In OpenClaw, the sandboxed image tool did not honor tools.fs.workspaceOnly=true for mounted paths resolved by the sandbox FS bridge. This allowed reading out-of-workspace mounted images (for example /agent/*) and forwarding those bytes to vision model providers.
In certain elevated-mode configurations, tools.elevated.allowFrom accepted broader identity signals than intended. The fix tightens matching to sender-scoped identity by default and makes mutable metadata matching explicit.
In shared Slack workspace deployments that rely on sender restrictions (allowFrom, DM policy, or channel user allowlists), some interactive callbacks (block_action, view_submission, view_closed) could be accepted before full sender authorization checks. In that scenario, an unauthorized workspace member could enqueue system-event text into an active session. This issue did not provide unauthenticated access, cross-gateway isolation bypass, or host-level privilege escalation by itself.
In certain workspace-restricted configurations, OpenClaw could follow hardlink aliases inside the workspace that reference files outside the workspace boundary. By default, tools.fs.workspaceOnly is off. This primarily affects deployments that intentionally enable workspace-only filesystem restrictions (and workspace-only apply_patch checks).
BlueBubbles is an optional OpenClaw channel plugin. A configuration-sensitive access-control mismatch allowed DM senders to be treated as authorized when dmPolicy was pairing or allowlist and allowFrom was empty/unset.
A malicious or compromised MCP (Model Context Protocol) tool server can exfiltrate arbitrary local files from the host system by injecting MEDIA: directives into tool result text content. OpenClaw's tool result processing pipeline extracts file paths from MEDIA: tokens without source-level validation, passes them through a localRoots allowlist check that includes os.tmpdir() by default (covering /tmp on Linux/macOS and %TEMP% on Windows), and then reads and delivers the file contents …
OpenClaw's SSRF hostname/IP guard did not detect ISATAP embedded IPv4 addresses (…:5efe:w.x.y.z). A crafted URL containing an ISATAP IPv6 literal could embed a private IPv4 target (for example loopback) and bypass private-address filtering in URL-fetching paths.
isPrivateIpv4() in bundled SSRF guard code missed several IPv4 special-use/non-global ranges, so web_fetch could allow targets that should be blocked by SSRF policy.
OpenClaw had account-scope gaps in pairing-store access for DM pairing policy, which could let a pairing approval from one account authorize the same sender on another account in multi-account setups.
A crafted local avatar path could follow a symlink outside the agent workspace and return arbitrary file contents as a base64 data: URL in gateway responses.
ZDI-CAN-29311: OpenClaw Canvas Authentication Bypass Vulnerability – ABSTRACT ————————————- Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products: OpenClaw - OpenClaw – VULNERABILITY DETAILS ———————— Version tested: openclaw 2026.2.17 Platform tested: macOS 26.3
Sandbox media local-path validation accepted absolute paths under host tmp, even when those paths were outside the active sandbox root.
A missing group-sender authorization check in the Zalo plugin allowed unauthorized GROUP messages to enter agent dispatch paths in configurations intended to restrict group traffic.
openclaw web tools strict URL fetch paths could lose DNS pinning when environment proxy variables are configured (HTTP_PROXY/HTTPS_PROXY/ALL_PROXY, including lowercase variants). In affected builds, strict URL checks (for example web_fetch and citation redirect resolution) validated one destination during SSRF guard checks, but runtime connection routing could proceed through an env-proxy dispatcher.
Twilio webhook replay events could bypass voice-call manager dedupe because normalized event IDs were randomized per parse. A replayed event could be treated as new and trigger duplicate or stale call-state transitions.
The voice-call Twilio webhook path accepted replay/dedupe identity from unsigned request metadata (i-twilio-idempotency-token), enabling replayed signed requests to bypass replay detection and manager dedupe by mutating only that header.
channels..groups..toolsBySender could match a privileged sender policy using a colliding mutable identity value (for example senderName or senderUsername) when deployments used untyped keys. The fix introduces explicit typed sender keys (id:, e164:, username:, name:), keeps legacy untyped keys on a deprecated ID-only path, and adds regression coverage to prevent cross-identifier collisions.
In openclaw allowlist mode, tools.exec.safeBins trusted PATH-derived directories for safe-bin resolution. A same-name binary placed in a trusted PATH directory could satisfy safe-bin checks and execute.
In OpenClaw, tools.exec.safeBins validation for sort could be bypassed via GNU long-option abbreviations in allowlist mode, allowing approval-free execution paths that should require approval.
When tools.exec.safeBins contained a binary without an explicit safe-bin profile, OpenClaw used a permissive generic fallback profile. In allowlist mode, that could let interpreter-style binaries (for example python3, node, ruby) execute inline payloads via flags like -c. This requires explicit operator configuration to add such binaries to safeBins, so impact is limited to non-default/misconfigured deployments.
A missing sender-authorization check in Telegram message_reaction handling allowed unauthorized users to trigger reaction-derived system events.
In openclaw up to and including 2026.2.23 (latest npm release as of February 25, 2026), system.run shell-wrapper inputs could present misleading approval/display text while still carrying hidden positional argv payloads that execute at runtime.
In openclaw@2026.2.24, approval-bound system.run on node hosts could be influenced by mutable symlink cwd targets between approval and execution.
In OpenClaw system.run allowlist mode, shell-wrapper analysis could be bypassed by splitting command substitution as $\ + newline + ( inside double quotes. Analysis treated the payload as allowlisted (for example /bin/echo), while shell runtime folded the line continuation into $(…) and executed non-allowlisted subcommands.
In openclaw versions 2026.2.22 and 2026.2.23, the optional synology-chat channel plugin had an authorization fail-open condition: when dmPolicy was allowlist and allowedUserIds was empty/unset, unauthorized senders were still allowed through to agent dispatch. This is assessed as medium severity because it requires channel/plugin setup and Synology sender access, but can still trigger downstream agent/tool actions.
OpenClaw Slack monitor handled reaction_* and pin_* non-message events before applying sender-policy checks consistently. In affected versions, these events could be added to system-event context even when sender policy would not normally allow them.
In a narrow Signal reaction-notification path, reaction-only inbound events could enqueue a status event before sender access checks were applied.
system.run environment sanitization allowed shell-startup env overrides (HOME, ZDOTDIR) that can execute attacker-controlled startup files before allowlist-evaluated command bodies.
The shell environment fallback path could invoke an attacker-controlled shell when SHELL was inherited from an untrusted host environment. In affected builds, shell-env loading used $SHELL -l -c 'env -0' without validating that SHELL points to a trusted executable. In threat-model terms, this requires local environment compromise or untrusted startup environment injection first; it is not a remote pre-auth path. The hardening patch validates SHELL as an absolute normalized executable, …
Concurrent updateRegistry/removeRegistryEntry operations for sandbox containers and browsers could lose updates or resurrect removed entries under race conditions. The registry writes were read-modify-write in a window with no locking and permissive fallback parsing, so concurrent registry updates could produce stale snapshots and overwrite each other. That desyncs sandbox state and can affect sandbox list, sandbox prune, and sandbox recreate –all behavior.
In openclaw up to and including 2026.2.23 (latest npm release as of February 24, 2026), sandbox bind-source validation could be bypassed when a bind source used a symlinked parent plus a non-existent leaf path.
OpenClaw accepted prototype-reserved keys in runtime /debug set override object values (proto, constructor, prototype).
In authenticated non-owner DM sessions, a narrow tool-invocation path could reach broader-than-intended owner-only gateway actions.
When sort is explicitly added to tools.exec.safeBins (non-default), the –compress-program option can invoke an external helper and bypass the intended safe-bin approval constraints in allowlist mode.
In openclaw versions up to and including 2026.2.22-2, a non-default exec-approval configuration could allow a skill-name collision to bypass an ask=on-miss prompt. When autoAllowSkills=true, a path-scoped executable such as ./skill-bin could resolve to basename skill-bin, satisfy the skills allowlist segment, and run without prompting for approval.
In openclaw@2026.3.1, node system.run approval-path hardening rewrote wrapper command argv in a way that changed execution semantics. A command shown/approved as a shell payload (for example echo SAFE) could execute a different local script when wrapper argv were rewritten.
A client authenticated with a shared gateway token could connect as role=node without device identity/pairing, then call node.event to trigger agent.request and voice.transcript flows.
When Nextcloud Talk webhook signing was valid, replayed requests could be accepted without durable replay suppression, allowing duplicate inbound processing after replay-window expiry or process restart.
In OpenClaw MSTeams media download flows, redirect handling could bypass configured mediaAllowHosts checks in specific attachment paths. Redirect chains were not consistently constrained to allowlisted targets before accepting fetched content.
OpenClaw hook mapping transforms could be loaded via absolute paths or .. traversal, allowing arbitrary JavaScript module loading/execution in the gateway process when an attacker can modify hooks configuration.
OpenClaw hook mapping transforms could be loaded via absolute paths or .. traversal, allowing arbitrary JavaScript module loading/execution in the gateway process when an attacker can modify hooks configuration.
When tokenless Tailscale auth is enabled, OpenClaw should only allow forwarded-header auth for Control UI websocket authentication on trusted hosts. In affected versions, that tokenless path could also be used by HTTP gateway auth call sites, which could bypass token/password requirements for HTTP routes in trusted-network deployments.
system.run exec allowlist analysis treated wrapper binaries as the effective executable and did not fully unwrap env/shell-dispatch wrappers. This allowed wrapper-smuggled payloads (for example env bash -lc …) to satisfy an allowlist entry for the wrapper while executing non-allowlisted commands.
A wrapper-depth parsing mismatch in system.run allowed nested transparent dispatch wrappers (for example repeated /usr/bin/env) to suppress shell-wrapper detection while still matching allowlist resolution. In security=allowlist + ask=on-miss, this could bypass the expected approval prompt for shell execution.
OpenClaw allowed dangerous process-control environment variables from env.vars (for example NODE_OPTIONS, LD_, DYLD_) to flow into gateway service runtime environments, enabling startup-time code execution in the OpenClaw process context.
commands.allowFrom is documented as a sender authorization allowlist for commands/directives, but command authorization could include ctx.From (conversation identity) as a sender candidate. When commands.allowFrom contained conversation-like identifiers (for example Discord channel:<id> or WhatsApp group JIDs), command/directive authorization could be granted to participants in that conversation instead of only the intended sender identity.
This issue is a browser-origin WebSocket auth chain on local loopback deployments using password auth. It is serious, but conditional: an attacker must get the user to open a malicious page and then successfully guess the gateway password.
OpenClaw avatar handling allowed a symlink traversal path that could expose local files outside an agent workspace through gateway avatar surfaces.
The sandbox browser entrypoint launched x11vnc without authentication (-nopw) for noVNC observer sessions. OpenClaw-managed runtime flow publishes the noVNC port to host loopback only (127.0.0.1), so default exposure is local to the host unless operators explicitly expose the port more broadly (or run the image standalone with broad port publishing).
tools.exec.safeBins allowlist checks could be bypassed by PATH-hijacked binaries, allowing execution of attacker-controlled trojan binaries under an allowlisted executable name.
A path confinement bypass in OpenClaw ZIP extraction allowed writes outside the intended destination when a pre-existing symlink was present under the extraction root.
ZIP extraction in OpenClaw could be raced into writing outside the intended destination directory via parent-directory symlink rebind between validation and write.
A path-confinement bypass in browser output handling allowed writes outside intended roots in openclaw versions up to and including 2026.3.1. The fix unifies root-bound, file-descriptor-verified write semantics and canonical path-boundary validation across browser output and related install/skills write paths.
In Telegram DM mode, inbound media was downloaded and written to disk before sender authorization checks completed. An unauthorized sender could trigger inbound media download/write activity (including media groups) even when DM access should be denied.
stageSandboxMedia allowed destination symlink traversal during media staging, which could overwrite files outside the sandbox workspace root.
shell-env fallback trusted prefix-based executable paths for $SHELL, allowing execution of attacker-controlled binaries in local/runtime-env influence scenarios.
Sandboxed sessions_spawn(runtime="acp") could bypass sandbox inheritance and initialize host-side ACP runtime. The fix now fail-closes ACP spawn from sandboxed requester sessions and rejects sandbox="require" for runtime="acp".
A sandbox path validation bypass in openclaw allows host file reads outside sandboxRoot via the media path fallback tmp flow when the fallback tmp root is a symlink alias.
In openclaw<=2026.2.23, safe-bin trust in allowlist mode relied on static default trusted directories that included package-manager paths (notably /opt/homebrew/bin and /usr/local/bin). When a same-name binary (for example jq) is placed in one of those trusted default directories, safe-bin evaluation can be satisfied and execute the attacker-controlled binary.
A paired node device could reconnect with spoofed platform/deviceFamily metadata and broaden node command policy eligibility because reconnect metadata was accepted from the client while these fields were not bound into the device-auth signature.
OpenClaw accepted camera.snap / camera.clip node payload url fields and downloaded them on the gateway/agent host without binding downloads to the resolved node host. In OpenClaw's documented trust model, paired nodes are in the same operator trust boundary, so this is scoped as medium-severity hardening. A malicious or compromised paired node could still steer gateway-host fetches during camera URL retrieval.
In sandboxed runs, native prompt image auto-load did not honor tools.fs.workspaceOnly=true. This optional hardening setting is not enabled by default. When operators enabled it, prompt text could still reference mounted out-of-workspace image paths (for example /agent/secret.png) and load those image bytes for vision-capable model input.
In openclaw MS Teams file-consent flow, pending uploads were authorized by uploadId alone. fileConsent/invoke did not verify the invoke conversation against the conversation that created the pending upload.
Microsoft Teams media handling used mixed fetch paths for Graph metadata/content and attachment auth-retry flows. Some paths bypassed the shared SSRF guard model and created inconsistent host/DNS enforcement across redirect/fetch hops.
On macOS node-host, optional exec-approval allowlist mode previously treated basename-only entries (for example echo) as trusted command matches. This could allow a same-name local binary (for example ./echo) to run without approval under security=allowlist + ask=on-miss.
The affected surface is the OpenClaw macOS app onboarding flow, and the macOS app is currently in beta. In that beta onboarding flow, Anthropic OAuth used the PKCE code_verifier value as OAuth state, exposing that secret in front-channel URL state.
In some opt-in sandbox configurations, the experimental apply_patch tool did not consistently apply workspace-only checks to mounted paths (for example /agent/…).
In openclaw@2026.3.1, the Discord voice transcript path called agentCommand(…) without senderIsOwner, and agentCommand defaults missing senderIsOwner to true. This could allow a non-owner voice participant in the same channel to reach owner-only tool surfaces (gateway, cron) during voice transcript turns.
In OpenClaw <= 2026.2.24, Discord direct-message reaction notifications did not consistently apply the same DM authorization checks (dmPolicy / allowFrom) that are enforced for normal DM message ingress. In restrictive DM setups, a non-allowlisted Discord user who can react to a bot-authored DM message could still enqueue a reaction-derived system event in the session. This is a reaction-only ingress inconsistency. By itself it does not directly execute commands; practical impact …
Sandbox browser container launched Chromium with –no-sandbox by default, disabling Chromium's OS-level sandbox protections.
BlueBubbles webhook auth in the optional beta iMessage plugin allowed a passwordless fallback path. In some reverse-proxy/local routing setups, this could allow unauthenticated webhook events.
OpenClaw Windows Scheduled Task script generation allowed unsafe argument handling in generated gateway.cmd files. In vulnerable versions, cmd metacharacter-only values could be emitted without safe quoting/escaping, which could lead to unintended command execution when the scheduled task runs.
When iMessage remote attachment fetching is enabled (channels.imessage.remoteHost), stageSandboxMedia accepted arbitrary absolute paths and used SCP to copy them into local staging. If a non-attachment path reaches this flow, files outside expected iMessage attachment directories on the remote host can be staged.
OpenClaw’s Feishu media download flow used untrusted Feishu media keys (imageKey / fileKey) when building temporary file paths in extensions/feishu/src/media.ts. Because those keys were interpolated directly into temp-file paths, traversal segments could escape the temp directory and redirect writes outside os.tmpdir().
The HTML session exporter (src/auto-reply/reply/export-html/template.js) interpolates img.mimeType directly into <img src="data:…"> attributes without validation or escaping. A crafted mimeType value (e.g., x" onerror="alert(1)) can break out of the attribute context and execute arbitrary JavaScript.
A successful exploit can expose local secrets and credentials readable by the OpenClaw process user, including API keys and private config material.
A client using shared gateway auth could attach an unpaired device identity and request elevated operator scopes (including operator.admin) before pairing approval, enabling privilege escalation.
The tar.bz2 installer path in src/agents/skills-install-download.ts used shell tar preflight/extract logic that did not share the same hardening guarantees as the centralized archive extractor. This allowed crafted .tar.bz2 archives to bypass special-entry blocking and extracted-size guardrails enforced on other archive paths, causing local availability impact during skill install.
OpenClaw shell-env fallback trusted startup environment values and could execute attacker-influenced login-shell startup paths before loading env keys.
OpenClaw tools.exec.safeBins had a stdin-only policy bypass for grep. If pattern input was supplied through -e / –regexp, the validator consumed the pattern as a flag value and still allowed one positional operand. That positional could be a bare filename like .env.
Auth-secret dual-use across security domains (gateway auth and prompt metadata hashing). Hash outputs are visible to third-party model providers in system prompts. No direct plaintext token disclosure. Practical risk is highest when operators use weak gateway tokens and leave owner hash secret unset.
OpenClaw plugins/extensions run in-process and are treated as trusted code. This advisory tracks trust-boundary clarification around plugin runtime command execution (runtime.system.runCommandWithTimeout).
A local process can capture the OpenClaw Gateway auth token from Chrome CDP probe traffic on loopback.
OpenClaw used left-most X-Forwarded-For values when requests came from configured trusted proxies. In proxy chains that append/preserve header values, this could let attacker-controlled header content influence security decisions tied to client IP.
A command injection vulnerability exists in OpenClaw’s Linux systemd unit generation path. When rendering Environment= entries, attacker-controlled values are not rejected for CR/LF, and systemdEscapeArg() uses an incorrect whitespace-matching regex. This allows newline injection to break out of an Environment= line and inject standalone systemd directives (for example, ExecStartPre=). On service restart, the injected command is executed, resulting in local arbitrary command execution (local RCE) under the gateway service user.
When an attacker can cause a transform module path to reference a symlinked entry that resolves outside the trusted transform directory, the gateway may import and execute unintended JavaScript with gateway-process privileges.
On Windows, the Lobster extension previously retried certain spawn failures (ENOENT/EINVAL) with shell: true for wrapper compatibility. In that fallback path, tool-provided arguments could be interpreted by cmd.exe if fallback was triggered.
system.run allowed SHELLOPTS + PS4 environment injection to trigger command substitution during bash -lc xtrace expansion before the allowlisted command body executed.
The exported session HTML viewer allowed stored XSS when untrusted session content included raw HTML markdown tokens or unescaped metadata fields.
OpenClaw webhook handlers for BlueBubbles and Google Chat accepted and parsed request bodies before authentication and signature checks on vulnerable releases. This allowed unauthenticated clients to hold parser work open with slow/oversized request bodies and degrade availability (slow-request DoS).
Three Dockerfiles in scripts/docker/ and scripts/e2e/ lack a USER directive, meaning all processes run as uid 0 (root). If any process is compromised, the attacker has root inside the container, making container breakout significantly easier. Partial fix (2026-02-08): Commit 28e1a65e added USER sandbox to Dockerfile.sandbox and Dockerfile.sandbox-browser. The E2E/test Dockerfiles listed below remain unpatched. Affected components: scripts/e2e/Dockerfile scripts/e2e/Dockerfile.qr-import scripts/docker/install-sh-e2e/Dockerfile scripts/docker/install-sh-nonroot/Dockerfile (runs as app but with NOPASSWD sudo — see related …
In OpenClaw's macOS node-host path, system.run allowlist parsing in security=allowlist mode failed to reject command substitution tokens when they appeared inside double-quoted shell text. Because of that gap, payloads like echo "ok $(id)" could be treated as allowlist hits (first executable token echo) while still executing non-allowlisted subcommands through shell substitution.
An attacker could split failed hook-auth attempts across both address forms and effectively double the brute-force budget from 20 to 40 attempts per 60-second window.
Gateway plugin route auth protection for /api/channels could be bypassed using encoded dot-segment traversal (for example ..%2f) in path variants that plugin handlers normalize.
tools.exec allowlist/safe-bins evaluation could diverge from runtime execution for wrapper commands using GNU env -S/–split-string semantics. This allowed policy checks to treat a command as a benign safe-bin invocation while runtime executed a different payload.
Encoded alternate-path requests could bypass plugin route auth checks for /api/channels/* due to canonicalization depth mismatch in vulnerable builds.
The Lobster extension tool execution path used a Windows shell fallback (shell: true) after spawn failures (EINVAL/ENOENT). In that fallback path, shell metacharacters in command arguments can be interpreted by the shell, enabling command injection.
This advisory tracks a defense-in-depth hardening for canvas routes. In mixed-trust or network-visible deployments, prior canvas auth/fallback behavior could broaden access beyond intended boundaries.
When the optional Chrome extension relay is enabled, /extension accepted unauthenticated WebSocket upgrades while /json/* and /cdp required auth.
In affected releases, when an operator explicitly enabled gateway.controlUi.allowInsecureAuth: true and exposed the gateway over plaintext HTTP, Control UI authentication could permit privileged operator access without the intended device identity + pairing guarantees. This required an insecure deployment choice and credential exposure risk (for example, plaintext transit or prior token leak). It was fixed on main in commit 40a292619e1f2be3a3b1db663d7494c9c2dc0abf (PR #20684).
In allowlist mode, system.run guardrails could be bypassed through env -S, causing policy-analysis/runtime-execution mismatch for shell wrapper payloads.
A workspace-only file-system guard mismatch allowed @-prefixed absolute paths to bypass boundary validation in some tool path checks.
A trusted-proxy Control UI pairing bypass accepted client.id=control-ui without device identity checks. The bypass did not require operator role, so an authenticated node role session could connect unpaired and reach node event methods.
OpenClaw's SSRF IP classifier did not treat IPv6 multicast literals (ff00::/8) as blocked/private-internal. This allowed literal multicast hosts to pass SSRF preflight checks.
Feishu allowlist authorization could be bypassed by display-name collision.
OpenClaw supports Discord allowlists using either user IDs or names/tags. Name/tag matching depends on slug normalization, so different user tags can collide to the same slug and unintentionally satisfy a name-based allowlist entry.
A command injection vulnerability existed in Windows Scheduled Task script generation for OpenClaw. Environment values were written into gateway.cmd using unquoted set KEY=VALUE, which allowed Windows shell metacharacters in config-provided environment variables to break out of assignment context.
In openclaw@2026.2.25, BlueBubbles group authorization could incorrectly treat DM pairing-store identities as group allowlist identities when dmPolicy=pairing and groupPolicy=allowlist. A sender that was only DM-paired (not explicitly present in groupAllowFrom) could pass group sender checks for message and reaction ingress. Per OpenClaw's SECURITY.md trust model, this is a constrained authorization-consistency issue, not a multi-tenant boundary bypass or host-privilege escalation.
OpenClaw exec allowlist/safeBins policy could be bypassed with attached short-option payloads (for example sort -o/tmp/poc), enabling file-write operations while still satisfying safeBins checks.
DM pairing-store identities were incorrectly eligible for group allowlist authorization checks, enabling cross-context authorization in group message paths.
assertBrowserNavigationAllowed() validated only http:/https: network targets but implicitly allowed other schemes. An authenticated gateway user could navigate browser sessions to file:// URLs and read local files via browser snapshot/extraction flows.
Remote iMessage attachment fetches used SCP with trust-on-first-use host-key behavior and accepted unvalidated remote host tokens. Before the fix: SCP used StrictHostKeyChecking=accept-new in the remote attachment path. channels.imessage.remoteHost was not validated as a strict SSH host token.
BASH_ENV / ENV startup-file injection could lead to unintended pre-command shell execution when attacker-controlled environment values were admitted and then inherited by host command execution paths.
This issue applies to a non-default configuration only. If sort is manually added to tools.exec.safeBins, OpenClaw could treat sort –compress-program=<prog> as valid safe-bin usage. In security=allowlist + ask=on-miss, this could satisfy allowlist checks and skip operator approval, while GNU sort may invoke an external program via –compress-program.
A symlink-retarget TOCTOU race in writeFileWithinRoot could point an attacker-controlled path alias outside the configured root between resolution and write operations.
A sandboxed session could use cross-agent sessions_spawn to create a child under an agent configured with sandbox.mode="off", downgrading runtime confinement.
Files may be written outside the sandbox workspace root (within the permissions of the user running OpenClaw).
Files may be written outside the sandbox workspace root (within the permissions of the user running OpenClaw).
OpenClaw did not consistently enforce configured inbound media byte limits before buffering remote media in several channel ingestion paths. A remote sender could trigger oversized downloads and memory pressure before rejection.
OpenClaw exec approvals could be bypassed in allowlist mode when allow-always was granted through unrecognized multiplexer shell wrappers (notably busybox sh -c and toybox sh -c).
The Control UI static file handler previously validated asset paths lexically and then served files with APIs that follow symbolic links. A symlink placed under the Control UI root could cause out-of-root file reads.
An authorization mismatch allowed authenticated callers with operator.write access to invoke owner-only tool surfaces (gateway, cron) through agent runs in scoped-token deployments.
In openclaw npm releases up to and including 2026.2.21-2, approving wrapped system.run commands with allow-always in security=allowlist mode could persist wrapper-level allowlist entries and enable later approval-bypass execution of different inner payloads.
A paired node could supply Unicode-confusable platform or deviceFamily metadata that passed metadata pinning but classified differently for command policy resolution, broadening default node command allowlists.
For host=node runs, approvals validated command context but did not pin executable identity for non-path-like argv[0] tokens (for example tr). If PATH resolution changed after approval, execution could run a different binary.
system.run approvals in OpenClaw used rendered command text as the approval identity while trimming argv token whitespace. Runtime execution still used raw argv. A crafted trailing-space executable token could therefore execute a different binary than what the approver saw.
Sandbox media handling had a time-of-check/time-of-use gap: media paths could be validated first and read later through a separate path. A symlink retarget between those steps could cause reads outside sandboxRoot.
For host=node executions, approval context could be bypassed after approval-time by rebinding a writable parent symlink in cwd while preserving the visible cwd string.
exec.approval requests for host=node were not explicitly bound to the target nodeId, so an approval intended for one node could be replayed for a different node under the same operator-controlled gateway fleet.
sendAttachment and setGroupIcon message actions could hydrate media from local absolute paths when sandboxRoot was unset, bypassing intended local media root checks. This could allow reads of arbitrary host files reachable by the runtime user when an authorized message-action path was triggered.
OpenClaw Gateway exposes an authenticated HTTP endpoint (POST /tools/invoke) intended for invoking a constrained set of tools. Two issues could combine to significantly increase blast radius in misconfigured or exposed deployments: The HTTP gateway layer did not deny high-risk session orchestration tools by default, allowing a caller with Gateway auth to invoke tools like sessions_spawn / sessions_send and pivot into creating or controlling agent sessions. ACP clients could auto-approve permission …
OpenClaw hooks previously compared the provided hook token using a regular string comparison. Because this comparison is not constant-time, an attacker with network access to the hooks endpoint could potentially use timing measurements across many requests to gradually infer the token. In practice, this typically requires hooks to be exposed to an untrusted network and a large number of requests; real-world latency and jitter can make reliable measurement difficult.
OpenClaw hooks previously compared the provided hook token using a regular string comparison. Because this comparison is not constant-time, an attacker with network access to the hooks endpoint could potentially use timing measurements across many requests to gradually infer the token. In practice, this typically requires hooks to be exposed to an untrusted network and a large number of requests; real-world latency and jitter can make reliable measurement difficult.
When browser control started without explicit auth credentials, OpenClaw attempted to bootstrap auth automatically. In affected versions, if that bootstrap step threw an error, startup could continue and expose browser-control routes without authentication.
A remote code execution (RCE) vulnerability in the gateway-to-node invocation path allowed an authenticated gateway client to bypass node-host exec approvals by injecting internal control fields into node.invoke parameters.
A remote code execution (RCE) vulnerability in the gateway-to-node invocation path allowed an authenticated gateway client to bypass node-host exec approvals by injecting internal control fields into node.invoke parameters.
A path traversal (Zip Slip) issue in archive extraction during explicit installation commands could allow a crafted archive to write files outside the intended extraction directory.
A path traversal (Zip Slip) issue in archive extraction during explicit installation commands could allow a crafted archive to write files outside the intended extraction directory.
@openclaw/voice-call (and the bundled copy shipped in openclaw) accepted media-stream WebSocket upgrades before stream validation. In reachable deployments, unauthenticated pre-start sockets could be held open and increase resource pressure.
In approval-enabled host=node workflows, system.run approvals did not always carry a strict, versioned execution-context binding. In uncommon setups that rely on these approvals as an integrity guardrail, a previously approved request could be reused with changed env input.
In the macOS companion app (currently beta), a parsing mismatch in exec approvals could let shell-chain payloads pass allowlist checks in system.run under specific settings.
OpenClaw versions before 2026.2.14 did not sufficiently validate TAR archive entry paths during extraction. A crafted archive could use path traversal sequences (for example ../../…) to write files outside the intended destination directory (Zip Slip).
OpenClaw versions before 2026.2.14 did not sufficiently validate TAR archive entry paths during extraction. A crafted archive could use path traversal sequences (for example ../../…) to write files outside the intended destination directory (Zip Slip).
A Windows system.run approval-integrity mismatch in the cmd.exe /c path could allow trailing arguments to execute while approval/audit text reflected only a benign command string. This requires an authenticated operator context using the approvals flow and a trusted Windows node.
Gemini web_search citation redirect resolution used a private-network-allowing SSRF policy. A citation URL redirect could target loopback/private/internal destinations and be fetched by the gateway.
Unauthenticated requests to a reachable Zalo webhook endpoint could trigger unbounded in-memory key growth by varying query strings on the same valid webhook route.
In OpenClaw 2026.2.25, Signal group authorization under groupPolicy=allowlist could accept sender identities sourced from DM pairing-store approvals. This allowed DM pairing approvals to leak into group allowlist evaluation.
extensions/feishu/src/bot.ts constructed new RegExp() directly from Feishu mention metadata (mention.name, mention.key) in stripBotMention() without escaping regex metacharacters.
OpenClaw hooks previously compared the provided hook token using a regular string comparison. Because this comparison is not constant-time, an attacker with network access to the hooks endpoint could potentially use timing measurements across many requests to gradually infer the token. In practice, this typically requires hooks to be exposed to an untrusted network and a large number of requests; real-world latency and jitter can make reliable measurement difficult.
OpenClaw hooks previously compared the provided hook token using a regular string comparison. Because this comparison is not constant-time, an attacker with network access to the hooks endpoint could potentially use timing measurements across many requests to gradually infer the token. In practice, this typically requires hooks to be exposed to an untrusted network and a large number of requests; real-world latency and jitter can make reliable measurement difficult.
Browser trace/download output path handling allowed symlink-root and symlink-parent escapes from the managed temp root.
Unauthorized senders could trigger two command paths without sender authorization checks: stop-like natural-language abort triggers /models command output
In openclaw@2026.2.23, sandbox network hardening blocks network=host but still allows network=container:<id>. This can let a sandbox join another container's network namespace and reach services available in that namespace.
The gateway agents.files.get and agents.files.set methods allowed symlink traversal for allowlisted workspace files. A symlinked allowlisted file (for example AGENTS.md) could resolve outside the agent workspace and be read/written by the gateway process. This could enable arbitrary host file read/write within the gateway process permissions, and chained impact up to code execution depending on which files are overwritten.
ZDI-CAN-29312: OpenClaw Canvas Path Traversal Information Disclosure Vulnerability – ABSTRACT ————————————- Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products: OpenClaw - OpenClaw – VULNERABILITY DETAILS ———————— Version tested: openclaw 2026.2.17 Platform tested: macOS 26.3
On Windows ACPX paths, wrapper resolution for .cmd/.bat could fall back to shell execution in ways that allowed cwd influence to alter execution behavior.
applySkillConfigEnvOverrides previously copied skills.entries.*.env values into the host process.env without applying the host env safety policy.
In OpenClaw before 2026.2.23, tools.exec.safeBins validation for sort could be bypassed via GNU long-option abbreviations (such as –compress-prog) in allowlist mode, leading to approval-free execution paths that were intended to require approval. Only an exact string such as –compress-program was denied.
The OpenClaw ACP client could auto-approve tool calls based on untrusted metadata and permissive name heuristics. A malicious or compromised ACP tool invocation could bypass expected interactive approval prompts for read-class operations.
Potential unintentional disclosure of local files from the packaging machine into a generated .skill artifact. Requires local execution of the packaging script on attacker-controlled skill contents.
Local ACP sessions may become less responsive when very large prompts are submitted Larger-than-expected model usage/cost when oversized text is forwarded No privilege escalation and no direct remote attack path in the default ACP model
Affected Packages / Versions openclaw npm package versions <= 2026.2.17. Vulnerability Cron webhook delivery in src/gateway/server-cron.ts used fetch() directly, so webhook targets could reach private/metadata/internal endpoints without SSRF policy checks. Fix Commit(s) 99db4d13e 35851cdaf Thanks @Adam55A-code for reporting.
In setups where Discord moderation actions are enabled and the bot has the necessary guild permissions, a non-admin user could request moderation actions by spoofing sender identity fields.
tools.exec.safeBins could be bypassed for filesystem access when sort output flags (-o / –output) or recursive grep flags were allowed through safe-bin execution paths.
An information disclosure vulnerability in OpenClaw's tools.exec.safeBins approval flow allowed a file-existence oracle. When safe-bin validation examined candidate file paths, command allow/deny behavior could differ based on whether a path already existed on the host filesystem. An attacker could probe for file presence by comparing outcomes for existing vs non-existing filenames.
The sandbox identifier cache key for Docker/browser sandbox configuration used SHA-1 to hash normalized configuration payloads. SHA-1 is deprecated for cryptographic use and has known collision weaknesses. In this code path, deterministic IDs are used to decide whether an existing sandbox container can be reused safely. A collision in this hash could let one configuration be interpreted as another under the same sandbox cache identity, increasing the risk of cache …
The sandbox identifier cache key for Docker/browser sandbox configuration used SHA-1 to hash normalized configuration payloads. SHA-1 is deprecated for cryptographic use and has known collision weaknesses. In this code path, deterministic IDs are used to decide whether an existing sandbox container can be reused safely. A collision in this hash could let one configuration be interpreted as another under the same sandbox cache identity, increasing the risk of cache …
The web_fetch tool could be used to crash the OpenClaw Gateway process (OOM / resource exhaustion) by fetching and attempting to parse attacker-controlled web pages with oversized response bodies or pathological HTML nesting.
The web_fetch tool could be used to crash the OpenClaw Gateway process (OOM / resource exhaustion) by fetching and attempting to parse attacker-controlled web pages with oversized response bodies or pathological HTML nesting.
In affected versions, when apply_patch was enabled and the agent ran without filesystem sandbox containment, crafted paths could cause file writes/deletes outside the configured workspace directory.
OpenClaw versions <= 2026.2.9 construct transcript file paths using an unsanitized sessionId and also accept sessionFile paths without enforcing that they stay within the agent sessions directory. A crafted sessionId and/or sessionFile (example: ../../etc/passwd) can cause path traversal when the gateway performs transcript file read/write operations. Preconditions: an attacker must be able to authenticate to the gateway (gateway token/password). By default the gateway binds to loopback (local-only); configurations that expose …
OpenClaw versions <= 2026.2.9 construct transcript file paths using an unsanitized sessionId and also accept sessionFile paths without enforcing that they stay within the agent sessions directory. A crafted sessionId and/or sessionFile (example: ../../etc/passwd) can cause path traversal when the gateway performs transcript file read/write operations. Preconditions: an attacker must be able to authenticate to the gateway (gateway token/password). By default the gateway binds to loopback (local-only); configurations that expose …
normalizeForHash in src/agents/sandbox/config-hash.ts recursively sorted arrays that contained only primitive values. This made order-sensitive sandbox configuration arrays hash to the same value even when order changed. In OpenClaw sandbox flows, this hash is used to decide whether existing sandbox containers should be recreated. As a result, order-only config changes (for example Docker dns and binds array order) could be treated as unchanged and stale containers could be reused. This is …
Prompt injection may alter agent behavior and could lead to unintended tool use or disclosure of sensitive information.
Disclosure of a Telegram bot token allows an attacker to impersonate the bot and take over Bot API access.
OpenClaw CLI process cleanup used system-wide process enumeration and pattern matching to terminate processes without verifying they were owned by the current OpenClaw process. On shared hosts, unrelated processes could be terminated if they matched the pattern.
OpenClaw CLI process cleanup used system-wide process enumeration and pattern matching to terminate processes without verifying they were owned by the current OpenClaw process. On shared hosts, unrelated processes could be terminated if they matched the pattern.
On macOS, the Claude CLI keychain credential refresh path constructed a shell command to write the updated JSON blob into Keychain via security add-generic-password -w …. Because OAuth tokens are user-controlled data, this created an OS command injection risk. The fix avoids invoking a shell by using execFileSync("security", argv) and passing the updated keychain payload as a literal argument.
On macOS, the Claude CLI keychain credential refresh path constructed a shell command to write the updated JSON blob into Keychain via security add-generic-password -w …. Because OAuth tokens are user-controlled data, this created an OS command injection risk. The fix avoids invoking a shell by using execFileSync("security", argv) and passing the updated keychain payload as a literal argument.
A configuration injection issue in the Docker tool sandbox could allow dangerous Docker options (bind mounts, host networking, unconfined profiles) to be applied, enabling container escape or host data access.
Base64-backed media inputs could be decoded into Buffers before enforcing decoded-size budgets. An attacker supplying oversized base64 payloads can force large allocations, causing memory pressure and denial of service.
Base64-backed media inputs could be decoded into Buffers before enforcing decoded-size budgets. An attacker supplying oversized base64 payloads can force large allocations, causing memory pressure and denial of service.
OpenClaw previously accepted untrusted PATH sources in limited situations. In affected versions, this could cause OpenClaw to resolve and execute an unintended binary ("command hijacking") when running host commands. This issue primarily matters when OpenClaw is relying on allowlist/safe-bin protections and expects PATH to be trustworthy.
OpenClaw previously accepted untrusted PATH sources in limited situations. In affected versions, this could cause OpenClaw to resolve and execute an unintended binary ("command hijacking") when running host commands. This issue primarily matters when OpenClaw is relying on allowlist/safe-bin protections and expects PATH to be trustworthy.
A Twilio webhook signature-verification bypass in the voice-call extension could allow unauthenticated webhook requests when a specific ngrok free-tier compatibility option is enabled.
A Twilio webhook signature-verification bypass in the voice-call extension could allow unauthenticated webhook requests when a specific ngrok free-tier compatibility option is enabled.
Telegram allowlist authorization could match on @username (mutable/recyclable) instead of immutable numeric sender IDs.
Telegram allowlist authorization could match on @username (mutable/recyclable) instead of immutable numeric sender IDs.
When Slack DMs are configured with dmPolicy=open, the Slack slash-command handler incorrectly treated any DM sender as command-authorized. This allowed any Slack user who could DM the bot to execute privileged slash commands via DM, bypassing intended allowlist/access-group restrictions.
When Slack DMs are configured with dmPolicy=open, the Slack slash-command handler incorrectly treated any DM sender as command-authorized. This allowed any Slack user who could DM the bot to execute privileged slash commands via DM, bypassing intended allowlist/access-group restrictions.
Shared-agent, multi-user, less-trusted environments: session-tool access could expose transcript content across peer sessions. Single-agent or trusted environments: practical impact is limited. Telegram webhook mode: account-level secret wiring could be missed unless an explicit monitor webhook secret override was provided.
Inter-session messages sent via sessions_send could be interpreted as direct end-user instructions because they were persisted as role: "user" without provenance metadata.
Under iMessage groupPolicy=allowlist, group authorization could be satisfied by sender identities coming from the DM pairing store, broadening DM trust into group contexts.
The Feishu extension could fetch attacker-controlled remote URLs in two paths without SSRF protections: sendMediaFeishu(mediaUrl) Feishu DocX markdown image URLs (write/append -> image processing)
The Feishu extension could fetch attacker-controlled remote URLs in two paths without SSRF protections: sendMediaFeishu(mediaUrl) Feishu DocX markdown image URLs (write/append -> image processing)
openclaw could start the sandbox browser bridge server without authentication. When the sandboxed browser is enabled, openclaw runs a local (loopback) HTTP bridge that exposes browser control endpoints (for example /profiles, /tabs, /tabs/open, /agent/*). Due to missing auth wiring in the sandbox initialization path, that bridge server accepted requests without requiring gateway auth.
openclaw could start the sandbox browser bridge server without authentication. When the sandboxed browser is enabled, openclaw runs a local (loopback) HTTP bridge that exposes browser control endpoints (for example /profiles, /tabs, /tabs/open, /agent/*). Due to missing auth wiring in the sandbox initialization path, that bridge server accepted requests without requiring gateway auth.
Authenticated attackers can read arbitrary files from the Gateway host by supplying absolute paths or path traversal sequences to the browser tool's upload action. The server passed these paths to Playwright's setInputFiles() APIs without restricting them to a safe root. Severity remains High due to the impact (arbitrary local file read on the Gateway host), even though exploitation requires authenticated access.
OpenClaw’s browser control API accepted user-supplied output paths for trace/download files without consistently constraining writes to OpenClaw-managed temporary directories.
OpenClaw’s browser control API accepted user-supplied output paths for trace/download files without consistently constraining writes to OpenClaw-managed temporary directories.
OpenClaw browser download helpers accepted an unsanitized output path. When invoked via the browser control gateway routes, this allowed path traversal to write downloads outside the intended OpenClaw temp downloads directory. This issue is not exposed via the AI agent tool schema (no download action). Exploitation requires authenticated CLI access or an authenticated gateway RPC token.
The BlueBubbles extension accepted attacker-controlled local filesystem paths via mediaPath and could read arbitrary local files from disk before sending them as media attachments.
The BlueBubbles extension accepted attacker-controlled local filesystem paths via mediaPath and could read arbitrary local files from disk before sending them as media attachments.
Command injection in the maintainer/dev script scripts/update-clawtributors.ts.
A bug in download skill installation allowed targetDir values from skill frontmatter to resolve outside the per-skill tools directory if not strictly validated. In the admin-only skills.install flow, this could write files outside the intended install sandbox.
When multiple Google Chat webhook targets are registered on the same HTTP path, and request verification succeeds for more than one target, inbound webhook events could be routed by first-match semantics. This can cause cross-account policy/context misrouting.
When multiple Google Chat webhook targets are registered on the same HTTP path, and request verification succeeds for more than one target, inbound webhook events could be routed by first-match semantics. This can cause cross-account policy/context misrouting.
OpenClaw's exec-approvals allowlist supports a small set of "safe bins" intended to be stdin-only (no positional file arguments) when running tools.exec.host=gateway|node with security=allowlist. In affected configurations, the allowlist validation checked pre-expansion argv tokens, but execution used a real shell (sh -c) which expands globs and environment variables. This allowed safe bins like head, tail, or grep to read arbitrary local files via tokens such as * or $HOME/… without triggering …
OpenClaw's exec-approvals allowlist supports a small set of "safe bins" intended to be stdin-only (no positional file arguments) when running tools.exec.host=gateway|node with security=allowlist. In affected configurations, the allowlist validation checked pre-expansion argv tokens, but execution used a real shell (sh -c) which expands globs and environment variables. This allowed safe bins like head, tail, or grep to read arbitrary local files via tokens such as * or $HOME/… without triggering …
The manual Chutes OAuth login flow could accept attacker-controlled callback input in a way that bypassed OAuth CSRF state validation, potentially resulting in credential substitution.
The manual Chutes OAuth login flow could accept attacker-controlled callback input in a way that bypassed OAuth CSRF state validation, potentially resulting in credential substitution.
Discovery beacons (Bonjour/mDNS and DNS-SD) include TXT records such as lanHost, tailnetDns, gatewayPort, and gatewayTlsSha256. TXT records are unauthenticated. Prior to the fix, some clients treated TXT values as authoritative routing/pinning inputs: iOS and macOS: used TXT-provided host hints (lanHost/tailnetDns) and ports (gatewayPort) to build the connection URL. iOS and Android: allowed the discovery-provided TLS fingerprint (gatewayTlsSha256) to override a previously stored TLS pin. On a shared/untrusted LAN, an attacker …
Stored XSS in the OpenClaw Control UI when rendering assistant identity (name/avatar) into an inline <script> tag without script-context-safe escaping. A crafted value containing </script> could break out of the script tag and execute attacker-controlled JavaScript in the Control UI origin.
The optional Tlon (Urbit) extension previously accepted a user-provided base URL for authentication and used it to construct an outbound HTTP request, enabling server-side request forgery (SSRF) in affected deployments.
The optional Tlon (Urbit) extension previously accepted a user-provided base URL for authentication and used it to construct an outbound HTTP request, enabling server-side request forgery (SSRF) in affected deployments.
OpenClaw Gateway supports hook mappings with optional JavaScript/TypeScript transform modules. In affected versions, the gateway did not sufficiently constrain configured module paths before passing them to dynamic import(). Under some configurations, a user who can modify gateway configuration could cause the gateway process to load and execute an unintended local module.
OpenClaw Gateway supports hook mappings with optional JavaScript/TypeScript transform modules. In affected versions, the gateway did not sufficiently constrain configured module paths before passing them to dynamic import(). Under some configurations, a user who can modify gateway configuration could cause the gateway process to load and execute an unintended local module.
Multiple webhook handlers accepted and buffered request bodies without a strict unified byte/time limit. A remote unauthenticated attacker could send oversized payloads and cause memory pressure, degrading availability.
Multiple webhook handlers accepted and buffered request bodies without a strict unified byte/time limit. A remote unauthenticated attacker could send oversized payloads and cause memory pressure, degrading availability.
URL-backed media fetch handling allocated the entire response payload in memory (arrayBuffer) before enforcing maxBytes, allowing oversized responses to cause memory exhaustion.
URL-backed media fetch handling allocated the entire response payload in memory (arrayBuffer) before enforcing maxBytes, allowing oversized responses to cause memory exhaustion.
Archive extraction lacked strict resource budgets, allowing high-expansion ZIP/TAR archives to consume excessive CPU/memory/disk during install/update flows.
Archive extraction lacked strict resource budgets, allowing high-expansion ZIP/TAR archives to consume excessive CPU/memory/disk during install/update flows.
Browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins.
On Windows nodes, exec requests were executed via cmd.exe /d /s /c <rawCommand>. In allowlist/approval-gated mode, the allowlist analysis did not model Windows cmd.exe parsing and metacharacter behavior. A crafted command string could cause cmd.exe to interpret additional operations (for example command chaining via &, or expansion via %…% / !…!) beyond what was allowlisted/approved.
On Windows nodes, exec requests were executed via cmd.exe /d /s /c <rawCommand>. In allowlist/approval-gated mode, the allowlist analysis did not model Windows cmd.exe parsing and metacharacter behavior. A crafted command string could cause cmd.exe to interpret additional operations (for example command chaining via &, or expansion via %…% / !…!) beyond what was allowlisted/approved.
The OpenClaw Nostr channel plugin (optional, disabled by default, installed separately) exposes profile management HTTP endpoints under /api/channels/nostr/:accountId/profile (GET/PUT) and /api/channels/nostr/:accountId/profile/import (POST). In affected versions, these routes were dispatched via the gateway plugin HTTP layer without requiring gateway authentication, allowing unauthenticated remote callers to read or mutate the Nostr profile and persist changes to the gateway config. Profile updates are also published as a signed Nostr kind:0 event using the …
The OpenClaw Nostr channel plugin (optional, disabled by default, installed separately) exposes profile management HTTP endpoints under /api/channels/nostr/:accountId/profile (GET/PUT) and /api/channels/nostr/:accountId/profile/import (POST). In affected versions, these routes were dispatched via the gateway plugin HTTP layer without requiring gateway authentication, allowing unauthenticated remote callers to read or mutate the Nostr profile and persist changes to the gateway config. Profile updates are also published as a signed Nostr kind:0 event using the …
The gateway WebSocket connect handshake could allow skipping device identity checks when auth.token was present but not yet validated.
The gateway WebSocket connect handshake could allow skipping device identity checks when auth.token was present but not yet validated.
The Chrome extension relay (ensureChromeExtensionRelayServer) previously treated wildcard hosts (0.0.0.0 / ::) as loopback, which could make it bind the relay HTTP/WS server to all interfaces when a wildcard cdpUrl was passed.
The Chrome extension relay (ensureChromeExtensionRelayServer) previously treated wildcard hosts (0.0.0.0 / ::) as loopback, which could make it bind the relay HTTP/WS server to all interfaces when a wildcard cdpUrl was passed.
In affected versions, the Browser Relay /cdp WebSocket endpoint did not require an authentication token. As a result, a website running in the browser could potentially connect to the local relay (via loopback WebSocket) and use CDP to access cookies from other open tabs and run JavaScript in the context of other tabs.
In affected versions, the Browser Relay /cdp WebSocket endpoint did not require an authentication token. As a result, a website running in the browser could potentially connect to the local relay (via loopback WebSocket) and use CDP to access cookies from other open tabs and run JavaScript in the context of other tabs.
In the optional Twitch channel plugin (extensions/twitch), allowFrom is documented as a hard allowlist of Twitch user IDs, but it was not enforced as a hard gate. If allowedRoles is unset or empty, the access control path defaulted to allow, so any Twitch user who could mention the bot could reach the agent dispatch pipeline. Scope note: This only affects deployments that installed and enabled the Twitch plugin. Core OpenClaw …
In the optional Twitch channel plugin (extensions/twitch), allowFrom is documented as a hard allowlist of Twitch user IDs, but it was not enforced as a hard gate. If allowedRoles is unset or empty, the access control path defaulted to allow, so any Twitch user who could mention the bot could reach the agent dispatch pipeline. Scope note: This only affects deployments that installed and enabled the Twitch plugin. Core OpenClaw …
skills.status could disclose secrets to operator.read clients by returning raw resolved config values in configChecks for skill requires.config paths.
A mismatch between rawCommand and command[] in the node host system.run handler could cause allowlist/approval evaluation to be performed on one command while executing a different argv.
NOTE: This only affects deployments that enable the optional MS Teams extension (Teams channel). If you do not use MS Teams, you are not impacted. When OpenClaw downloads inbound MS Teams attachments / inline images, it may retry a URL with an Authorization: Bearer <token> header after receiving 401 or 403. Because the default download allowlist uses suffix matching (and includes some multi-tenant suffix domains), a message that references an …
NOTE: This only affects deployments that enable the optional MS Teams extension (Teams channel). If you do not use MS Teams, you are not impacted. When OpenClaw downloads inbound MS Teams attachments / inline images, it may retry a URL with an Authorization: Bearer <token> header after receiving 401 or 403. Because the default download allowlist uses suffix matching (and includes some multi-tenant suffix domains), a message that references an …
OpenClaw macOS desktop client registers the openclaw:// URL scheme. For openclaw://agent deep links without an unattended key, the app shows a confirmation dialog that previously displayed only the first 240 characters of the message, but executed the full message after the user clicked "Run". At the time of writing, the OpenClaw macOS desktop client is still in beta. An attacker could pad the message with whitespace to push a malicious …
In openclaw versions prior to 2026.2.13, OpenClaw logged certain WebSocket request headers (including Origin and User-Agent) without neutralization or length limits on the "closed before connect" path. If an unauthenticated client can reach the gateway and send crafted header values, those values may be written into core logs. Under workflows where logs are later read or interpreted by an LLM (for example via AI-assisted debugging), this can increase the risk …
In affected versions, OpenClaw's optional @openclaw/voice-call plugin Telnyx webhook handler could accept unsigned inbound webhook requests when telnyx.publicKey was not configured, allowing unauthenticated callers to forge Telnyx events. This only impacts deployments where the Voice Call plugin is installed, enabled, and the webhook endpoint is reachable from the attacker (for example, publicly exposed via a tunnel/proxy).
The issue is not deterministic session keys by itself. The exploitable path was accepting externally supplied sessionKey values on authenticated hook ingress, allowing a hook token holder to route messages into chosen sessions.
An authentication bypass in the optional voice-call extension/plugin allowed unapproved or anonymous callers to reach the voice-call agent when inbound policy was set to allowlist or pairing. Deployments that do not install/enable the voice-call extension are not affected.
An authentication bypass in the optional voice-call extension/plugin allowed unapproved or anonymous callers to reach the voice-call agent when inbound policy was set to allowlist or pairing. Deployments that do not install/enable the voice-call extension are not affected.
Exec approvals allowlist bypass via command substitution/backticks inside double quotes.
Exec approvals allowlist bypass via command substitution/backticks inside double quotes.
In OpenClaw versions prior to 2026.2.12, the gateway accepted an untrusted sessionFile path when resolving the session transcript file. This could allow an authenticated gateway client to create and append OpenClaw session transcript records at an arbitrary path on the gateway host.
In OpenClaw versions prior to 2026.2.12, the gateway accepted an untrusted sessionFile path when resolving the session transcript file. This could allow an authenticated gateway client to create and append OpenClaw session transcript records at an arbitrary path on the gateway host.
The BlueBubbles webhook handler previously treated any request whose socket remoteAddress was loopback (127.0.0.1, ::1, ::ffff:127.0.0.1) as authenticated. When OpenClaw Gateway is behind a reverse proxy (Tailscale Serve/Funnel, nginx, Cloudflare Tunnel, ngrok), the proxy typically connects to the gateway over loopback, allowing unauthenticated remote requests to bypass the configured webhook password. This could allow an attacker who can reach the proxy endpoint to inject arbitrary inbound BlueBubbles message/reaction events.
The BlueBubbles webhook handler previously treated any request whose socket remoteAddress was loopback (127.0.0.1, ::1, ::ffff:127.0.0.1) as authenticated. When OpenClaw Gateway is behind a reverse proxy (Tailscale Serve/Funnel, nginx, Cloudflare Tunnel, ngrok), the proxy typically connects to the gateway over loopback, allowing unauthenticated remote requests to bypass the configured webhook password. This could allow an attacker who can reach the proxy endpoint to inject arbitrary inbound BlueBubbles message/reaction events.
In Telegram webhook mode, if channels.telegram.webhookSecret is not set, OpenClaw may accept webhook HTTP requests without verifying Telegram’s secret token header. In deployments where the webhook endpoint is reachable by an attacker, this can allow forged Telegram updates (for example spoofing message.from.id). Note: Telegram webhook mode is not enabled by default. It is enabled only when channels.telegram.webhookUrl is configured.
OpenClaw's SSRF protection could be bypassed using full-form IPv4-mapped IPv6 literals such as 0:0:0:0:0:ffff:7f00:1 (which is 127.0.0.1). This could allow requests that should be blocked (loopback / private network / link-local metadata) to pass the SSRF guard. Vulnerable component: SSRF guard (src/infra/net/ssrf.ts) Issue type: SSRF protection bypass
When Telegram webhook mode is enabled without a configured webhook secret, OpenClaw may accept unauthenticated HTTP POST requests at the Telegram webhook endpoint and trust attacker-controlled update JSON. This can allow forged Telegram updates that spoof message.from.id / chat.id, potentially bypassing sender allowlists and executing privileged bot commands.
When Telegram webhook mode is enabled without a configured webhook secret, OpenClaw may accept unauthenticated HTTP POST requests at the Telegram webhook endpoint and trust attacker-controlled update JSON. This can allow forged Telegram updates that spoof message.from.id / chat.id, potentially bypassing sender allowlists and executing privileged bot commands.
OpenClaw's plugin installation path derivation could be abused by a malicious plugin package.json name to escape the intended extensions directory and write files to a parent directory.
OpenClaw's plugin installation path derivation could be abused by a malicious plugin package.json name to escape the intended extensions directory and write files to a parent directory.
OpenClaw Matrix DM allowlist matching could be bypassed in certain configurations. Matrix support ships as an optional plugin (not bundled with the core install), so this only affects deployments that have installed and enabled the Matrix plugin.
OpenClaw Matrix DM allowlist matching could be bypassed in certain configurations. Matrix support ships as an optional plugin (not bundled with the core install), so this only affects deployments that have installed and enabled the Matrix plugin.
The Feishu extension previously allowed sendMediaFeishu to treat attacker-controlled mediaUrl values as local filesystem paths and read them directly.
Google Chat allowlisting supports matching by sender email in addition to immutable sender resource name (users/<id>). This weakens identity binding if a deployment assumes allowlists are strictly keyed by immutable principals.
The Gateway tool accepted a tool-supplied gatewayUrl without sufficient restrictions, which could cause the OpenClaw host to attempt outbound WebSocket connections to user-specified targets.
In affected versions, the optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopback (127.0.0.1, ::1, ::ffff:127.0.0.1) even when the configured webhook secret was missing or incorrect. This does not affect the default iMessage integration unless BlueBubbles is installed and enabled.
A gateway client authenticated with a device token scoped only to operator.write (without operator.approvals) could approve/deny pending exec approval requests by sending a chat message containing the built-in /approve command. exec.approval.resolve is correctly scoped to operator.approvals for direct RPC calls, but the /approve command path invoked it via an internal privileged gateway client.
A gateway client authenticated with a device token scoped only to operator.write (without operator.approvals) could approve/deny pending exec approval requests by sending a chat message containing the built-in /approve command. exec.approval.resolve is correctly scoped to operator.approvals for direct RPC calls, but the /approve command path invoked it via an internal privileged gateway client.
Versions of the openclaw npm package prior to 2026.2.2 could be coerced into fetching arbitrary http(s) URLs during attachment/media hydration. An attacker who can influence the media URL (for example via model-controlled sendAttachment or auto-reply media URLs) could trigger SSRF to internal resources and exfiltrate the fetched bytes as an outbound attachment.
Versions of the openclaw npm package prior to 2026.2.2 could be coerced into fetching arbitrary http(s) URLs during attachment/media hydration. An attacker who can influence the media URL (for example via model-controlled sendAttachment or auto-reply media URLs) could trigger SSRF to internal resources and exfiltrate the fetched bytes as an outbound attachment.
A server-side request forgery (SSRF) vulnerability in the Image tool allowed attackers to force OpenClaw to make HTTP requests to arbitrary internal or restricted network targets.
When the Slack integration is enabled, Slack channel metadata (topic/description) could be incorporated into the model's system prompt.
An unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user.
An unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user.
The isValidMedia() function in src/media/parse.ts allows arbitrary file paths including absolute paths, home directory paths, and directory traversal sequences. An agent can read any file on the system by outputting MEDIA:/path/to/file, exfiltrating sensitive data to the user/channel.