SB2026033184 - Multiple vulnerabilities in OpenClaw
Published: March 31, 2026 Updated: April 8, 2026
Description
This security bulletin contains information about 6 security vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2026-3691)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because the OAuth authorization implementation places sensitive data in the query string of the authorization URL. Query strings are recorded in browser history, Referer headers and proxy and server logs, so a remote attacker with access to any of those can recover the data and gain unauthorized access to sensitive information on the system.
2) Incorrect authorization (CVE-ID: CVE-2026-32042)
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to improper access control in the operator pairing and scope assignment logic when attaching an unpaired device identity using shared gateway authentication. A remote user can present a self-signed, unpaired device identity and request elevated operator scopes to escalate privileges.
The issue can allow assignment of higher operator scopes, including operator.admin, before pairing approval.
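The following is an added illustration of the access-control rule that item 2 describes, written for this bulletin and not OpenClaw's code: an identity that has not completed pairing may not be granted scopes above a fixed ceiling, whatever it asks for, and only an operator's approval step can raise them. The scope names other than operator.admin, the ceiling of operator.read, and the registry API are assumptions for the example.

```python
from dataclasses import dataclass, field

# Scope ladder and the ceiling for a not-yet-paired identity are assumptions for this
# example; the only scope name taken from the advisory is operator.admin.
OPERATOR_SCOPES = ("operator.read", "operator.write", "operator.admin")
UNPAIRED_SCOPE_CEILING = frozenset({"operator.read"})


@dataclass
class DeviceIdentity:
    device_id: str
    public_key: str          # self-signed: presented by the client, vouched for by nobody
    paired: bool = False
    scopes: set = field(default_factory=set)


class PairingRegistry:
    """Scope assignment that never trusts the requested scopes of an unpaired identity."""

    def __init__(self):
        self.devices = {}
        self.pending = {}    # device_id -> scopes awaiting an operator's approval

    def attach(self, identity, requested_scopes, shared_auth_ok):
        # Shared gateway auth proves the caller knows the gateway credential, nothing more:
        # it says nothing about whether *this device identity* has been approved.
        if not shared_auth_ok:
            raise PermissionError("gateway authentication failed")
        requested = set(requested_scopes)
        unknown = requested - set(OPERATOR_SCOPES)
        if unknown:
            raise ValueError(f"unknown scopes requested: {sorted(unknown)}")

        known = self.devices.get(identity.device_id)
        if known is not None and known.public_key != identity.public_key:
            raise PermissionError("device id already registered with a different key")
        if known is not None and known.paired:
            # Paired: scopes were fixed at approval time; a later request cannot widen them.
            return requested & known.scopes

        # Unpaired (first sight, or pairing still pending). The weak behaviour being fixed
        # here would store `requested` as-is, handing operator.admin to a self-signed
        # identity before any human approved it. Clamp to the ceiling and park the rest.
        granted = requested & UNPAIRED_SCOPE_CEILING
        identity.paired = False
        identity.scopes = granted
        self.devices[identity.device_id] = identity
        self.pending[identity.device_id] = requested - granted
        return granted

    def approve_pairing(self, device_id, approved_scopes):
        """Only this operator-driven step may grant scopes above the ceiling."""
        dev = self.devices[device_id]
        dev.paired = True
        dev.scopes = set(approved_scopes) & set(OPERATOR_SCOPES)
        self.pending.pop(device_id, None)
        return dev.scopes
```

The point of the split is that `attach` can only ever narrow: the requested set is intersected with either the ceiling or the approved set, so there is no code path in which the caller's own request determines what it receives.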
3) Link following (CVE-ID: CVE-2026-32013)
The vulnerability allows a remote user to read and write arbitrary files on the host system.
The vulnerability exists due to improper link resolution before file access in the gateway agents.files.get and agents.files.set methods when processing allowlisted workspace files that are symlinks. A remote user can use a symlinked allowlisted file such as AGENTS.md to access files outside the workspace and read and write arbitrary files on the host system.
Chained impact may include code execution depending on which files are overwritten.
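As an added example for item 3 (not OpenClaw's implementation of agents.files.get/set), the following shows the two checks a file accessor needs before touching an allowlisted workspace file: refuse a symlink at the leaf, and resolve the full path and require it to stay under the workspace root, with O_NOFOLLOW on the write to close the check-then-open race. The allowlist contents beyond AGENTS.md, the function names and the demo scenario are constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# Constructed allowlist for this example; AGENTS.md is the file named in the advisory.
ALLOWLISTED_FILES = frozenset({"AGENTS.md", "NOTES.md"})


def resolve_workspace_file(workspace, name):
    """Map an allowlisted name to a real path guaranteed to live inside the workspace."""
    if name not in ALLOWLISTED_FILES:
        raise PermissionError(f"{name!r} is not an allowlisted workspace file")
    root = Path(workspace).resolve(strict=True)
    candidate = root / name
    # Check 1: refuse a symlink at the leaf before even looking at where it points.
    if candidate.is_symlink():
        raise PermissionError(f"{name} is a symlink; refusing to follow it")
    # Check 2: resolve every link in the path and require containment, which also
    # catches a symlinked parent directory or a workspace root that is itself a link.
    real = candidate.resolve(strict=False)
    if not real.is_relative_to(root):
        raise PermissionError(f"{name} resolves outside the workspace: {real}")
    return real


def agents_files_get(workspace, name):
    return resolve_workspace_file(workspace, name).read_text()


def agents_files_set(workspace, name, content):
    path = resolve_workspace_file(workspace, name)
    # O_NOFOLLOW closes the window between the checks above and this open(): a symlink
    # swapped in meanwhile makes the open fail instead of writing through the link.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)


def demo():
    """Constructed scenario: AGENTS.md in the workspace is a symlink to a file outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp) / "workspace"
        ws.mkdir()
        outside = Path(tmp) / "host-secret.txt"
        outside.write_text("host secret")
        (ws / "AGENTS.md").symlink_to(outside)
        try:
            agents_files_get(ws, "AGENTS.md")
            read_blocked = False
        except PermissionError:
            read_blocked = True
        try:
            agents_files_set(ws, "AGENTS.md", "overwritten")
            write_blocked = False
        except PermissionError:
            write_blocked = True
        # A regular file under the workspace still works as intended.
        (ws / "AGENTS.md").unlink()
        agents_files_set(ws, "AGENTS.md", "# agents")
        return read_blocked, write_blocked, agents_files_get(ws, "AGENTS.md"), outside.read_text()
```

Both checks are kept because they fail differently: the leaf check gives a clear error for the common case, while the containment check is what stops a link in a parent directory, and the O_NOFOLLOW open is what holds if the filesystem changes between check and use.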
4) Information disclosure (CVE-ID: N/A)
The vulnerability allows a remote attacker to obtain a PKCE code verifier.
The vulnerability exists due to exposure of sensitive information in the macOS app beta onboarding OAuth flow when handling Anthropic OAuth sign-in. A remote attacker who can observe the exposed OAuth state value together with the accompanying authorization artifacts can recover the PKCE code verifier, the secret that is meant to bind the authorization code to the client that started the flow.
The issue is limited to the macOS beta onboarding OAuth path and does not affect the core CLI or gateway onboarding paths.
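Items 1 and 4 are two faces of the same rule: the only PKCE value that may appear in a browser-visible authorization URL is the S256 challenge, and the verifier and any other secret stay with the client until the token request, which goes in a POST body. The following is an added example written for this bulletin, not OpenClaw's onboarding code; the endpoint, client id, redirect URI and the list of forbidden parameter names are assumptions.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Parameters that must never be visible in a browser-facing authorization URL: query
# strings end up in browser history, Referer headers and proxy/server logs. (Assumed list.)
FORBIDDEN_QUERY_KEYS = frozenset({
    "code_verifier", "client_secret", "access_token", "refresh_token", "id_token",
})


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """RFC 7636 S256: the only PKCE value that may travel in the authorization URL."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def leaked_query_keys(url: str) -> list:
    """Names of secret-bearing parameters present in the URL's query string."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(k for k in params if k.lower() in FORBIDDEN_QUERY_KEYS)


class PendingAuthorizations:
    """Client side of the flow: the verifier never leaves this process; only its
    challenge and a one-time state go into the URL the browser sees."""

    def __init__(self):
        self._verifier_by_state = {}

    def start(self, authorize_endpoint, client_id, redirect_uri, scope):
        verifier = b64url(secrets.token_bytes(32))      # 43 chars, within RFC 7636 limits
        state = secrets.token_urlsafe(32)
        self._verifier_by_state[state] = verifier
        url = authorize_endpoint + "?" + urlencode({
            "response_type": "code",
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "scope": scope,
            "state": state,
            "code_challenge": pkce_challenge(verifier),
            "code_challenge_method": "S256",
        })
        leaked = leaked_query_keys(url)
        if leaked:  # fail closed rather than emit a leaky URL
            raise ValueError(f"refusing to emit authorization URL carrying {leaked}")
        return url, state

    def finish(self, state):
        """On callback: the state is consumed exactly once and yields the verifier for
        the token request, which is sent in a POST body, never in a URL."""
        verifier = self._verifier_by_state.pop(state, None)
        if verifier is None:
            raise PermissionError("unknown or already-used OAuth state")
        return verifier
```

`leaked_query_keys` doubles as a cheap regression check: run it over every authorization URL a flow produces (for example in a unit test of the onboarding path) and fail the build on a non-empty result.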
5) Authentication Bypass by Capture-replay (CVE-ID: CVE-2026-28449)
The vulnerability allows a remote attacker to trigger duplicate inbound processing.
The vulnerability exists due to authentication bypass by capture-replay in the Nextcloud Talk webhook path: previously valid signed webhook requests are accepted again because replay suppression is not durable. A remote attacker who has captured a signed request can replay it to trigger duplicate inbound processing.
The issue is limited to deployments using the Nextcloud Talk webhook integration. Because suppression state is not persisted, a replay can succeed once the replay window has expired or after the process has restarted.
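The following is an added example of what "durable replay suppression" means for a signed webhook, written for this bulletin and not taken from OpenClaw or Nextcloud: the signature covers timestamp, nonce and body; the signature is checked before the nonce is recorded (so unauthenticated traffic cannot fill the store); and seen nonces live in SQLite so that a restart does not forget them. The header names, shared secret and sample payload are constructed.

```python
import hashlib
import hmac
import os
import sqlite3
import tempfile

# Constructed shared secret and header names for this example; they are not Nextcloud's.
SIGNING_SECRET = b"constructed-webhook-secret"
MAX_SKEW_SECONDS = 300


def sign_webhook(body: bytes, timestamp: int, nonce: str) -> str:
    """Sender side: one HMAC over timestamp, nonce and body so none can be swapped alone."""
    msg = f"{timestamp}.{nonce}.".encode() + body
    return hmac.new(SIGNING_SECRET, msg, hashlib.sha256).hexdigest()


class DurableReplayStore:
    """Seen nonces live in SQLite, so suppression survives a process restart."""

    def __init__(self, path):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS seen_nonce (nonce TEXT PRIMARY KEY, ts INTEGER NOT NULL)"
        )
        self.db.commit()

    def claim(self, nonce, ts) -> bool:
        """Atomically record the nonce; False if it was already recorded."""
        try:
            with self.db:
                self.db.execute("INSERT INTO seen_nonce (nonce, ts) VALUES (?, ?)", (nonce, ts))
            return True
        except sqlite3.IntegrityError:
            return False

    def prune(self, now):
        # Entries older than the acceptance window can never verify again, so they may go.
        with self.db:
            self.db.execute("DELETE FROM seen_nonce WHERE ts < ?", (now - MAX_SKEW_SECONDS,))


def verify_webhook(store, headers, body, now):
    """Receiver side. Order matters: timestamp, then signature, then the replay check,
    so only authenticated requests ever write to the store."""
    try:
        ts = int(headers["X-Timestamp"])
        nonce = headers["X-Nonce"]
        provided = headers["X-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed auth headers"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    if not hmac.compare_digest(sign_webhook(body, ts, nonce), provided):
        return False, "bad signature"
    if not store.claim(nonce, ts):
        return False, "replay"
    return True, "ok"


def demo():
    """Constructed delivery, then a replay, a replay after a 'restart', and one after the window."""
    body = b'{"message": "hello from Talk"}'
    now = 1_700_000_000
    nonce = "3f1c-constructed"
    headers = {"X-Timestamp": str(now), "X-Nonce": nonce,
               "X-Signature": sign_webhook(body, now, nonce)}
    with tempfile.TemporaryDirectory() as tmp:
        db_path = os.path.join(tmp, "replay.sqlite")
        store = DurableReplayStore(db_path)
        first = verify_webhook(store, headers, body, now)[1]
        replay = verify_webhook(store, headers, body, now + 5)[1]
        store.db.close()
        # Simulate a process restart: a fresh store on the same file still knows the nonce.
        restarted = DurableReplayStore(db_path)
        after_restart = verify_webhook(restarted, headers, body, now + 10)[1]
        # Long after the window the timestamp check rejects it even though the nonce was pruned.
        restarted.prune(now + 3600)
        after_window = verify_webhook(restarted, headers, body, now + 3600)[1]
        restarted.db.close()
    return first, replay, after_restart, after_window
```

The two mechanisms cover each other: the timestamp bound keeps the nonce table small, and the persisted nonce table covers every request that is still inside the bound, including across restarts. Either one alone leaves exactly the gaps the advisory describes.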
6) Server-Side Request Forgery (SSRF) (CVE-ID: N/A)
The vulnerability allows a remote attacker to bypass SSRF preflight checks.
The vulnerability exists due to improper restriction of destination addresses in the SSRF IP classifier, which does not recognise IPv6 multicast literals (the ff00::/8 range) as non-global. A remote attacker can supply a URL containing such a literal to bypass the SSRF preflight checks.
OpenClaw's network fetch and navigation paths are constrained to HTTP/HTTPS, which limits the bypass to HTTP(S) requests to the multicast destination.
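As an added example for item 6 (written for this bulletin, not OpenClaw's classifier), the following preflight uses Python's `ipaddress` module to bucket a destination and accepts only addresses that fall in none of the special-purpose categories, with multicast tested first so that ff02::1 and 224.0.0.251 are rejected the same way loopback or link-local addresses are. It also unwraps IPv4-mapped IPv6 literals, a related way to slip an IPv4 address past IPv4-only rules, and takes the caller's resolved addresses for hostnames so that the same check applies after DNS. The scheme allowlist mirrors the HTTP/HTTPS constraint stated above.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = frozenset({"http", "https"})


def classify_ip(addr) -> str:
    """Bucket an IP literal; only 'global' is acceptable as an outbound destination."""
    ip = ipaddress.ip_address(str(addr))
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 rules apply to it.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return classify_ip(ip.ipv4_mapped)
    if ip.is_multicast:          # 224.0.0.0/4 and ff00::/8, the case the advisory describes
        return "multicast"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:         # includes 169.254.169.254-style metadata endpoints
        return "link-local"
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_private:
        return "private"
    if ip.is_reserved:
        return "reserved"
    return "global"


def preflight(url, resolved=None):
    """Decide whether a fetch may proceed. For a hostname the caller passes every address
    DNS returned and must then connect to exactly those addresses, not re-resolve."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname          # brackets around an IPv6 literal are stripped here
    if not host:
        return False, "no host"
    try:
        targets = [ipaddress.ip_address(host)]
    except ValueError:
        # Not a literal: a hostname (or a literal with a zone id, which we also refuse
        # to guess about). Without resolved addresses there is nothing safe to say.
        if resolved is None:
            return False, "hostname not resolved"
        targets = [ipaddress.ip_address(a) for a in resolved]
    for ip in targets:
        bucket = classify_ip(ip)
        if bucket != "global":
            return False, bucket
    return True, "ok"
```

The design choice worth copying is the shape of the decision: a closed list of acceptable outcomes (`global` only) rather than a list of forbidden ranges, so a category the author forgot, multicast in this case, is rejected by default instead of waved through.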
Remediation
Install the update from the vendor's website.
References
- https://www.zerodayinitiative.com/advisories/ZDI-26-229/
- https://github.com/openclaw/openclaw/security/advisories/GHSA-6g25-pc82-vfwp
- https://github.com/openclaw/openclaw/security/advisories/GHSA-553v-f69r-656j
- https://github.com/openclaw/openclaw/security/advisories/GHSA-fgvx-58p6-gjwc
- https://github.com/openclaw/openclaw/security/advisories/GHSA-r9q5-c7qc-p26w
- https://github.com/openclaw/openclaw/security/advisories/GHSA-h97f-6pqj-q452