SB2026040849 - Multiple vulnerabilities in OpenClaw
Published: April 8, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 19 secuirty vulnerabilities.
1) Improper access control (CVE-ID: N/A)
The vulnerability allows a remote user to execute commands beyond intended authorization.
The vulnerability exists due to improper access control in the node pairing reconnect command handling when a previously paired node reconnects with a broader command set. A remote user can reconnect a previously paired node and obtain access to exec-capable commands to execute commands beyond intended authorization.
The issue affects the node re-pairing security boundary for operator/admin-scoped commands.
2) Incorrect permission assignment for critical resource (CVE-ID: N/A)
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to incorrect permission assignment for critical resource in Feishu docx upload_file/upload_image handling when processing docx upload blocks. A local user can cause the application to read local files outside the workspace-only file policy to disclose sensitive information.
This issue is limited to the local assistant trust model.
3) Exposure of Resource to Wrong Sphere (CVE-ID: N/A)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to exposure of resource to the wrong sphere in shared reply MEDIA handling when processing a crafted shared reply MEDIA reference. A remote user can supply a crafted shared reply MEDIA reference to disclose sensitive information.
The issue is limited to the product's local assistant trust model and does not assume a multi-tenant service boundary.
4) Trust Boundary Violation (CVE-ID: N/A)
The vulnerability allows a local user to inject prompts into later agent turns.
The vulnerability exists due to trust boundary violation in trusted System: events when processing lower-trust background runtime output and local async exec completion output. A local user can cause lower-trust output to be treated as trusted system events to inject prompts into later agent turns.
This issue is scoped to the product's local trust model and does not assume a multi-tenant service boundary.
5) Trust Boundary Violation (CVE-ID: N/A)
The vulnerability allows a remote user to inject untrusted wake payloads into the trusted system prompt channel.
The vulnerability exists due to trust boundary violation in the /hooks/wake endpoint and mapped wake payload handling when processing authenticated wake hook or mapped wake payload input. A remote user can send a crafted wake payload to inject untrusted content into the trusted system prompt channel.
This issue is scoped to the product's local assistant trust model and does not assume a multi-tenant service boundary.
6) Server-Side Request Forgery (SSRF) (CVE-ID: N/A)
The vulnerability allows a remote user to perform server-side request forgery.
The vulnerability exists due to insufficient server-side request forgery protection in QQ Bot media download paths when fetching media from user-supplied URLs. A remote user can provide a crafted URL to perform server-side request forgery.
7) Improper access control (CVE-ID: N/A)
The vulnerability allows a remote attacker to bypass SSRF navigation checks.
The vulnerability exists due to improper access control in browser navigation handling when processing interaction-triggered navigation. A remote attacker can trigger browser interactions to bypass SSRF navigation checks.
8) Improper input validation (CVE-ID: N/A)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in base64 decode paths when parsing user-supplied base64 input. A local user can provide specially crafted base64 data to cause a denial of service.
9) Improper access control (CVE-ID: N/A)
The vulnerability allows a local user to bypass explicit approval requirements for inline eval commands.
The vulnerability exists due to improper access control in strictInlineEval approval handling on gateway and node exec hosts when processing approval-timeout fallback conditions. A local user can trigger inline eval commands through the approval-timeout fallback to bypass explicit approval requirements for inline eval commands.
This issue is scoped to the product's local trust model and does not assume a multi-tenant service boundary.
10) Incomplete List of Disallowed Inputs (CVE-ID: N/A)
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to incomplete list of disallowed inputs in the exec environment denylist when processing user-controlled build-tool environment variables. A local user can set hostile environment variables to execute arbitrary code.
This issue is scoped to the product's local trust model.
11) Improper privilege management (CVE-ID: N/A)
The vulnerability allows a remote user to approve node pairing without proper privileges.
The vulnerability exists due to improper privilege management in the node.pair.approve method when handling pairing approval requests. A remote user can invoke the pairing approval operation with operator.write scope to approve node pairing without proper privileges.
For exec-capable nodes, the intended requirement includes the narrower pairing scope and an admin requirement.
12) Incorrect authorization (CVE-ID: N/A)
The vulnerability allows a local user to obtain tokens with unapproved roles or scopes.
The vulnerability exists due to improper access control in device.token.rotate when rotating device tokens. A local user can trigger token rotation to obtain tokens with roles or scopes that bypass the intended pairing approval.
This issue is scoped to the product's local trust model rather than a multi-tenant service boundary.
13) Incorrect authorization (CVE-ID: N/A)
The vulnerability allows a local user to mutate persistent browser profiles.
The vulnerability exists due to improper authorization in node.invoke(browser.proxy) when invoking browser proxy functionality. A local user can invoke this path to mutate persistent browser profiles.
This issue is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.
14) Incomplete List of Disallowed Inputs (CVE-ID: N/A)
The vulnerability allows a local user to redirect Git operations.
The vulnerability exists due to an incomplete list of disallowed inputs in the exec environment denylist when executing host commands. A local user can set git plumbing environment variables to redirect Git operations.
This issue is scoped to the product's local assistant trust model and does not assume a multi-tenant service boundary.
15) Insufficient Session Expiration (CVE-ID: N/A)
The vulnerability allows a local user to continue using stale authorization state.
The vulnerability exists due to insufficient session expiration in the resolvedAuth closure when handling newly accepted gateway connections after a config reload. A local user can trigger or rely on a config reload and then establish a new gateway connection to continue using stale authorization state.
This issue is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.
16) Insufficient Session Expiration (CVE-ID: N/A)
The vulnerability allows a remote user to maintain access to an existing WebSocket session after shared gateway token rotation.
The vulnerability exists due to insufficient session expiration in shared-token WebSocket sessions when rotating the shared gateway token. A remote user can continue using an existing WebSocket session to maintain access to an existing WebSocket session after shared gateway token rotation.
17) Missing support for integrity check (CVE-ID: N/A)
The vulnerability allows a local user to install tampered plugin archives.
The vulnerability exists due to missing support for integrity check in ClawHub package downloads when downloading plugin archives. A local user can provide a tampered archive to install tampered plugin archives.
This issue is scoped to the product's local trust model and does not assume a multi-tenant service boundary.
18) Improper access control (CVE-ID: N/A)
The vulnerability allows a remote user to modify allowlists for a different channel.
The vulnerability exists due to improper access control in the /allowlist endpoint when handling cross-channel allowlist write requests. A remote user can send a crafted allowlist write request to modify allowlists for a different channel.
This issue is scoped to the product's local assistant trust model and does not assume a multi-tenant service boundary.
19) Improper privilege management (CVE-ID: N/A)
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to improper access control in gateway plugin HTTP routes using auth: gateway when processing identity-bearing operator.read requests from an upstream trusted proxy. A remote user can send a request that declares read scope to obtain runtime operator.write scope and escalate privileges.
Remediation
Install update from vendor's website.
References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-5wj5-87vq-39xm
- https://github.com/openclaw/openclaw/security/advisories/GHSA-5fc7-f62m-8983
- https://github.com/advisories/GHSA-5fc7-f62m-8983
- https://github.com/openclaw/openclaw/security/advisories/GHSA-qqq7-4hxc-x63c
- https://github.com/openclaw/openclaw/security/advisories/GHSA-gfmx-pph7-g46x
- https://github.com/openclaw/openclaw/security/advisories/GHSA-jf56-mccx-5f3f
- https://github.com/advisories/GHSA-jf56-mccx-5f3f
- https://github.com/openclaw/openclaw/security/advisories/GHSA-3fv3-6p2v-gxwj
- https://github.com/openclaw/openclaw/security/advisories/GHSA-vr5g-mmx7-h897
- https://github.com/openclaw/openclaw/security/advisories/GHSA-ccx3-fw7q-rr2r
- https://github.com/openclaw/openclaw/security/advisories/GHSA-q2gc-xjqw-qp89
- https://github.com/openclaw/openclaw/security/advisories/GHSA-7437-7hg8-frrw
- https://github.com/openclaw/openclaw/security/advisories/GHSA-67mf-f936-ppxf
- https://github.com/openclaw/openclaw/security/advisories/GHSA-whf9-3hcx-gq54
- https://github.com/openclaw/openclaw/security/advisories/GHSA-cmfr-9m2r-xwhq
- https://github.com/openclaw/openclaw/security/advisories/GHSA-cm8v-2vh9-cxf3
- https://github.com/advisories/GHSA-cm8v-2vh9-cxf3
- https://github.com/openclaw/openclaw/security/advisories/GHSA-68x5-xx89-w9mm
- https://github.com/openclaw/openclaw/security/advisories/GHSA-5h3f-885m-v22w
- https://github.com/openclaw/openclaw/security/advisories/GHSA-3vvq-q2qc-7rmp
- https://github.com/openclaw/openclaw/security/advisories/GHSA-vc32-h5mq-453v
- https://github.com/openclaw/openclaw/security/advisories/GHSA-4f8g-77mw-3rxc