SB2026040832 - Multiple vulnerabilities in OpenClaw


Published: April 8, 2026

Security Bulletin ID: SB2026040832
Severity: Medium
Patch available: Yes
Number of vulnerabilities: 15
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 27%
Low: 73%

Description

This security bulletin contains information about 15 security vulnerabilities.


1) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2026-27545)

The vulnerability allows a remote user to execute an approved command from a different filesystem location.

The vulnerability exists due to time-of-check time-of-use race condition in the node system.run approval context for cwd handling when rebinding a writable parent symlink in cwd between approval and execution. A remote user can change a mutable parent symlink while preserving the visible cwd string to execute an approved command from a different filesystem location.

The issue affects host=node executions.


2) Incorrect authorization (CVE-ID: CVE-2026-32067)

The vulnerability allows a remote user to bypass authorization boundaries across accounts and gain unauthorized access to direct message pairing approvals.

The vulnerability exists due to incorrect authorization in pairing-store access for DM pairing policy when handling pairing approvals in multi-account setups. A remote user can reuse a pairing approval from one account to bypass authorization boundaries across accounts and gain unauthorized access to direct message pairing approvals.

User interaction is required, and the issue affects multi-account channel deployments.


3) Authentication Bypass by Capture-replay (CVE-ID: N/A)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to authentication bypass by capture-replay in the voice-call Twilio webhook path when handling replayed signed webhook requests with a mutated unsigned i-twilio-idempotency-token header. A remote attacker can replay a valid signed request while changing only the unsigned idempotency header to cause a denial of service.

Only deployments using the optional voice-call Twilio webhook path are vulnerable.


4) Server-Side Request Forgery (SSRF) (CVE-ID: N/A)

The vulnerability allows a remote attacker to perform server-side request forgery.

The vulnerability exists due to server-side request forgery in Microsoft Teams attachment and media fetch handling when processing Graph metadata, hosted-content, and attachment fetches across mixed fetch paths. A remote attacker can trigger requests through paths that bypass the shared SSRF guard model to perform server-side request forgery.

The issue stems from inconsistent host and DNS enforcement across redirect and fetch hops, including attachment authentication-retry flows.


5) Incorrect authorization (CVE-ID: CVE-2026-32006)

The vulnerability allows a remote user to bypass group authorization checks.

The vulnerability exists due to incorrect authorization in BlueBubbles group authorization handling when processing message and reaction ingress with dmPolicy=pairing and groupPolicy=allowlist. A remote user can send messages or reactions from a DM-paired identity that is not explicitly present in groupAllowFrom to bypass group authorization checks.

Only deployments using BlueBubbles with groupPolicy=allowlist and dmPolicy=pairing are affected, and pairing-store entries must be present.


6) Incorrect authorization (CVE-ID: CVE-2026-32058)

The vulnerability allows a remote user to bypass approval integrity checks and alter execution context for approved node-host commands.

The vulnerability exists due to incorrect authorization in system.run approval handling for host=node workflows when consuming a previously approved request with changed env input. A remote user can reuse an approval id in the same context to bypass approval integrity checks and alter execution context for approved node-host commands.

Exploitation requires approval-enabled host=node workflows, use of exec approvals as an execution-integrity control, access to an approval id in the same context, and user interaction.
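
Items 1 and 6 share a root cause: the approval record is not bound tightly enough to what actually executes. The example below is added here and is not OpenClaw's code; the request shape (ExecRequest), the approval shape and the function names are assumptions made for illustration. It fingerprints the command, its arguments, the realpath of the cwd and the environment at approval time, and re-checks that fingerprint at execution time, so a parent symlink re-pointed while the visible cwd string stays the same (item 1) or an approval id consumed with changed env input (item 6) no longer passes. The id-only check is kept for contrast.

```typescript
// Added example (not OpenClaw's code): an exec approval is bound to the resolved cwd and
// to the environment, so a re-pointed symlink or a changed env cannot reuse the approval.
import * as fs from 'node:fs';
import * as os from 'node:os';
import * as path from 'node:path';
import { createHash, timingSafeEqual } from 'node:crypto';

export interface ExecRequest {
  command: string;
  args: string[];
  cwd: string;                  // cwd as presented by the caller; may traverse symlinks
  env: Record<string, string>;
}

export interface Approval {
  id: string;
  fingerprint: string;          // hex SHA-256 over command, args, resolved cwd and env
}

// Canonical fingerprint of a request. The cwd is resolved with realpath, so a parent
// symlink re-pointed after approval changes the fingerprint even though the visible
// cwd string is unchanged. The env is included so an approval cannot be consumed with
// different environment input. Every field is length-prefixed to keep hashing unambiguous.
export function fingerprint(req: ExecRequest): string {
  const resolvedCwd = fs.realpathSync(req.cwd);
  const envPairs = Object.keys(req.env).sort().map((k) => `${k}=${req.env[k]}`);
  const hash = createHash('sha256');
  for (const field of [req.command, ...req.args, resolvedCwd, ...envPairs]) {
    hash.update(`${Buffer.byteLength(field)}:`).update(field);
  }
  return hash.digest('hex');
}

let nextId = 0;

export function createApproval(req: ExecRequest): Approval {
  nextId += 1;
  return { id: `approval-${nextId}`, fingerprint: fingerprint(req) };
}

// Vulnerable shape, kept for contrast: the approval id alone decides, so the same id
// can be consumed with a changed env or after the cwd symlink has been re-pointed.
export function isApprovedById(approval: Approval, _req: ExecRequest, presentedId: string): boolean {
  return approval.id === presentedId;
}

// Hardened: the request is re-fingerprinted at execution time and must match what was
// approved. Any failure to resolve the cwd is treated as a mismatch (fail closed).
export function isApproved(approval: Approval, req: ExecRequest, presentedId: string): boolean {
  if (approval.id !== presentedId) return false;
  try {
    const now = Buffer.from(fingerprint(req), 'hex');
    const then = Buffer.from(approval.fingerprint, 'hex');
    return now.length === then.length && timingSafeEqual(now, then);
  } catch {
    return false;
  }
}

// Stand-alone demonstration on constructed temp directories: approve a command in a cwd
// reached through a symlink, re-point the symlink, then ask both checks again.
export function demonstrateRepoint(): { idOnly: boolean; hardened: boolean } {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'exec-approval-'));
  const realA = path.join(base, 'real-a');
  const realB = path.join(base, 'real-b');
  const link = path.join(base, 'cwd');
  fs.mkdirSync(realA);
  fs.mkdirSync(realB);
  fs.symlinkSync(realA, link);
  const req: ExecRequest = { command: 'make', args: ['test'], cwd: link, env: { PATH: '/usr/bin' } };
  const approval = createApproval(req);
  fs.unlinkSync(link);
  fs.symlinkSync(realB, link);      // visible cwd string is unchanged, its target is not
  return {
    idOnly: isApprovedById(approval, req, approval.id),
    hardened: isApproved(approval, req, approval.id),
  };
}
```

Re-fingerprinting at execution time narrows the race to the interval between the check and the spawn; it does not remove it, because the process is still started by path name. Closing that residual window needs an execution primitive that takes an already-opened directory handle as the cwd, which Node's child_process API does not offer, so in practice the re-check is paired with running node-host commands only from locations that untrusted users cannot re-link.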


7) Incorrect authorization (CVE-ID: CVE-2026-32027)

The vulnerability allows a remote user to bypass group allowlist authorization.

The vulnerability exists due to incorrect authorization in group allowlist authorization checks when evaluating group message paths. A remote user can use an identity approved via DM pairing to bypass group allowlist authorization.

This is an authorization-policy boundary issue between DM pairing and group allowlists.


8) Authentication Bypass by Alternate Name (CVE-ID: CVE-2026-32036)

The vulnerability allows a remote attacker to bypass authentication for protected channel routes.

The vulnerability exists due to authentication bypass by alternate name in gateway plugin route auth protection for /api/channels paths when processing encoded dot-segment traversal path variants that plugin handlers normalize. A remote attacker can send a specially crafted request to bypass authentication for protected channel routes.

Exploitation requires plugin handlers to decode or canonicalize the incoming path and then route it to /api/channels handlers.


9) Incorrect authorization (CVE-ID: CVE-2026-31991)

The vulnerability allows a remote user to bypass group allowlist authorization.

The vulnerability exists due to incorrect authorization in shared DM/group policy resolution when evaluating Signal group authorization under groupPolicy=allowlist. A remote user can use sender identities sourced from DM pairing-store approvals to bypass group allowlist authorization.

User interaction is required.


10) Authentication Bypass by Spoofing (CVE-ID: CVE-2026-32014)

The vulnerability allows a remote user to gain access to commands that should remain blocked for the originally paired platform.

The vulnerability exists due to authentication bypass by spoofing in the node reconnect metadata handling when accepting client-supplied platform and deviceFamily metadata during node reconnection. A remote user can spoof reconnect metadata to gain access to commands that should remain blocked for the originally paired platform.

Exploitation requires an already paired node identity on the trusted network, and affects configurations where node command policy differs by platform.


11) Link following (CVE-ID: N/A)

The vulnerability allows a local user to modify files outside the configured workspace or sandbox boundary.

The vulnerability exists due to improper link resolution before file access in symlink alias handling for workspace-only write flows when processing write paths with dangling symlink hops under missing-target conditions. A local user can supply a crafted path to modify files outside the configured workspace or sandbox boundary.

This issue affects workspace-only write flows, including apply_patch.


12) Link following (CVE-ID: CVE-2026-32055)

The vulnerability allows a remote user to write files outside the workspace boundary.

The vulnerability exists due to improper link resolution before file access in the workspace-only path validation logic when processing a guarded workspace path that traverses an in-workspace symlink pointing outside the workspace to a non-existent leaf. A remote user can perform a first write through the crafted path to write files outside the workspace boundary.

The issue occurs during the initial validation window for a non-existent out-of-root symlink target.
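
Items 11 and 12 describe the same gap from two sides: a workspace-only write check that validates the path lexically, or with realpath on a target that does not yet exist, lets the first write land wherever an in-workspace symlink points. The example below is added here and is not OpenClaw's code; the function names and the constructed directory layout are assumptions. It resolves the path component by component, following every symlink it meets (including a dangling one whose target is still missing) and appending the remaining components only once it reaches a component that does not exist, then checks the resulting path against the realpath of the workspace root.

```typescript
// Added example (not OpenClaw's code): resolve a workspace-relative write path the way
// the filesystem will, following every symlink component even when its target does
// not exist yet, before deciding whether the write stays inside the workspace.
import * as fs from 'node:fs';
import * as os from 'node:os';
import * as path from 'node:path';

const MAX_SYMLINK_HOPS = 40;        // bound for symlink chains and cycles

function lstatOrNull(p: string): fs.Stats | null {
  try { return fs.lstatSync(p); } catch { return null; }
}

function splitComponents(p: string): string[] {
  return p.split('/').filter((c) => c !== '' && c !== '.');
}

// Returns the absolute path the write would create, or null when it would land
// outside the (realpath-resolved) workspace root. Throws if the root itself is missing.
export function resolveWorkspaceWritePath(workspaceRoot: string, relative: string): string | null {
  const root = fs.realpathSync(workspaceRoot);
  if (path.isAbsolute(relative)) return null;
  let current = root;
  let pending = splitComponents(relative);
  let hops = 0;
  while (pending.length > 0) {
    const name = pending.shift()!;
    if (name === '..') {
      // ".." applies to the directory already resolved, as the kernel does it,
      // not to the lexical path the caller wrote.
      current = path.dirname(current);
      continue;
    }
    const candidate = path.join(current, name);
    const st = lstatOrNull(candidate);
    if (st === null) {
      // Missing component: nothing on disk below it can redirect the write, so the
      // remaining components are appended lexically.
      current = path.join(candidate, ...pending);
      pending = [];
      break;
    }
    if (st.isSymbolicLink()) {
      if (++hops > MAX_SYMLINK_HOPS) return null;
      // Dangling or not, the link target decides where the write goes: push the
      // target's components in front of the unconsumed ones and keep resolving.
      const target = fs.readlinkSync(candidate);
      pending = [...splitComponents(target), ...pending];
      if (path.isAbsolute(target)) current = '/';   // relative targets resolve against `current`
      continue;
    }
    current = candidate;
  }
  const rel = path.relative(root, current);
  const inside = rel === '' || (rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel));
  return inside ? current : null;
}

// Constructed layout for the stand-alone demonstration (created under a temp dir):
//   ws/inner/            real directory inside the workspace
//   ws/escape   ->       <base>/outside          symlink leaving the workspace
//   ws/dangling ->       <base>/outside/missing  symlink whose target does not exist
export function buildDemoWorkspace(): string {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'ws-demo-'));
  const ws = path.join(base, 'ws');
  const outside = path.join(base, 'outside');
  fs.mkdirSync(path.join(ws, 'inner'), { recursive: true });
  fs.mkdirSync(outside);
  fs.symlinkSync(outside, path.join(ws, 'escape'));
  fs.symlinkSync(path.join(outside, 'missing'), path.join(ws, 'dangling'));
  return ws;
}
```

The containment test is done on the resolved path, not on the string the caller supplied, which is what distinguishes this from a lexical check. A check that calls realpath on the full path would throw ENOENT for the non-existent leaf and tempt the caller into falling back to the lexical form; resolving the existing prefix and only then appending the missing tail avoids that fallback.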


13) Incorrect authorization (CVE-ID: N/A)

The vulnerability allows a remote user to bypass group sender authorization checks and influence group sender authorization.

The vulnerability exists due to incorrect authorization in group allowlist composition when handling LINE group allowlist checks in configurations where DM pairing is enabled. A remote user can use a sender ID approved through DM pairing to bypass group allowlist restrictions and influence group sender authorization.

Under the default DM pairing policy, DM-paired sender IDs could satisfy group allowlist checks in specific LINE configurations.
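
Items 5, 7, 9 and 13 are the same policy-boundary mistake on different channels: sender identities that were approved through DM pairing end up satisfying a group allowlist check, and item 2 adds that a pairing approval on one account was honoured on another. The example below is added here and is not OpenClaw's code; the policy shape, the PairingStore class and the function names are assumptions for illustration. The merged resolver shows the flawed shape, where paired ids are folded into the set of allowed senders before the chat kind is considered; the hardened resolver keys the pairing store by account and consults it only on the DM path.

```typescript
// Added example (not OpenClaw's code): DM pairing approvals and group allowlists are
// separate authorization decisions, and pairing approvals are scoped to one account.

export type ChatKind = 'dm' | 'group';

export interface ChannelPolicy {
  dmPolicy: 'pairing' | 'open';
  groupPolicy: 'allowlist' | 'open';
  groupAllowFrom: string[];          // sender ids explicitly allowed in groups
}

export interface Inbound {
  accountId: string;                 // the receiving account in a multi-account deployment
  senderId: string;
  chat: ChatKind;
}

// Pairing store keyed by receiving account, so an approval granted on one account
// never satisfies a check performed for another account.
export class PairingStore {
  private approved = new Map<string, Set<string>>();

  approve(accountId: string, senderId: string): void {
    if (!this.approved.has(accountId)) this.approved.set(accountId, new Set());
    this.approved.get(accountId)!.add(senderId);
  }

  isPaired(accountId: string, senderId: string): boolean {
    return this.approved.get(accountId)?.has(senderId) ?? false;
  }
}

// Flawed shape, kept for contrast: a single "allowed senders" set is composed first and
// the chat kind is applied afterwards, so a DM-paired sender passes the group check.
export function isAuthorizedMerged(policy: ChannelPolicy, store: PairingStore, msg: Inbound): boolean {
  const allowed = new Set(policy.groupAllowFrom);
  if (policy.dmPolicy === 'pairing' && store.isPaired(msg.accountId, msg.senderId)) {
    allowed.add(msg.senderId);
  }
  if (msg.chat === 'dm') return policy.dmPolicy === 'open' || allowed.has(msg.senderId);
  return policy.groupPolicy === 'open' || allowed.has(msg.senderId);
}

// Hardened: each chat kind consults only its own source of truth.
export function isAuthorized(policy: ChannelPolicy, store: PairingStore, msg: Inbound): boolean {
  if (msg.chat === 'dm') {
    return policy.dmPolicy === 'open' || store.isPaired(msg.accountId, msg.senderId);
  }
  // Group path: pairing status is irrelevant here by design.
  return policy.groupPolicy === 'open' || policy.groupAllowFrom.includes(msg.senderId);
}
```

The useful property to test for in a deployment is the negative one: a sender that is paired but not in groupAllowFrom must be refused on the group path, under the default dmPolicy=pairing and with pairing-store entries present, which is exactly the configuration the bulletin lists as affected.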


14) Incorrect authorization (CVE-ID: CVE-2026-32895)

The vulnerability allows a remote user to disclose sensitive information and modify system event processing.

The vulnerability exists due to incorrect authorization in Slack system event handlers in src/slack/monitor/events/members.ts and src/slack/monitor/events/messages.ts when handling member_* and message subtype system events. A remote user can send unauthorized system events from a non-allowlisted sender to disclose sensitive information and modify system event processing.

Deployments relying on Slack DM allowlists or per-channel user allowlists are affected.


15) Authentication bypass using an alternate path or channel (CVE-ID: CVE-2026-32031)

The vulnerability allows a remote attacker to bypass authentication and access plugin channel APIs.

The vulnerability exists due to authentication bypass using an alternate path or channel in the server-http gateway auth guard for plugin channel endpoints when processing request paths that are canonicalized differently by the gateway guard and plugin handler routing. A remote attacker can send a specially crafted request path to bypass authentication and access plugin channel APIs.

Exploitation is possible when a plugin handler canonicalizes path input such that requests skipped by the gateway auth guard are interpreted as protected /api/channels/* routes.
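
Items 8 and 15 are both a disagreement between two components about what a request path means: the gateway guard matches the path as received, while the plugin handler decodes and canonicalizes it before routing. The example below is added here and is not OpenClaw's code; the protected prefix, the canonicalization rules and the function names are assumptions for illustration. The hardened guard decides on a canonical form (percent-decoded once, dot segments and repeated slashes collapsed) and fails closed when the input has no unambiguous canonical form, so that a path the router will treat as /api/channels/* is treated that way by the guard too. The naive prefix check is kept for contrast.

```typescript
// Added example (not OpenClaw's code): an auth guard that matches the canonical form of
// the request path, so it cannot disagree with a handler that normalizes the same path.
import * as path from 'node:path';

const PROTECTED_PREFIX = '/api/channels';

function hasPrefix(p: string, prefix: string): boolean {
  return p === prefix || p.startsWith(prefix + '/');
}

// Naive guard, kept for contrast: prefix-matches the raw path as received.
export function naiveRequiresAuth(rawPath: string): boolean {
  return hasPrefix(rawPath, PROTECTED_PREFIX);
}

// Canonical form: strip query/fragment, percent-decode once, collapse "." and ".."
// segments and repeated slashes. Returns null for input whose meaning is ambiguous
// (undecodable, still encoded after one decode, backslashes or NUL), so the caller can
// fail closed instead of guessing what the handler will do with it.
export function canonicalize(rawPath: string): string | null {
  const pathOnly = rawPath.split(/[?#]/, 1)[0];
  let decoded: string;
  try {
    decoded = decodeURIComponent(pathOnly);
  } catch {
    return null;
  }
  if (decoded.includes('%') || decoded.includes('\\') || decoded.includes('\0')) return null;
  // posix.normalize collapses dot segments and repeated slashes and clamps ".." at "/".
  let normalized = path.posix.normalize('/' + decoded);
  if (normalized.length > 1 && normalized.endsWith('/')) normalized = normalized.slice(0, -1);
  return normalized;
}

// Hardened guard: decide on the canonical form and fail closed when there is none.
export function requiresAuth(rawPath: string): boolean {
  const canonical = canonicalize(rawPath);
  return canonical === null || hasPrefix(canonical, PROTECTED_PREFIX);
}
```

Two design points matter more than the exact rules: the guard must apply the same canonicalization the router applies (or run after routing, on the route that was actually selected), and any input the guard cannot canonicalize is treated as protected rather than passed through. A guard that is merely stricter than the router in some cases and looser in others is the condition the bulletin describes.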


Remediation

Install update from vendor's website.