SB2026040851 - Multiple vulnerabilities in OpenClaw




Published: April 8, 2026

Security Bulletin ID: SB2026040851
Severity: High
Patch available: YES
Number of vulnerabilities: 22
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 5%, Medium 41%, Low 55%

Description

This security bulletin contains information about 22 security vulnerabilities.


1) Improper access control (CVE-ID: N/A)

The vulnerability allows a remote user to bypass channel-level member access restrictions.

The vulnerability exists due to improper access control in the Discord voice manager when accepting Discord voice ingress before channel allowlist authorization. A remote user can initiate voice ingress to bypass channel-level member access restrictions.


2) Improper privilege management (CVE-ID: N/A)

The vulnerability allows a remote attacker to perform privileged runtime actions.

The vulnerability exists due to improper privilege management in plugin-auth HTTP routes when handling unauthenticated requests before plugin authentication completes. A remote attacker can send a request to plugin-auth routes to perform privileged runtime actions.

The issue is limited to plugin routes that actually touch privileged runtime actions before plugin authentication completes.


3) Information disclosure (CVE-ID: N/A)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper handling of sensitive information in config.get when retrieving configuration values. A remote user can read the Nostr privateKey in plaintext to disclose sensitive information.


4) Improper control of a resource through its lifetime (CVE-ID: N/A)

The vulnerability allows a remote attacker to alter the in-process callback origin.

The vulnerability exists due to improper state management in the Plivo callback origin handling logic when replaying a captured valid callback for a live call. A remote attacker can replay a captured valid callback to alter the in-process callback origin.

Replay rejection occurs only after the callback origin has already been mutated.


5) Improper access control (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute attacker-controlled hook code.

The vulnerability exists due to improper access control in the bundled hooks root configuration when loading workspace environment variables. A remote attacker can provide a specially crafted workspace .env file to execute attacker-controlled hook code.

The issue occurs because a workspace can override the trusted default bundled hooks location.


6) Improper access control (CVE-ID: N/A)

The vulnerability allows a remote user to bypass webhook replay protection.

The vulnerability exists due to improper access control in the Zalo webhook replay cache when processing authenticated sibling-target delivery paths. A remote user can reuse a messageId across targets to bypass webhook replay protection.


7) Improper Check or Handling of Exceptional Conditions (CVE-ID: N/A)

The vulnerability allows a local user to restore revoked Tlon configuration after restart.

The vulnerability exists due to improper handling of empty-array revocation settings in the startup migration logic when processing file-based configuration during startup. A local user can provide or rely on crafted file configuration state to restore revoked Tlon configuration after restart.


8) Improper access control (CVE-ID: N/A)

The vulnerability allows a remote user to load untrusted plugins.

The vulnerability exists due to improper access control in the bundled plugin trust root configuration when loading an attacker-controlled workspace. A remote user can provide a workspace .env file that overrides OPENCLAW_BUNDLED_PLUGINS_DIR to load untrusted plugins.

Exploitation depends on the victim loading an attacker-controlled workspace.
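
A defensive sketch of the loading rule that items 5 and 8 imply: values from a workspace .env are merged into the environment, but never into trust-root keys and never over values the trusted process already set. This is an added example, not OpenClaw code; the function names, the `OPENCLAW_BUNDLED_` prefix rule, the placeholder key `OPENCLAW_BUNDLED_EXAMPLE_ROOT` and all sample values are assumptions (only `OPENCLAW_BUNDLED_PLUGINS_DIR` comes from the bulletin).

```javascript
// Trust-root key named in the bulletin (item 8).
const PROTECTED_KEYS = new Set(["OPENCLAW_BUNDLED_PLUGINS_DIR"]);
// Assumption: other bundled trust roots (such as the hooks root in item 5,
// whose variable name the bulletin does not give) share this prefix.
const PROTECTED_PREFIXES = ["OPENCLAW_BUNDLED_"];

// Minimal .env parser: KEY=VALUE, optional "export", comments, matching quotes.
function parseDotenv(text) {
  const pairs = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue;
    let value = m[2];
    if (/^(["']).*\1$/.test(value)) value = value.slice(1, -1);
    pairs.push([m[1], value]);
  }
  return pairs;
}

// Compared in upper case so a differently cased key is refused as well.
function isProtected(key) {
  const k = key.toUpperCase();
  return PROTECTED_KEYS.has(k) || PROTECTED_PREFIXES.some((p) => k.startsWith(p));
}

// Merge untrusted workspace values into a copy of the trusted environment.
function mergeWorkspaceEnv(trustedEnv, workspaceDotenv) {
  const env = { ...trustedEnv };
  const rejected = [];
  for (const [key, value] of parseDotenv(workspaceDotenv)) {
    if (isProtected(key)) { rejected.push(key); continue; } // trust root: refuse
    if (!(key in env)) env[key] = value; // never override a trusted value
  }
  return { env, rejected };
}

// Constructed sample input.
const TRUSTED_ENV = { OPENCLAW_BUNDLED_PLUGINS_DIR: "/trusted/bundled-plugins", LOG_LEVEL: "info" };
const WORKSPACE_DOTENV = [
  "# constructed workspace .env",
  "API_BASE=https://api.example.invalid",
  "export OPENCLAW_BUNDLED_PLUGINS_DIR=./workspace-plugins",
  "OPENCLAW_BUNDLED_EXAMPLE_ROOT=./workspace-hooks",
  'LOG_LEVEL="debug"',
].join("\n");
console.log(mergeWorkspaceEnv(TRUSTED_ENV, WORKSPACE_DOTENV));
```

Logging the `rejected` list gives operators a signal that a workspace tried to redirect a trust root.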


9) Insufficient Session Expiration (CVE-ID: N/A)

The vulnerability allows a remote user to maintain access to an active WebSocket session after credential rotation.

The vulnerability exists due to improper session expiration in the WebSocket session handling for the gateway device.token.rotate operation when rotating device credentials. A remote user can continue using an already-authenticated WebSocket session to maintain access after credential rotation.

This is a post-compromise revocation gap affecting already-authenticated sessions.


10) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: N/A)

The vulnerability allows a remote attacker to escape the sandbox and read files outside the intended sandbox.

The vulnerability exists due to a time-of-check time-of-use race condition in the remote FS bridge readFile when processing remote sandbox file reads. A remote attacker can trigger a race between the path check and the file read to escape the sandbox and read files outside the intended sandbox.


11) Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CVE-ID: N/A)

The vulnerability allows a remote user to redirect Python package-index traffic.

The vulnerability exists due to improper neutralization of environment variables in host exec environment sanitization in approved or allowlisted package-management exec paths when processing the PIP_INDEX_URL or UV_INDEX_URL environment variables. A remote user can set a crafted package index URL to redirect Python package-index traffic.

The issue is limited to approved or allowlisted package-management execution paths and does not permit arbitrary remote code execution.


12) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-32062)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to allocation of resources without limits or throttling in the voice-call WebSocket frame parser when processing oversized pre-start voice-call WebSocket frames before start validation. A remote attacker can send specially crafted large WebSocket frames to cause a denial of service.


13) Missing Authorization (CVE-ID: N/A)

The vulnerability allows a remote user to bypass channel and member allowlist restrictions.

The vulnerability exists due to missing authorization in Discord voice ingress authorization when validating channel, name, and stale-role state. A remote user can exploit validation gaps to bypass channel and member allowlist restrictions.


14) Improper access control (CVE-ID: N/A)

The vulnerability allows a remote attacker to bypass sender allowlist restrictions.

The vulnerability exists due to improper access control in Feishu thread history and quoted message context handling when fetching quoted, root, or thread context. A remote attacker can send messages that cause disallowed sender content to be included to bypass sender allowlist restrictions.


15) Improper access control (CVE-ID: N/A)

The vulnerability allows a remote user to bypass sender allowlist restrictions.

The vulnerability exists due to improper access control in thread root and reply context handling when fetching Matrix thread-root or reply context. A remote user can send messages that reference fetched thread-root or reply context to bypass sender allowlist restrictions.


16) Improper access control (CVE-ID: N/A)

The vulnerability allows a remote attacker to bypass shared authentication rate limiting.

The vulnerability exists due to improper access control in the mixed WebSocket authentication flow when handling a fake DeviceToken. A remote attacker can supply a fake DeviceToken to bypass shared authentication rate limiting.

The practical risk is primarily limited to deployments that rely on weak shared passwords.


17) Improper access control (CVE-ID: N/A)

The vulnerability allows a remote user to bypass the sandbox.

The vulnerability exists due to improper access control in heartbeat context inheritance when delivering heartbeat messages that inherit owner identity from node-originated exec completion. A remote user can trigger heartbeat delivery to bypass the sandbox.


18) Not Failing Securely ('Failing Open') (CVE-ID: N/A)

The vulnerability allows a remote user to install an untrusted plugin despite a failed security scan.

The vulnerability exists due to not failing securely in the plugin installation flow when handling a security scan failure during plugin installation. After the scan failure is shown, a remote user can still choose installation of the untrusted package, so an untrusted plugin is installed despite the failed security scan.

The scan failure was visible rather than silent, and exploitation requires an operator to choose installation of an untrusted package.


19) Improper access control (CVE-ID: N/A)

The vulnerability allows a remote user to bypass sender allowlist restrictions.

The vulnerability exists due to improper access control in MS Teams thread history handling when processing Graph API-fetched thread history. A remote user can supply thread history messages through the Graph API path to bypass sender allowlist restrictions.


20) Improper access control (CVE-ID: N/A)

The vulnerability allows a remote user to execute arbitrary code on the host.

The vulnerability exists due to improper access control in the node command exposure logic when handling device-paired node access. A remote user can expose node commands without node pairing to execute arbitrary code on the host.

Exploitation requires device pairing and setup prerequisites.


21) Missing Authentication for Critical Function (CVE-ID: N/A)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper access control in the Nostr DM ingress path when processing forged direct messages before signature verification. A remote attacker can send a forged DM to cause a denial of service.

The issue can create a pending pairing entry and trigger bounded relay and logging work, but it does not grant message decryption, pairing approval, or broader authorization bypass.


22) Incomplete List of Disallowed Inputs (CVE-ID: N/A)

The vulnerability allows a remote user to bypass exec allowlist restrictions.

The vulnerability exists due to incomplete list of disallowed inputs in exec allowlist matching when processing shell-wrapper invocations with init-file options. A remote user can supply a shell-wrapper command using options such as --rcfile, --init-file, or --startup-file to bypass exec allowlist restrictions.

Only configurations with exec allowlist or allow-always behavior enabled are vulnerable, and exploitation requires the ability to steer a shell-wrapper command shape that uses init-file options.
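
An allowlist matcher that closes the gap described in item 22, shown beside a matcher that ignores init-file options. This is an added example, not OpenClaw code; the function names, the shell-wrapper set and the sample invocations are assumptions, and the three option names are the ones listed in the bulletin.

```javascript
// Assumption: which executables count as shell wrappers is not stated in the bulletin.
const SHELL_WRAPPERS = new Set(["sh", "bash", "zsh", "dash", "ksh", "fish"]);
// Init-file options named in the bulletin, stored without leading dashes.
const INIT_FILE_OPTIONS = new Set(["rcfile", "init-file", "startup-file"]);

const basename = (p) => p.split(/[\\/]/).pop();

// Return the first init-file option found in argv, or null.
// Deliberately conservative: scans every argument and accepts
// "-opt", "--opt" and "--opt=value" spellings.
function findInitFileOption(argv) {
  for (const arg of argv.slice(1)) {
    if (!arg.startsWith("-")) continue;
    const name = arg.replace(/^-{1,2}/, "").split("=")[0];
    if (INIT_FILE_OPTIONS.has(name)) return arg;
  }
  return null;
}

// Gap: a matcher that never looks at init-file options.
function matchByNameOnly(argv, allowlist) {
  return allowlist.has(basename(argv[0]));
}

// Hardened: an allowlisted shell wrapper is refused when it carries an
// init-file option, because that file runs before the approved command.
function matchExec(argv, allowlist) {
  const bin = basename(argv[0]);
  if (!allowlist.has(bin)) return { allowed: false, reason: "not allowlisted" };
  if (SHELL_WRAPPERS.has(bin)) {
    const opt = findInitFileOption(argv);
    if (opt) return { allowed: false, reason: `init-file option: ${opt}` };
  }
  return { allowed: true, reason: "allowlisted" };
}

// Constructed sample invocations.
const ALLOWLIST = new Set(["bash", "git"]);
const SAMPLES = [
  ["/bin/bash", "-c", "git status"],
  ["/bin/bash", "--rcfile", "./workspace/rc", "-c", "git status"],
  ["bash", "--init-file=./workspace/rc", "-i"],
];
for (const argv of SAMPLES) {
  console.log(argv.join(" "), "->", matchExec(argv, ALLOWLIST).reason);
}
```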


Remediation

Install the update from the vendor's website.
