token could remain useful after the shared gateway token was rotated, unless the paired device was removed. The issue is a pairing/locality validation problem: locality-derived trust was stronger than it should have been. Patched Versions The first stable patched version is 2026.5.22. Mitigations Upgrade to openclaw@2026.5.22 or later. For older deployments, remove unexpected paired devices and avoid exposing Control UI pairing paths on networks with untrusted clients.",
|
||
"affected": [
|
||
"openclaw@< 2026.5.22"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.22"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:12Z",
|
||
"updated": "2026-05-28T17:39:12Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-chr9-m4q2-76hw"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-chr9-m4q2-76hw",
|
||
"nvd_url": null,
|
||
"cvss_score": 8,
|
||
"cvss_vector": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
|
||
"cwe_ids": [
|
||
"CWE-284",
|
||
"CWE-287",
|
||
"CWE-290",
|
||
"CWE-863"
|
||
],
|
||
"credits": [
|
||
"cantinagen"
|
||
],
|
||
"aliases": [
|
||
"GHSA-chr9-m4q2-76hw"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-rggc-m335-3wvj",
|
||
"ghsa_id": "GHSA-rggc-m335-3wvj",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-269",
|
||
"title": "Same-host trusted-proxy deployments could accept local forged identity headers",
|
||
"description": "Summary Same-host trusted-proxy deployments could accept local forged identity headers. In affected versions, a local same-host caller that can reach the proxy-facing Gateway port could supply identity headers normally reserved for the trusted proxy. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could receive operator identity associated with the forged headers. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.18. Mitigations bind trusted-proxy ingress behind the actual proxy and firewall direct same-host access. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@< 2026.5.18"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.18"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:11Z",
|
||
"updated": "2026-05-28T17:39:11Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-rggc-m335-3wvj"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rggc-m335-3wvj",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-269",
|
||
"CWE-284",
|
||
"CWE-287",
|
||
"CWE-290",
|
||
"CWE-863"
|
||
],
|
||
"credits": [
|
||
"cantinagen"
|
||
],
|
||
"aliases": [
|
||
"GHSA-rggc-m335-3wvj"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-6fvr-66p3-3qj4",
|
||
"ghsa_id": "GHSA-6fvr-66p3-3qj4",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "high",
|
||
"type": "exposure_of_sensitive_information",
|
||
"nvd_category_id": "CWE-200",
|
||
"title": "Hook-triggered CLI runs could receive owner MCP tool authority",
|
||
"description": "Summary OpenClaw hook ingress can start automated agent runs using a configured hook token. In affected releases, a hook-triggered run could select a bundled CLI backend that received owner-scoped MCP loopback authority instead of a scope appropriate for hook ingress. This issue affects the boundary between hook-token automation and owner-only MCP tools. It does not affect deployments with hooks disabled. Affected configurations This affects deployments where hooks are enabled, /hooks/agent is reachable with a valid hook token, and a bundled CLI backend can be selected for the hook-triggered run. Impact A caller with the hook token could cause the spawned CLI runtime to see or call MCP tools that should have been owner-only. The practical impact depends on which MCP tools are available; the reported proof used persistent cron state as a representative owner-only action. Patched Versions The first stable patched version is 2026.5.20. Fixed in the 2026.5.20 stable release. Mitigations Upgrade to openclaw@2026.5.20 or later. Keep hook tokens secret, restrict network access to hook endpoints, and disable hooks when they are not needed.",
|
||
"affected": [
|
||
"openclaw@< 2026.5.20"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.20"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:09Z",
|
||
"updated": "2026-05-28T17:39:09Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-6fvr-66p3-3qj4"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6fvr-66p3-3qj4",
|
||
"nvd_url": null,
|
||
"cvss_score": 8.4,
|
||
"cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L",
|
||
"cwe_ids": [
|
||
"CWE-200",
|
||
"CWE-284"
|
||
],
|
||
"credits": [
|
||
"cantinagen"
|
||
],
|
||
"aliases": [
|
||
"GHSA-6fvr-66p3-3qj4"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-q99w-vh6v-q3v7",
|
||
"ghsa_id": "GHSA-q99w-vh6v-q3v7",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "high",
|
||
"type": "improper_access_control",
|
||
"nvd_category_id": "CWE-284",
|
||
"title": "Pairing-scoped device session could restore revoked node token authority",
|
||
"description": "Summary In affected releases, a surviving pairing-scoped session for a device could re-establish node token authority after that node token had been revoked. Revocation should require the device to lose that authority unless it is approved again through the normal pairing flow. This issue affects token revocation and device-role containment. It does not allow unauthenticated device creation. Affected configurations This affects deployments where an already paired device keeps a same-device session with pairing-related scope after its node token is revoked. Impact A device that should have lost node WebSocket authority could regain it without renewed approval. That weakens revocation as an operator control and can keep node-level access alive longer than intended. The impact is limited to devices that already had a legitimate pairing/session foothold. Patched Versions The first stable patched version is 2026.5.26. Mitigations Upgrade to openclaw@2026.5.26 or later. If a node token was revoked on an older version, restart the gateway and remove/re-pair the affected device to ensure no stale session remains active.",
|
||
"affected": [
|
||
"openclaw@< 2026.5.26"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.26"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:08Z",
|
||
"updated": "2026-05-28T17:39:08Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-q99w-vh6v-q3v7"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q99w-vh6v-q3v7",
|
||
"nvd_url": null,
|
||
"cvss_score": 8.8,
|
||
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
|
||
"cwe_ids": [
|
||
"CWE-284",
|
||
"CWE-863"
|
||
],
|
||
"credits": [
|
||
"cantinagen"
|
||
],
|
||
"aliases": [
|
||
"GHSA-q99w-vh6v-q3v7"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-3c6j-hq33-3jv4",
|
||
"ghsa_id": "GHSA-3c6j-hq33-3jv4",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "high",
|
||
"type": "improper_access_control",
|
||
"nvd_category_id": "CWE-284",
|
||
"title": "Paired nodes could forge exec lifecycle events without system.run provenance",
|
||
"description": "Summary OpenClaw nodes send lifecycle events back to the gateway. In affected releases, a paired node could send an exec lifecycle event that was accepted without enough provenance tying it to an authorized system.run request. This issue affects the node event boundary. It does not allow an unauthenticated caller to reach the gateway; the attacker must already control a paired node connection. Affected configurations This affects deployments with a paired node where that node can send crafted node.event messages to the gateway and the target agent/session can process exec lifecycle events. Impact A malicious or compromised paired node could make the gateway treat attacker-supplied event data as an exec lifecycle result. In the vulnerable flow, that could steer the target session into an exec-event path that exposed capabilities the reduced node surface should not have provided. The issue is a missing provenance check for node-originated lifecycle events. Patched Versions The first stable patched version is 2026.5.18. Mitigations Upgrade to openclaw@2026.5.18 or later. Pair nodes only from trusted environments, and remove/re-pair nodes that may have been compromised.",
|
||
"affected": [
|
||
"openclaw@< 2026.5.18"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.18"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:06Z",
|
||
"updated": "2026-05-28T17:39:06Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-3c6j-hq33-3jv4"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3c6j-hq33-3jv4",
|
||
"nvd_url": null,
|
||
"cvss_score": 7.2,
|
||
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
|
||
"cwe_ids": [
|
||
"CWE-284",
|
||
"CWE-863"
|
||
],
|
||
"credits": [
|
||
"cantinagen"
|
||
],
|
||
"aliases": [
|
||
"GHSA-3c6j-hq33-3jv4"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-2hfg-4fh4-qp7f",
|
||
"ghsa_id": "GHSA-2hfg-4fh4-qp7f",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "high",
|
||
"type": "improper_access_control",
|
||
"nvd_category_id": "CWE-284",
|
||
"title": "Browser act interactions could bypass private-network navigation checks",
|
||
"description": "Summary OpenClaw's browser control SSRF checks blocked direct navigation to private or loopback URLs, but some Playwright act interactions could trigger navigation after the initial check. A later browser evaluation could then read from the page reached by that action-triggered navigation. This issue is specific to browser control actions and private-network navigation policy. Browser evaluation remains an intentional trusted-operator feature when it is used on pages that policy allowed the browser to visit. Affected configurations This affects deployments where browser control is enabled and an authenticated browser-control caller can interact with an attacker-controlled page that redirects or navigates the tab to a private-network target through a UI action. Impact If the browser reached a private page through an unchecked action-triggered navigation, a caller with browser evaluation capability could read page content that direct navigation policy would have blocked. The issue does not grant access to OpenClaw without authentication. It bypasses the private-network navigation guard for a specific browser action path. Patched Versions The first stable patched version is 2026.5.18. Mitigations Upgrade to openclaw@2026.5.18 or later. Before upgrading, restrict browser-control access to trusted operators and avoid using browser control on untrusted pages in environments with sensitive private web services.",
|
||
"affected": [
|
||
"openclaw@< 2026.5.18"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.18"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:04Z",
|
||
"updated": "2026-05-28T17:39:04Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-2hfg-4fh4-qp7f"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2hfg-4fh4-qp7f",
|
||
"nvd_url": null,
|
||
"cvss_score": 7.7,
|
||
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
|
||
"cwe_ids": [
|
||
"CWE-284",
|
||
"CWE-918"
|
||
],
|
||
"credits": [
|
||
"cantinagen"
|
||
],
|
||
"aliases": [
|
||
"GHSA-2hfg-4fh4-qp7f"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-v6r2-jh58-xx6w",
|
||
"ghsa_id": "GHSA-v6r2-jh58-xx6w",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "os_command_injection",
|
||
"nvd_category_id": "CWE-78",
|
||
"title": "Marketplace runtime extension metadata could point at unscanned payloads",
|
||
"description": "Summary Marketplace runtime extension metadata could point at unscanned payloads. In affected versions, a package selected for installation by a trusted operator could redirect runtime loading toward hidden package content that was not scanned as expected. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could load plugin code outside the reviewed package entry points. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.18. Mitigations install only trusted plugins and keep plugin allowlists explicit until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@< 2026.5.18"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.18"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:03Z",
|
||
"updated": "2026-05-28T17:39:03Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-v6r2-jh58-xx6w"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v6r2-jh58-xx6w",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-78",
|
||
"CWE-94",
|
||
"CWE-284",
|
||
"CWE-829"
|
||
],
|
||
"credits": [
|
||
"cantinagen"
|
||
],
|
||
"aliases": [
|
||
"GHSA-v6r2-jh58-xx6w"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-mhq8-78pj-5j79",
|
||
"ghsa_id": "GHSA-mhq8-78pj-5j79",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "high",
|
||
"type": "os_command_injection",
|
||
"nvd_category_id": "CWE-78",
|
||
"title": "POSIX node system.run safe-bin allowlist could be widened by shell expansion",
|
||
"description": "Summary On POSIX nodes, OpenClaw's system.run safe-bin checks could approve a command before shell expansion changed how the command was interpreted. A value that appeared to be a safe-bin argument could expand into additional shell words and become a file operand. This issue is limited to paired POSIX node execution through system.run with safe-bin or allowlist-style auto-approval. It is not an unauthenticated node takeover. Affected configurations This affects deployments where: - a POSIX node is paired to the gateway - system.run is reachable by an authenticated operator or agent flow - exec policy uses safe-bin or allowlist-based auto-approval - the approved command contains shell-expanded values that can change argv shape Impact A lower-privilege operator flow could cause an approved safe-bin command to read a node-local file that was not intended by the policy. Depending on the local files available to the node process, this could expose OpenClaw configuration data or other node-local information. The issue is a policy-enforcement gap in argv validation, not a general statement that every safe-bin command is unsafe. Patched Versions The first stable patched version is 2026.5.18. Mitigations Upgrade to openclaw@2026.5.18 or later. Before upgrading, avoid broad safe-bin auto-approval for commands that can read arbitrary paths, and prefer explicit approval for node commands that touch local files.",
|
||
"affected": [
|
||
"openclaw@< 2026.5.18"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.18"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:39:01Z",
|
||
"updated": "2026-05-28T17:39:01Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-mhq8-78pj-5j79"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mhq8-78pj-5j79",
|
||
"nvd_url": null,
|
||
"cvss_score": 7.1,
|
||
"cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
|
||
"cwe_ids": [
|
||
"CWE-78",
|
||
"CWE-200",
|
||
"CWE-284"
|
||
],
|
||
"credits": [
|
||
"cantinagen"
|
||
],
|
||
"aliases": [
|
||
"GHSA-mhq8-78pj-5j79"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-5cj2-3jr2-5h77",
|
||
"ghsa_id": "GHSA-5cj2-3jr2-5h77",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "os_command_injection",
|
||
"nvd_category_id": "CWE-78",
|
||
"title": "Shell positional parameters could weaken strict inline-eval checks",
|
||
"description": "Summary Shell positional parameters could weaken strict inline-eval checks. In affected versions, a command request that combines allowlisted tools with shell positional arguments could place inline-eval content in a shell carrier not covered by the strict check. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could run shell-provided content outside the intended allowlist rule. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.4.2. Mitigations avoid allowlisting shell carrier patterns and require approval for shell wrappers until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@< 2026.4.2"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.4.2"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:38:59Z",
|
||
"updated": "2026-05-28T17:38:59Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-5cj2-3jr2-5h77"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5cj2-3jr2-5h77",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-78",
|
||
"CWE-269",
|
||
"CWE-284",
|
||
"CWE-863"
|
||
],
|
||
"credits": [
|
||
"cantinagen"
|
||
],
|
||
"aliases": [
|
||
"GHSA-5cj2-3jr2-5h77"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-xww8-gqvh-92x9",
|
||
"ghsa_id": "GHSA-xww8-gqvh-92x9",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "high",
|
||
"type": "improper_access_control",
|
||
"nvd_category_id": "CWE-284",
|
||
"title": "Exec approval display truncation could hide the command being approved",
|
||
"description": "Summary OpenClaw exec approvals could show a shortened command in the approval UI while keeping the full original command for execution. For very long commands, an approver could see and approve a benign-looking prefix while a hidden suffix remained part of the command that would run after approval. This issue affects the approval display and binding for oversized exec commands. It does not make exec available to unauthenticated users, and it does not change OpenClaw's local-first trust model. Affected configurations This affects deployments where exec approval is enabled and an authenticated caller can create a pending host exec request with a command long enough to be truncated in the approval view. Impact An approver could make a decision from incomplete command text. If the hidden suffix contained additional shell operations, those operations could run after the approval was resolved. The practical impact depends on who can request exec approvals and who is allowed to approve them. The issue is an approval integrity problem: the approval surface did not faithfully represent the command that would execute. Patched Versions The first stable patched version is 2026.5.18. Mitigations Upgrade to openclaw@2026.5.18 or later. Before upgrading, avoid approving unusually long exec commands and keep approval capability limited to trusted operators.",
|
||
"affected": [
|
||
"openclaw@< 2026.5.18"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.18"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:38:57Z",
|
||
"updated": "2026-05-28T17:38:57Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-xww8-gqvh-92x9"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xww8-gqvh-92x9",
|
||
"nvd_url": null,
|
||
"cvss_score": 8,
|
||
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
|
||
"cwe_ids": [
|
||
"CWE-284",
|
||
"CWE-863"
|
||
],
|
||
"credits": [
|
||
"cantinagen"
|
||
],
|
||
"aliases": [
|
||
"GHSA-xww8-gqvh-92x9"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-qh2f-99mv-mrcf",
|
||
"ghsa_id": "GHSA-qh2f-99mv-mrcf",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "os_command_injection",
|
||
"nvd_category_id": "CWE-78",
|
||
"title": "Bundle MCP loopback could miss its exec denylist on session spawn",
|
||
"description": "Summary Bundle MCP loopback could miss its exec denylist on session spawn. In affected versions, a caller that can reach the affected bundled MCP session-spawn path could bypass the denylist that was intended for that loopback MCP entry point. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could start a session with broader command reach than that MCP path should provide. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.12. Mitigations restrict bundled MCP loopback access to trusted operators until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@< 2026.5.12"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.12"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:38:55Z",
|
||
"updated": "2026-05-28T17:38:55Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-qh2f-99mv-mrcf"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qh2f-99mv-mrcf",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-78",
|
||
"CWE-284"
|
||
],
|
||
"credits": [
|
||
"cantinagen"
|
||
],
|
||
"aliases": [
|
||
"GHSA-qh2f-99mv-mrcf"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-vxx3-6hc9-7cc3",
|
||
"ghsa_id": "GHSA-vxx3-6hc9-7cc3",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-367",
|
||
"title": "Combined POSIX shell options could confuse exec revalidation",
|
||
"description": "Summary Combined POSIX shell options could confuse exec revalidation. In affected versions, a command request using combined shell flags could parse approval-time and execution-time shell options differently. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could run inline shell content without the intended allowlist decision. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.12. Mitigations avoid combined shell option forms in allowlisted commands until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<= 2026.5.7"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.12"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:38:54Z",
|
||
"updated": "2026-05-28T17:38:54Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-vxx3-6hc9-7cc3"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vxx3-6hc9-7cc3",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-367"
|
||
],
|
||
"credits": [
|
||
"YLChen-007"
|
||
],
|
||
"aliases": [
|
||
"GHSA-vxx3-6hc9-7cc3"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-2j8v-hwgc-x698",
|
||
"ghsa_id": "GHSA-2j8v-hwgc-x698",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "improper_access_control",
|
||
"nvd_category_id": "CWE-284",
|
||
"title": "Shell wrapper argv could change between approval and execution",
|
||
"description": "Summary Shell wrapper argv could change between approval and execution. In affected versions, a command request using a shell wrapper form could approve one resolved argv shape and rebuild another for execution. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could run a command shape that was not checked against the allowlist. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.18. Mitigations require explicit approval for shell wrappers and avoid durable allowlists for wrapper-heavy commands until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<= 2026.5.16"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.18"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:38:52Z",
|
||
"updated": "2026-05-28T17:38:52Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-2j8v-hwgc-x698"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2j8v-hwgc-x698",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-284"
|
||
],
|
||
"credits": [],
|
||
"aliases": [
|
||
"GHSA-2j8v-hwgc-x698"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-q7q8-3mgw-q67r",
|
||
"ghsa_id": "GHSA-q7q8-3mgw-q67r",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "exposure_of_sensitive_information",
|
||
"nvd_category_id": "CWE-200",
|
||
"title": "Message read actions could skip channel allowlist checks",
|
||
"description": "Summary Message read actions could skip channel allowlist checks. In affected versions, a lower-trust caller with access to the affected message read action could request messages without the same channel allowlist check used by normal delivery. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could expose messages from a channel that was not intended for that caller. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.19. Mitigations limit message read actions to trusted operators and keep channel allowlists narrow. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<= 2026.5.18",
|
||
"openclaw@<= 2026.5.19-beta.2"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.19"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:38:50Z",
|
||
"updated": "2026-05-28T17:38:50Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-q7q8-3mgw-q67r"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q7q8-3mgw-q67r",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-200",
|
||
"CWE-862"
|
||
],
|
||
"credits": [
|
||
"samchodev"
|
||
],
|
||
"aliases": [
|
||
"GHSA-q7q8-3mgw-q67r"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-gxg4-2rrr-jhc7",
|
||
"ghsa_id": "GHSA-gxg4-2rrr-jhc7",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-20",
|
||
"title": "Hostname checks could treat trailing-dot hosts inconsistently",
|
||
"description": "Summary Hostname checks could treat trailing-dot hosts inconsistently. In affected versions, a request path that accepts model- or workspace-derived URLs could present the same hostname with a trailing dot and avoid a blocklist comparison. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could reach a destination that the operator expected the hostname policy to block. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.26. Mitigations keep private-network and metadata destinations blocked at the proxy or network layer until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<= 2026.5.22"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.26"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:38:49Z",
|
||
"updated": "2026-05-28T17:38:49Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-gxg4-2rrr-jhc7"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gxg4-2rrr-jhc7",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-20",
|
||
"CWE-918"
|
||
],
|
||
"credits": [
|
||
"nayakchinmohan"
|
||
],
|
||
"aliases": [
|
||
"GHSA-gxg4-2rrr-jhc7"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-cwpp-5962-q4f6",
|
||
"ghsa_id": "GHSA-cwpp-5962-q4f6",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "os_command_injection",
|
||
"nvd_category_id": "CWE-78",
|
||
"title": "Exec allowlist could miss side effects from transparent command wrappers",
|
||
"description": "Summary Exec allowlist could miss side effects from transparent command wrappers. In affected versions, a command request that reaches the exec allowlist path could be evaluated against the inner command while the wrapper invocation still executed. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could perform wrapper-level side effects outside the intent of the allowlisted command. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.26. Mitigations review wrapper commands carefully and require approval for shell-like wrapper usage until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<= 2026.5.22"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.26"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:38:46Z",
|
||
"updated": "2026-05-28T17:38:46Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-cwpp-5962-q4f6"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cwpp-5962-q4f6",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-78",
|
||
"CWE-184"
|
||
],
|
||
"credits": [
|
||
"nayakchinmohan"
|
||
],
|
||
"aliases": [
|
||
"GHSA-cwpp-5962-q4f6"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-ccwh-wwpp-6wg5",
|
||
"ghsa_id": "GHSA-ccwh-wwpp-6wg5",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-184",
|
||
"title": "Host environment sanitizer missed two Node.js control variables",
|
||
"description": "Summary Host environment sanitizer missed two Node.js control variables. In affected versions, a lower-trust env source such as a workspace .env, tool env override, or skill env block could pass Node.js control variables through the shared sanitizer. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could influence a later Node.js child process or coverage output path when that process is launched under the accepted environment. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.26. Mitigations avoid inheriting workspace or tool-supplied env values from untrusted repositories until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
|
||
"affected": [
|
||
"openclaw@<= 2026.5.22"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.5.26"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-05-28T17:38:45Z",
|
||
"updated": "2026-05-28T17:38:45Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-ccwh-wwpp-6wg5"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-ccwh-wwpp-6wg5",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-184"
|
||
],
|
||
"credits": [
|
||
"nayakchinmohan"
|
||
],
|
||
"aliases": [
|
||
"GHSA-ccwh-wwpp-6wg5"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-mr34-9552-qr95",
|
||
"ghsa_id": "GHSA-mr34-9552-qr95",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "path_traversal",
|
||
"nvd_category_id": "CWE-22",
|
||
"title": "Webchat media embedding enforces local-root containment for tool-result files",
|
||
"description": "Summary Webchat tool-result media normalization could pass local and UNC-style file paths into the host-side media embedding path without applying the configured local-root containment policy. Impact A crafted tool-result media reference could cause the host to attempt local file reads or Windows UNC/network path access while preparing webchat media blocks. This could disclose allowed host files or trigger network credential exposure on affected Windows deployments. Severity remains medium because exploitation depends on a tool-result media path reaching the webchat embedding path, but the sink is a host-side file read before the user sees the rendered result. Affected versions - Affected: >= 2026.4.7, < 2026.4.15 - Patched: 2026.4.15 Fix OpenClaw 2026.4.15 hardens the webchat media path and the shared media resolver. Remote-host file:// URLs and Windows network paths are rejected before filesystem access, and audio embedding now enforces configured localRoots containment before stat or read operations. Verified in v2026.4.15: - src/gateway/server-methods/chat-webchat-media.ts uses safe file-URL parsing, rejects Windows network paths, and calls assertLocalMediaAllowed before probing local audio files. - src/media/web-media.ts rejects remote-host file:// URLs, Windows network paths, and local-root bypasses on the shared media path. - src/gateway/server-methods/chat-webchat-media.test.ts covers both remote-host file:// rejection and local-root denial before filesystem access. Fix commits included in v2026.4.15 and absent from v2026.4.14: - 1470de5d3e0970856d86cd99336bb8ada3fe87da via PR #67293 - 6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde via PR #67298 - 52ef42302ead9e183e6c8810e0a04ee4ef8ae9fc via PR #67303 as defense-in-depth for trusted media passthrough anchoring Thanks to @Kherrisan for reporting this issue.",
|
||
"affected": [
|
||
"openclaw@>= 2026.4.7, < 2026.4.15"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.4.15"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-04-16T23:40:33Z",
|
||
"updated": "2026-04-16T23:40:33Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-mr34-9552-qr95"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mr34-9552-qr95",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-22",
|
||
"CWE-73"
|
||
],
|
||
"credits": [
|
||
"Kherrisan"
|
||
],
|
||
"aliases": [
|
||
"GHSA-mr34-9552-qr95"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-536q-mj95-h29h",
|
||
"ghsa_id": "GHSA-536q-mj95-h29h",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": null,
|
||
"title": "Browser press/type interaction routes missed complete navigation guard coverage",
|
||
"description": "Summary Browser press/type interaction routes missed complete navigation guard coverage. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: < 2026.4.10 - Patched versions: >= 2026.4.10 Impact Some browser press/type style interactions could trigger navigation without complete post-action SSRF policy enforcement. Technical Details The fix applies a three-phase interaction navigation guard to navigation-capable interactions, including pressKey and type submit flows. Fix The issue was fixed in #62023 and #63226 and #63889. The first stable tag containing the fix is v2026.4.10, and openclaw@2026.4.14 includes the fix. Fix Commit(s) - 049acf23cb03e1b92f5c71cd99c6ec5f35cc56fe - 5f5b3d733bdd791cb457f838514179e1288b10b3 - e0b8ddc1a55185aff1cf9e0e095014d2e4f1d894 - PR: #62023, #63226, #63889 Release Process Note Users should upgrade to openclaw 2026.4.10 or newer. The latest npm release, 2026.4.14, already includes the fix. Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.",
|
||
"affected": [
|
||
"openclaw@< 2026.4.10"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.4.10"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-04-16T15:19:51Z",
|
||
"updated": "2026-04-16T15:19:52Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-536q-mj95-h29h"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-536q-mj95-h29h",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [],
|
||
"credits": [
|
||
"zsxsoft",
|
||
"KeenSecurityLab",
|
||
"qclawer"
|
||
],
|
||
"aliases": [
|
||
"GHSA-536q-mj95-h29h"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-53vx-pmqw-863c",
|
||
"ghsa_id": "GHSA-53vx-pmqw-863c",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "high",
|
||
"type": "server_side_request_forgery",
|
||
"nvd_category_id": "CWE-918",
|
||
"title": "Browser SSRF policy default allowed private-network navigation",
|
||
"description": "Summary Browser SSRF policy default allowed private-network navigation. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: < 2026.4.14 - Patched versions: >= 2026.4.14 Impact Browser SSRF protection could allow private-network navigation by default in paths where restrictive behavior was expected, exposing internal services or metadata endpoints through browser-driven requests. Technical Details The fix preserves strict SSRF configuration semantics, keeps private-network access disabled unless explicitly opted in, and updates loopback CDP readiness handling for the stricter default. Fix The issue was fixed in #66354 and #66386. The first stable tag containing the fix is v2026.4.14, and openclaw@2026.4.14 includes the fix. Fix Commit(s) - 024f4614a1a1831406e763adc40ef226e3d5e9ed - 1dabfef28db523e7de81edeb3dd689e9171236a2 - 213c36cf51121ef6c05cfccd78037371f968f31a - 7eecfa411df3d12e6b810e6ca5df47254fc3db3f - PR: #66354, #66386 Release Process Note Users should upgrade to openclaw 2026.4.14 or newer. The latest npm release, 2026.4.14, already includes the fix. Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.",
|
||
"affected": [
|
||
"openclaw@< 2026.4.14"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.4.14"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-04-16T15:19:27Z",
|
||
"updated": "2026-04-16T15:19:27Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-53vx-pmqw-863c"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-53vx-pmqw-863c",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-918",
|
||
"CWE-1188"
|
||
],
|
||
"credits": [
|
||
"dhyabi2"
|
||
],
|
||
"aliases": [
|
||
"GHSA-53vx-pmqw-863c"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-jf56-mccx-5f3f",
|
||
"ghsa_id": "GHSA-jf56-mccx-5f3f",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "high",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-501",
|
||
"title": "Authenticated /hooks/wake and mapped wake payloads are promoted into the trusted System: prompt channel",
|
||
"description": "Impact Authenticated /hooks/wake and mapped wake payloads are promoted into the trusted System: prompt channel. An authenticated wake hook or mapped wake payload could be promoted into the trusted System prompt channel instead of an untrusted event. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.2 - Patched versions: 2026.4.8 Fix The issue was fixed on main and is available in the patched npm version listed above. The verified fixed tree is commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5. Verification The fix was re-checked against main before publication, including targeted regression tests for the affected security boundary. Credits Thanks @tdjackey for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.4.2"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.4.8"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-04-08T05:33:37Z",
|
||
"updated": "2026-04-08T05:33:37Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-jf56-mccx-5f3f"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jf56-mccx-5f3f",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-501"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-jf56-mccx-5f3f"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-gfmx-pph7-g46x",
|
||
"ghsa_id": "GHSA-gfmx-pph7-g46x",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "high",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-501",
|
||
"title": "Lower-trust background runtime output is injected into trusted System: events, and local async exec completion misses the intended exec-event downgrade",
|
||
"description": "Impact Lower-trust background runtime output is injected into trusted System: events, and local async exec completion misses the intended exec-event downgrade. Lower-trust runtime/background output could be promoted into trusted System events, allowing prompt-injection into later agent turns. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.2 - Patched versions: 2026.4.8 Fix The issue was fixed on main and is available in the patched npm version listed above. The verified fixed tree is commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5. Verification The fix was re-checked against main before publication, including targeted regression tests for the affected security boundary. Credits Thanks @tdjackey for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.4.2"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.4.8"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-04-08T05:33:36Z",
|
||
"updated": "2026-04-08T05:33:36Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-gfmx-pph7-g46x"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gfmx-pph7-g46x",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-501"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-gfmx-pph7-g46x"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-846p-hgpv-vphc",
|
||
"ghsa_id": "GHSA-846p-hgpv-vphc",
|
||
"cve_id": null,
|
||
"status": "active",
|
||
"stale": false,
|
||
"stale_after_days": 60,
|
||
"severity": "high",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": null,
|
||
"title": "QQ Bot structured payloads could read arbitrary local files",
|
||
"description": "Summary Before OpenClaw 2026.4.2, QQ Bot structured media payloads could read local files from attacker-chosen paths. A crafted structured payload could escape QQ Bot-owned media roots and cause arbitrary file reads on the host. Impact Prompt-influenced structured payload output could exfiltrate any host file readable by the OpenClaw process through the QQ Bot media-send path. This was a real confidentiality bug on the host filesystem boundary. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.1 - Patched versions: = 2026.4.2 - Latest published npm version: 2026.4.1 Fix Commit(s) - 2c45b06afdd6f7c621038b5419d8e661cff34a7f — restrict QQ Bot structured payload local paths Release Process Note The fix is present on main and is staged for OpenClaw 2026.4.2. Publish this advisory after the 2026.4.2 npm release is live. Thanks @feiyang666 of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.4.1"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.4.2"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-04-02T19:21:36Z",
|
||
"updated": "2026-04-03T01:33:55Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-846p-hgpv-vphc"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-846p-hgpv-vphc",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [],
|
||
"credits": [
|
||
"feiyang666"
|
||
],
|
||
"aliases": [
|
||
"GHSA-846p-hgpv-vphc"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-cwq8-6f96-g3q4",
|
||
"ghsa_id": "GHSA-cwq8-6f96-g3q4",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "low",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-636",
|
||
"title": "Security Scan Failure Does Not Block Plugin Installation (Fail-Open)",
|
||
"description": "Summary Security Scan Failure Does Not Block Plugin Installation (Fail-Open) Current Maintainer Triage - Status: open - Normalized severity: low - Assessment: Real in shipped v2026.3.28 plugin install flow, but low severity fits because it still requires an operator to choose installation of an untrusted package and the scan failure was visible rather than silent. Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version: 2026.3.31 - Vulnerable version range: <=2026.3.28 - Patched versions: = 2026.3.31 - First stable tag containing the fix: v2026.3.31 Fix Commit(s) - 7a953a52271b9188a5fa830739a4366614ff9916 — 2026-03-30T15:36:08+01:00 - 44b993613601280d46a5b88190e46669fc13d669 — 2026-03-31T23:16:11+09:00 - 0d7f1e2c84eca65df7dee890d9c30e2a841c030a — 2026-03-31T23:27:20+09:00 - bf96c67fd1954740aeabfadc7cfe3098bcfc6b68 — 2026-03-31T15:53:29+01:00 Release Process Note - The fix is already present in released version 2026.3.31. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @davidluzsilva for reporting.",
|
||
"affected": [
|
||
"openclaw@<=2026.3.28"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.3.31"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-03-31T21:45:37Z",
|
||
"updated": "2026-03-31T21:45:37Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-cwq8-6f96-g3q4"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cwq8-6f96-g3q4",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-636",
|
||
"CWE-754"
|
||
],
|
||
"credits": [
|
||
"davidluzsilva"
|
||
],
|
||
"aliases": [
|
||
"GHSA-cwq8-6f96-g3q4"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-39mp-545q-w789",
|
||
"ghsa_id": "GHSA-39mp-545q-w789",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-285",
|
||
"title": "Non-owner command-authorized sender can change the owner-only /send session delivery policy",
|
||
"description": "Fixed in OpenClaw 2026.3.24, the current shipping release. Title Non-owner command-authorized sender can change the owner-only /send session delivery policy CWE CWE-285 Improper Authorization CVSS v3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L Base score: 5.4 (Medium) Severity Assessment Medium. This is a real owner-only authorization bypass, but the demonstrated impact is limited to persistent mutation of the current session’s delivery policy rather than direct code execution, sandbox escape, or cross-host compromise. Impact A non-owner sender who is allowed to run commands can invoke /send on|off|inherit and persistently change the current session’s sendPolicy, even though OpenClaw documents /send as owner-only. That lets a lower-trust participant: - disable reply delivery for the current session (/send off), suppressing future replies in that chat; - re-enable reply delivery (/send on) after the owner intentionally disabled it; - remove the session override (/send inherit). Affected Component Verified against the latest published GitHub release tag v2026.3.23 (ccfeecb6887cd97937e33a71877ad512741e82b2), published 2026-03-23T23:15:50Z. Exact vulnerable path on the shipped tag: - src/auto-reply/reply/commands-session.ts:212-239 - handleSendPolicyCommand(...) checks only params.command.isAuthorizedSender. - when true, it mutates params.sessionEntry.sendPolicy and persists the session entry. Authorization behavior that makes this reachable: - src/auto-reply/command-auth.ts:401-407 - senderIsOwner is computed separately from general command authorization. - src/auto-reply/command-auth.ts:420-429 - command authorization can succeed even when senderIsOwner === false. - src/auto-reply/command-auth.owner-default.test.ts:10-47 - existing coverage confirms a sender can be command-authorized while not treated as owner. Documented owner-only contract: - docs/tools/slash-commands.md:112 - /send on|off|inherit is documented as owner-only. 
- docs/concepts/session-tool.md:156 - sendPolicy is documented as settable via sessions.patch or owner-only /send on|off|inherit. Related privilege model: - src/gateway/method-scopes.ts:131-133 - sessions.patch is admin-scoped, which reinforces that session-delivery-policy mutation is treated as privileged state. Version history: - The vulnerable handler exists in release history going back at least to commit ea018a68ccb92dbc735bc1df9880d5c95c63ca35 (refactor(auto-reply): split reply pipeline). - Earliest released affected tag found: v2026.1.14-1 - Latest released affected tag verified: v2026.3.23 Technical Reproduction 1. Check out the shipped release tag v2026.3.23. 2. Configure a channel where: - a non-owner sender is allowed to run commands, for example through commands.allowFrom; - the owner identity is distinct, for example via commands.ownerAllowFrom. 3. Start or reuse a session with a live sessionEntry and sessionStore. 4. Send /send off as the non-owner but command-authorized sender. 5. Confirm the resolved command context has: - isAuthorizedSender === true - senderIsOwner === false 6. Observe that the handler still accepts the command, mutates sessionEntry.sendPolicy, and persists the session entry. Demonstrated Impact The vulnerable handler performs a real persistent session-state change: - src/auto-reply/reply/commands-session.ts:232-238 - /send inherit deletes sessionEntry.sendPolicy - other modes assign sessionEntry.sendPolicy = sendPolicyCommand.mode - the handler then calls persistSessionEntry(params) The mutation is not gated by owner status, only by general command authorization. That changes subsequent delivery behavior for the current session, which matches the documented meaning of sendPolicy. 
Environment - Product: OpenClaw - Verified shipped tag: v2026.3.23 - Shipped tag commit: ccfeecb6887cd97937e33a71877ad512741e82b2 - Published GitHub release time: 2026-03-23T23:15:50Z - Verification date: 2026-03-24 Duplicate Check I did not find an existing GHSA for /send. This is distinct from: - GHSA-r7vr-gr74-94p8 - that advisory covered owner-only authorization bypasses for /config and /debug, not /send. This is the same authorization class, but a different privileged command surface that still lacks the owner check. In Scope Check This report is in scope under SECURITY.md because: - it does not rely on adversarial operators sharing one gateway host or config; - it does not rely on trusted local state tampering; - SECURITY.md:151-152 explicitly says non-owner sender status matters for owner-only tools and commands; - /send is explicitly documented as owner-only, so this is a direct owner-only authorization bypass, not a complaint about normal shared-agent steering. This is therefore a concrete authorization flaw against a documented product boundary. Remediation Advice 1. Change /send to require owner status, not just command authorization. 2. Reuse the same owner-only rejection pattern already used by privileged command surfaces such as /config, /debug, and owner-only /plugins writes. 3. Add regression coverage for the exact case where: - a non-owner sender is command-authorized; - /send must still be rejected unless senderIsOwner === true. 4. Verify that the owner can still use /send on|off|inherit normally.",
|
||
"affected": [
|
||
"openclaw@<= 2026.3.22"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.3.24"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-03-27T15:52:20Z",
|
||
"updated": "2026-03-27T15:52:20Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-39mp-545q-w789"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-39mp-545q-w789",
|
||
"nvd_url": null,
|
||
"cvss_score": 5.4,
|
||
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
|
||
"cwe_ids": [
|
||
"CWE-285"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-39mp-545q-w789"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-vqvg-86cc-cg83",
|
||
"ghsa_id": "GHSA-vqvg-86cc-cg83",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "missing_authorization",
|
||
"nvd_category_id": "CWE-862",
|
||
"title": "Mutating internal /allowlist chat commands missed operator.admin scope enforcement",
|
||
"description": "Fixed in OpenClaw 2026.3.24, the current shipping release. Title Mutating internal /allowlist chat commands missed operator.admin scope enforcement CWE CWE-862 Missing Authorization CVSS v3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Base score: 6.5 (Medium) Severity Assessment Medium. This is a real authorization flaw in OpenClaw’s internal control plane. The issue does not require host access, trusted local state tampering, or multi-tenant assumptions, but exploitation does require an already authenticated internal Gateway caller with operator.write. Impact An authenticated internal Gateway caller limited to operator.write can perform state-changing /allowlist actions without operator.admin, even though comparable mutating internal chat commands already require operator.admin. The reachable effects are persistent changes to config-backed allowFrom entries and pairing-store-backed allowlist entries. This is not a semantic-modeling complaint and not a generic “trusted operator can do things” claim. It is a missing authorization check inside OpenClaw’s own internal scope model, where peer mutating command surfaces already distinguish operator.write from operator.admin. Affected Component Verified against the latest published GitHub release tag v2026.3.23 (ccfeecb6887cd97937e33a71877ad512741e82b2), published 2026-03-23T23:15:50Z. Exact vulnerable path on the shipped tag: - src/auto-reply/reply/commands-allowlist.ts:251-254 - /allowlist authorization uses only rejectUnauthorizedCommand(...). - src/auto-reply/reply/commands-allowlist.ts:386-524 - mutating config and pairing-store writes happen here, but there is no requireGatewayClientScopeForInternalChannel(..., operator.admin, ...). Reachability and scope model: - src/gateway/method-scopes.ts:94-109 - chat.send is a write-scoped method. - src/gateway/server.chat.gateway-server-chat.test.ts:539-559 - existing runtime coverage proves chat.send routes slash commands without an agent run. 
- src/auto-reply/command-auth.ts:574-577 - internal callers become senderIsOwner only when GatewayClientScopes includes operator.admin. Comparable internal mutating command paths already enforce operator.admin: - src/auto-reply/reply/commands-config.ts:64-73 - src/auto-reply/reply/commands-mcp.ts:89-96 - src/auto-reply/reply/commands-plugins.ts:387-394 - src/auto-reply/reply/commands-acp.ts:98-106 Version history: - Introduced by commit 555b2578a8cc6e1b93f717496935ead97bfbed8b (feat: add /allowlist command) - Earliest released affected tag found: v2026.1.20 - Latest released affected tag verified: v2026.3.23 Technical Reproduction 1. Check out the shipped release tag v2026.3.23. 2. Use an internal command context with: - Provider = \"webchat\" - Surface = \"webchat\" - GatewayClientScopes = [\"operator.write\"] - params.command.channel = \"webchat\" 3. Route a slash command through chat.send. 4. Execute either of these mutating commands: - /allowlist add dm channel=telegram 789 - /allowlist add dm --store channel=telegram 789 5. Confirm the command context is authorized but not owner-equivalent: - isAuthorizedSender === true - senderIsOwner === false 6. Observe that the commands still succeed and perform persistent writes. Demonstrated Impact The vulnerable handler performs real state mutation for a low-scope internal caller: - Config-backed mutation path: - src/auto-reply/reply/commands-allowlist.ts:398-503 - reads the config snapshot, applies the edit, validates, and writes the updated config to disk. - Store-backed mutation path: - src/auto-reply/reply/commands-allowlist.ts:479-485 - src/auto-reply/reply/commands-allowlist.ts:513-518 - updates the pairing-store allowlist without any admin-scope gate. The result is successful persistence, not just a misleading success message. 
Environment - Product: OpenClaw - Verified shipped tag: v2026.3.23 - Shipped tag commit: ccfeecb6887cd97937e33a71877ad512741e82b2 - Published GitHub release time: 2026-03-23T23:15:50Z - Verification date: 2026-03-24 Duplicate Check This is not a duplicate of: - GHSA-pjvx-rx66-r3fg - that advisory covered cross-account scoping in /allowlist ... --store, not missing internal operator.admin enforcement. - GHSA-hfpr-jhpq-x4rm - that advisory covered /config writes through chat.send, not /allowlist. - GHSA-3w6x-gv34-mqpf - same authorization class, but different command path (/acp, not /allowlist). In Scope Check This report is in scope under SECURITY.md because: - it does not rely on adversarial operators sharing one gateway host or config; - it does not target the HTTP compatibility endpoints that SECURITY.md explicitly treats as full operator-access surfaces; - it demonstrates a real authorization mismatch inside OpenClaw’s own internal control-plane scope model (operator.write vs operator.admin); - peer mutating internal chat commands already enforce operator.admin, so this is not a request for a new boundary but a missing check on an existing one. This is therefore a concrete authorization bug, not a trusted-operator hardening suggestion. Remediation Advice 1. Add requireGatewayClientScopeForInternalChannel(..., allowedScopes: [\"operator.admin\"], ...) to the mutating internal /allowlist paths. 2. Add regression coverage for both mutation modes: - internal operator.write must be rejected; - internal operator.admin must be allowed. 3. Cover both config-backed and store-backed writes. 4. Audit other mutating internal chat-command paths for the same missing-scope pattern.",
|
||
"affected": [
|
||
"openclaw@<= 2026.3.22"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.3.24"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-03-27T15:52:18Z",
|
||
"updated": "2026-03-27T15:52:18Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-vqvg-86cc-cg83"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vqvg-86cc-cg83",
|
||
"nvd_url": null,
|
||
"cvss_score": 6.5,
|
||
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
|
||
"cwe_ids": [
|
||
"CWE-862"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-vqvg-86cc-cg83"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-cfp9-w5v9-3q4h",
|
||
"ghsa_id": "GHSA-cfp9-w5v9-3q4h",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "incorrect_authorization",
|
||
"nvd_category_id": "CWE-863",
|
||
"title": "Image tool bypassed tools.fs.workspaceOnly and could read mounted files outside the workspace",
|
||
"description": "Summary The image tool did not fully honor the tools.fs.workspaceOnly filesystem boundary. In affected releases, image-path resolution could still traverse sandbox bridge mounts outside the workspace and read files from mounted directories that the other file tools would reject. Affected Packages / Versions - Package: openclaw (npm) - Affected: < 2026.3.2 - Fixed: = 2026.3.2 - Latest released tags checked: v2026.3.23 (ccfeecb6887cd97937e33a71877ad512741e82b2) and v2026.3.23-2 (630f1479c44f78484dfa21bb407cbe6f171dac87) - Latest published npm version checked: 2026.3.23-2 Fix Commit(s) - dd9d9c1c609dcb4579f9e57bd7b5c879d0146b53 - 14baadda2c456f3cf749f1f97e8678746a34a7f4 Release Status The complete fix shipped in v2026.3.2 and remains present in v2026.3.23 and v2026.3.23-2. Code-Level Confirmation - src/agents/openclaw-tools.ts now passes fsPolicy into createImageTool, so the image tool receives the same workspace-only policy input as the other filesystem tools. - src/agents/tools/image-tool.ts, src/agents/tools/media-tool-shared.ts, and src/agents/sandbox-media-paths.ts now restrict local roots and sandbox-bridge resolution to the workspace when tools.fs.workspaceOnly is enabled. Thanks @YLChen-007 for reporting.",
|
||
"affected": [
|
||
"openclaw@< 2026.3.2"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.3.2"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-03-24T18:07:14Z",
|
||
"updated": "2026-03-24T18:07:14Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-cfp9-w5v9-3q4h"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cfp9-w5v9-3q4h",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-863"
|
||
],
|
||
"credits": [
|
||
"YLChen-007"
|
||
],
|
||
"aliases": [
|
||
"GHSA-cfp9-w5v9-3q4h"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-vfg3-pqpq-93m4",
|
||
"ghsa_id": "GHSA-vfg3-pqpq-93m4",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "incorrect_authorization",
|
||
"nvd_category_id": "CWE-863",
|
||
"title": "Tlon cite expansion happened before channel and DM authorization completed.",
|
||
"description": "Summary Tlon cite expansion happened before channel and DM authorization completed, allowing cite work and content handling before the final auth decision. Affected Packages / Versions - Package: openclaw (npm) - Affected: < 2026.3.22 - Fixed: = 2026.3.22 - Latest released tag checked: v2026.3.23-2 (630f1479c44f78484dfa21bb407cbe6f171dac87) - Latest published npm version checked: 2026.3.23-2 Fix Commit(s) - 3cbf932413e41d1836cb91aed1541a28a3122f93 - ebee4e2210e1f282a982c7ef2ad79d77a572fc87 Release Status The fix shipped in v2026.3.22 and remains present in v2026.3.23 and v2026.3.23-2. Code-Level Confirmation - extensions/tlon/src/monitor/index.ts now defers cite expansion until after authorization and preserves explicit empty-allowlist semantics. - extensions/tlon/src/monitor/utils.ts and extensions/tlon/src/security.test.ts ship the deferred cite expansion behavior and regressions. Thanks @zpbrent for reporting.",
|
||
"affected": [
|
||
"openclaw@< 2026.3.22"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.3.22"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-03-24T17:37:07Z",
|
||
"updated": "2026-03-24T17:37:07Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-vfg3-pqpq-93m4"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vfg3-pqpq-93m4",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-863"
|
||
],
|
||
"credits": [
|
||
"zpbrent"
|
||
],
|
||
"aliases": [
|
||
"GHSA-vfg3-pqpq-93m4"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-h3x4-hc5v-v2gm",
|
||
"ghsa_id": "GHSA-h3x4-hc5v-v2gm",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-40",
|
||
"title": "Windows media loaders accepted remote-host file URLs before local path validation",
|
||
"description": "Summary Windows local-media handling accepted remote-host file URLs and UNC-style paths before local-path validation, so network-hosted file targets could be treated as local content. Affected Packages / Versions - Package: openclaw (npm) - Affected: < 2026.3.22 - Fixed: = 2026.3.22 - Latest released tag checked: v2026.3.23-2 (630f1479c44f78484dfa21bb407cbe6f171dac87) - Latest published npm version checked: 2026.3.23-2 Fix Commit(s) - 4fd7feb0fd4ec16c48ed983980dba79a09b3aaf5 - 93880717f1cd34feaa45e74e939b7a5256288901 Release Status The fix shipped in v2026.3.22 and remains present in v2026.3.23 and v2026.3.23-2. Code-Level Confirmation - src/infra/local-file-access.ts now rejects remote-host file: URLs and UNC/network paths as non-local input. - src/media/web-media.ts, src/media-understanding/attachments.normalize.ts, and src/agents/sandbox-paths.ts all route through the shared local-file guard. Thanks @RacerZ-fighting, @Fushuling for reporting.",
|
||
"affected": [
|
||
"openclaw@< 2026.3.22"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.3.22"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-03-24T17:36:44Z",
|
||
"updated": "2026-03-24T17:36:44Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-h3x4-hc5v-v2gm"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h3x4-hc5v-v2gm",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-40"
|
||
],
|
||
"credits": [
|
||
"RacerZ-fighting",
|
||
"Fushuling"
|
||
],
|
||
"aliases": [
|
||
"GHSA-h3x4-hc5v-v2gm"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-3h2q-j2v4-6w5r",
|
||
"ghsa_id": "GHSA-3h2q-j2v4-6w5r",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-184",
|
||
"title": "system.run allowlist approval parsing missed PowerShell encoded-command wrappers",
|
||
"description": "OpenClaw's system.run shell-wrapper detection did not recognize PowerShell -EncodedCommand forms as inline-command wrappers. In allowlist mode, a caller with access to system.run could invoke pwsh or powershell using -EncodedCommand, -enc, or -e, and the request would fall back to plain argv analysis instead of the normal shell-wrapper approval path. This could allow a PowerShell inline payload to execute without the approval step that equivalent -Command invocations would require. Latest published npm version: 2026.3.2 Fixed on main on March 7, 2026 in 1d1757b16f48f1a93cd16ab0ad7e2c3c63ce727d by recognizing PowerShell encoded-command aliases during shell-wrapper parsing, so allowlist mode continues to require approval for those payloads. Normal approved PowerShell wrapper flows continue to work. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.3.2 - Patched version: = 2026.3.7 Fix Commit(s) - 1d1757b16f48f1a93cd16ab0ad7e2c3c63ce727d Release Process Note npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package. Thanks @tdjackey for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.3.2"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.3.7"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-03-08T14:26:58Z",
|
||
"updated": "2026-03-08T14:26:58Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-3h2q-j2v4-6w5r"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3h2q-j2v4-6w5r",
|
||
"nvd_url": null,
|
||
"cvss_score": 5,
|
||
"cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
|
||
"cwe_ids": [
|
||
"CWE-184",
|
||
"CWE-863"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-3h2q-j2v4-6w5r"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-9q2p-vc84-2rwm",
|
||
"ghsa_id": "GHSA-9q2p-vc84-2rwm",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-436",
|
||
"title": "system.run allow-always persistence included shell-commented payload tails",
|
||
"description": "OpenClaw's system.run allowlist analysis did not honor POSIX shell comment semantics when deriving allow-always persistence entries. A caller in security=allowlist mode who received an allow-always decision could submit a shell command whose tail was commented out at runtime, for example by using an unquoted # before a chained payload. The runtime shell would execute only the pre-comment portion, but allowlist persistence could still analyze and store the non-executed tail as a trusted follow-up command. Latest published npm version: 2026.3.2 Fixed on main on March 7, 2026 in 939b18475d734ed75173f59507e3ebbdfe1992b7 by teaching shell tokenization and chain/pipeline analysis to stop at unquoted shell comments, so allow-always persistence now tracks only commands that the shell can actually execute. Normal real chained commands and quoted # literals continue to work. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.3.2 - Patched version: = 2026.3.7 Fix Commit(s) - 939b18475d734ed75173f59507e3ebbdfe1992b7 Release Process Note npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package. Thanks @tdjackey for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.3.2"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.3.7"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-03-08T14:26:57Z",
|
||
"updated": "2026-03-08T14:26:57Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-9q2p-vc84-2rwm"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9q2p-vc84-2rwm",
|
||
"nvd_url": null,
|
||
"cvss_score": 5,
|
||
"cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
|
||
"cwe_ids": [
|
||
"CWE-436",
|
||
"CWE-863"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-9q2p-vc84-2rwm"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-hfpr-jhpq-x4rm",
|
||
"ghsa_id": "GHSA-hfpr-jhpq-x4rm",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "incorrect_authorization",
|
||
"nvd_category_id": "CWE-863",
|
||
"title": "operator.write chat.send could reach admin-only config writes",
|
||
"description": "Summary A gateway client authenticated with operator.write could route /config set or /config unset through chat.send and reach persistent config mutation even though direct config RPC methods are admin-scoped. Affected Packages / Versions - Package: openclaw (npm) - Latest published vulnerable version: 2026.3.2 - Affected range: <= 2026.3.2 - Patched in: 2026.3.7 Details Before the fix, chat.send ran slash commands in an internal gateway-chat context with CommandAuthorized: true, and /config write paths only checked command authorization plus commands.config / channels.<provider.configWrites gates. That allowed an authenticated operator.write gateway client to bridge into persistent config writes even though direct config. RPC methods remain operator.admin scoped. The fix keeps command functionality intact while restoring the intended scope boundary: - persistent /config set|unset writes routed through gateway chat.send now require operator.admin - read-only /config show remains available to normal write-scoped gateway clients - normal messaging-channel /config behavior remains unchanged Impact This is a real authorization mismatch, but exploitability requires an already authenticated gateway client with operator.write, chat.send access, and /config command support enabled. Maintainer severity is set to medium because the bug is a scoped control-plane privilege mismatch rather than a broad unauthenticated or generic remote compromise. The main consequence is unintended persistent config mutation. Fix Commit(s) - 5f8f58ae25e2a78f31b06edcf26532d634ca554e Release Process Note npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package. Thanks @tdjackey for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.3.2"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.3.7"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-03-08T14:26:56Z",
|
||
"updated": "2026-03-08T14:26:56Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-hfpr-jhpq-x4rm"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hfpr-jhpq-x4rm",
|
||
"nvd_url": null,
|
||
"cvss_score": 4.3,
|
||
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
|
||
"cwe_ids": [
|
||
"CWE-863"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-hfpr-jhpq-x4rm"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-j425-whc4-4jgc",
|
||
"ghsa_id": "GHSA-j425-whc4-4jgc",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-15",
|
||
"title": "system.run env override filtering allowed dangerous helper-command pivots",
|
||
"description": "Summary system.run env override sanitization allowed dangerous override-only helper-command pivots to reach subprocesses. A caller who could invoke system.run with env overrides could bypass allowlist/approval intent by steering an allowlisted tool through helper-command or config-loading environment variables such as GITSSHCOMMAND, editor/pager hooks, and GITCONFIG / NPMCONFIG. Affected Packages / Versions - Package: openclaw (npm) - Latest published vulnerable version: 2026.3.2 - Affected range: <= 2026.3.2 - Patched in: 2026.3.7 Details Before the fix, src/infra/host-env-security.ts blocked only a narrow set of override-only environment variables. Dangerous request-scoped overrides such as GITSSHCOMMAND and prefix families such as GITCONFIG and NPMCONFIG could still survive sanitizeSystemRunEnvOverrides(...) / sanitizeHostExecEnv(...) and reach the spawned process. That mattered for system.run allowlist and approval flows because approval evaluation was tied to the reviewed binary/argv, while the launched process could still inherit attacker-controlled env overrides that changed helper-command execution or config resolution. For allowlisted tools such as git, this allowed behavior outside the reviewed command semantics. The fix extends the shared TypeScript and macOS policy to block dangerous override-only exact keys and prefixes while preserving trusted inherited base-environment behavior. Impact This is a real protection-bypass issue, but exploitation requires an already tool-enabled caller who can invoke system.run and supply env overrides. In affected deployments, that caller could bypass allowlist/approval intent and trigger helper-command execution or config-loading behavior that is not represented by the approved command line. Maintainer severity is set to medium because the bug still requires that existing execution capability; the vulnerability is the mismatch between reviewed command semantics and the actual spawned-process behavior. 
Fix Commit(s) - e27bbe4982439da6864160fd1b66445058f74801 Release Process Note npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package. Thanks @tdjackey and @SnailSploit for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.3.2"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.3.7"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-03-08T14:26:56Z",
|
||
"updated": "2026-03-08T14:26:56Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-j425-whc4-4jgc"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-j425-whc4-4jgc",
|
||
"nvd_url": null,
|
||
"cvss_score": 6.3,
|
||
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
|
||
"cwe_ids": [
|
||
"CWE-15",
|
||
"CWE-693"
|
||
],
|
||
"credits": [
|
||
"tdjackey",
|
||
"SnailSploit",
|
||
"zpbrent"
|
||
],
|
||
"aliases": [
|
||
"GHSA-j425-whc4-4jgc"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-pjvx-rx66-r3fg",
|
||
"ghsa_id": "GHSA-pjvx-rx66-r3fg",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-639",
|
||
"title": "Cross-account sender authorization expansion in /allowlist ... --store account scoping",
|
||
"description": "Summary /allowlist ... --store resolved the selected channel accountId for reads, but store writes still dropped that accountId and wrote into the legacy unscoped pairing allowlist store. Because default-account reads still merge legacy unscoped entries, a store entry intended for one account could silently authorize the same sender on the default account. This is a real cross-account sender-authorization scoping bug. Severity is set to medium because exploitation requires an already-authorized user who can run /allowlist edits. Affected Packages / Versions - Package: openclaw (npm) - Latest published version checked: 2026.3.2 - Affected versions: <= 2026.3.2 - Fixed on main: March 7, 2026 in 70da80bcb5574a10925469048d2ebb2abf882e73 - Patched release: 2026.3.7 Details The affected path was: - src/auto-reply/reply/commands-allowlist.ts:386-393 resolved accountId and read store state with it - src/auto-reply/reply/commands-allowlist.ts:697-702 and src/auto-reply/reply/commands-allowlist.ts:730-733 wrote store state without passing accountId - src/pairing/pairing-store.ts:231-234 and src/pairing/pairing-store.ts:534-554 still merged legacy unscoped allowlist entries into the default account The fix scopes /allowlist ... --store writes to the resolved account and clears legacy default-account store entries on removal so legacy reads no longer create cross-account authorization bleed-through. Impact - Vulnerability class: improper authorization scoping / incorrect authorization - Exploitation requires: an already-authorized sender who can run /allowlist edits - Security effect: unintended authorization expansion from one channel account into default Fix Commit(s) - 70da80bcb5574a10925469048d2ebb2abf882e73 — scope /allowlist ... --store writes by account and clean up legacy default-account removals Release Process Note npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package. Thanks @tdjackey for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.3.2"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.3.7"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-03-08T14:26:55Z",
|
||
"updated": "2026-03-08T14:26:55Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-pjvx-rx66-r3fg"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-pjvx-rx66-r3fg",
|
||
"nvd_url": null,
|
||
"cvss_score": 5.4,
|
||
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
|
||
"cwe_ids": [
|
||
"CWE-639",
|
||
"CWE-863"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-pjvx-rx66-r3fg"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-6rmx-gvvg-vh6j",
|
||
"ghsa_id": "GHSA-6rmx-gvvg-vh6j",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-307",
|
||
"title": "hooks count non-POST requests toward auth lockout",
|
||
"description": "OpenClaw's hooks HTTP handler counted hook authentication failures before rejecting unsupported HTTP methods. An unauthenticated client could send repeated non-POST requests (for example GET) with an invalid token to consume the hook auth failure budget and trigger the temporary lockout window for that client key. The fix moves the hook method gate ahead of auth-failure accounting so unsupported methods return 405 Method Not Allowed without incrementing the hook auth limiter. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.3.2 - Patched version: 2026.3.7 - Latest published npm version at patch time: 2026.3.2 Impact An unauthenticated network client that could reach /hooks/ could temporarily lock out legitimate webhook delivery when requests collapsed to the same hook auth client key, such as shared proxy or NAT topologies. Impact is limited to temporary availability loss for hook-triggered wake or automation delivery. Fix Commit(s) - 44820dceadac65ac7c0ce8fc0ffba8c2bd9fae89 Verification - pnpm check passed - pnpm test:fast passed - focused hook regression tests passed - pnpm exec vitest run --config vitest.gateway.config.ts still has unrelated current-main failures in src/gateway/server-channels.test.ts and src/gateway/server-methods/agents-mutate.test.ts Release Process Note npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package. Thanks @JNX03 for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.3.2"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.3.7"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-03-08T14:26:54Z",
|
||
"updated": "2026-03-08T14:26:54Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-6rmx-gvvg-vh6j"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6rmx-gvvg-vh6j",
|
||
"nvd_url": null,
|
||
"cvss_score": 5.3,
|
||
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
|
||
"cwe_ids": [
|
||
"CWE-307",
|
||
"CWE-799"
|
||
],
|
||
"credits": [
|
||
"JNX03"
|
||
],
|
||
"aliases": [
|
||
"GHSA-6rmx-gvvg-vh6j"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-rchv-x836-w7xp",
|
||
"ghsa_id": "GHSA-rchv-x836-w7xp",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "high",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": null,
|
||
"title": "Dashboard leaked gateway auth material via browser URL/query and localStorage",
|
||
"description": "OpenClaw's macOS Dashboard flow exposed Gateway authentication material to browser-controlled surfaces. Before the fix, the macOS app appended the shared Gateway token and password to the Dashboard URL query string when opening the Control UI in the browser. The Control UI then imported the token and persisted it into browser localStorage under openclaw.control.settings.v1. This expanded exposure of reusable Gateway admin credentials into browser address-bar/query surfaces and persistent script-readable storage. Affected Packages / Versions - Package: openclaw (npm) - Latest published version verified vulnerable: 2026.3.2 - Affected range: <= 2026.3.2 - Patched version: = 2026.3.7 Impact An attacker with access to browser-controlled surfaces or persistent browser storage could recover a valid Gateway admin token and reuse it against the OpenClaw management interface. The exposure chain was: 1. macOS Open Dashboard constructed a URL with auth material. 2. The browser received that credential-bearing URL. 3. The Control UI imported the token from the URL. 4. The Control UI persisted the token in localStorage. Fix The fix aligns the macOS Dashboard flow with the safer existing CLI/bootstrap pattern and removes persistent browser token storage: - macOS Dashboard now passes the Gateway token via URL fragment instead of query parameters. - macOS Dashboard no longer propagates the shared Gateway password into browser URLs. - Control UI keeps Gateway tokens in memory only for the current tab. - Control UI scrubs legacy persisted tokens from openclaw.control.settings.v1 on load. - Regression tests cover fragment transport, password omission, and token-scrubbing behavior. Fix Commit(s) - 10d0e3f3ca92326df0ca071fabffe463742f263c (March 7, 2026) Release Process Note npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package. Thanks @whiter6666 for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.3.2"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.3.7"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-03-08T14:26:54Z",
|
||
"updated": "2026-03-08T14:26:54Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-rchv-x836-w7xp"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rchv-x836-w7xp",
|
||
"nvd_url": null,
|
||
"cvss_score": 7.1,
|
||
"cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
|
||
"cwe_ids": [],
|
||
"credits": [
|
||
"whiter6666"
|
||
],
|
||
"aliases": [
|
||
"GHSA-rchv-x836-w7xp"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-474h-prjg-mmw3",
|
||
"ghsa_id": "GHSA-474h-prjg-mmw3",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "high",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-269",
|
||
"title": "Sandboxed sessionsspawn(runtime=\"acp\") bypassed sandbox inheritance and allowed host ACP initialization",
|
||
"description": "Summary Sandboxed sessionsspawn(runtime=\"acp\") could bypass sandbox inheritance and initialize host-side ACP runtime. The fix now fail-closes ACP spawn from sandboxed requester sessions and rejects sandbox=\"require\" for runtime=\"acp\". Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version at triage time: 2026.3.1 (March 2, 2026) - Vulnerable range: <=2026.3.1 - Patched release: 2026.3.2 (released) Technical Details - Root cause: runtime=\"subagent\" enforced sandbox inheritance, while runtime=\"acp\" did not enforce equivalent sandbox/runtime checks. - Security impact: sandbox-boundary bypass into host-side ACP initialization. - Fixed behavior: - deny ACP spawn when requester runtime is sandboxed - deny sessionsspawn with runtime=\"acp\", sandbox=\"require\" - align sandboxed prompt guidance to avoid advertising blocked ACP paths Fix Commit(s) - ac11f0af731d41743ba02d8595f4d0fe747336e3 - c703aa0fe92df9fb71cf254fc46991e05fba2114",
|
||
"affected": [
|
||
"openclaw@<=2026.3.1"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.3.2"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-03-03T04:14:22Z",
|
||
"updated": "2026-03-03T04:14:22Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-474h-prjg-mmw3"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-474h-prjg-mmw3",
|
||
"nvd_url": null,
|
||
"cvss_score": 8,
|
||
"cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
|
||
"cwe_ids": [
|
||
"CWE-269"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-474h-prjg-mmw3"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-v865-p3gq-hw6m",
|
||
"ghsa_id": "GHSA-v865-p3gq-hw6m",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-288",
|
||
"title": "Encoded-path auth bypass in plugin /api/channels route classification",
|
||
"description": "Summary (Updated March 2, 2026) Encoded alternate-path requests could bypass plugin route auth checks for /api/channels/ due to canonicalization depth mismatch in vulnerable builds. Affected Packages / Versions - Package: openclaw (npm) - Latest published vulnerable version: 2026.3.1 - Affected range: <= 2026.3.1 - Patched release: 2026.3.2 (patchedversions: = 2026.3.2) Technical Details In affected versions, plugin auth-path classification and route-path canonicalization could diverge for deeply encoded slash variants (for example multi-encoded %2f). That mismatch allowed alternate encoded paths to evade protected-prefix auth checks while still resolving to /api/channels/... in plugin route handling. The fix set hardens this class of issue by: - canonicalizing route paths to a bounded fixpoint, - failing closed on malformed or unresolved canonicalization depth, - requiring explicit plugin-route auth contracts (no implicit auth default), - enforcing route ownership/conflict guards for duplicate route registrations, and - using shared webhook route lifecycle registration to avoid stale/conflicting route surfaces. Affected Deployments Deployments exposing plugin HTTP routes and relying on gateway auth for /api/channels/ protection. Fix Commit(s) - 93b07240257919f770d1e263e1f22753937b80ea - 2fd8264ab03bd178e62a5f0c50d1c8556c17f12d - d74bc257d8432f17e50b23ae713d7e0623a1fe0f - 7a7eee920a176a0043398c6b37bf4cc6eb983eeb",
|
||
"affected": [
|
||
"openclaw@<= 2026.3.1"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.3.2"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-03-03T04:14:18Z",
|
||
"updated": "2026-03-03T04:14:18Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-v865-p3gq-hw6m"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v865-p3gq-hw6m",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-288"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-v865-p3gq-hw6m"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-2858-xg23-26fp",
|
||
"ghsa_id": "GHSA-2858-xg23-26fp",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "server_side_request_forgery",
|
||
"nvd_category_id": "CWE-918",
|
||
"title": "Node camera URL payload host-binding bypass allowed gateway fetch pivots",
|
||
"description": "Summary OpenClaw accepted camera.snap / camera.clip node payload url fields and downloaded them on the gateway/agent host without binding downloads to the resolved node host. In OpenClaw's documented trust model, paired nodes are in the same operator trust boundary, so this is scoped as medium-severity hardening. A malicious or compromised paired node could still steer gateway-host fetches during camera URL retrieval. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: = 2026.2.13 <= 2026.3.1 - Latest vulnerable published version at time of update: 2026.3.1 - Patched versions: = 2026.3.2 (released) Technical Details Vulnerable flows accepted URL payloads and downloaded directly from the provided URL: - src/cli/nodes-camera.ts (writeUrlToFile) fetched URL payloads without node-host binding. - src/cli/nodes-cli/register.camera.ts passed camera.snap / camera.clip payload URLs into that downloader. - src/agents/tools/nodes-tool.ts did the same for camerasnap / cameraclip tool actions. Impact A malicious/compromised paired node could cause gateway-host URL fetches to off-node destinations reachable from the host network. This could be used for internal network probing/fetch pivots in deployments where paired nodes are not fully trusted. Remediation The fix introduces fail-closed node-host binding and guarded fetch for camera URL payload downloads: - Require resolved node host metadata for URL payload downloads. - Enforce hostname match between payload URL and resolved node host. - Use SSRF-guarded fetch with redirect host/protocol checks. - Apply the same enforcement across CLI and agent tool camera paths. Fix Commit(s) - 3bf19d6f40a0aaa55818b96eede3d05130c02533",
|
||
"affected": [
|
||
"openclaw@>= 2026.2.13 <= 2026.3.1"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.3.2"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-03-03T04:14:15Z",
|
||
"updated": "2026-03-03T04:14:15Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-2858-xg23-26fp"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2858-xg23-26fp",
|
||
"nvd_url": null,
|
||
"cvss_score": 5.5,
|
||
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
|
||
"cwe_ids": [
|
||
"CWE-918"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-2858-xg23-26fp"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-8m9v-xpgf-g99m",
|
||
"ghsa_id": "GHSA-8m9v-xpgf-g99m",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "incorrect_authorization",
|
||
"nvd_category_id": "CWE-863",
|
||
"title": "Unauthorized sender bypass in stop triggers and /models command authorization",
|
||
"description": "Summary Unauthorized senders could trigger two command paths without sender authorization checks: 1. stop-like natural-language abort triggers 2. /models command output Impact An unauthorized sender could disrupt active sessions and view model/auth metadata that should be authorization-gated. Fix Sender authorization is now enforced for stop-like abort triggers and /models listings. Affected and Patched Versions - Affected: <= 2026.2.26 - Patched: 2026.3.1",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.26"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.3.1"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-03-02T05:46:05Z",
|
||
"updated": "2026-03-02T05:46:05Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-8m9v-xpgf-g99m"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8m9v-xpgf-g99m",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-863"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-8m9v-xpgf-g99m"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-7xmq-g46g-f8pv",
|
||
"ghsa_id": "GHSA-7xmq-g46g-f8pv",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-59",
|
||
"title": "Sandbox media TOCTOU could read files outside sandbox root",
|
||
"description": "Summary Sandbox media handling had a time-of-check/time-of-use gap: media paths could be validated first and read later through a separate path. A symlink retarget between those steps could cause reads outside sandboxRoot. Impact Affected versions could permit host file reads outside the intended sandbox root in media attachment/image flows. Fix Media reads now use consolidated root-scoped, boundary-safe read paths at use time, removing check/use drift across call sites. Affected and Patched Versions - Affected: <= 2026.2.26 - Patched: 2026.3.1",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.26"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.3.1"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-03-02T05:46:04Z",
|
||
"updated": "2026-03-02T05:46:04Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-7xmq-g46g-f8pv"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7xmq-g46g-f8pv",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-59",
|
||
"CWE-367"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-7xmq-g46g-f8pv"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-x82f-27x3-q89c",
|
||
"ghsa_id": "GHSA-x82f-27x3-q89c",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-59",
|
||
"title": "TOCTOU symlink race in writeFileWithinRoot could create or truncate files outside root boundaries",
|
||
"description": "Summary A symlink-retarget TOCTOU race in writeFileWithinRoot could point an attacker-controlled path alias outside the configured root between resolution and write operations. Impact Affected versions could cause out-of-root write side effects (including file creation or truncation) before final boundary validation. Fix Root-scoped write flow now opens existing files without pre-truncation, creates missing files with exclusive create semantics, truncates only after post-open identity/boundary checks, and removes out-of-root artifacts when a race is detected. Affected and Patched Versions - Affected: <= 2026.2.26 - Patched: 2026.3.1",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.26"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.3.1"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-03-02T05:46:04Z",
|
||
"updated": "2026-03-02T05:46:04Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-x82f-27x3-q89c"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-x82f-27x3-q89c",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-59",
|
||
"CWE-367"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-x82f-27x3-q89c"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-392f-ggf5-fp3c",
|
||
"ghsa_id": "GHSA-392f-ggf5-fp3c",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-176",
|
||
"title": "Unicode canonicalization drift in node metadata policy classification could broaden node allowlists",
|
||
"description": "Summary A paired node could supply Unicode-confusable platform or deviceFamily metadata that passed metadata pinning but classified differently for command policy resolution, broadening default node command allowlists. Impact This is a policy-bypass issue within the paired-node trust boundary and can expand node command availability beyond intended defaults. Fix Node metadata canonicalization was hardened against confusables, and unknown platform defaults were made conservative (excluding system.run and system.which unless explicitly allowlisted). Affected and Patched Versions - Affected: <= 2026.2.26 - Patched: 2026.3.1",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.26"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.3.1"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-03-02T05:46:02Z",
|
||
"updated": "2026-03-02T05:46:02Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-392f-ggf5-fp3c"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-392f-ggf5-fp3c",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-176",
|
||
"CWE-436"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-392f-ggf5-fp3c"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-gp3q-wpq4-5c5h",
|
||
"ghsa_id": "GHSA-gp3q-wpq4-5c5h",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "high",
|
||
"type": "incorrect_authorization",
|
||
"nvd_category_id": "CWE-863",
|
||
"title": "LINE group allowlist scope mismatch with DM pairing-store entries",
|
||
"description": "Summary In specific LINE configurations, sender IDs approved through DM pairing could also satisfy group allowlist checks when operators expected group sender access to be scoped only to explicit group allowlists. Affected Packages / Versions - Package: openclaw (npm) - Latest published version at triage/update time: 2026.2.25 - Affected: <= 2026.2.25 - Patched: = 2026.2.26 (planned next release) Impact This is a group-authorization scope mismatch. DM pairing-store entries could influence group sender authorization in allowlist mode. Technical Details Root cause: group allowlist composition inherited pairing-store entries intended for DM approvals. Under default DM pairing policy, a DM-paired sender could match group allowlist checks. Fixes on main: - isolate group allowlist composition from pairing-store entries - centralize shared DM/group allowlist composition to preserve DM-only pairing behavior - add regression coverage for LINE and Mattermost policy paths Fix Commit(s) - 8bdda7a651c21e98faccdbbd73081e79cffe8be0 - 892a9c24b0f6118729ab5b5f5499b1a7e792dd15 (follow-up refactor hardening) Release Process Note patchedversions is pre-set to = 2026.2.26 so once npm 2026.2.26 is published, this advisory can be published directly without additional version-field edits. Thanks @tdjackey for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.25"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.26"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-26T22:40:37Z",
|
||
"updated": "2026-02-26T22:40:37Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-gp3q-wpq4-5c5h"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gp3q-wpq4-5c5h",
|
||
"nvd_url": null,
|
||
"cvss_score": 7.1,
|
||
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
|
||
"cwe_ids": [
|
||
"CWE-863"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-gp3q-wpq4-5c5h"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-qcc4-p59m-p54m",
|
||
"ghsa_id": "GHSA-qcc4-p59m-p54m",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "high",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-59",
|
||
"title": "Sandbox dangling-symlink alias handling could bypass workspace-only write boundary",
|
||
"description": "Summary A sandbox boundary-validation gap in symlink alias handling allowed certain workspace-only write paths to be treated as in-boundary even when they could resolve outside the workspace/sandbox root. Affected Packages / Versions - Package: npm openclaw - Affected versions: <= 2026.2.25 - Latest published npm version included in affected range: 2026.2.25 (checked on February 26, 2026) - Patched version (pre-set for release): 2026.2.26 Technical Details In affected versions, dangling symlink hops could be accepted during boundary checks under missing-target conditions. For workspace-only write flows (including applypatch), this could allow writes to resolve outside the configured workspace/sandbox boundary. The fix resolves symlink targets through existing ancestors and fails closed when canonical resolution escapes the configured boundary. Impact - Boundary-confined write operations could be redirected outside the configured workspace/sandbox root. - Primary impact is integrity of host-side files reachable from that path resolution. Fix Commit(s) - 4fd29a35bb85a1898ebff518364c467058b50e14 Release Process Note patchedversions is pre-set to the planned next release (2026.2.26) so once npm 2026.2.26 is published, the advisory can be published without further field edits. Thanks @tdjackey for reporting.",
|
||
"affected": [
|
||
"openclaw@<=2026.2.25"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.26"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-26T22:40:37Z",
|
||
"updated": "2026-02-26T22:40:37Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-qcc4-p59m-p54m"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qcc4-p59m-p54m",
|
||
"nvd_url": null,
|
||
"cvss_score": 7,
|
||
"cvss_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
|
||
"cwe_ids": [
|
||
"CWE-59",
|
||
"CWE-367"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-qcc4-p59m-p54m"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-7qf6-h84j-8fq4",
|
||
"ghsa_id": "GHSA-7qf6-h84j-8fq4",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-367",
|
||
"title": "Microsoft Teams media fetch SSRF hardening: unified guarded fetch across Graph and attachment paths",
|
||
"description": "Impact Microsoft Teams media handling used mixed fetch paths for Graph metadata/content and attachment auth-retry flows. Some paths bypassed the shared SSRF guard model and created inconsistent host/DNS enforcement across redirect/fetch hops. Affected Packages / Versions - Package: openclaw (npm) - Latest published vulnerable version: 2026.2.25 - Affected range: <= 2026.2.25 - Planned patched version for next release: 2026.2.26 Technical Details The Microsoft Teams attachment/media code previously relied on plugin-local fetch behavior in parts of the flow, instead of uniformly using shared guarded fetch logic with pinned DNS + policy checks. This could allow policy drift and SSRF boundary inconsistency between channel/plugin paths. The fix unifies this path by: - routing Microsoft Teams Graph message/hosted-content/attachment fetches through shared SSRF-guarded fetch paths, - routing auth-scope fallback attachment downloads through the same guarded policy model, - centralizing hostname-suffix allowlist policy helpers in plugin-sdk so channel/plugins use the same allowlist normalization and policy construction behavior. Fix Commit(s) - 57334cd7d85174d5f951de01114fd5801b063564 Release Process Note patchedversions is pre-set to the planned next release (2026.2.26) so once npm openclaw@2026.2.26 is published, the advisory is ready to publish without further field edits. Thanks @tdjackey for reporting.",
|
||
"affected": [
|
||
"openclaw@<=2026.2.25"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.26"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-26T22:40:33Z",
|
||
"updated": "2026-02-26T22:40:33Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-7qf6-h84j-8fq4"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7qf6-h84j-8fq4",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-367",
|
||
"CWE-918"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-7qf6-h84j-8fq4"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-gcj7-r3hg-m7w6",
|
||
"ghsa_id": "GHSA-gcj7-r3hg-m7w6",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "low",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-294",
|
||
"title": "voice-call Twilio replay dedupe now bound to authenticated webhook identity",
|
||
"description": "Summary The voice-call Twilio webhook path accepted replay/dedupe identity from unsigned request metadata (i-twilio-idempotency-token), enabling replayed signed requests to bypass replay detection and manager dedupe by mutating only that header. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.25 (latest published npm version at triage time) - Fixed on main: commit 1aadf26f9acc399affabd859937a09468a9c5cb4 - Planned patched npm version: 2026.2.26 Impact Deployments using the optional voice-call Twilio webhook path could accept replayed webhook events as fresh events when an attacker had one valid signed request and changed only the unsigned idempotency header. Technical Details The fix removes unsigned-header trust from Twilio replay/dedupe identity and binds replay/manager dedupe to authenticated request material. It also threads a verified request identity through provider parsing so dedupe uses verification-derived identity rather than mutable headers. Fix Commit(s) - 1aadf26f9acc399affabd859937a09468a9c5cb4 Release Process Note patchedversions is pre-set to the planned next release (2026.2.26). After the npm release is published, this advisory can be published without additional version-field edits. Thanks @tdjackey for reporting.",
|
||
"affected": [
|
||
"openclaw@<=2026.2.25"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.26"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-26T22:40:32Z",
|
||
"updated": "2026-02-26T22:40:32Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-gcj7-r3hg-m7w6"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gcj7-r3hg-m7w6",
|
||
"nvd_url": null,
|
||
"cvss_score": 3.7,
|
||
"cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
|
||
"cwe_ids": [
|
||
"CWE-294",
|
||
"CWE-345"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-gcj7-r3hg-m7w6"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-f7ww-2725-qvw2",
|
||
"ghsa_id": "GHSA-f7ww-2725-qvw2",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-59",
|
||
"title": "Node system.run approval bypass via parent-symlink cwd rebind",
|
||
"description": "Summary For host=node executions, approval context could be bypassed after approval-time by rebinding a writable parent symlink in cwd while preserving the visible cwd string. Affected Packages / Versions - Package: openclaw (npm) - Affected: <= 2026.2.25 - Fixed: >= 2026.2.26 (planned next npm release) Impact A command approved for one filesystem location could execute from a different location if a mutable parent symlink changed between approval and execution. Fix - Added immutable approval-time plan preparation (system.run.prepare) and systemRunPlanV2 canonical fields (argv, cwd, agentId, sessionKey). - Enforced canonical plan values through approval request storage and forwarding-time sanitization. - Rejected mutable parent-symlink path components during approval-plan building to block symlink rebind bypass. - Follow-up refactors centralized command catalogs and approval context/error handling to reduce future drift. Fix Commit(s) - 78a7ff2d50fb3bcef351571cb5a0f21430a340c1 - d82c042b09727a6148f3ca651b254c4a677aff26 - d06632ba45a8482192792c55d5ff0b2e21abb0a7 - 4e690e09c746408b5e27617a20cb3fdc5190dbda - 4b4718c8dfce2e2c48404aa5088af7c013bed60b Release Process Note patchedversions is pre-set to the planned next release (2026.2.26). Once npm openclaw@2026.2.26 is published, publish this advisory directly without further version-field edits. Thanks @tdjackey for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.25"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.26"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-26T22:40:31Z",
|
||
"updated": "2026-02-26T22:40:31Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-f7ww-2725-qvw2"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f7ww-2725-qvw2",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-59",
|
||
"CWE-367"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-f7ww-2725-qvw2"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-j26j-7qc4-3mrf",
|
||
"ghsa_id": "GHSA-j26j-7qc4-3mrf",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-639",
|
||
"title": "MS Teams fileConsent/invoke missing conversation binding allowed cross-conversation pending-upload consumption",
|
||
"description": "Summary In openclaw MS Teams file-consent flow, pending uploads were authorized by uploadId alone. fileConsent/invoke did not verify the invoke conversation against the conversation that created the pending upload. Impact An attacker who obtained a valid uploadId within TTL could trigger cross-conversation upload completion (accept path) or cancel a victim pending upload (decline path). Technical Details - Pending uploads stored conversationId, but invoke handling consumed by uploadId only. - The invoke path did not enforce conversation binding before uploadToConsentUrl(...) and pending-upload removal. - Fix binds accept/decline handling to normalized conversation id match before consuming pending upload state. Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version (as of February 26, 2026): 2026.2.24 - Vulnerable range: <= 2026.2.24 - Patched in release: 2026.2.25 Remediation Upgrade to openclaw 2026.2.25 (or later) once published. Fix Commit(s) - 347f7b9550064f5f5b33c6e07f64e85b9657b6f1 Release Process Note patchedversions is pre-set to the release (2026.2.25). Advisory published with npm release 2026.2.25. Thanks @tdjackey for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.24"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.25"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-26T03:58:32Z",
|
||
"updated": "2026-02-26T03:58:32Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-j26j-7qc4-3mrf"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-j26j-7qc4-3mrf",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-639",
|
||
"CWE-862"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-j26j-7qc4-3mrf"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-xmv6-r34m-62p4",
|
||
"ghsa_id": "GHSA-xmv6-r34m-62p4",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "path_traversal",
|
||
"nvd_category_id": "CWE-22",
|
||
"title": "Sandbox media fallback tmp symlink alias bypass allows host file reads outside sandboxRoot",
|
||
"description": "Summary A sandbox path validation bypass in openclaw allows host file reads outside sandboxRoot via the media path fallback tmp flow when the fallback tmp root is a symlink alias. Affected Packages / Versions - Package: npm openclaw - Affected versions: <= 2026.2.24 - Latest published npm version at triage time (February 26, 2026): 2026.2.24 - Patched version: 2026.2.25 Details When /tmp/openclaw is unavailable or unsafe, resolvePreferredOpenClawTmpDir() in src/infra/tmp-openclaw-dir.ts fell back to os.tmpdir()/openclaw-<uid> without verifying that fallback path was a trusted non-symlink directory. resolveSandboxedMediaSource() (src/agents/sandbox-paths.ts) allows absolute tmp media paths under the OpenClaw tmp root using lexical containment and alias checks. If the fallback tmp root is a symlink alias (for example to /), inputs like $TMPDIR/openclaw-<uid>/etc/passwd can pass validation and resolve to host files outside sandboxRoot. Impact This can break sandbox media path confinement and permit unauthorized host file reads (confidentiality impact). Reproduction (high level) 1. Force resolver fallback (make /tmp/openclaw unavailable/invalid). 2. Make fallback root ($TMPDIR/openclaw-<uid>) a symlink alias to /. 3. Submit media path under fallback root (for example $TMPDIR/openclaw-<uid>/etc/passwd). 4. Observe accepted path and read outside sandboxRoot. Fix Commit(s) - 496a76c03ba85e15ea715e5a583e498ae04d36e3 Release Process Note Patched version is pre-set to release 2026.2.25; once npm publish for 2026.2.25 is complete, this advisory can be published without further metadata edits. Thanks @tdjackey for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.24"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.25"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-26T03:58:31Z",
|
||
"updated": "2026-02-26T03:58:31Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-xmv6-r34m-62p4"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xmv6-r34m-62p4",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-22",
|
||
"CWE-59"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-xmv6-r34m-62p4"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-3jx4-q2m7-r496",
|
||
"ghsa_id": "GHSA-3jx4-q2m7-r496",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "high",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-59",
|
||
"title": "Hardlink alias checks could bypass workspace-only file boundaries in specific configurations",
|
||
"description": "Summary In certain workspace-restricted configurations, OpenClaw could follow hardlink aliases inside the workspace that reference files outside the workspace boundary. By default, tools.fs.workspaceOnly is off. This primarily affects deployments that intentionally enable workspace-only filesystem restrictions (and workspace-only applypatch checks). Impact - Confidentiality: out-of-workspace files could be read through in-workspace hardlink aliases. - Integrity: out-of-workspace files could be modified through in-workspace hardlink aliases. Affected Packages / Versions - Package: openclaw (npm) - Latest published version at triage time: 2026.2.24 - Affected range: <= 2026.2.24 - Planned patched version: 2026.2.25 Fix Commit(s) - 04d91d0319b82fd4de91ed05e9fc5219ff2ab64e (main) Remediation OpenClaw now rejects hardlinked final-file aliases during workspace boundary validation for: - workspace-only path checks (read / write / edit) - workspace-only applypatch read/write paths - sandbox mount-root path-safety checks Regression tests were added for applypatch, workspace fs tools, and sandbox fs bridge hardlink alias escapes. Release Process Note patchedversions is pre-set to the release (2026.2.25) so the advisory can be published after npm release with no further version-field edits. Thanks @tdjackey for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.24"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.25"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-26T03:58:27Z",
|
||
"updated": "2026-02-26T03:58:27Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-3jx4-q2m7-r496"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3jx4-q2m7-r496",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-59",
|
||
"CWE-668"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-3jx4-q2m7-r496"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-qj22-xqjr-v83v",
|
||
"ghsa_id": "GHSA-qj22-xqjr-v83v",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "incorrect_authorization",
|
||
"nvd_category_id": "CWE-863",
|
||
"title": "Telegram messagereaction authorization bypass allows unauthorized system-event injection",
|
||
"description": "A missing sender-authorization check in Telegram messagereaction handling allowed unauthorized users to trigger reaction-derived system events. Affected Packages / Versions - Package: openclaw (npm) - Introduced: 2026.2.17 - Affected: >= 2026.2.17 and <= 2026.2.24 - Latest published at patch time: 2026.2.24 - Patched in release: 2026.2.25 Impact When reaction notifications are enabled, unauthorized Telegram senders could inject reaction system events despite configured DM/group authorization controls (dmPolicy, allowFrom, groupPolicy, groupAllowFrom). Fix Commit(s) - e56b0cf1a04f992ac6ebc775899f48ea31687640 Release Process Note patchedversions is pre-set to the release (2026.2.25) so once npm release 2026.2.25 is published, this advisory can be published without further edits. Thanks @tdjackey for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.24"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.25"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-26T03:58:21Z",
|
||
"updated": "2026-02-26T03:58:21Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-qj22-xqjr-v83v"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qj22-xqjr-v83v",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-863"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-qj22-xqjr-v83v"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-h97f-6pqj-q452",
|
||
"ghsa_id": "GHSA-h97f-6pqj-q452",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "low",
|
||
"type": "server_side_request_forgery",
|
||
"nvd_category_id": "CWE-918",
|
||
"title": "IPv6 multicast SSRF classifier bypass",
|
||
"description": "Summary OpenClaw's SSRF IP classifier did not treat IPv6 multicast literals (ff00::/8) as blocked/private-internal. This allowed literal multicast hosts to pass SSRF preflight checks. Impact A bypass in address classification existed for IPv6 multicast literals. OpenClaw's network fetch/navigation paths are constrained to HTTP/HTTPS and this was triaged as low-severity defense-in-depth hardening. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.24 - Patched versions: >= 2026.2.25 Technical Details The IPv6 private/internal range set omitted multicast, so addresses like ff02::1 and ff05::1:3 were not classified as blocked by the shared SSRF classifier. Fix Commit(s) - baf656bc6fd7f83b6033e6dbc2548ec75028641f Release Process Note patchedversions is pre-set to the planned next npm release (2026.2.25). Once that release is published on npm, the advisory is published. Thanks @zpbrent for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.24"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.25"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-26T03:58:14Z",
|
||
"updated": "2026-02-26T03:58:14Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-h97f-6pqj-q452"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h97f-6pqj-q452",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-918"
|
||
],
|
||
"credits": [
|
||
"zpbrent"
|
||
],
|
||
"aliases": [
|
||
"GHSA-h97f-6pqj-q452"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-9f72-qcpw-2hxc",
|
||
"ghsa_id": "GHSA-9f72-qcpw-2hxc",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "high",
|
||
"type": "exposure_of_sensitive_information",
|
||
"nvd_category_id": "CWE-200",
|
||
"title": "Native prompt image auto-load did not honor tools.fs.workspaceOnly in sandboxed runs",
|
||
"description": "Summary In sandboxed runs, native prompt image auto-load did not honor tools.fs.workspaceOnly=true. This optional hardening setting is not enabled by default. When operators enabled it, prompt text could still reference mounted out-of-workspace image paths (for example /agent/secret.png) and load those image bytes for vision-capable model input. Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version at triage time: 2026.2.23 - Vulnerable version range: <= 2026.2.23 - Patched version (planned next release): 2026.2.24 Conditions Required This issue required all of the following: - sandbox mode enabled, - tools.fs.workspaceOnly=true configured, - an out-of-workspace mount path reachable from the sandbox (for example /agent), - vision-capable model path active for native prompt image loading. Technical Details Native prompt image ingestion (detectAndLoadPromptImages / loadImageFromRef) resolved and read sandbox paths but did not apply the same workspace-root assertion used by file tools when tools.fs.workspaceOnly was set. Fix Commit(s) - 370d115549c0dadace0902775eea0d5094aedfdc Verification - pnpm check - pnpm exec vitest run --config vitest.gateway.config.ts - pnpm test:fast Release Process Note patchedversions is pre-set to the planned next release (2026.2.24) so once npm release is available, this advisory only needs publish action. Thanks @tdjackey for reporting. Publication Update (2026-02-25) openclaw@2026.2.24 is published on npm and contains the fix commit(s) listed above. This advisory now marks >= 2026.2.24 as patched.",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.23"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.24"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-25T04:37:41Z",
|
||
"updated": "2026-02-25T04:37:41Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-9f72-qcpw-2hxc"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9f72-qcpw-2hxc",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-200",
|
||
"CWE-284"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-9f72-qcpw-2hxc"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-h656-5vcf-cm23",
|
||
"ghsa_id": "GHSA-h656-5vcf-cm23",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "improper_access_control",
|
||
"nvd_category_id": "CWE-284",
|
||
"title": "Telegram: Unauthorized Senders Trigger Media Download and Disk Write Before Access Check",
|
||
"description": "Impact In Telegram DM mode, inbound media was downloaded and written to disk before sender authorization checks completed. An unauthorized sender could trigger inbound media download/write activity (including media groups) even when DM access should be denied. Affected Packages / Versions - Package: openclaw (npm) - Latest published version currently affected: 2026.2.23 - Vulnerable range: <= 2026.2.23 - Patched in planned next release: 2026.2.24 Fix Commit(s) - 9514201fb9b51de5d0b23151110d0ff5d9c8bd67 Technical Details The Telegram handler flow now enforces DM authorization before media download/write paths execute, including media-group handling. Inbound channel activity tracking was also moved to run after DM authorization in the Telegram message context path. Release Process Note patchedversions is pre-set to the planned next release (2026.2.24). After npm publish, the advisory can be published without further version-field edits. Thanks @v8hid for reporting. Publication Update (2026-02-25) openclaw@2026.2.24 is published on npm and contains the fix commit(s) listed above. This advisory now marks >= 2026.2.24 as patched.",
|
||
"affected": [
|
||
"openclaw@<=2026.2.23"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.24"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-25T04:37:39Z",
|
||
"updated": "2026-02-25T04:37:39Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-h656-5vcf-cm23"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h656-5vcf-cm23",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-284",
|
||
"CWE-404",
|
||
"CWE-406",
|
||
"CWE-770"
|
||
],
|
||
"credits": [
|
||
"v8hid"
|
||
],
|
||
"aliases": [
|
||
"GHSA-h656-5vcf-cm23"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-33hm-cq8r-wc49",
|
||
"ghsa_id": "GHSA-33hm-cq8r-wc49",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "path_traversal",
|
||
"nvd_category_id": "CWE-22",
|
||
"title": "Temporary path handling could write outside OpenClaw temp boundary",
|
||
"description": "Summary Sandbox media local-path validation accepted absolute paths under host tmp, even when those paths were outside the active sandbox root. Affected Packages / Versions - Package: openclaw (npm) - Latest published version verified during triage: 2026.2.23 - Affected versions: <= 2026.2.23 - Patched versions (planned next release): >= 2026.2.24 Details In affected versions, sandbox media path resolution allowed absolute host tmp paths as trusted media inputs when they were under os.tmpdir(), without requiring that the path stay within the active sandboxRoot. Because outbound attachment hydration consumed these paths as already validated, this enabled out-of-sandbox host tmp file reads and exfiltration through attachment delivery. Impact - Confidentiality impact: high for deployments relying on sandboxRoot as a strict local filesystem boundary. - Practical impact: attacker-controlled media references could read and attach host tmp files outside the sandbox workspace boundary. Remediation - Restrict sandbox tmp-path acceptance to OpenClaw-managed temp roots only. - Default SDK/extension temp helpers to OpenClaw-managed temp roots. - Add CI guardrails to prevent broad tmp-root regressions in messaging/channel code paths. Fix Commit(s) - d3da67c7a9b463edc1a9b1c1f7af107a34ca32f5 - 79a7b3d22ef92e36a4031093d80a0acb0d82f351 - def993dbd843ff28f2b3bad5cc24603874ba9f1e Release Process Note The advisory is pre-set with patched version 2026.2.24 so it is ready for publication once that npm release is available. Thanks @tdjackey for reporting. Publication Update (2026-02-25) openclaw@2026.2.24 is published on npm and contains the fix commit(s) listed above. This advisory now marks >= 2026.2.24 as patched.",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.23"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.24"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-25T04:37:35Z",
|
||
"updated": "2026-02-25T04:37:35Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-33hm-cq8r-wc49"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-33hm-cq8r-wc49",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-22",
|
||
"CWE-284"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-33hm-cq8r-wc49"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-534w-2vm4-89xr",
|
||
"ghsa_id": "GHSA-534w-2vm4-89xr",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "improper_access_control",
|
||
"nvd_category_id": "CWE-284",
|
||
"title": "Zalo group sender allowlist bypass permits unauthorized GROUP dispatch",
|
||
"description": "A missing group-sender authorization check in the Zalo plugin allowed unauthorized GROUP messages to enter agent dispatch paths in configurations intended to restrict group traffic. Impact When Zalo group handling was configured with allowlist-style controls, a sender not present in the intended group allowlist could still trigger agent processing through the GROUP message path. Root Cause Group access checks were not consistently enforced before dispatch for Zalo GROUP messages. The fix adds explicit runtime group-policy evaluation (groupPolicy, groupAllowFrom, fallback to allowFrom) and fail-closed behavior for missing provider config. Affected Packages / Versions - Package: openclaw (npm) - Latest published vulnerable version: 2026.2.23 (as of 2026-02-24) - Affected range: <= 2026.2.23 - Planned patched version: 2026.2.24 Fix Commit(s) - b4010a0b627025c809c0e5dbdbd4770f3bc59ef8 Release Process Note patchedversions is pre-set to the planned next release (2026.2.24). Once that npm release is published, this advisory should only need to be published. Thanks @tdjackey for reporting. Publication Update (2026-02-25) openclaw@2026.2.24 is published on npm and contains the fix commit(s) listed above. This advisory now marks = 2026.2.24 as patched.",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.23"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.24"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-25T04:37:33Z",
|
||
"updated": "2026-02-25T04:37:33Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-534w-2vm4-89xr"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-534w-2vm4-89xr",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-284",
|
||
"CWE-863"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-534w-2vm4-89xr"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-r294-2894-92j3",
|
||
"ghsa_id": "GHSA-r294-2894-92j3",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "cross_site_scripting",
|
||
"nvd_category_id": "CWE-79",
|
||
"title": "Stored XSS in exported session HTML viewer via markdown/raw-HTML rendering",
|
||
"description": "Summary The exported session HTML viewer allowed stored XSS when untrusted session content included raw HTML markdown tokens or unescaped metadata fields. Impact Opening a crafted exported HTML session could execute attacker-controlled JavaScript in the viewer context. This can expose session content in the page and enable phishing or UI spoofing in the trusted export view. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.22-2 - Patched version (released): = 2026.2.23 Technical Details The exporter rendered markdown with marked.parse(...) and inserted HTML via innerHTML, but did not override the html renderer token path. Raw HTML (for example <img ... onerror=...) was passed through. Additional tree/header metadata fields were interpolated without escaping in the export template. Reproduction 1. Create a session containing content like <img src=x onerror=alert(1). 2. Export the session to HTML. 3. Open the exported file. 4. Observe script execution from injected content. Remediation - Added a marked html(token) renderer override that escapes raw HTML tokens. - Escaped previously unescaped tree/header metadata fields in the export template. - Added image MIME sanitization for exported data-URL image rendering. - Added regression tests for markdown/token and metadata escaping paths. Fix Commit(s) - f8524ec77a3999d573e6c6b8a5055bf35c49a2e6 Release Process Note patchedversions is pre-set to the released version (= 2026.2.23). This advisory now reflects released fix version 2026.2.23. Thanks @allsmog for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.22-2"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.23"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-24T05:27:23Z",
|
||
"updated": "2026-02-24T05:27:23Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-r294-2894-92j3"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-r294-2894-92j3",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-79"
|
||
],
|
||
"credits": [
|
||
"allsmog"
|
||
],
|
||
"aliases": [
|
||
"GHSA-r294-2894-92j3"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-7ff8-xjh3-mgh6",
|
||
"ghsa_id": "GHSA-7ff8-xjh3-mgh6",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-266",
|
||
"title": "non-default autoAllowSkills setting could bypass on-miss exec prompt",
|
||
"description": "Summary In openclaw versions up to and including 2026.2.22-2, a non-default exec-approval configuration could allow a skill-name collision to bypass an ask=on-miss prompt. When autoAllowSkills=true, a path-scoped executable such as ./skill-bin could resolve to basename skill-bin, satisfy the skills allowlist segment, and run without prompting for approval. Affected Packages / Versions - Package: npm openclaw - Affected versions: <= 2026.2.22-2 - Patched versions: = 2026.2.23 (released) Configuration Scope (Not Default) This behavior requires non-default settings and does not affect default installs. Required conditions: - autoAllowSkills=true (default is false) - system.run with security=allowlist - ask=on-miss Technical Details The allowlist evaluator accepted skills satisfaction by bin-name match, so ./skill-bin could match skillBins.has(\"skill-bin\") after resolution. The fix hardens skill auto-allow matching by requiring: - a pathless invocation token (no / or \\\\), and - a trusted resolved executable path for that skill bin on the machine where skills run. This preserves normal skill-bin ... behavior while preventing ./<skill-bin and absolute-path basename collisions from auto-satisfying skills. Impact In affected non-default configurations, approval prompts could be skipped for commands that should have required operator confirmation. Fix Commit(s) - ffd63b7a2c4c6d5aeb4710ef951d5794ad7ad77b (fix(security): trust resolved skill-bin paths in allowlist auto-allow) Release Process Note patchedversions is pre-set to the released version (2026.2.23) This advisory now reflects released fix version 2026.2.23. Thanks @tdjackey for reporting.",
|
||
"affected": [
|
||
"openclaw@<=2026.2.22-2"
|
||
],
|
||
"patched": [
|
||
"openclaw@>=2026.2.23"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-24T05:27:21Z",
|
||
"updated": "2026-02-24T05:27:21Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-7ff8-xjh3-mgh6"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7ff8-xjh3-mgh6",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-266",
|
||
"CWE-863"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-7ff8-xjh3-mgh6"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-2j9j-gf59-p4p5",
|
||
"ghsa_id": "GHSA-2j9j-gf59-p4p5",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "low",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": null,
|
||
"title": "iOS deep link (openclaw://agent) can trigger gateway agent requests without local confirmation",
|
||
"description": "Summary A crafted openclaw://agent deep link could cause OpenClaw iOS to forward an agent.request event to a connected Gateway without local confirmation on iOS. Affected Packages / Versions - Advisory package metadata: openclaw (swift ecosystem). - Latest published npm openclaw at triage time: 2026.2.22-2. - Affected practical surface: internal preview iOS builds only (not publicly distributed). - Structured advisory range is set to <= 2026.2.22-2 and patched version is pre-set to 2026.2.23 and is now public. Impact - External deep-link trigger could cause unintended agent action initiation in an already-connected iOS node context. - This is a user-interaction deep-link abuse issue, not unauthenticated server takeover. - Severity is set to Low because iOS distribution is internal preview/super-alpha and not public/TestFlight release. Remediation The iOS deep-link path now requires local confirmation unless a trusted deep-link key is provided, and unkeyed deep links have delivery-routing fields stripped before submission. Fix Commit(s) - ff4e6ca0d942ef52330dcbe116321ae4fed21749 Release Process Note patchedversions is pre-set to the released version (2026.2.23). This advisory now reflects released fix version 2026.2.23. Thanks @GCXWLP for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.22-2"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.2.23"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-24T05:27:20Z",
|
||
"updated": "2026-02-24T05:27:20Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-2j9j-gf59-p4p5"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2j9j-gf59-p4p5",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [],
|
||
"credits": [
|
||
"GCXWLP"
|
||
],
|
||
"aliases": [
|
||
"GHSA-2j9j-gf59-p4p5"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-6x2m-hqfw-hvpj",
|
||
"ghsa_id": "GHSA-6x2m-hqfw-hvpj",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-285",
|
||
"title": "Node exec approvals could be replayed across nodes",
|
||
"description": "Summary exec.approval requests for host=node were not explicitly bound to the target nodeId, so an approval intended for one node could be replayed for a different node under the same operator-controlled gateway fleet. Impact An operator approval for a system.run request could be reused across nodes if the request payload did not carry node identity through approval and execution checks. Affected Packages / Versions - Package: openclaw (npm) - Affected: <= 2026.2.22-2 - Fixed: 2026.2.23 (released) Mitigation Upgrade to 2026.2.23 or later once published. Fix Details The fix requires and persists nodeId for host=node approval requests and rejects execution when the approving node binding does not match the invoking node. Fix Commit(s) - 4a3f8438e527ac371a67fe7ac68a287f0dbe6063 Release Process Note patchedversions is pre-set to the released version (2026.2.23). This advisory now reflects released fix version 2026.2.23. Thanks @tdjackey for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.22-2"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.23"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-24T05:27:18Z",
|
||
"updated": "2026-02-24T05:27:18Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-6x2m-hqfw-hvpj"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6x2m-hqfw-hvpj",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-285",
|
||
"CWE-863"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-6x2m-hqfw-hvpj"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-2ch6-x3g4-7759",
|
||
"ghsa_id": "GHSA-2ch6-x3g4-7759",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-639",
|
||
"title": "commands.allowFrom sender authorization accepted conversation identifiers via ctx.From",
|
||
"description": "Summary commands.allowFrom is documented as a sender authorization allowlist for commands/directives, but command authorization could include ctx.From (conversation identity) as a sender candidate. When commands.allowFrom contained conversation-like identifiers (for example Discord channel:<id or WhatsApp group JIDs), command/directive authorization could be granted to participants in that conversation instead of only the intended sender identity. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.22-2 - Patched version: 2026.2.23 (released) Details Root cause: resolveSenderCandidates() in src/auto-reply/command-auth.ts always included ctx.From in candidate evaluation used by commands.allowFrom authorization checks. ctx.From is sender-like in some direct-message contexts, but conversation-like in channel/group/thread contexts. This mixed principal handling allowed conversation identifiers to satisfy sender-only authorization. Impact In affected versions, command/directive authorization could become broader than intended when operators configured commands.allowFrom with conversation identifiers, allowing unintended users in that conversation to run command-only/directive-only flows. Fix Main branch now treats commands.allowFrom as sender-only: - ctx.From is no longer included as a general sender candidate. - ctx.From is only used as fallback when sender fields are absent and the value is not conversation-shaped. - Regression tests were added for conversation-id denial and direct-message fallback preservation. Fix Commit(s) - 08e2aa44e78a9c946d97bea62304e6f533b8fa8e Release Process Note patchedversions is pre-set to the released version (2026.2.23). This advisory now reflects released fix version 2026.2.23. Thanks @jiseoung for reporting.",
|
||
"affected": [
|
||
"openclaw@<=2026.2.22-2"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.2.23"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-24T05:27:15Z",
|
||
"updated": "2026-02-24T05:27:15Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-2ch6-x3g4-7759"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2ch6-x3g4-7759",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-639"
|
||
],
|
||
"credits": [
|
||
"jiseoung"
|
||
],
|
||
"aliases": [
|
||
"GHSA-2ch6-x3g4-7759"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-796m-2973-wc5q",
|
||
"ghsa_id": "GHSA-796m-2973-wc5q",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "high",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-436",
|
||
"title": "exec allowlist/safeBins policy-runtime mismatch via env -S wrapper interpretation",
|
||
"description": "Summary tools.exec allowlist/safe-bins evaluation could diverge from runtime execution for wrapper commands using GNU env -S/--split-string semantics. This allowed policy checks to treat a command as a benign safe-bin invocation while runtime executed a different payload. Affected Packages / Versions - Package: openclaw (npm) - Vulnerable versions: <= 2026.2.22-2 (latest currently published npm version) - Patched version (released): 2026.2.23 Impact An attacker able to influence tool command text (for example via untrusted prompt/content injection reaching an exec-capable flow) could bypass allowlist/safe-bins intent and execute unexpected commands. Technical Details Root cause was policy/runtime interpretation mismatch for dispatch wrappers: - analysis resolved an effective executable from wrapper-unwrapped argv, - execution could still run original wrapper argv semantics, - safe-bin short-flag handling also allowed unknown short options in clusters. Remediation The fix hardens exec approvals to fail closed and enforce analysis/runtime parity: - introduce wrapper execution planning with semantic-wrapper blocking, - carry planned effectiveArgv + policyBlocked metadata through resolution, - evaluate allowlist/safe-bins against planned argv, - enforce canonical rebuilt shell command from planned argv for allowlist auto-paths, - use planned argv for node-host/mac exec-host invocation paths, - reject unknown short safe-bin flags, - add regression tests for semantic env wrappers and parity fixtures. Fix Commit(s) - a1c4bf07c6baad3ef87a0e710fe9aef127b1f606 Release Process Note patchedversions is pre-set to the released version (2026.2.23). Patched in 2026.2.23 and published. Thanks @jiseoung for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.22-2"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.23"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-24T05:27:14Z",
|
||
"updated": "2026-02-24T05:27:14Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-796m-2973-wc5q"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-796m-2973-wc5q",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-436"
|
||
],
|
||
"credits": [
|
||
"jiseoung"
|
||
],
|
||
"aliases": [
|
||
"GHSA-796m-2973-wc5q"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-8j9w-9pm5-pv8m",
|
||
"ghsa_id": "GHSA-8j9w-9pm5-pv8m",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-184",
|
||
"title": "DUPLICATE of GHSA-3c6h-g97w-fg78: safeBins denied flags can be bypassed via GNU long-option abbreviations",
|
||
"description": "Duplicate Notice This draft advisory duplicates GHSA-3c6h-g97w-fg78. Canonical advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-3c6h-g97w-fg78 Use GHSA-3c6h-g97w-fg78 for tracking/publication. This advisory is published as a duplicate notice. Summary OpenClaw safeBins argument validation allowed denied flags to be bypassed via GNU long-option abbreviations. The validator matched denied long flags by exact string and treated unknown long options as allowed, creating a policy/runtime mismatch: commands could be approved as safe-bin usage while runtime behavior reached denied options. Impact - Default safe-bin wc: unauthorized file-read behavior via abbreviated --files0-fro (runtime resolves to --files0-from). - Configured safe-bin sort: external program invocation via abbreviated --compress-prog (runtime resolves to --compress-program). - Additional hardening gap: unknown or ambiguous long options in safe-bin mode were not rejected fail-closed. Technical Details Affected paths included safe-bin argv validation and allowlist evaluation: - src/infra/exec-safe-bin-policy.ts - src/infra/exec-approvals-allowlist.ts Affected Packages / Versions - Ecosystem: npm - Package: openclaw - Affected versions: <= 2026.2.22-2 - Fixed in code on main: 2026.2.23 (released) Remediation - Canonicalize long options using GNU-style unique-prefix matching. - Reject unknown and ambiguous long options in safe-bin mode (fail-closed). - Reject inline values for non-value long flags. - Deny additional sort filesystem-dependent flags in safe-bin mode: --random-source, --temporary-directory, -T. - Add regression tests for denied-flag abbreviations and fail-closed long-option handling. Fix Commit(s) - 3b8e33037ae2e12af7beb56fcf0346f1f8cbde6f Release Process Note Patched in 2026.2.23 and published. Thanks @jiseoung for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.22-2"
|
||
],
|
||
"patched": [
|
||
"openclaw@>=2026.2.23"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-24T05:27:13Z",
|
||
"updated": "2026-02-24T05:27:13Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-8j9w-9pm5-pv8m"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8j9w-9pm5-pv8m",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-184"
|
||
],
|
||
"credits": [
|
||
"jiseoung"
|
||
],
|
||
"aliases": [
|
||
"GHSA-8j9w-9pm5-pv8m"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-4cqv-h74h-93j4",
|
||
"ghsa_id": "GHSA-4cqv-h74h-93j4",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "improper_authentication",
|
||
"nvd_category_id": "CWE-287",
|
||
"title": "Discord allowFrom slug-collision authorization bypass",
|
||
"description": "OpenClaw supports Discord allowlists using either user IDs or names/tags. Name/tag matching depends on slug normalization, so different user tags can collide to the same slug and unintentionally satisfy a name-based allowlist entry. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.21-2 - Patched versions: = 2026.2.22 What Changed - openclaw security audit now warns on Discord name/tag allowlist entries (DM allowlists, guild/channel users, and pairing-store entries). - Runtime authorization now prefers resolved user IDs when a configured name/tag can be resolved, without rewriting config files on disk. - Name-based entries remain supported for compatibility. Recommendations - Prefer stable Discord user IDs for security-sensitive allowlists. - Run openclaw security audit and address warnings where practical. Fix Commit(s) - f97c45c5b5e0698b6667bb5f6badc0cac7dabd12 - 747bb581b3f2264495e1fec5a0727d9f2ca1b6f1 Release Process Note Patched version fields now point to 2026.2.22 and fixes are merged on main. Thanks @tdjackey for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.21-2"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.22"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-23T00:52:17Z",
|
||
"updated": "2026-02-23T00:52:17Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-4cqv-h74h-93j4"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4cqv-h74h-93j4",
|
||
"nvd_url": null,
|
||
"cvss_score": 6.5,
|
||
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
|
||
"cwe_ids": [
|
||
"CWE-287"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-4cqv-h74h-93j4"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-jxrq-8fm4-9p58",
|
||
"ghsa_id": "GHSA-jxrq-8fm4-9p58",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-59",
|
||
"title": "Zip extraction symlink traversal could write outside destination",
|
||
"description": "Summary A path confinement bypass in OpenClaw ZIP extraction allowed writes outside the intended destination when a pre-existing symlink was present under the extraction root. Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version at triage time: 2026.2.21-2 - Affected versions: <= 2026.2.21-2 - Planned patched version for next release: 2026.2.22 Technical Details The vulnerable path was in src/infra/archive.ts ZIP extraction logic. Output-path checks were lexical, but writes could still traverse an existing symlink in destination path segments. The fix blocks this by: - rejecting symlink traversal in destination path segments, - validating resolved destination paths remain inside the extraction root, - using no-follow file opens for ZIP output writes where supported, - adding a regression test for pre-seeded destination symlink traversal. Impact - Type: Arbitrary file write outside extraction root via symlink traversal during ZIP extraction. - Preconditions: attacker-controlled archive extraction plus pre-existing symlink in destination path. Fix Commit(s) - 4b226b74f5fd3b106a83a6347fd404172e2fd246 Release Process Note Patched version is pre-set to the planned next release (2026.2.22). Once npm release 2026.2.22 is published, the advisory can be published without further field edits. Thanks @tdjackey for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.21-2"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.22"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-23T00:52:17Z",
|
||
"updated": "2026-02-23T00:52:17Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-jxrq-8fm4-9p58"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jxrq-8fm4-9p58",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-59"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-jxrq-8fm4-9p58"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-jwf4-8wf4-jf2m",
|
||
"ghsa_id": "GHSA-jwf4-8wf4-jf2m",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "incorrect_authorization",
|
||
"nvd_category_id": "CWE-863",
|
||
"title": "BlueBubbles (optional plugin) pairing/allowlist mismatch when allowFrom is empty",
|
||
"description": "Summary BlueBubbles is an optional OpenClaw channel plugin. A configuration-sensitive access-control mismatch allowed DM senders to be treated as authorized when dmPolicy was pairing or allowlist and allowFrom was empty/unset. Severity Rationale (Medium) Severity is set to medium because: - this affects an optional plugin, not core messaging surfaces; - many deployments use owner-controlled/private BlueBubbles identities with limited external reachability; - practical exploitability depends on an untrusted sender being able to reach that specific BlueBubbles account identifier. In typical personal/self-hosted BlueBubbles setups, the mapped Apple identity is single-owner and not broadly reachable, so this is usually low practical risk. Risk is higher in deployments where the identifier is publicly reachable and/or agent tool permissions are broad. Technical Details 1. BlueBubbles DM policy defaults to pairing (dmPolicy ?? \"pairing\"). 2. Effective allowlist can be empty (effectiveAllowFrom). 3. DM/reaction authorization called isAllowedBlueBubblesSender(...). 4. That delegated to shared isAllowedParsedChatSender(...), which previously returned true for empty allowlists. 5. Result: unknown senders could bypass intended pairing/allowlist gating when allowFrom was empty. Affected Packages / Versions - Package: openclaw (npm) - Vulnerable versions: <= 2026.2.21-2 - Planned fixed version: 2026.2.22 Fix The shared parsed-chat allowlist helper now fails closed on empty allowlists, restoring expected BlueBubbles DM gating behavior. BlueBubbles inbound gating was also refactored to use one shared DM/group decision helper for both message and reaction paths to reduce future drift. Fix Commit(s) - 9632b9bcf032c5f2280c3103961fde912ab1f920 - 2ba6de7eaad812e5e8603018e14e54e96bdd57dd - 51c0893673de8e5cea64e64351dbfa4680ba0dec - 4540790cb62412676f7b61cfc6e47443f84a251e Release Process Note patchedversions is pre-set to the planned next release (2026.2.22). 
Once npm release 2026.2.22 is published, this advisory is ready to publish without additional field edits. Thanks @tdjackey for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.21-2"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.2.22"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-23T00:52:16Z",
|
||
"updated": "2026-02-23T00:52:16Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-jwf4-8wf4-jf2m"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jwf4-8wf4-jf2m",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-863"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-jwf4-8wf4-jf2m"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-659f-22xc-98f2",
|
||
"ghsa_id": "GHSA-659f-22xc-98f2",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "code_injection",
|
||
"nvd_category_id": "CWE-94",
|
||
"title": "Hook transform path containment missed symlink-resolved escapes",
|
||
"description": "Vulnerability Webhook transform modules were validated with lexical path checks only. A symlink under the allowed hooks transform tree could resolve outside the intended directory and be dynamically imported. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.21-2 - Patched version (planned next release): 2026.2.22 Impact When an attacker can cause a transform module path to reference a symlinked entry that resolves outside the trusted transform directory, the gateway may import and execute unintended JavaScript with gateway-process privileges. Attack Preconditions - Hook transforms are enabled and reachable. - Attacker can influence transform path resolution (for example via privileged config access and/or writable filesystem path in the transform tree). - A symlink escape exists to attacker-controlled code. Remediation - Enforce realpath-aware containment for existing path ancestors before dynamic import. - Keep lexical containment checks for traversal and absolute-path escapes. - Add regression coverage for: - transform module symlink escape rejection, - hooks.transformsDir symlink escape rejection, - in-root symlink allow-case. Fix Commit(s) - f4dd0577b055f77af783105bd65eae32f3d5e6a1 Release Process Note patchedversions is pre-set to the planned next release (2026.2.22). After npm release is published, advisory publication can proceed without further version edits. Thanks @aether-ai-agent for reporting.",
|
||
"affected": [
|
||
"openclaw@<=2026.2.21-2"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.2.22"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-23T00:52:09Z",
|
||
"updated": "2026-02-23T00:52:09Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-659f-22xc-98f2"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-659f-22xc-98f2",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-94"
|
||
],
|
||
"credits": [],
|
||
"aliases": [
|
||
"GHSA-659f-22xc-98f2"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-5847-rm3g-23mw",
|
||
"ghsa_id": "GHSA-5847-rm3g-23mw",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": null,
|
||
"title": "Hook auth rate limiter bypass via IPv4-mapped IPv6 client key variants",
|
||
"description": "Vulnerability The hook authentication throttle keyed failed attempts by raw socket remoteAddress text. IPv4 and IPv4-mapped IPv6 forms of the same client (for example 1.2.3.4 and ::ffff:1.2.3.4) were treated as different clients, allowing separate rate-limit buckets. Impact An attacker could split failed hook-auth attempts across both address forms and effectively double the brute-force budget from 20 to 40 attempts per 60-second window. Affected Components - src/gateway/server-http.ts - src/gateway/auth-rate-limit.ts Affected Packages / Versions - Package: openclaw (npm) - Vulnerable versions: <= 2026.2.21-2 - Patched version (planned next release): 2026.2.22 Remediation Centralize and reuse canonical client-IP normalization for auth rate-limiting, and use that canonical key for hook auth throttling. Fix Commit(s) - 3284d2eb227e7b6536d543bcf5c3e320bc9d13c5 Release Process Note patchedversions is pre-set to the planned next release (2026.2.22) so once npm release 2026.2.22 is published, this advisory can be published directly. Thanks @aether-ai-agent for reporting.",
|
||
"affected": [
|
||
"openclaw@<=2026.2.21-2"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.22"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-23T00:52:08Z",
|
||
"updated": "2026-02-23T00:52:08Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-5847-rm3g-23mw"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5847-rm3g-23mw",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [],
|
||
"credits": [],
|
||
"aliases": [
|
||
"GHSA-5847-rm3g-23mw"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-9mph-4f7v-fmvh",
|
||
"ghsa_id": "GHSA-9mph-4f7v-fmvh",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": null,
|
||
"title": "Agent avatar symlink traversal in gateway session metadata",
|
||
"description": "Summary A crafted local avatar path could follow a symlink outside the agent workspace and return arbitrary file contents as a base64 data: URL in gateway responses. Impact - Confidentiality impact: local file read in the gateway process context. - Exfiltration path: agents.list can return the resulting avatarUrl payload. Affected Components - src/gateway/session-utils.ts (resolveIdentityAvatarUrl) Affected Packages / Versions - Package: openclaw (npm) - Introduced: v2026.1.21 - Affected published versions: <= 2026.2.21-2 - Planned patched version: 2026.2.22 Remediation - Resolve workspace and avatar paths with realpath and enforce realpath containment. - Open files with ONOFOLLOW when available. - Compare pre-open and opened file identity (dev/ino) to block swap races. - Add regression tests for outside-workspace symlink rejection and in-workspace symlink allowance. Fix Commit(s) - 3d0337504349954237d09e4d957df5cb844d5e77 Release Process Note The advisory patchedversions field is pre-set to the planned next release (2026.2.22). After that npm release is published, the remaining step is to publish this advisory. Thanks @aether-ai-agent for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.21-2"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.22"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-23T00:52:08Z",
|
||
"updated": "2026-02-23T00:52:08Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-9mph-4f7v-fmvh"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9mph-4f7v-fmvh",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [],
|
||
"credits": [],
|
||
"aliases": [
|
||
"GHSA-9mph-4f7v-fmvh"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-5h2c-8v84-qpvr",
|
||
"ghsa_id": "GHSA-5h2c-8v84-qpvr",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-15",
|
||
"title": "Shell-env fallback trusted startup env and could execute attacker-influenced login-shell paths",
|
||
"description": "Summary OpenClaw shell-env fallback trusted startup environment values and could execute attacker-influenced login-shell startup paths before loading env keys. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: = 2026.1.5 and <= 2026.2.21-2 - Fixed on main: 9363c320d8ffe29290906752fab92621da02c3f7 - Planned patched release version (pre-set): 2026.2.22 Details The vulnerable chain was in the shell-env fallback path: 1. src/infra/shell-env.ts - resolveShell(env) trusted env.SHELL when set. - execLoginShellEnvZero(...) executed ${SHELL} -l -c \"env -0\" with inherited runtime env. 2. src/config/io.ts - Config env values were applied before shell fallback execution. 3. src/config/env-vars.ts / env policy coverage - SHELL handling was hardened, but startup-path selectors (HOME, ZDOTDIR) still needed explicit blocking in config env ingestion and sanitization for shell fallback execution. With env/config influence, this could trigger unintended command execution in shell startup processing on the OpenClaw host process context. Fix Mainline hardening now: - blocks SHELL, HOME, and ZDOTDIR during config env ingestion used by runtime fallback, - sanitizes shell fallback execution env, pinning HOME to the real user home and dropping ZDOTDIR + dangerous startup vars, - adds regression tests for config env ingestion and shell fallback/path-probe sanitization. Fix Commit(s) - 9363c320d8ffe29290906752fab92621da02c3f7 Impact - Local code-execution risk in environments where attacker-controlled env/config input can reach shell-env fallback. - Under OpenClaw trust assumptions (SECURITY.md), this is not a public-remote issue and depends on crossing local trusted-operator boundaries. Release Process Note patchedversions is intentionally pre-set to the planned next release (2026.2.22) so once npm release is out, maintainers can publish advisory immediately. Thanks @tdjackey for reporting.",
|
||
"affected": [
|
||
"openclaw@<=2026.2.21-2"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.22"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-23T00:52:06Z",
|
||
"updated": "2026-02-23T00:52:06Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-5h2c-8v84-qpvr"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5h2c-8v84-qpvr",
|
||
"nvd_url": null,
|
||
"cvss_score": 5.3,
|
||
"cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
|
||
"cwe_ids": [
|
||
"CWE-15",
|
||
"CWE-78"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-5h2c-8v84-qpvr"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-8mf7-vv8w-hjr2",
|
||
"ghsa_id": "GHSA-8mf7-vv8w-hjr2",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "low",
|
||
"type": "os_command_injection",
|
||
"nvd_category_id": "CWE-78",
|
||
"title": "tools.exec.safeBins generic fallback allowed interpreter-style inline payload execution in allowlist mode",
|
||
"description": "Summary When tools.exec.safeBins contained a binary without an explicit safe-bin profile, OpenClaw used a permissive generic fallback profile. In allowlist mode, that could let interpreter-style binaries (for example python3, node, ruby) execute inline payloads via flags like -c. This requires explicit operator configuration to add such binaries to safeBins, so impact is limited to non-default/misconfigured deployments. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.21-2 - Patched in code: = 2026.2.22 (planned next npm release) Fix - Remove generic safe-bin fallback during allowlist evaluation. - Require explicit safe-bin profiles for safeBins entries. - Add configurable tools.exec.safeBinProfiles (global + per-agent) for safe custom binaries. - Update docs to clearly separate safeBins from command allowlist semantics. Fix Commit(s) - 47c3f742b6c488be26dd7b9636dbbb8676089154 Release Process Note patchedversions is pre-set to the planned next release (= 2026.2.22) so once that npm release is published, the advisory can be published directly without further metadata edits. Thanks @tdjackey for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.21-2"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.22"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-23T00:52:06Z",
|
||
"updated": "2026-02-23T00:52:06Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-8mf7-vv8w-hjr2"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8mf7-vv8w-hjr2",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-78",
|
||
"CWE-693"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-8mf7-vv8w-hjr2"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-4rqq-w8v4-7p47",
|
||
"ghsa_id": "GHSA-4rqq-w8v4-7p47",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "low",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": null,
|
||
"title": "Incomplete IPv4 special-use SSRF blocking in web fetch guard",
|
||
"description": "Summary isPrivateIpv4() in bundled SSRF guard code missed several IPv4 special-use/non-global ranges, so webfetch could allow targets that should be blocked by SSRF policy. Affected Packages / Versions - Package: openclaw (npm) - Latest published affected version: 2026.2.21-2 (published 2026-02-21) - Structured vulnerable range: <= 2026.2.21-2 - Planned patched version (pre-set): = 2026.2.22 Impact Low severity. Exploitation requires network reachability to the relevant special-use ranges and a request path that reaches webfetch URL fetching. Technical Details Affected releases used narrow IPv4 private-range checks that omitted multiple RFC special-use/non-global ranges. This allowed requests such as http://198.18.0.1/... through SSRF validation in affected releases. Follow-up hardening consolidates local-host/tailnet range checks so gateway/browser/tailnet paths share one canonical IP classification flow. Fix Commit(s) - 71bd15bb4294d3d1b54386064d69cd0f5f731bd8 - 44dfbd23df453e51b71ef79a148c28c53e89168c - 333fbb86347998526dd514290adfd5f727caa6d9 - f14ebd743cfc73f667fae80af70043d0ab1f88bd Release Process Note patchedversions is intentionally pre-set to the planned next release (= 2026.2.22) so once npm 2026.2.22 is published, maintainers can publish this advisory without further metadata edits. Thanks @princeeismond-dot for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.21-2"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.22"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-23T00:52:05Z",
|
||
"updated": "2026-02-23T00:52:05Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-4rqq-w8v4-7p47"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4rqq-w8v4-7p47",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [],
|
||
"credits": [
|
||
"princeeismond-dot"
|
||
],
|
||
"aliases": [
|
||
"GHSA-4rqq-w8v4-7p47"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-f6h3-846h-2r8w",
|
||
"ghsa_id": "GHSA-f6h3-846h-2r8w",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-639",
|
||
"title": "Elevated allowFrom matching tightened for sender-scoped authorization",
|
||
"description": "Summary In certain elevated-mode configurations, tools.elevated.allowFrom accepted broader identity signals than intended. The fix tightens matching to sender-scoped identity by default and makes mutable metadata matching explicit. Context OpenClaw is commonly used in 1:1 chats or trusted group chats. In that intended model, this issue is best treated as authorization hardening / defense-in-depth for elevated sender approval. Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version at triage: 2026.2.21-2 - Affected versions: <= 2026.2.21-2 - Planned patched version (pre-set for publish-ready advisory): 2026.2.22 Details Elevated sender authorization now matches sender-scoped identity values only by default (SenderId, From, SenderE164) and no longer considers recipient routing fields such as ctx.To. Mutable sender metadata (SenderName, SenderUsername, SenderTag) now requires explicit allowlist prefixes (name:, username:, tag:). Explicit identity prefixes are also supported (id:, from:, e164:). Fix Commit(s) - 6817c0ec7b4fa830123d4f5c340f075a4bd04ee2 Release Process Note The advisory patchedversions is pre-set to the planned next release (2026.2.22). Once npm openclaw@2026.2.22 is published, this advisory can be published without additional content edits. Thanks @jiseoung for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.21-2"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.22"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-23T00:52:03Z",
|
||
"updated": "2026-02-23T00:52:03Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-f6h3-846h-2r8w"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f6h3-846h-2r8w",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-639"
|
||
],
|
||
"credits": [
|
||
"jiseoung"
|
||
],
|
||
"aliases": [
|
||
"GHSA-f6h3-846h-2r8w"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-qhrr-grqp-6x2g",
|
||
"ghsa_id": "GHSA-qhrr-grqp-6x2g",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-426",
|
||
"title": "tools.exec.safeBins trusted PATH directories allowed binary shadowing in allowlist mode",
|
||
"description": "Summary In openclaw allowlist mode, tools.exec.safeBins trusted PATH-derived directories for safe-bin resolution. A same-name binary placed in a trusted PATH directory could satisfy safe-bin checks and execute. Impact This is an allowlist bypass in exec policy that can lead to command execution in the OpenClaw runtime context when allowlist mode relies on safe bins and an attacker can influence trusted binary locations. Affected Packages / Versions - Package: openclaw (npm) - Vulnerable versions: <= 2026.2.21-2 - Patched versions: = 2026.2.22 (planned next release) - Latest published npm version at triage time (2026-02-22): 2026.2.21-2 Root Cause - Safe-bin trust accepted PATH-derived directories instead of explicit trusted directories. - Safe-bin execution used shell command tokens that could resolve to shadowed binaries. Remediation - Stop trusting PATH-derived directories for safe-bin trust. - Add explicit tools.exec.safeBinTrustedDirs for opt-in extra trusted paths. - Pin safe-bin shell execution to resolved absolute executable paths. Fix Commit(s) - 64b273a71cf0b2f2419c974832cede1fc2158729 Release Process Note patchedversions is pre-set to the planned next release (2026.2.22). After npm release, this advisory is ready for publish without additional field edits. Thanks @tdjackey for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.21-2"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.22"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-23T00:52:00Z",
|
||
"updated": "2026-02-23T00:52:00Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-qhrr-grqp-6x2g"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qhrr-grqp-6x2g",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-426"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-qhrr-grqp-6x2g"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-cjv3-m589-v3rx",
|
||
"ghsa_id": "GHSA-cjv3-m589-v3rx",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "cross_site_scripting",
|
||
"nvd_category_id": "CWE-79",
|
||
"title": "Canvas route hardening for mixed-trust deployments",
|
||
"description": "Summary This advisory tracks a defense-in-depth hardening for canvas routes. In mixed-trust or network-visible deployments, prior canvas auth/fallback behavior could broaden access beyond intended boundaries. Deployment Context OpenClaw’s default model is trusted host + loopback-first access. Some operators intentionally expose canvas routes on LAN/tailnet. This update is aimed at those broader deployment patterns. What Changed - Require explicit token or session-capability authorization for canvas routes. - Remove shared-IP fallback paths for canvas access. - Tighten bind/fallback behavior to fail closed. Impact Risk was highest in non-loopback or mixed-trust environments. In strict single-operator trusted-host setups, practical exposure is lower. Affected Packages / Versions - Package: openclaw (npm) - Vulnerable: <= 2026.2.19-2 - Patched: 2026.2.21 (next release target) Fix Commit(s) - c45f3c5b004c8d63dc0e282e2176f8c9355d24f1 - 08a7967936cfc0b2af6b27ec1f9272542648ad6c Release Process Note Fix is already on main. Publish this advisory after npm release 2026.2.21 ships. Thanks @NucleiAv for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.19-2"
|
||
],
|
||
"patched": [
|
||
"openclaw@>=2026.2.21"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-21T18:16:09Z",
|
||
"updated": "2026-02-21T18:16:09Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-cjv3-m589-v3rx"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cjv3-m589-v3rx",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-79",
|
||
"CWE-1021"
|
||
],
|
||
"credits": [
|
||
"NucleiAv"
|
||
],
|
||
"aliases": [
|
||
"GHSA-cjv3-m589-v3rx"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-w9cg-v44m-4qv8",
|
||
"ghsa_id": "GHSA-w9cg-v44m-4qv8",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-15",
|
||
"title": "BASHENV / ENV startup-file injection into spawned shell commands",
|
||
"description": "Summary BASHENV / ENV startup-file injection could lead to unintended pre-command shell execution when attacker-controlled environment values were admitted and then inherited by host command execution paths. Affected Packages / Versions - Package: openclaw (npm) - Affected: <= 2026.2.19-2 - Fixed on main: 2cdbadee1f8fcaa93302d7debbfc529e19868ea4 - Planned patched release version: 2026.2.21 Details The fix hardens environment handling across all relevant execution paths: - Blocks dangerous startup/runtime env keys and prefixes in shared host env sanitization. - Sanitizes inherited ambient environment even when no per-request overrides are provided. - Blocks dangerous config-driven env injection before values enter process environment. - Uses the same sanitizer in macOS host execution paths. - Aligns skill env override sanitization with the shared dangerous-env policy. Impact Medium. Exploitation requires local/privileged influence over configuration or environment inputs; there is no standalone remote unauthenticated trigger from this issue alone. Fix Commit(s) - 2cdbadee1f8fcaa93302d7debbfc529e19868ea4 Release Process Note patchedversions is pre-set to the planned next release (2026.2.21). Once npm openclaw@2026.2.21 is published, the advisory can be published without further field edits. Thanks @tdjackey for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.19-2"
|
||
],
|
||
"patched": [
|
||
"openclaw@>=2026.2.21"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-21T18:16:03Z",
|
||
"updated": "2026-02-21T18:16:03Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-w9cg-v44m-4qv8"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w9cg-v44m-4qv8",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-15",
|
||
"CWE-78"
|
||
],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-w9cg-v44m-4qv8"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-w7j5-j98m-w679",
|
||
"ghsa_id": "GHSA-w7j5-j98m-w679",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "high",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-250",
|
||
"title": "Multiple E2E/test Dockerfiles run all processes as root",
|
||
"description": "Three Dockerfiles in scripts/docker/ and scripts/e2e/ lack a USER directive, meaning all processes run as uid 0 (root). If any process is compromised, the attacker has root inside the container, making container breakout significantly easier. Partial fix (2026-02-08): Commit 28e1a65e added USER sandbox to Dockerfile.sandbox and Dockerfile.sandbox-browser. The E2E/test Dockerfiles listed below remain unpatched. Affected components: - scripts/e2e/Dockerfile - scripts/e2e/Dockerfile.qr-import - scripts/docker/install-sh-e2e/Dockerfile - scripts/docker/install-sh-nonroot/Dockerfile (runs as app but with NOPASSWD sudo — see related advisory) Technical Reproduction: 1. Open each Dockerfile listed above and search for a USER directive — none found. 2. Run any of these containers: docker run --rm -it <image id 3. Observe: returns uid=0(root). Demonstrated Impact: - Root inside the container enables kernel exploit attempts, volume mount abuse, and privileged syscall access. - Test images share the same base (node:22-bookworm) as production, creating risk of accidental deployment of root-running images. Environment: Base images node:22-bookworm and node:22-bookworm-slim default to root. Dockerfile.sandbox and Dockerfile.sandbox-browser were remediated in commit 28e1a65e; only the E2E/test images listed above remain affected. Remediation: Add a USER directive before CMD/ENTRYPOINT in each remaining Dockerfile: RUN useradd --create-home --shell /bin/bash appuser USER appuser",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.19-2"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.21"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-21T10:42:51Z",
|
||
"updated": "2026-02-21T10:42:51Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-w7j5-j98m-w679"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w7j5-j98m-w679",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-250"
|
||
],
|
||
"credits": [
|
||
"TerminalsandCoffee"
|
||
],
|
||
"aliases": [
|
||
"GHSA-w7j5-j98m-w679"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-82g8-464f-2mv7",
|
||
"ghsa_id": "GHSA-82g8-464f-2mv7",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-15",
|
||
"title": "Skill env override host env injection",
|
||
"description": "Summary applySkillConfigEnvOverrides previously copied skills.entries..env values into the host process.env without applying the host env safety policy. Impact In affected versions, dangerous process-level variables such as NODEOPTIONS could be injected when unset, which can influence runtime/child-process behavior. Required attacker capability An attacker must be able to modify OpenClaw local state/config (for example ~/.openclaw/openclaw.json) to set skills.entries.<skill.env or related skill config values. Remediation Fixed in 2026.2.21 by sanitizing skill env overrides and blocking dangerous host env keys (including NODEOPTIONS) before applying overrides, with regression tests covering blocked dangerous keys. Fix Commit(s) - 8c9f35cdb51692b650ddf05b259ccdd75cc9a83c Found using MCPwner",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.19-2"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.21"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-21T10:42:37Z",
|
||
"updated": "2026-03-02T06:53:28Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-82g8-464f-2mv7"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-82g8-464f-2mv7",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-15",
|
||
"CWE-94",
|
||
"CWE-1341"
|
||
],
|
||
"credits": [
|
||
"nedlir"
|
||
],
|
||
"aliases": [
|
||
"GHSA-82g8-464f-2mv7"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-jjgj-cpp9-cvpv",
|
||
"ghsa_id": "GHSA-jjgj-cpp9-cvpv",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "path_traversal",
|
||
"nvd_category_id": "CWE-22",
|
||
"title": "Local File Exfiltration via MCP Tool Result MEDIA: Directive Injection",
|
||
"description": "Summary A malicious or compromised MCP (Model Context Protocol) tool server can exfiltrate arbitrary local files from the host system by injecting MEDIA: directives into tool result text content. OpenClaw's tool result processing pipeline extracts file paths from MEDIA: tokens without source-level validation, passes them through a localRoots allowlist check that includes os.tmpdir() by default (covering /tmp on Linux/macOS and %TEMP% on Windows), and then reads and delivers the file contents to external messaging channels such as Discord, Slack, Telegram, and WhatsApp. Affected Component OpenClaw (all versions up to and including latest as of 2026-02-19) Vulnerability Details Root Cause The vulnerability exists across multiple files in the media processing pipeline: 1. Unvalidated extraction (src/agents/pi-embedded-subscribe.tools.ts, lines 143-202): extractToolResultMediaPaths() parses MEDIA: tokens from MCP tool result text content blocks using a regex. It accepts any file path (absolute, relative, Windows drive, UNC, file:// URI) without validating the source is trusted or the path is within expected boundaries. 2. Overly broad default allowlist (src/media/local-roots.ts, lines 7-16): buildMediaLocalRoots() includes os.tmpdir() in the default allowed directory list. On Linux/macOS this is /tmp (world-readable, often containing application secrets, database dumps, SSH keys, session tokens), and on Windows it is %TEMP% (user's temp directory containing application caches, credentials, and temporary secrets). 3. Delivery to external channels (src/agents/pi-embedded-subscribe.handlers.tools.ts, lines 380-392): After extraction, media paths are delivered via ctx.params.onToolResult({ mediaUrls: mediaPaths }), which flows through the outbound delivery pipeline to send file contents as attachments to Discord, Slack, Telegram, and other configured messaging channels. 
Attack Flow Secondary Attack Vector: details.path Fallback When an MCP tool result contains type: \"image\" content blocks, extractToolResultMediaPaths() falls back to reading result.details.path (lines 192-199). A malicious tool can return: This bypasses the MEDIA: token parsing entirely and directly injects arbitrary file paths. Third Attack Vector: file:// URI Scheme The loadWebMediaInternal() function (line 228-233) converts file:// URIs to local paths via fileURLToPath(): This provides an alternative syntax for targeting files. Impact - File exfiltration: Any file within os.tmpdir() (or the OpenClaw state directory) can be read and sent to external messaging channels - Secret theft: Temporary files often contain API keys, database credentials, SSH keys, session tokens, and application secrets - Cross-application data theft: Other applications' temp files (browser caches, build artifacts, CI/CD secrets) are accessible - Silent exfiltration: The file content is sent as a media attachment to messaging channels the attacker can monitor, with no user-visible indication - Automated exploitation: If auto-reply is enabled, the malicious tool can be triggered without user interaction Reproduction Steps Prerequisites - Node.js 18+ installed - No OpenClaw installation required (PoC is self-contained) Steps 1. Save the PoC script below as poc-media-exfil.js 2. Run: node poc-media-exfil.js 3. 
Observe: All 21 assertions pass, confirming the vulnerability PoC Script Expected Output Affected Code Locations | File | Lines | Function | Role | |------|-------|----------|------| | src/media/parse.ts | 7 | MEDIATOKENRE | Regex that matches MEDIA: directives in text | | src/agents/pi-embedded-subscribe.tools.ts | 143-202 | extractToolResultMediaPaths() | Extracts file paths from MCP tool results without source validation | | src/agents/pi-embedded-subscribe.handlers.tools.ts | 380-392 | handleToolExecutionEnd() | Delivers extracted media paths to messaging channels | | src/media/local-roots.ts | 7-16 | buildMediaLocalRoots() | Includes os.tmpdir() in default allowed roots | | src/web/media.ts | 60-117 | assertLocalMediaAllowed() | Validates paths against overly broad localRoots | | src/web/media.ts | 212-381 | loadWebMediaInternal() | Reads validated files into memory for delivery | Suggested Remediation 1. Validate MEDIA: source trust: Only accept MEDIA: directives from OpenClaw's own internal tools (TTS, image generation). Reject or flag MEDIA: directives from external MCP tool results. 2. Remove os.tmpdir() from default localRoots: The temp directory is too broad. Replace with a narrow OpenClaw-specific subdirectory (e.g., path.join(os.tmpdir(), \"openclaw-media\")). 3. Add source tagging to tool results: Tag each tool result with its source (internal vs. MCP external) and enforce different media access policies for each. 4. Require explicit opt-in for file media delivery: When a tool result contains MEDIA: directives referencing local files, require user confirmation before reading and sending the file. Differentiation from Existing Advisories This vulnerability is distinct from all existing OpenClaw security advisories. Below is an explicit comparison against every advisory or commit that could appear superficially related: Not a duplicate of path traversal advisories (apply-patch, workspace escape, etc.) 
The existing path traversal advisories (e.g., those targeting apply-patch tool workspace containment via assertSandboxPath(), or resolveFileWithinRoot() in the canvas host file resolver) are about preventing filesystem access outside a sandbox boundary. This vulnerability is fundamentally different: - Different attack surface: The attack enters through MCP tool result text content (extractToolResultMediaPaths() in pi-embedded-subscribe.tools.ts), not through tool arguments, HTTP paths, or patch file contents. - Different code path: The vulnerable pipeline is extractToolResultMediaPaths() → handleToolExecutionEnd() → onToolResult() → loadWebMedia() → assertLocalMediaAllowed(). None of these functions are involved in the existing path traversal fixes. - The validation passes by design: This is not a bypass of assertLocalMediaAllowed(). The function works correctly. The problem is that os.tmpdir() is included in the default localRoots allowlist (src/media/local-roots.ts:10), making the entire system temp directory readable by any MCP tool that returns a MEDIA: directive. Not a duplicate of SSRF advisories The existing SSRF advisories cover fetchWithSsrFGuard() and resolvePinnedHostnameWithPolicy() in src/infra/net/. This vulnerability does not involve any HTTP fetching or DNS resolution. Instead, it reads local files from disk and delivers them outbound to messaging channels. The MEDIA: path is a local filesystem path, not a URL. Not a duplicate of canvas host file disclosure The canvas host file disclosure advisory covers the HTTP serving side (resolveFileWithinRoot() in src/canvas-host/file-resolver.ts), where path traversal in the URL could escape the canvas root directory. This vulnerability is about outbound file exfiltration through the agent messaging pipeline, not about the canvas host HTTP server. 
Not a duplicate of inbound attachment root policy (1316e57) Commit 1316e57 (\"enforce inbound attachment root policy across pipelines\") added src/media/inbound-path-policy.ts to restrict inbound media paths from messaging channels (e.g., iMessage attachment roots). This vulnerability is about outbound media delivery, where files are read from disk and sent to external channels via MEDIA: directives in MCP tool results. Different direction, different code, different policy layer. Not a duplicate of any webhook/messaging auth bypass The webhook auth bypass and messaging platform allowlist bypass advisories cover authentication between OpenClaw and external services. This vulnerability assumes the MCP tool is already configured and trusted. The issue is that tool results can inject MEDIA: directives that cause unintended local file reads and exfiltration. Verification: zero prior fixes for this code path A git log search for commits touching localRoots, local-roots, tmpdir, or extractToolResultMediaPaths returns zero results, confirming this vulnerability has never been reported or addressed. References - OpenClaw MCP tool integration documentation - OWASP Path Traversal - CWE-22: Improper Limitation of a Pathname to a Restricted Directory - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor Credit Anmol Vats (@NucleiAv)",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.19-2"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.21"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-21T10:42:36Z",
|
||
"updated": "2026-02-21T10:42:36Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-jjgj-cpp9-cvpv"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jjgj-cpp9-cvpv",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-22",
|
||
"CWE-200"
|
||
],
|
||
"credits": [
|
||
"NucleiAv"
|
||
],
|
||
"aliases": [
|
||
"GHSA-jjgj-cpp9-cvpv"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-3x3x-h76w-hp98",
|
||
"ghsa_id": "GHSA-3x3x-h76w-hp98",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-184",
|
||
"title": "OpenClaw exec allowlist safeBins short-option bypass could permit arbitrary file write",
|
||
"description": "Summary OpenClaw exec allowlist/safeBins policy could be bypassed with attached short-option payloads (for example sort -o/tmp/poc), enabling file-write operations while still satisfying safeBins checks. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.17 - Latest published vulnerable version: 2026.2.17 - Patched in: 2026.2.19 Impact When tools.exec.security=allowlist and tools.exec.safeBins included affected binaries, attached short-option payloads could bypass safeBins argument validation and permit file-write behavior that should have been denied. Fix Commit(s) - cfe8457a0f4aae5324daec261d3b0aad1461a4bc - bafdbb6f112409a65decd3d4e7350fbd637c7754 - fec48a5006eab37c6a5821726ccaeec886486b13 Thanks @FailButWin and @Redgrave961 for reporting.",
|
||
"affected": [
|
||
"openclaw@<=2026.2.17"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.19"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-21T10:34:16Z",
|
||
"updated": "2026-02-21T10:39:23Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-3x3x-h76w-hp98"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3x3x-h76w-hp98",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-184"
|
||
],
|
||
"credits": [
|
||
"FailButWin",
|
||
"Redgrave961"
|
||
],
|
||
"aliases": [
|
||
"GHSA-3x3x-h76w-hp98"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-2hm8-rqrm-xfjq",
|
||
"ghsa_id": "GHSA-2hm8-rqrm-xfjq",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "low",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-269",
|
||
"title": "Owner-only gateway tool access checks were incomplete in specific authenticated DM flows",
|
||
"description": "Summary In authenticated non-owner DM sessions, a narrow tool-invocation path could reach broader-than-intended owner-only gateway actions. Impact This requires an authenticated non-owner sender in a DM session and a specific tool invocation path. No unauthenticated access is involved, and this does not provide direct code execution by itself. Root Cause - Some gateway call paths were still using broader default scopes instead of method-level least-privilege scopes. - Owner-only enforcement depended on tool-name checks and was not consistently metadata-driven across all call paths. Affected Packages / Versions - Package: openclaw (npm) - Affected: <= 2026.2.17 (latest published npm version as of February 19, 2026) - Patched: 2026.2.19 Remediation - Refactored gateway method scope mapping to a data-driven table and added guard tests to ensure all exposed core gateway methods stay classified. - Centralized owner-only enforcement in tool policy wrappers and tool metadata. - Marked owner-only tools explicitly (cron, gateway, whatsapplogin) and removed duplicated per-tool owner checks. - Refactored gateway call path internals into smaller helpers while preserving behavior and coverage. Fix Commit(s) - a40c10d3e24568b1e2947c104484be74bf66b8d2 - 2777d8ad91ef1e8a7c6f5b4b18f8507be7d02914 - 3d7ad1cfca4daaa84cd553e843e0e08fa6201349 Thanks @Adam55A-code for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.17"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.19"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-21T10:34:15Z",
|
||
"updated": "2026-02-21T10:40:02Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-2hm8-rqrm-xfjq"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2hm8-rqrm-xfjq",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-269",
|
||
"CWE-863"
|
||
],
|
||
"credits": [
|
||
"Adam55A-code"
|
||
],
|
||
"aliases": [
|
||
"GHSA-2hm8-rqrm-xfjq"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-ff98-w8hj-qrxf",
|
||
"ghsa_id": "GHSA-ff98-w8hj-qrxf",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "low",
|
||
"type": "os_command_injection",
|
||
"nvd_category_id": "CWE-78",
|
||
"title": "Plugin runtime command execution is part of trusted plugin boundary",
|
||
"description": "Summary OpenClaw plugins/extensions run in-process and are treated as trusted code. This advisory tracks trust-boundary clarification around plugin runtime command execution (runtime.system.runCommandWithTimeout). Impact Plugins already execute with the same OS privileges as the OpenClaw process. Exposing runtime command helpers does not cross an additional sandbox boundary. Affected Packages / Versions - Package: openclaw (npm) - Latest published version reviewed: 2026.2.17 - Affected range for this advisory record: <= 2026.2.17 - Planned patched version metadata: 2026.2.19 (next release line) Fix Commit(s) - 2e421f32dfc589c02706265fd3c3137ffc06c4b1 Remediation - Install only trusted plugins. - Use plugins.allow to pin explicit trusted plugin IDs. - SECURITY.md now explicitly documents that plugin runtime helpers are convenience APIs, not a sandbox boundary. Thanks @markmusson for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.17"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.19"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-21T10:34:13Z",
|
||
"updated": "2026-02-21T10:39:21Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-ff98-w8hj-qrxf"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-ff98-w8hj-qrxf",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-78"
|
||
],
|
||
"credits": [
|
||
"markmusson"
|
||
],
|
||
"aliases": [
|
||
"GHSA-ff98-w8hj-qrxf"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-vj3g-5px3-gr46",
|
||
"ghsa_id": "GHSA-vj3g-5px3-gr46",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "path_traversal",
|
||
"nvd_category_id": "CWE-22",
|
||
"title": "Path traversal in Feishu media temp-file naming allows writes outside os.tmpdir()",
|
||
"description": "Summary OpenClaw’s Feishu media download flow used untrusted Feishu media keys (imageKey / fileKey) when building temporary file paths in extensions/feishu/src/media.ts. Because those keys were interpolated directly into temp-file paths, traversal segments could escape the temp directory and redirect writes outside os.tmpdir(). Impact This is an arbitrary file write issue (within the OpenClaw process file permissions). If an attacker can control Feishu media key values returned to the client (for example via compromised upstream response path), they can influence where downloaded bytes are written. Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version at triage: 2026.2.17 - Affected versions: <= 2026.2.17 - Fixed version: 2026.2.19 Fix Commit(s) - c821099157a9767d4df208c6b12f214946507871 - cdb00fe2428000e7a08f9b7848784a0049176705 - ec232a9e2dff60f0e3d7e827a7c868db5254473f Remediation The fix removes key-derived temp-file naming and keeps downloads in safe temp locations. Additional hardening isolates SDK writeFile calls in per-download temp directories (mkdtemp) with deterministic cleanup, enforces Feishu key trust-boundary validation, and adds a repository guard test against dynamic path.join(os.tmpdir(), \\...${...}\\) patterns in runtime code. Thanks @allsmog for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.17"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.19"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-21T10:34:11Z",
|
||
"updated": "2026-02-21T10:39:20Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-vj3g-5px3-gr46"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vj3g-5px3-gr46",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-22"
|
||
],
|
||
"credits": [
|
||
"allsmog"
|
||
],
|
||
"aliases": [
|
||
"GHSA-vj3g-5px3-gr46"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-2mc2-g238-722j",
|
||
"ghsa_id": "GHSA-2mc2-g238-722j",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "os_command_injection",
|
||
"nvd_category_id": "CWE-78",
|
||
"title": "iMessage remote attachment SCP hardening (strict host-key checks and remoteHost validation)",
|
||
"description": "Summary Remote iMessage attachment fetches used SCP with trust-on-first-use host-key behavior and accepted unvalidated remote host tokens. Before the fix: - SCP used StrictHostKeyChecking=accept-new in the remote attachment path. - channels.imessage.remoteHost was not validated as a strict SSH host token. Impact In remote iMessage deployments that use SCP attachment fetching, a first-connection MITM/DNS-poisoning scenario could cause the wrong host key to be trusted. Unsafe remote host token values could also alter SCP argument semantics. Affected Packages / Versions - Package: openclaw (npm) - Latest published npm version currently affected: 2026.2.17 - Vulnerable range (structured field): <= 2026.2.17 - Patched version (pre-set for next release): >= 2026.2.19 Fix The fix hardens remote attachment SSH/SCP handling by: - requiring StrictHostKeyChecking=yes for SCP and SSH tunnel paths, - adding strict remoteHost normalization/validation, - adding -- argument barrier for SCP remote source parsing, - validating channels.imessage.remoteHost in config schema, - rejecting unsafe auto-detected host tokens at runtime. Fix Commit(s) - Pushed to main: 49d0def6d1e88f002026b1d2a35aa615d48a751a Thanks @allsmog for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.17"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.19"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-21T10:34:10Z",
|
||
"updated": "2026-02-21T10:39:20Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-2mc2-g238-722j"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2mc2-g238-722j",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-78",
|
||
"CWE-295"
|
||
],
|
||
"credits": [
|
||
"allsmog"
|
||
],
|
||
"aliases": [
|
||
"GHSA-2mc2-g238-722j"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-8cp7-rp8r-mg77",
|
||
"ghsa_id": "GHSA-8cp7-rp8r-mg77",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "server_side_request_forgery",
|
||
"nvd_category_id": "CWE-918",
|
||
"title": "SSRF guard bypass via IPv6 transition over ISATAP",
|
||
"description": "Summary OpenClaw's SSRF hostname/IP guard did not detect ISATAP embedded IPv4 addresses (...:5efe:w.x.y.z). A crafted URL containing an ISATAP IPv6 literal could embed a private IPv4 target (for example loopback) and bypass private-address filtering in URL-fetching paths. Severity Assessment Rated medium: the bug weakens SSRF protections in URL fetch flows, but impact depends on reaching a URL-fetching path with attacker-controlled input and is generally constrained to internal network access attempts. Affected Packages / Versions - Package: openclaw (npm) - Affected: >=2026.1.20 <=2026.2.17 - Latest published at patch time: 2026.2.17 - Patched release: 2026.2.19 Security Policy Context Per SECURITY.md, OpenClaw's web/gateway surface is intended for local use by default, public internet exposure is out-of-scope, and prompt-injection reports are out-of-scope for bounty handling. This advisory tracks a core SSRF-guard bypass in fetch protections. Impact This can permit SSRF-style access attempts to internal/private network targets through URL ingestion/fetch paths that rely on shared hostname/IP blocking. Fix - Added RFC 5214 ISATAP embedded-IPv4 detection to the shared SSRF classifier. - Centralized hostname/IP blocking through isBlockedHostnameOrIp and routed relevant validators to that shared path. - Added regression tests for ISATAP private vs public embedded IPv4 handling. Fix Commit(s) - d51929ecb52fe65e90bf36795f4247feb29eb8aa Thanks @zpbrent for reporting.",
|
||
"affected": [
|
||
"openclaw@>=2026.1.20 <=2026.2.17"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.19"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-21T10:34:08Z",
|
||
"updated": "2026-02-21T10:39:19Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-8cp7-rp8r-mg77"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8cp7-rp8r-mg77",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-918"
|
||
],
|
||
"credits": [
|
||
"zpbrent"
|
||
],
|
||
"aliases": [
|
||
"GHSA-8cp7-rp8r-mg77"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-pfv7-rr5m-qmv6",
|
||
"ghsa_id": "GHSA-pfv7-rr5m-qmv6",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": null,
|
||
"title": "Auth inconsistency on local Browser Extension Relay /extension endpoint",
|
||
"description": "Summary When the optional Chrome extension relay is enabled, /extension accepted unauthenticated WebSocket upgrades while /json/ and /cdp required auth. Affected Packages / Versions - Package: openclaw (npm) - Affected: <= 2026.2.17 - Latest published npm version at triage time: 2026.2.17 Impact This is a local-only issue on loopback (127.0.0.1) and only applies when the extension relay feature is in use. A local process on the same machine could connect to /extension without the token and interfere with extension-relay behavior. No remote network exploit path is involved. Fix - Require gateway-token auth on both /extension and /cdp relay WebSocket endpoints. - Keep loopback/origin checks as defense-in-depth, not as authentication. - Use one token path in setup: gateway.auth.token / OPENCLAWGATEWAYTOKEN. Fix Commit(s) - 7e54b6c96feb1a5c30884f2b32037b8dadd0e532 Thanks @tdjackey for reporting.",
|
||
"affected": [
|
||
"openclaw@<= 2026.2.17"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.19"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-21T10:34:07Z",
|
||
"updated": "2026-02-21T10:39:18Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-pfv7-rr5m-qmv6"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-pfv7-rr5m-qmv6",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [],
|
||
"credits": [
|
||
"tdjackey"
|
||
],
|
||
"aliases": [
|
||
"GHSA-pfv7-rr5m-qmv6"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-6c9j-x93c-rw6j",
|
||
"ghsa_id": "GHSA-6c9j-x93c-rw6j",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "medium",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-203",
|
||
"title": "OpenClaw safeBins file-existence oracle information disclosure",
|
||
"description": "An information disclosure vulnerability in OpenClaw's tools.exec.safeBins approval flow allowed a file-existence oracle. When safe-bin validation examined candidate file paths, command allow/deny behavior could differ based on whether a path already existed on the host filesystem. An attacker could probe for file presence by comparing outcomes for existing vs non-existing filenames. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.17 - Latest published vulnerable version at triage time: 2026.2.17 - Planned patched version: 2026.2.18 Impact Attackers with access to this execution surface could infer whether specific files exist (for example secrets/config files), enabling filesystem enumeration and improving follow-on attack planning. Fix The safe-bin policy was changed to deterministic argv-only validation without host file-existence checks. File-oriented flags are blocked for safe-bin mode (for example sort -o, jq -f, grep -f), and trusted-path checks remain enforced. Fix Commit(s) - bafdbb6f112409a65decd3d4e7350fbd637c7754 Found using MCPwner Thanks @nedlir for reporting.",
|
||
"affected": [
|
||
"openclaw@<=2026.2.17"
|
||
],
|
||
"patched": [
|
||
"openclaw@>= 2026.2.18"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-19T16:03:56Z",
|
||
"updated": "2026-02-26T07:11:44Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-6c9j-x93c-rw6j"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6c9j-x93c-rw6j",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-203"
|
||
],
|
||
"credits": [
|
||
"nedlir"
|
||
],
|
||
"aliases": [
|
||
"GHSA-6c9j-x93c-rw6j"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-mmpf-jwf4-h3qv",
|
||
"ghsa_id": "GHSA-mmpf-jwf4-h3qv",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "low",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-77",
|
||
"title": "Option injection in pre-commit hook can stage ignored files",
|
||
"description": "Summary A maliciously-named file (for example, --force) can trigger option injection in the repository's git-hooks/pre-commit hook when a contributor uses the built-in git hook setup (git config core.hooksPath git-hooks). This can cause unintended staging of ignored files. Details The hook collected staged filenames and piped them through xargs into git add without a -- separator. Filenames beginning with - could be interpreted as flags. This issue only affects contributors who: - use the repo's git-hooks/ hook mechanism (not the pre-commit framework), and - run commits in a working directory that contains sensitive ignored files. Impact Under specific circumstances, ignored files (for example .env) can be added to git history. Affected Packages / Versions - Repository versions: <= 2026.2.14 - Fixed in: 2026.2.15 Note: the npm package does not ship git-hooks/; the impact is on contributors working from the repository checkout/source release. Fix The hook now: - uses NUL-delimited file lists (git diff ... -z) to safely handle whitespace, and - passes paths to git add after -- to prevent option injection. Fix Commit(s) - b88f37762f5b6d7ec0f589eb761815e466e4ef4b - ba84b1253967143692166023f9e174c149b6f2ed Thanks @mrthankyou for reporting.",
|
||
"affected": [
|
||
"openclaw@<=2026.2.14"
|
||
],
|
||
"patched": [
|
||
"openclaw@>=2026.2.15"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-18T03:39:01Z",
|
||
"updated": "2026-02-21T10:37:07Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-mmpf-jwf4-h3qv"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mmpf-jwf4-h3qv",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-77"
|
||
],
|
||
"credits": [
|
||
"mrthankyou"
|
||
],
|
||
"aliases": [
|
||
"GHSA-mmpf-jwf4-h3qv"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-h9g4-589h-68xv",
|
||
"ghsa_id": "GHSA-h9g4-589h-68xv",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "high",
|
||
"type": "missing_authentication_for_critical_function",
|
||
"nvd_category_id": "CWE-306",
|
||
"title": "Authentication bypass in sandbox browser bridge server",
|
||
"description": "Summary openclaw could start the sandbox browser bridge server without authentication. When the sandboxed browser is enabled, openclaw runs a local (loopback) HTTP bridge that exposes browser control endpoints (for example /profiles, /tabs, /tabs/open, /agent/). Due to missing auth wiring in the sandbox initialization path, that bridge server accepted requests without requiring gateway auth. CVSS - CVSS v3.1: 7.1 - Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Impact A local attacker (any process on the same machine) could access the bridge server port and: - enumerate open tabs and retrieve CDP WebSocket URLs - open/close/navigate tabs - execute JavaScript in page contexts via CDP - exfiltrate cookies/session data and page contents from authenticated sessions This is a localhost-only exposure (CVSS AV:L), but provides full browser-session compromise for sandboxed browser usage. Affected Versions - Introduced in: 2026.1.29-beta.1 (first npm release that shipped the sandbox browser bridge) - Affected range: >=2026.1.29-beta.1 <2026.2.14 Patched Versions - 2026.2.14 Mitigation - Upgrade to 2026.2.14 (recommended). - Or disable the sandboxed browser (agents.defaults.sandbox.browser.enabled=false). Fix Details - The sandbox browser bridge server now always requires auth and enforces the same gateway browser control auth (token/password) that loopback browser clients already use. - Additional hardening: bridge server refuses non-loopback binds; local helper servers are bound to loopback. - Added regression tests (including unit coverage for per-port bridge auth fallback). Fix commits: - openclaw/openclaw@4711a943e30bc58016247152ba06472dab09d0b0 - openclaw/openclaw@6dd6bce997c48752134f2d6ed89b27de01ced7e3 - openclaw/openclaw@cd84885a4ac78eadb7bf321aae98db9519426d67 Credits Thanks to Adnan Jakati (@jackhax) of Praetorian for reporting this issue.",
|
||
"affected": [
|
||
"openclaw@>=2026.1.29-beta.1 <2026.2.14"
|
||
],
|
||
"patched": [
|
||
"openclaw@2026.2.14"
|
||
],
|
||
"platforms": [
|
||
"openclaw"
|
||
],
|
||
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
|
||
"published": "2026-02-16T01:37:15Z",
|
||
"updated": "2026-02-16T01:45:52Z",
|
||
"references": [
|
||
"https://github.com/openclaw/openclaw/security/advisories/GHSA-h9g4-589h-68xv"
|
||
],
|
||
"source": "GitHub Security Advisory",
|
||
"repository": "openclaw/openclaw",
|
||
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h9g4-589h-68xv",
|
||
"nvd_url": null,
|
||
"cvss_score": null,
|
||
"cvss_vector": null,
|
||
"cwe_ids": [
|
||
"CWE-306"
|
||
],
|
||
"credits": [
|
||
"jackhax"
|
||
],
|
||
"aliases": [
|
||
"GHSA-h9g4-589h-68xv"
|
||
]
|
||
},
|
||
{
|
||
"id": "GHSA-chm2-m3w2-wcxm",
|
||
"ghsa_id": "GHSA-chm2-m3w2-wcxm",
|
||
"cve_id": null,
|
||
"status": "stale",
|
||
"stale": true,
|
||
"stale_after_days": 60,
|
||
"severity": "low",
|
||
"type": "github_security_advisory",
|
||
"nvd_category_id": "CWE-290",
|
||
"title": "Google Chat spoofing access with allowlist authorized mutable email principal despite sender-ID mismatch",
|
||
"description": "Summary Google Chat allowlisting supports matching by sender email in addition to immutable sender resource name (users/<id>). This weakens identity binding if a deployment assumes allowlists are strictly keyed by immutable principals. Affected Packages / Versions (As of 2026-02-14; based on latest published npm versions) - openclaw (npm): <= 2026.2.13 - clawdbot (npm): <= 2026.1.24-3 Details Affected component: - extensions/googlechat/src/monitor.ts The allowFrom checks accept: - Immutable sender id (users/<id>) - Raw email (alice@example.com) for usability Historically, users/<email> was also treated as an email allowlist entry. This is now deprecated because it looks like an immutable ID but is actually a mutable principal. Security Triage (2026-02-14) Severity: Low Rationale: - Requests are authenticated as coming from Google Chat (token verification), so this is not a generic unauthenticated spoofing vector. - A realistic exploit generally requires Google Workspace / IdP administrative control over identity lifecycle (e.g. reassigning an email address to a different underlying account) to obtain the same email with a different users/<id>. - With that level of access, the attacker typically has broader compromise paths. We still treat it as a valid defense-in-depth report because accepting mutable principals in authorization decisions can increase risk in chained-failure scenarios. Remediation / Behavior Changes Goal: preserve usability while reducing footguns. - Raw email allowlists remain supported. - users/<email> is deprecated and treated as a user id, not as an email allowlist. - Documentation recommends users/<id> when strict immutable binding is required. Fixed In - openclaw (npm): >= 2026.2.14 - clawdbot (npm): no patched release is published under this legacy package name; migrate to openclaw >= 2026.2.14. Fix Commit(s) - c8424bf29a921e25663b29f308640b3d91a49432 (PR #16243) Thanks @vincentkoc for reporting.",
"affected": [
"openclaw@<=2026.2.13",
"clawdbot@<=2026.1.24-3"
],
"patched": [
"openclaw@>=2026.2.14"
],
"platforms": [
"openclaw"
],
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
"published": "2026-02-16T00:31:29Z",
"updated": "2026-02-21T10:40:48Z",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-chm2-m3w2-wcxm"
],
"source": "GitHub Security Advisory",
"repository": "openclaw/openclaw",
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-chm2-m3w2-wcxm",
"nvd_url": null,
"cvss_score": null,
"cvss_vector": null,
"cwe_ids": [
"CWE-290",
"CWE-863"
],
"credits": [
"vincentkoc"
],
"aliases": [
"GHSA-chm2-m3w2-wcxm"
]
},
{
"id": "GHSA-w5c7-9qqw-6645",
"ghsa_id": "GHSA-w5c7-9qqw-6645",
"cve_id": null,
"status": "stale",
"stale": true,
"stale_after_days": 60,
"severity": "medium",
"type": "github_security_advisory",
"nvd_category_id": null,
"title": "Inter-session prompts could be treated as direct user instructions",
"description": "Summary Inter-session messages sent via sessionssend could be interpreted as direct end-user instructions because they were persisted as role: \"user\" without provenance metadata. Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.2.12 (i.e. < 2026.2.13) - Fixed in: 2026.2.13 (patched versions >= 2026.2.13) Impact A delegated or internal session could inject instructions into another session that appeared equivalent to externally-originated user input. This is an instruction-provenance confusion issue (confused-deputy style), which can lead to unintended privileged behavior in workflows that trust role: \"user\" as a sole authority signal. Technical details Before the fix, routed inter-session prompts were stored as regular user turns without a verifiable source marker. As a result, downstream workers and transcript readers could not distinguish: - External user input - Internal inter-session routed input Fix OpenClaw now carries explicit input provenance end-to-end for routed prompts. Key changes: - Added structured provenance model (inputProvenance) with kind values including intersession. - sessionssend and agent-to-agent steps now set inter-session provenance when invoking target runs. - Provenance is persisted on user messages as message.provenance.kind = \"intersession\" (role remains user for provider compatibility). - Transcript readers and memory helpers were updated to respect provenance and avoid treating inter-session prompts as external user-originated input. - Runtime context rebuilding now annotates inter-session turns with an explicit in-memory marker ([Inter-session message]) for clearer model-side disambiguation. - Regression tests were added for transcript parsing, session tools flow, runner sanitization, and memory hook behavior. Fix Commit(s) - 85409e401b6586f83954cb53552395d7aab04797 Workarounds If immediate upgrade is not possible: - Disable or restrict sessionssend in affected environments. - Do not use role alone as an authority boundary; require provenance-aware checks in orchestration logic. Credit Reported by @anbecker. Thanks @anbecker for reporting.",
"affected": [
"openclaw@<2026.2.13"
],
"patched": [
"openclaw@>=2026.2.13"
],
"platforms": [
"openclaw"
],
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
"published": "2026-02-15T23:31:43Z",
"updated": "2026-02-21T10:37:10Z",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-w5c7-9qqw-6645"
],
"source": "GitHub Security Advisory",
"repository": "openclaw/openclaw",
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w5c7-9qqw-6645",
"nvd_url": null,
"cvss_score": null,
"cvss_vector": null,
"cwe_ids": [],
"credits": [
"anbecker"
],
"aliases": [
"GHSA-w5c7-9qqw-6645"
]
},
{
"id": "GHSA-fhvm-j76f-qmjv",
"ghsa_id": "GHSA-fhvm-j76f-qmjv",
"cve_id": null,
"status": "stale",
"stale": true,
"stale_after_days": 60,
"severity": "high",
"type": "github_security_advisory",
"nvd_category_id": "CWE-285",
"title": "Potential access-group authorization bypass if channel type lookup fails",
"description": "Summary When Telegram webhook mode is enabled without a configured webhook secret, OpenClaw may accept unauthenticated HTTP POST requests at the Telegram webhook endpoint and trust attacker-controlled update JSON. This can allow forged Telegram updates that spoof message.from.id / chat.id, potentially bypassing sender allowlists and executing privileged bot commands. Affected Packages / Versions - Package: openclaw (npm) - Affected: <= 2026.1.30 - Patched: = 2026.2.1 Impact An attacker who can reach the webhook endpoint can forge Telegram updates and impersonate allowlisted/paired senders by spoofing fields in the webhook payload (for example message.from.id). Impact depends on enabled commands/tools and the deployment’s network exposure. Mitigations / Workarounds - Configure a strong channels.telegram.webhookSecret and ensure your reverse proxy forwards the X-Telegram-Bot-Api-Secret-Token header unchanged. Fix Commit(s) - ca92597e1f9593236ad86810b66633144b69314d (config validation: webhookUrl requires webhookSecret) Defense-in-depth / supporting fixes: - 5643a934799dc523ec2ef18c007e1aa2c386b670 (default webhook listener bind host to loopback) - 3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930 (bound webhook request body size/time) - 633fe8b9c17f02fcc68ecdb5ec212a5ace932f09 (runtime guard: reject webhook startup when secret is missing/empty) Thanks @yueyueL for reporting.",
"affected": [
"openclaw@<=2026.2.1"
],
"patched": [
"openclaw@>=2026.2.2"
],
"platforms": [
"openclaw"
],
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
"published": "2026-02-14T21:15:31Z",
"updated": "2026-02-21T10:37:22Z",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-fhvm-j76f-qmjv"
],
"source": "GitHub Security Advisory",
"repository": "openclaw/openclaw",
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fhvm-j76f-qmjv",
"nvd_url": null,
"cvss_score": null,
"cvss_vector": null,
"cwe_ids": [
"CWE-285"
],
"credits": [
"simecek",
"stanislavfortaisle"
],
"aliases": [
"GHSA-fhvm-j76f-qmjv"
]
},
{
"id": "GHSA-g27f-9qjv-22pm",
"ghsa_id": "GHSA-g27f-9qjv-22pm",
"cve_id": null,
"status": "stale",
"stale": true,
"stale_after_days": 60,
"severity": "low",
"type": "github_security_advisory",
"nvd_category_id": "CWE-117",
"title": "OpenClaw log poisoning (indirect prompt injection) via WebSocket headers",
"description": "Summary In openclaw versions prior to 2026.2.13, OpenClaw logged certain WebSocket request headers (including Origin and User-Agent) without neutralization or length limits on the \"closed before connect\" path. If an unauthenticated client can reach the gateway and send crafted header values, those values may be written into core logs. Under workflows where logs are later read or interpreted by an LLM (for example via AI-assisted debugging), this can increase the risk of indirect prompt injection (log poisoning). Affected Packages / Versions - Package: openclaw (npm) - Affected: <= 2026.2.12 - Fixed: >= 2026.2.13 Details - Component: src/gateway/server/ws-connection.ts - Trigger: WebSocket connection closes before completing the connect/handshake; header values are included in the log message and structured context. Impact This issue is primarily an indirect prompt injection risk and depends on downstream log consumption behavior. If you do not feed logs into an LLM or other automation, impact is limited. Fix Header values written to gateway logs are now sanitized and truncated (including removal of control/format characters and length limiting). - Fix commits: d637a263505448bf4505b85535babbfaacedbaac, e84318e4bcdc948d92e57fda1eb763a65e1774f0 (PR #15592) Workarounds - Upgrade to openclaw@2026.2.13 or later. - Treat logs as untrusted input when using AI-assisted debugging (sanitize/escape, and do not auto-execute instructions derived from logs). - Restrict gateway network exposure; apply reverse-proxy limits on header size where applicable. Thanks @pkerkhofs for reporting.",
"affected": [
"openclaw@<= 2026.2.12"
],
"patched": [
"openclaw@2026.2.13"
],
"platforms": [
"openclaw"
],
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
"published": "2026-02-14T20:19:44Z",
"updated": "2026-02-14T20:19:44Z",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-g27f-9qjv-22pm"
],
"source": "GitHub Security Advisory",
"repository": "openclaw/openclaw",
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g27f-9qjv-22pm",
"nvd_url": null,
"cvss_score": 3.1,
"cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"cwe_ids": [
"CWE-117"
],
"credits": [
"pkerkhofs"
],
"aliases": [
"GHSA-g27f-9qjv-22pm"
]
},
{
"id": "GHSA-56f2-hvwg-5743",
"ghsa_id": "GHSA-56f2-hvwg-5743",
"cve_id": null,
"status": "stale",
"stale": true,
"stale_after_days": 60,
"severity": "high",
"type": "server_side_request_forgery",
"nvd_category_id": "CWE-918",
"title": "SSRF in Image Tool Remote Fetch",
"description": "Summary A server-side request forgery (SSRF) vulnerability in the Image tool allowed attackers to force OpenClaw to make HTTP requests to arbitrary internal or restricted network targets. Affected Versions - npm: openclaw <= 2026.2.1 Patched Versions - npm: openclaw 2026.2.2 and later Fix Commits - 81c68f582d4a9a20d9cca9f367d2da9edc5a65ae (guard remote media fetches with SSRF checks) - 9bd64c8a1f91dda602afc1d5246a2ff2be164647 (expand SSRF guard coverage) Details The Image tool accepts file paths, file:// URLs, data: URLs, and http(s) URLs. In vulnerable versions, http(s) URLs were fetched without SSRF protections, enabling requests to localhost, RFC1918, link-local, and cloud metadata targets. This was fixed by routing remote media fetching through the SSRF guard (private/internal IP + hostname blocking, redirect hardening, DNS pinning). Exploitability Notes - Requires attacker-controlled invocation of the Image tool (direct tool access, or a gateway/channel surface that forwards untrusted image arguments into tool calls). - The image tool expects the fetched content to be an image. Many high-value SSRF targets return text/JSON (for example cloud metadata endpoints), which will typically fail media-type validation. In practice, the most direct confidentiality impact comes from internal endpoints that actually return images (screenshots/renderers, camera snapshots, chart exports, etc.). - Remote fetches are GET-only with no custom headers. Some metadata services require special headers or session tokens (for example GCP Metadata-Flavor, AWS IMDSv2 token), which can further reduce the likelihood of direct credential theft in some environments. - Despite the above constraints, SSRF remains a powerful primitive: it can enable internal network probing and access to unauthenticated/internal HTTP endpoints, and can chain with other weaknesses if present. Related - Duplicate / broader writeup: GHSA-9vf6-3vcv-rpj2 (closed). Thanks @p80n-sec for reporting.",
"affected": [
"openclaw@<=2026.2.1"
],
"patched": [
"openclaw@2026.2.2"
],
"platforms": [
"openclaw"
],
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
"published": "2026-02-14T17:21:19Z",
"updated": "2026-02-14T17:21:19Z",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-56f2-hvwg-5743"
],
"source": "GitHub Security Advisory",
"repository": "openclaw/openclaw",
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-56f2-hvwg-5743",
"nvd_url": null,
"cvss_score": 7.6,
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"cwe_ids": [
"CWE-918"
],
"credits": [
"p80n-sec"
],
"aliases": [
"GHSA-56f2-hvwg-5743"
]
},
{
"id": "GHSA-hv93-r4j3-q65f",
"ghsa_id": "GHSA-hv93-r4j3-q65f",
"cve_id": null,
"status": "stale",
"stale": true,
"stale_after_days": 60,
"severity": "high",
"type": "github_security_advisory",
"nvd_category_id": "CWE-330",
"title": "Hook Session Key Override Enables Targeted Cross-Session Routing",
"description": "Summary The issue is not deterministic session keys by itself. The exploitable path was accepting externally supplied sessionKey values on authenticated hook ingress, allowing a hook token holder to route messages into chosen sessions. Affected Behavior - POST /hooks/agent accepted payload sessionKey and used it directly for session routing. - Common session-key shapes (for example agent:main:dm:<peerId>) were often derivable from known metadata, making targeted routing practical when request-level override was enabled. Attack Preconditions - Attacker can call hook endpoints with a valid hook token. - Hook ingress allows request-selected sessionKey values. - Target session keys can be derived or guessed. Without those preconditions, deterministic key formats alone do not provide access. Impact - Integrity: targeted message/prompt injection into chosen sessions. - Persistence: poisoned context can affect subsequent turns when the same session key is reused. - Confidentiality impact is secondary and depends on additional weaknesses. Affected Versions - openclaw >= 2.0.0-beta3 and < 2026.2.12 Patched Versions - openclaw >= 2026.2.12 Fix OpenClaw now uses secure defaults for hook session routing: - POST /hooks/agent rejects payload sessionKey unless hooks.allowRequestSessionKey=true. - Added hooks.defaultSessionKey for fixed ingress routing. - Added hooks.allowedSessionKeyPrefixes to constrain explicit routing keys. - Security audit warns on unsafe hook session-routing settings. Recommended Configuration Credit Thanks @alpernae for responsible reporting. Fix Commit(s) - 3421b2ec1ee5ae1300e7a89844340c10f5606ad1",
"affected": [
"openclaw@>= 2.0.0-beta3, < 2026.2.12"
],
"patched": [
"openclaw@>= 2026.2.12"
],
"platforms": [
"openclaw"
],
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
"published": "2026-02-14T13:36:56Z",
"updated": "2026-02-21T14:11:04Z",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-hv93-r4j3-q65f"
],
"source": "GitHub Security Advisory",
"repository": "openclaw/openclaw",
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hv93-r4j3-q65f",
"nvd_url": null,
"cvss_score": 7.1,
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
"cwe_ids": [
"CWE-330",
"CWE-639"
],
"credits": [
"alpernae"
],
"aliases": [
"GHSA-hv93-r4j3-q65f"
]
},
{
"id": "GHSA-gv46-4xfq-jv58",
"ghsa_id": "GHSA-gv46-4xfq-jv58",
"cve_id": null,
"status": "stale",
"stale": true,
"stale_after_days": 60,
"severity": "critical",
"type": "github_security_advisory",
"nvd_category_id": "CWE-20",
"title": "Remote Code Execution via Node Invoke Approval Bypass in Gateway",
"description": "Summary A remote code execution (RCE) vulnerability in the gateway-to-node invocation path allowed an authenticated gateway client to bypass node-host exec approvals by injecting internal control fields into node.invoke parameters. Affected Component - Gateway method: node.invoke for node command system.run - Node host runner: exec approval gating for system.run Impact If an attacker can authenticate to a gateway (for example via a leaked/shared gateway token or a paired device token with operator.write), they could execute arbitrary commands on connected node hosts that support system.run. This can lead to full compromise of developer workstations, CI runners, and servers running the node host. Technical Details The gateway forwarded user-controlled params to node hosts without sanitizing internal approval fields. The node host treated params.approved === true and/or params.approvalDecision as sufficient to skip the approval workflow. Fix Patched in OpenClaw 2026.2.14. - Commits: - 318379cdb8d045da0009b0051bd0e712e5c65e2d - a7af646fdab124a7536998db6bd6ad567d2b06b0 - c1594627421f95b6bc4ad7c606657dc75b5ad0ce - 0af76f5f0e93540efbdf054895216c398692afcd - Gateway strips untrusted approval control fields from system.run user input. - Gateway only re-attaches approval flags when params.runId references a valid exec.approval.request record and the request context matches. Approval IDs are bound to the requesting device identity (stable across reconnects), preventing replay by other clients. - Gateway forwards only an allowlisted set of system.run parameters, preventing future control-field smuggling. Mitigations - Upgrade to 2026.2.14 or later. - Restrict access to the gateway (do not expose it to untrusted networks/users). - Rotate gateway credentials if you suspect token/password exposure. - Disable remote command execution on nodes by blocking system.run at the gateway (gateway.nodes.denyCommands) and/or by configuring node exec security to deny. Credits Thanks to @222n5 for reporting this issue.",
"affected": [
"openclaw@< 2026.2.14"
],
"patched": [
"openclaw@>= 2026.2.14"
],
"platforms": [
"openclaw"
],
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
"published": "2026-02-14T12:06:43Z",
"updated": "2026-02-14T12:32:18Z",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-gv46-4xfq-jv58"
],
"source": "GitHub Security Advisory",
"repository": "openclaw/openclaw",
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gv46-4xfq-jv58",
"nvd_url": null,
"cvss_score": 9.9,
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"cwe_ids": [
"CWE-20",
"CWE-441",
"CWE-863"
],
"credits": [
"222n5"
],
"aliases": [
"GHSA-gv46-4xfq-jv58"
]
},
{
"id": "GHSA-943q-mwmv-hhvh",
"ghsa_id": "GHSA-943q-mwmv-hhvh",
"cve_id": null,
"status": "stale",
"stale": true,
"stale_after_days": 60,
"severity": "high",
"type": "os_command_injection",
"nvd_category_id": "CWE-78",
"title": "OC-02: Gateway /tools/invoke tool escalation + ACP permission auto-approval",
"description": "Summary OpenClaw Gateway exposes an authenticated HTTP endpoint (POST /tools/invoke) intended for invoking a constrained set of tools. Two issues could combine to significantly increase blast radius in misconfigured or exposed deployments: - The HTTP gateway layer did not deny high-risk session orchestration tools by default, allowing a caller with Gateway auth to invoke tools like sessionsspawn / sessionssend and pivot into creating or controlling agent sessions. - ACP clients could auto-approve permission requests for risky tools with insufficient user interaction/guardrails, reducing the friction that should normally prevent silent execution or mutation. Impact If the Gateway is reachable by an attacker and they obtain a valid Gateway token, they may be able to: - Escalate from single-tool invocation to spawning/controlling sessions and reach command execution capabilities depending on tool policy and runtime environment. - Perform cross-session message injection via sessionssend. - In ACP-integrated scenarios, obtain unintended approvals for non-read/search tool permissions. CVSS - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8) Affected versions - openclaw < 2026.2.14 Fixed in - openclaw >= 2026.2.14 Remediation The default behavior is now hardened: - PR #15390: deny high-risk tools over HTTP /tools/invoke by default (with gateway.tools.{allow,deny} overrides) and harden ACP permission handling. - Commit bb1c3dfe1: ACP clients now prompt for any non-read/search permission request (fail closed for mutating/execution/fetch operations). - Commit 539689a2f: security audit warns when gateway.tools.allow re-enables default-denied HTTP tools, since this can increase RCE blast radius if the Gateway is reachable. - Commit 153a7644e: ACP safe-kind inference is stricter to avoid accidental auto-approval due to substring matches (still auto-approves only confident read/search). Mitigations / deployment guidance - Keep the Gateway loopback-only unless you have a strong reason not to: gateway.bind=\"loopback\" / openclaw gateway run --bind loopback. - Avoid exposing the Gateway directly to the public internet. Use an SSH tunnel or Tailscale to access a loopback-bound Gateway. - Treat opting in to default-denied HTTP tools (via gateway.tools.allow) as high-risk and audit such configurations carefully. Credits Thanks to @aether-ai-agent for reporting this issue and contributing remediation work.",
"affected": [
"openclaw@<2026.2.14"
],
"patched": [
"openclaw@>=2026.2.14"
],
"platforms": [
"openclaw"
],
"action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.",
"published": "2026-02-14T11:55:07Z",
"updated": "2026-02-14T12:19:32Z",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-943q-mwmv-hhvh"
],
"source": "GitHub Security Advisory",
"repository": "openclaw/openclaw",
"github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-943q-mwmv-hhvh",
"nvd_url": null,
"cvss_score": 8.8,
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-78"
],
"credits": [
"aether-ai-agent"
],
"aliases": [
"GHSA-943q-mwmv-hhvh"
]
}
]
}