Advisories for Npm/Openclaw package

Workspace provider auth choices could auto-enable untrusted provider plugins.

Workspace .env could inject OpenClaw runtime-control variables.

Webchat tool-result media normalization could pass local and UNC-style file paths into the host-side media embedding path without applying the configured local-root containment policy.

Voice-call realtime WebSocket accepted oversized frames.

Shell-wrapper detection missed env-argv assignment injection forms.

OpenClaw's outbound host-media attachment read helper could enable host-local file reads based on global or agent-level read access without also honoring sender and group-scoped tool policy. In channel deployments that used toolsBySender or group policy to deny read for less-trusted senders, a denied sender could still trigger host-media attachment loading and cause readable local files to be returned through the outbound media path.

screen_record outPath bypassed workspace-only filesystem guard.

Sandboxed agents could escape exec routing via host=node override.

Sandbox noVNC helper route exposed interactive browser session credentials.

Sandbox browser CDP relay could expose DevTools protocol on 0.0.0.0.

QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes.

QQBot media tags could read arbitrary local files through reply text.

The QMD backend memory_get read path accepted arbitrary workspace Markdown paths that were inside the workspace but outside the canonical memory locations or indexed QMD result set.

Nostr profile mutation routes allowed operator.write config persistence.

Microsoft Teams SSO invoke handler missed sender authorization checks.

Memory dreaming config persistence was reachable from operator.write commands.

Matrix profile config persistence was reachable from operator.write message tools.

Heartbeat owner downgrade missed untrusted webhook wake events.

Heartbeat owner downgrade missed local async exec completion events.

Gateway HTTP and WebSocket handlers captured the resolved bearer-auth configuration when the server started. After a SecretRef rotation, the already-running gateway could continue accepting the old bearer token until restart.

Feishu webhook mode accepted missing encryptKey configuration as valid and blank card-action callback tokens as usable lifecycle tokens. Together, those fail-open paths could allow unauthenticated webhook or card-action traffic to reach command dispatch in affected deployments.

Existing-session browser interaction routes bypassed SSRF policy enforcement.

Exec environment denylist missed high-risk interpreter startup variables.

Empty approver lists could grant explicit approval authorization.

Discord event cover images bypassed sandbox media normalization.

Delivery queue recovery could lose group tool-policy context for media replay.

config.get redaction bypass through sourceConfig and runtimeConfig aliases.

Collect-mode queue batches could reuse the last sender authorization context.

Channel setup catalog lookups could include untrusted workspace plugin shadows.

CDP /json/version WebSocket URL could pivot to untrusted second-hop targets.

busybox and toybox applet execution weakened exec approval binding.

Browser tabs action select and close routes bypassed SSRF policy.

Browser SSRF policy default allowed private-network navigation.

Browser SSRF hostname validation could be bypassed by DNS rebinding.

Browser snapshot and screenshot routes could expose internal page content after navigation.

Browser press/type interaction routes missed complete navigation guard coverage.

Browser interaction routes could pivot into local CDP and regain file reads.

Agent hook events could enqueue trusted system events from unsanitized external input.

OpenClaw's exec script preflight validator previously validated and then read a script by mutable pathname. A local race could swap the path between validation and read, causing preflight analysis to inspect a different file identity than the one that passed the workspace boundary check.

A weakness has been identified in OpenClaw up to 2026.1.26. Affected by this issue is some unknown functionality of the file src/agents/tools/web-fetch.ts of the component assertPublicHostname Handler. Executing a manipulation can lead to server-side request forgery. The attack can be executed remotely. This attack is characterized by high complexity. The exploitation is known to be difficult. The exploit has been made available to the public and could be used for …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-vfg3-pqpq-93m4. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.22 performs cite expansion before completing channel and DM authorization checks, allowing cite work and content handling prior to final auth decisions. Attackers can exploit this timing vulnerability to access or manipulate content before proper authorization validation occurs.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-vcx4-4qxg-mfp4. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in Telegram webhook authentication that allows attackers to brute-force weak webhook secrets. The vulnerability enables repeated authentication guesses without throttling, permitting attackers to systematically guess webhook secrets through brute-force attacks.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-mf5g-6r6f-ghhm. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.25 contains a pre-authentication rate-limit bypass vulnerability in webhook token validation that allows attackers to brute-force weak webhook secrets. The vulnerability exists because invalid webhook tokens are rejected without throttling repeated authentication attempts, enabling attackers to guess weak tokens through rapid successive requests.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-7xr2-q9vf-x4r5. This link is maintained to preserve external references. Original Description OpenClaw through 2026.2.22 contains a symlink traversal vulnerability in agents.create and agents.update handlers that use fs.appendFile on IDENTITY.md without symlink containment checks. Attackers with workspace access can plant symlinks to append attacker-controlled content to arbitrary files, enabling remote code execution via crontab injection or unauthorized access …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rhfg-j8jq-7v2h. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.25 contains a server-side request forgery vulnerability in multiple channel extensions that fail to properly guard configured base URLs against SSRF attacks. Attackers can exploit unprotected fetch() calls against configured endpoints to rebind requests to blocked internal destinations and access restricted resources.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-4qwc-c7g9-4xcw. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.22 contains an unbounded memory allocation vulnerability in remote media HTTP error handling that allows attackers to trigger excessive memory consumption. Attackers can send crafted HTTP error responses with large bodies to remote media endpoints, causing the application to allocate unbounded memory before failure …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-cg6c-q2hx-69h7. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.23 contains a replay identity vulnerability in Plivo V2 signature verification that allows attackers to bypass replay protection by modifying query parameters. The verification path derives replay keys from the full URL including query strings instead of the canonicalized base URL, enabling attackers to …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-65h8-27jh-q8wv. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.22 performs cryptographic and dispatch operations on inbound Nostr direct messages before enforcing sender and pairing policy validation. Attackers can trigger unauthorized pre-authentication computation by sending crafted DM messages, enabling denial of service through resource exhaustion.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xhq5-45pm-2gjr. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.22 contains a policy confusion vulnerability in room authorization that matches colliding room names instead of stable room tokens. Attackers can exploit similarly named rooms to bypass allowlist policies and gain unauthorized access to protected Nextcloud Talk rooms.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-52q4-3xjc-6778. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Google Chat group policy enforcement that relies on mutable space display names. Attackers can rebind group policies by changing or colliding space display names to gain unauthorized access to protected resources.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-mp66-rf4f-mhh8. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.22 contains an improper authentication verification vulnerability in Google Chat app-url webhook handling that accepts add-on principals outside intended deployment bindings. Attackers can bypass webhook authentication by providing non-deployment add-on principals to execute unauthorized actions through the Google Chat integration.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-h4jx-hjr3-fhgc. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in the gateway plugin subagent fallback deleteSession function that uses a synthetic operator.admin runtime scope. Attackers can exploit this by triggering session deletion without a request-scoped client to execute privileged operations with unintended administrative scope.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-6mqc-jqh6-x8fc. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.23 contains an authentication bypass vulnerability in the Canvas gateway where authorizeCanvasRequest() unconditionally allows local-direct requests without validating bearer tokens or canvas capabilities. Attackers can send unauthenticated loopback HTTP and WebSocket requests to Canvas routes to bypass authentication and gain unauthorized access.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-3h52-cx59-c456. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.25 parses JSON request bodies before validating webhook signatures, allowing unauthenticated attackers to force resource-intensive parsing operations. Remote attackers can send malicious webhook requests to trigger denial of service by exhausting server resources through forced JSON parsing before signature rejection.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xq8g-hgh6-87hv. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in webhook authentication that allows attackers to brute-force weak webhook passwords without throttling. Remote attackers can repeatedly submit incorrect password guesses to the webhook endpoint to compromise authentication and gain unauthorized access.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rm59-992w-x2mv. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.22 contains an unauthenticated resource exhaustion vulnerability in voice call webhook handling that buffers request bodies before provider signature checks. Attackers can send large or malicious webhook requests to exhaust server resources without authentication by bypassing signature validation.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hf68-49fm-59cq. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the device.pair.approve method that allows an operator.pairing approver to approve pending device requests with broader operator scopes than the approver actually holds. Attackers can exploit insufficient scope validation to escalate privileges to operator.admin and achieve remote code …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rqp8-q22p-5j9q This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.22 contains a webhook path route replacement vulnerability in the Synology Chat extension that allows attackers to collapse multi-account configurations onto shared webhook paths. Attackers can exploit inherited or duplicate webhook paths to bypass per-account DM access control policies and replace route ownership across …

strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts. The approval-timeout fallback could allow inline eval commands that strictInlineEval was meant to require explicit approval for. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

Strict browser SSRF bypass in Playwright redirect handling leaves private targets reachable. Strict browser SSRF checks could miss Playwright request-time navigation to private targets. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

Shared reply MEDIA: paths are treated as trusted and can trigger cross-channel local file exfiltration. A crafted shared reply MEDIA reference could cause another channel to read a local file path as trusted generated media. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

resolvedAuth closure becomes stale after config reload. After a config reload, newly accepted gateway connections could continue using stale resolved auth state. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement. A previously paired node could reconnect with a broader command set, including exec-capable commands, without forcing the operator/admin re-pairing path. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

Multiple Code Paths Missing Base64 Pre-Allocation Size Checks. Several base64 decode paths could allocate before enforcing decoded-size limits. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

Lower-trust background runtime output is injected into trusted System: events, and local async exec completion misses the intended exec-event downgrade. Lower-trust runtime/background output could be promoted into trusted System events, allowing prompt-injection into later agent turns. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist — RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class). Missing denylist entries allowed hostile build-tool environment variables to influence host exec commands. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

GIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant). Git plumbing environment variables were not removed before host exec and could redirect Git operations. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

Gateway plugin HTTP auth: gateway widens identity-bearing operator.read requests into runtime operator.write. Plugin HTTP routes using gateway auth could receive runtime write scopes even when the upstream trusted-proxy request only declared read. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

Feishu docx upload_file/upload_image Bypasses Workspace-Only Filesystem Policy (GHSA-qf48-qfv4-jjm9 Incomplete Fix). Feishu document uploads could read local files outside the workspace-only file policy when processing docx upload blocks. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

Existing WS sessions survive shared gateway token rotation. Rotating the shared gateway token did not disconnect existing shared-token WebSocket sessions. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths. Concurrent asynchronous shared-secret auth attempts could race the per-key rate-limit budget. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

Authenticated /hooks/wake and mapped wake payloads are promoted into the trusted System: prompt channel. An authenticated wake hook or mapped wake payload could be promoted into the trusted System prompt channel instead of an untrusted event. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

fetchWithSsrFGuard replays unsafe request bodies across cross-origin redirects. A guarded fetch could resend unsafe request bodies or headers when following cross-origin redirects. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

fetchWithSsrFGuard replays unsafe request bodies across cross-origin redirects. A guarded fetch could resend unsafe request bodies or headers when following cross-origin redirects. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

/allowlist omits owner-only enforcement for cross-channel allowlist writes. An authorized non-owner sender could attempt allowlist writes against a different channel. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

QQ Bot Extension: Missing SSRF Protection on All Media Fetch Paths. QQ Bot media download paths were not consistently routed through the SSRF guard and allowlist policy. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

OpenClaw Host-Exec Environment Variable Injection. Host exec could inherit environment variables that influence interpreters, shells, or build tools. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

Browser SSRF Policy Bypass via Interaction-Triggered Navigation. Browser interactions could trigger navigations that bypassed the normal SSRF navigation checks. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

B-M3: ClawHub package downloads are not enforced with integrity verification. ClawHub downloads could install plugin archives without enforcing archive or per-file integrity metadata. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

OpenClaw node.pair.approve placed in operator.write scope instead of operator.pairing allows unprivileged pairing approval. The pairing approval method accepted operator.write instead of the narrower pairing scope and admin requirement for exec-capable nodes. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

OpenClaw node.invoke(browser.proxy) bypasses browser.request persistent profile-mutation guard. node.invoke(browser.proxy) could mutate persistent browser profiles through a path that bypassed the browser.request guard. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

OpenClaw device.token.rotate mints tokens for unapproved roles, bypassing device role-upgrade pairing. Device token rotation could mint or preserve roles/scopes that had not gone through the intended pairing approval. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-qx8j-g322-qj6m. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.31 (patched in 2026.4.8) contains a request body replay vulnerability in fetchWithSsrFGuard that allows unsafe request bodies to be resent across cross-origin redirects. Attackers can exploit this by triggering redirects to exfiltrate sensitive request data or headers to unintended origins.

Before OpenClaw 2026.4.2, Zalo webhook replay dedupe keys were not scoped strongly enough across chat and sender dimensions. Legitimate events from different conversations or senders could collide and be dropped as duplicates.

Before OpenClaw 2026.3.31, the Zalo webhook replay-dedupe cache was shared across authenticated webhook targets and keyed too broadly. In multi-account deployments, a replay seen on one account could suppress a legitimate event on another account if event_name and message_id matched.

Before OpenClaw 2026.4.2, system-run approval binding normalized environment override keys differently from host execution. Windows-compatible keys could be omitted from the approval binding while still being injected at execution time.

Before OpenClaw 2026.4.2, built-in channel setup and login could resolve an untrusted workspace channel shadow before the plugin was explicitly trusted. A malicious workspace plugin that claimed a bundled channel id could execute during channel setup even while still disabled.

Before OpenClaw 2026.4.2, built-in channel setup and login could resolve an untrusted workspace channel shadow before the plugin was explicitly trusted. A malicious workspace plugin that claimed a bundled channel id could execute during channel setup even while still disabled.

Before OpenClaw 2026.4.2, remote CDP discovery could return a trailing-dot localhost host such as localhost. and bypass OpenClaw's loopback-host normalization. That let a non-loopback remote CDP profile pivot the follow-up connection back onto localhost.

Tlon media downloads can bypass core safety limits and exhaust disk

Before OpenClaw 2026.3.31, exec allowlist matching could treat shell init-file wrapper invocations as if the approved script itself were being executed. Shell options such as –rcfile, –init-file, and –startup-file could therefore inherit allowlist trust from a matched script path even though the shell loaded attacker-chosen initialization first.

Before OpenClaw 2026.4.2, several shared-secret comparison call sites still used early length-mismatch checks instead of the shared fixed-length comparison helper. Those paths could leak secret-length information through measurable timing differences.

Before OpenClaw 2026.4.2, POST /sessions/:sessionKey/kill did not enforce write scopes in identity-bearing HTTP modes. A caller limited to read-only operator scopes could still terminate a running subagent session.

Before OpenClaw 2026.4.2, POST /sessions/:sessionKey/kill did not enforce write scopes in identity-bearing HTTP modes. A caller limited to read-only operator scopes could still terminate a running subagent session.

Before OpenClaw 2026.4.2, QQ Bot structured media payloads could read local files from attacker-chosen paths. A crafted structured payload could escape QQ Bot-owned media roots and cause arbitrary file reads on the host.

Before OpenClaw 2026.4.2, pnpm dlx approval planning did not bind local script operands the same way as related pnpm exec flows. A local script approved through a pnpm dlx path could be replaced before execution without invalidating the approval.

Before OpenClaw 2026.3.31, pending pairing-request caps were enforced per channel file instead of per account. On multi-account channel setups, requests from other accounts could fill the shared pending window and block new pairing challenges on an unaffected account.

Before OpenClaw 2026.4.2, the OpenShell mirror backend accepted arbitrary absolute remoteWorkspaceDir and remoteAgentWorkspaceDir values. In mirror mode, those paths were then used as the target of remote cleanup and overwrite operations.

OpenShell mirror mode can convert untrusted sandbox files into explicitly enabled workspace hooks and execute them on the host during gateway startup

Marketplace Plugin Download Follows Redirects Without SSRF Protection

Marketplace Plugin Download Follows Redirects Without SSRF Protection

Before OpenClaw 2026.4.2, the iOS A2UI bridge treated generic local-network pages as trusted bridge origins. A page loaded from a local-network or tailnet host could trigger agent.request dispatch without the stricter trusted-canvas origin check.

Gateway operator.write Can Reach Admin-Class Telegram Config and Cron Persistence via send

Gateway operator.write Can Reach Admin-Class Talk Voice Config Persistence via chat.send

Before OpenClaw 2026.4.2, the Gateway connect success snapshot exposed local configPath and stateDir metadata to non-admin clients. Low-privilege authenticated clients could learn host filesystem layout and deployment details that were not needed for their role.

Before OpenClaw 2026.3.31, the Nostr DM ingress path could issue pairing challenges before validating the event signature. A forged DM could create a pending pairing entry and trigger a pairing-reply attempt before signature rejection.

Before OpenClaw 2026.3.31, the Nostr DM ingress path could issue pairing challenges before validating the event signature. A forged DM could create a pending pairing entry and trigger a pairing-reply attempt before signature rejection.

Before OpenClaw 2026.4.2, Android accepted non-loopback cleartext ws:// gateway endpoints and would send stored gateway credentials over that connection. Discovery beacons or setup codes could therefore steer the client onto a cleartext remote endpoint.

Before OpenClaw 2026.4.2, Android accepted non-loopback cleartext ws:// gateway endpoints and would send stored gateway credentials over that connection. Discovery beacons or setup codes could therefore steer the client onto a cleartext remote endpoint.

session_status still bypasses configured tools.sessions.visibility for unsandboxed invocations

/phone arm//phone disarm Bypasses operator.admin Scope Check for External Channels

Incomplete Fix for CVE-2026-4039: CLI Backend Environment Variable Injection via Workspace Config

Before OpenClaw 2026.4.2, exec script preflight validation could fail open on complex interpreter invocations such as pipes or other non-simple command forms. In those cases, script-content validation could be skipped entirely.

Before OpenClaw 2026.4.2, the Gemini OAuth flow reused the PKCE verifier as the OAuth state value. Because the provider reflected state back in the redirect URL, the verifier could be exposed alongside the authorization code.

Before OpenClaw 2026.4.2, the Gemini OAuth flow reused the PKCE verifier as the OAuth state value. Because the provider reflected state back in the redirect URL, the verifier could be exposed alongside the authorization code.

Workspace .env can override the bundled plugin trust root

Incomplete fix for CVE-2026-32062: voice-call still parses large WebSocket frames before start validation

Bootstrap setup codes were not bound to the intended device role and scopes, allowing first-use privilege escalation during pairing.

Tlon Startup Migration Rehydrates Empty-Array Revocations From File Config

Telnyx Webhook Replay Detection Bypass via Base64 Signature Re-encoding

Telegram legacy allowFrom migration fans default-account trust into all named accounts

Telegram audio preflight transcription enables resource consumption by unauthorized senders

Telegram audio preflight transcription enables resource consumption by unauthorized senders

Media Local Roots Self-Whitelisting in appendLocalMediaParentRoots Allows Model-Initiated Arbitrary Host File Read and Credential Exfiltration

Sandbox file operations use check-then-act, bypassing fd-based TOCTOU defenses

Sandbox escape via TOCTOU race in remote FS bridge readFile

Sandbox escape via TOCTOU race in remote FS bridge readFile

Path traversal via inbound channel attachment path in ACP dispatch allows arbitrary file read

Paired node escalates to gateway RCE via unrestricted node.event agent dispatch

OpenShell Mirror Sync: Sandbox Escape via Unrestricted File Sync + Symlink Traversal

Node browser proxy allowProfiles bypass through persistent profile mutation and runtime profile selection

MS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion

OpenClaw <= 2026.3.24 Media Parsing Path Traversal to Arbitrary File Read

Media download follows cross-origin redirects with Authorization headers intact

macOS Wide-Area Discovery Accepts Arbitrary Tailnet Peer as DNS Authority and Exfiltrates Operator Credentials

Incomplete scope-clearing fix allows operator.admin escalation via trusted-proxy auth mode

Incomplete host-env-security-policy.json allows untrusted model to substitute compiler binaries (CC, CXX, CARGO_BUILD_RUSTC, CMAKE_C_COMPILER) via env overrides on approved host exec requests

Image pixel-limit guard can fail open on sips and allow decompression-bomb DoS

HTTP operator endpoints lack browser-origin validation in trusted-proxy mode

Host exec environment sanitization misses package, registry, Docker, compiler, and TLS override variables

Host exec environment overrides miss proxy, TLS, Docker, and Git TLS controls

Host exec environment overrides miss proxy, TLS, Docker, and Git TLS controls

Gateway device.token.rotate does not terminate active WebSocket sessions after credential rotation

Fake DeviceToken Bypasses Shared Auth Rate Limiting

Remote onboarding preserves attacker-discovered endpoint after trust decline, routing gateway credentials to it

Remote onboarding preserves attacker-discovered endpoint after trust decline, routing gateway credentials to it

Discord voice manager bypasses channel-level member access allowlist

Discord voice ingress authorization can be bypassed via channel, name, and stale-role validation gaps

Discord Slash Commands Bypass Group DM Channel Allowlist

Discord Component Interaction Misclassifies Group DM as Direct Message

diffs viewer misclassifies proxied remote requests as loopback when allowRemoteViewer is disabled

Device-Paired Node Skips Node Scope Gate → Host RCE.md

Agentic Consent Bypass: LLM Agent Can Silently Disable Exec Approval via config.patch

Discord audio preflight transcription before member authorization

OpenClaw Gateway Control Interface Information Disclosure Vulnerability

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-9jpj-g8vv-j5mf. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier, defeating PKCE protection and enabling token redemption.

Zalo webhook replay cache cross-target messageId scope bypass

Workspace .env can override the bundled hooks root and load attacker hook code

Voice-call Plivo replay mutates in-process callback origin before replay rejection

Unauthenticated plugin-auth HTTP routes receive operator runtime scopes

SSRF via Unguarded fetch() in Marketplace Plugin Download and Ollama Model Discovery

SSRF via Unguarded fetch() in Marketplace Plugin Download and Ollama Model Discovery

SSH-based sandbox backends pass unsanitized process.env to child processes

SSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host

Security Scan Failure Does Not Block Plugin Installation (Fail-Open)

PIP_INDEX_URL and UV_INDEX_URL bypass host exec env sanitization and redirect Python package-index traffic

MSTeams thread history bypasses sender allowlist via Graph API

Matrix thread root and reply context bypass sender allowlist

LINE webhook handler lacks shared pre-auth concurrency budget before signature verification

Heartbeat context inheritance bypasses sandbox via senderIsOwner escalation

Heartbeat context inheritance bypasses sandbox via senderIsOwner escalation

Feishu thread history and quoted messages bypass sender allowlist

OpenClaw Nostr privateKey config redaction bypass leaks plaintext signing key via config.get

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-fvx6-pj3r-5q4q. This link is maintained to preserve external references. Original Description OpenClaw versions prior to commit 8aceaf5 contain a preflight validation bypass vulnerability in shell-bleed protection that allows attackers to execute blocked script content by using piped or complex command forms that the parser fails to recognize. Attackers can craft commands such as piped execution, command substitution, …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-h3x4-hc5v-v2gm. This link is maintained to preserve external references. Original Description OpenClaw versions prior to commit b57b680 contain an approval bypass vulnerability due to inconsistent environment variable normalization between approval and execution paths, allowing attackers to inject attacker-controlled environment variables into execution without approval system validation. Attackers can exploit differing normalization logic to discard non-portable keys during …

The node pairing approval path did not consistently enforce that the approving caller already held every scope requested by the node.

When only a route-level group allowlist was configured, sender policy resolution silently downgraded from allowlist to open instead of preserving the configured group policy.

OpenClaw loaded the current working directory .env before trusted state-dir configuration, allowing untrusted workspace state to inject host environment values.

OpenClaw loaded the current working directory .env before trusted state-dir configuration, allowing untrusted workspace state to inject host environment values.

Allow-always persistence could trust wrapper carrier executables instead of the actual invoked target when commands were routed through dispatch wrappers.

The chat.send path reused command authorization to trigger /reset session rotation even though direct session reset is an admin-only control-plane operation.

The fal provider used raw fetches for both provider API traffic and returned image download URLs instead of the existing SSRF-guarded fetch path.

The fal provider used raw fetches for both provider API traffic and returned image download URLs instead of the existing SSRF-guarded fetch path.

Nextcloud Talk webhook signature failures were not throttled even though the integration relies on an operator-configured shared secret that may be weak.

Nextcloud Talk webhook signature failures were not throttled even though the integration relies on an operator-configured shared secret that may be weak.

The message tool accepted mediaUrl and fileUrl aliases without applying the same sandbox localRoots validation as the canonical media path handling.

Host exec env override sanitization did not fail closed for several package-manager and related redirect variables that can steer dependency fetches or startup behavior.

Discord button and component interaction ingress did not consistently reapply the same guild and channel policy gates used for normal inbound messages.

Removing a device or revoking its token updated stored credentials but did not disconnect already-authenticated WebSocket sessions.

The Zalo image path fetched and stored inbound media before the DM/pairing authorization checks ran.

Plivo V3 signature verification canonicalized query ordering, but replay detection hashed the raw verification URL. Reordering query parameters preserved a valid signature while producing a fresh replay-cache key.

The gateway accepted unbounded concurrent unauthenticated WebSocket upgrades before allocating them to an authenticated session budget.

ACP-only provenance fields in chat.send were gated by self-declared client metadata from the WebSocket handshake rather than verified authorization state.

ACP-only provenance fields in chat.send were gated by self-declared client metadata from the WebSocket handshake rather than verified authorization state.

The chat.send path let authorized write-scoped callers persist /verbose session overrides even though the same stored session mutation is admin-only through sessions.patch.

Feishu upload path resolution could read files outside the configured localRoots sandbox before handing them to the upload path.

Discord text approval commands resolved pending exec approvals without honoring the configured approver allowlist.

Discord text approval commands resolved pending exec approvals without honoring the configured approver allowlist.

Remote onboarding accepted discovered gateway endpoints without an explicit trust confirmation before persisting the remote URL and connection details.

The /pair approve command path called device approval without forwarding caller scopes into the core approval check.

The /pair approve command path called device approval without forwarding caller scopes into the core approval check.

The SSRF/IP classifier treated several IPv6 special-use ranges as public and allowed fetches to proceed.

The jq safe-bin policy blocked explicit env usage but still allowed jq programs that accessed environment data through $ENV.

Host execution env sanitization did not block GIT_TEMPLATE_DIR or AWS_CONFIG_FILE, even though both can redirect trusted tooling to attacker-controlled content.

Allow-always persistence did not unwrap /usr/bin/script and similar wrappers to the actual executed target before storing trust decisions.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-8g75-q649-6pv6. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.8 contains an approval bypass vulnerability in system.run where mutable script operands are not bound across approval and execution phases. Attackers can obtain approval for script execution, modify the approved script file before execution, and execute different content while maintaining the same approved command …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-9528-x887-j2fp. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication that allows attackers to brute-force weak shared secrets. Attackers who can reach the webhook endpoint can exploit this to forge inbound webhook events by repeatedly attempting authentication without throttling.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-g7cr-9h7q-4qxq. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message handler synthesizes wildcard sender authorization, permitting any sender in …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-v8wv-jg3q-qwpq. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows attackers to read arbitrary local files by using mediaUrl and fileUrl alias parameters that bypass localRoots validation. Remote attackers can exploit this by routing file requests through unvalidated alias parameters to access …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-2pr2-hcv6-7gwv. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-5m9r-p9g7-679c. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to bypass rate limits and brute-force webhook secrets. Attackers can submit repeated authentication requests with invalid secrets without triggering rate limit responses, enabling systematic secret guessing and subsequent forged webhook submission.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-99qw-6mr3-36qr. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.12 automatically discovers and loads plugins from .OpenClaw/extensions/ without explicit trust verification, allowing arbitrary code execution. Attackers can execute malicious code by including crafted workspace plugins in cloned repositories that execute when users run OpenClaw from the directory.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-qvr7-g57c-mrc7. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.11 contains a credential fallback vulnerability where unavailable local gateway.auth.token and gateway.auth.password SecretRefs are treated as unset, allowing fallback to remote credentials in local mode. Attackers can exploit misconfigured local auth references to cause CLI and helper paths to select incorrect credential sources, potentially …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xvx8-77m6-gwg6. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in the fs-bridge writeFile commit step that uses an unanchored container path during the final move operation. An attacker can exploit a time-of-check-time-of-use race condition by modifying parent paths inside the sandbox to redirect committed files outside …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xw77-45gv-p728. This link is maintained to preserve external references. Original Description OpenClaw versions 2026.3.7 before 2026.3.11 contain an authorization bypass vulnerability where plugin subagent routes execute gateway methods through a synthetic operator client with broad administrative scopes. Remote unauthenticated requests to plugin-owned routes can invoke runtime.subagent methods to perform privileged gateway actions including session deletion and agent …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rw39-5899-8mxp. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.11 contains an approval-integrity vulnerability in node-host system.run approvals that displays extracted shell payloads instead of the executed argv. Attackers can place wrapper binaries and induce wrapper-shaped commands to execute local code after operators approve misleading command text.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hc5h-pmr3-3497. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forward caller scopes into the core approval check. A caller with pairing privileges but without admin privileges can approve pending device requests asking for broader scopes including admin access …

Duplicate Advisory This advisory has been withdrawn because CVE-2026-34508 has been rejected as a duplicate of CVE-2026-34505. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.12 applies rate limiting only after webhook authentication succeeds, allowing attackers to bypass rate limits and brute-force webhook secrets without triggering 429 responses. Attackers can repeatedly guess invalid secrets to discover valid credentials and subsequently submit forged Zalo webhook traffic.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-qxgf-hmcj-3xw3. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.28 contains a server-side request forgery vulnerability in the fal provider image-generation-provider.ts component that allows attackers to fetch internal URLs. A malicious or compromised fal relay can exploit unguarded image download fetches to expose internal service metadata and responses through the image pipeline.

Fixed in OpenClaw 2026.3.24, the current shipping release. Title Non-owner command-authorized sender can change the owner-only /send session delivery policy CWE CWE-285 Improper Authorization CVSS v3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L Base score: 5.4 (Medium) Severity Assessment Medium. This is a real owner-only authorization bypass, but the demonstrated impact is limited to persistent mutation of the current session’s delivery policy rather than direct code execution, sandbox escape, or cross-host compromise. Impact A non-owner sender …

Fixed in OpenClaw 2026.3.24, the current shipping release. Title Non-owner command-authorized sender can change the owner-only /send session delivery policy CWE CWE-285 Improper Authorization CVSS v3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L Base score: 5.4 (Medium) Severity Assessment Medium. This is a real owner-only authorization bypass, but the demonstrated impact is limited to persistent mutation of the current session’s delivery policy rather than direct code execution, sandbox escape, or cross-host compromise. Impact A non-owner sender …

Fixed in OpenClaw 2026.3.24, the current shipping release. Title Mutating internal /allowlist chat commands missed operator.admin scope enforcement CWE CWE-862 Missing Authorization CVSS v3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Base score: 6.5 (Medium) Severity Assessment Medium. This is a real authorization flaw in OpenClaw’s internal control plane. The issue does not require host access, trusted local state tampering, or multi-tenant assumptions, but exploitation does require an already authenticated internal Gateway caller with operator.write. Impact …

The shared /allowlist command persists channel authorization config through writeConfigFile(…) but does not re-validate gateway client scopes for internal gateway callers. Because chat.send is intentionally reachable to operator.write callers and still creates a generic command-authorized internal context, an authenticated write-scoped gateway client can indirectly mutate channel allowFrom and groupAllowFrom policy that direct config.patch correctly reserves to operator.admin. This is not just a generic code smell. The current code already shows …

The shared /allowlist command persists channel authorization config through writeConfigFile(…) but does not re-validate gateway client scopes for internal gateway callers. Because chat.send is intentionally reachable to operator.write callers and still creates a generic command-authorized internal context, an authenticated write-scoped gateway client can indirectly mutate channel allowFrom and groupAllowFrom policy that direct config.patch correctly reserves to operator.admin. This is not just a generic code smell. The current code already shows …

Fixed in OpenClaw 2026.3.24, the current shipping release.

Fixed in OpenClaw 2026.3.24, the current shipping release.

A path traversal vulnerability in the agent sandbox enforcement allows a sandboxed agent to read arbitrary files from other agents' workspaces by using the mediaUrl or fileUrl parameter key in message tool calls. The normalizeSandboxMediaParams function only checks ["media", "path", "filePath"] keys, while mediaUrl and fileUrl escape normalization entirely. Combined with handlePluginAction dropping mediaLocalRoots from the dispatch context, this enables a full sandbox escape where any agent can read files …

A path traversal vulnerability in the agent sandbox enforcement allows a sandboxed agent to read arbitrary files from other agents' workspaces by using the mediaUrl or fileUrl parameter key in message tool calls. The normalizeSandboxMediaParams function only checks ["media", "path", "filePath"] keys, while mediaUrl and fileUrl escape normalization entirely. Combined with handlePluginAction dropping mediaLocalRoots from the dispatch context, this enables a full sandbox escape where any agent can read files …

The patch for CVE-2026-32011 tightened pre-auth body parsing limits (from 1MB/30s to 64KB/5s) across several webhook handlers. However, the Feishu extension's webhook handler was not included in the patch and still accepts request bodies with the old permissive limits (1MB body, 30-second timeout) before verifying the webhook signature. An unauthenticated attacker can exhaust server connection resources by sending concurrent slow HTTP POST requests to the Feishu webhook endpoint.

The patch for CVE-2026-32011 tightened pre-auth body parsing limits (from 1MB/30s to 64KB/5s) across several webhook handlers. However, the Feishu extension's webhook handler was not included in the patch and still accepts request bodies with the old permissive limits (1MB body, 30-second timeout) before verifying the webhook signature. An unauthenticated attacker can exhaust server connection resources by sending concurrent slow HTTP POST requests to the Feishu webhook endpoint.

The !stop (and /bash stop) chat command kills background bash processes using SIGKILL directly, without first sending SIGTERM to allow graceful shutdown. This is because bash-command.ts imports killProcessTree() from src/agents/shell-utils.ts, which still contains the pre-CVE-2026-27486 aggressive kill logic, rather than from the patched src/process/kill-tree.ts.

The !stop (and /bash stop) chat command kills background bash processes using SIGKILL directly, without first sending SIGTERM to allow graceful shutdown. This is because bash-command.ts imports killProcessTree() from src/agents/shell-utils.ts, which still contains the pre-CVE-2026-27486 aggressive kill logic, rather than from the patched src/process/kill-tree.ts.

During the installation phase of OpenClaw local plugins/hooks, the Git executable can be hijacked by a project-level .npmrc file, leading to arbitrary code execution during installation.

During the installation phase of OpenClaw local plugins/hooks, the Git executable can be hijacked by a project-level .npmrc file, leading to arbitrary code execution during installation.

The OpenAI-compatible HTTP endpoint /v1/models accepts bearer auth but does not enforce operator method scopes. In contrast, the WebSocket RPC path enforces operator.read for models.list. A caller connected with operator.approvals (no read scope) is rejected for models.list (missing scope: operator.read) but can still enumerate model metadata through HTTP /v1/models. Confirmed on current main at commit 06de515b6c42816b62ec752e1c221cab67b38501.

The OpenAI-compatible HTTP endpoint /v1/models accepts bearer auth but does not enforce operator method scopes. In contrast, the WebSocket RPC path enforces operator.read for models.list. A caller connected with operator.approvals (no read scope) is rejected for models.list (missing scope: operator.read) but can still enumerate model metadata through HTTP /v1/models. Confirmed on current main at commit 06de515b6c42816b62ec752e1c221cab67b38501.

Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State

Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State

Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Weak Webhook Token

Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Weak Webhook Token

SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476)

SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476)

MS Teams Feedback Invoke Bypasses Sender Allowlists and Records Unauthorized Session Feedback

MS Teams Feedback Invoke Bypasses Sender Allowlists and Records Unauthorized Session Feedback

Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName

Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName

Gateway Plugin Subagent Fallback deleteSession Uses Synthetic operator.admin

Gateway Plugin Subagent Fallback deleteSession Uses Synthetic operator.admin

Gateway HTTP Session History Route Bypasses Operator Read Scope

Gateway HTTP Session History Route Bypasses Operator Read Scope

Feishu webhook reads and parses unauthenticated request bodies before signature validation

Feishu webhook reads and parses unauthenticated request bodies before signature validation

Feishu Raw card Send Surface Can Mint Legacy Card Callbacks That Bypass DM Pairing

Feishu Raw card Send Surface Can Mint Legacy Card Callbacks That Bypass DM Pairing

session_status sessionId resolution bypasses sandboxed session-tree visibility

ACP CLI approval prompt ANSI escape sequence injection

ACP CLI approval prompt ANSI escape sequence injection

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-vhwf-4x96-vqx2. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.8 contains a path traversal vulnerability in the skills download installer that validates the tools root lexically but reuses the mutable path during archive download and copy operations. A local attacker can rebind the tools-root path between validation and final write to redirect the …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-qc36-x95h-7j53. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.11 contains an approval integrity vulnerability where system.run approvals fail to bind mutable file operands for certain script runners like tsx and jiti. Attackers can obtain approval for benign script commands, rewrite referenced scripts on disk, and execute modified code under the approved run …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xf99-j42q-5w5p. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.11 contains an approval integrity vulnerability allowing attackers to execute rewritten local code by modifying scripts between approval and execution when exact file binding cannot occur. Remote attackers can change approved local scripts before execution to achieve unintended code execution as the OpenClaw runtime …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-g353-mgv3-8pcj. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.12 contains an authentication bypass vulnerability in Feishu webhook mode when only verificationToken is configured without encryptKey, allowing acceptance of forged events. Unauthenticated network attackers can inject forged Feishu events and trigger downstream tool execution by reaching the webhook endpoint.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-jq3f-vjww-8rq7. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.13 reads and buffers Telegram webhook request bodies before validating the x-telegram-bot-api-secret-token header, allowing unauthenticated attackers to exhaust server resources. Attackers can send POST requests to the webhook endpoint to force memory consumption, socket time, and JSON parsing work before authentication validation occurs.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-vr7j-g7jv-h5mp. This link is maintained to preserve external references. Original Description OpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local users to read transcript contents. Attackers with local access can read transcript files to extract sensitive information including secrets from tool output.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-wcxr-59v9-rxr8. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.11 contains a session sandbox escape vulnerability in the session_status tool that allows sandboxed subagents to access parent or sibling session state. Attackers can supply arbitrary sessionKey values to read or modify session data outside their sandbox scope, including persisted model overrides.

Telegram Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Secret

Telegram Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Secret

Gateway local shared-auth reconnect silently widens paired device scope from operator.read to operator.admin and reach node RCE

Matrix Verification Notices Bypass Matrix DM Policy and Reply to Unpaired DM Peers

Matrix Verification Notices Bypass Matrix DM Policy and Reply to Unpaired DM Peers

Gateway Plugin HTTP auth: "gateway" Mints operator.admin Runtime Scope

Gateway Plugin HTTP auth: "gateway" Mints operator.admin Runtime Scope

Gateway HTTP /sessions/:sessionKey/kill Reaches Admin Kill Path Without Caller Scope Binding.

Gateway Backend Reconnect lets Non-Admin Operator Scopes Self-Claim operator.admin

Gateway Backend Reconnect lets Non-Admin Operator Scopes Self-Claim operator.admin

BlueBubbles Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Password

BlueBubbles Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Password

BlueBubbles Group Reactions Bypass requireMention and Still Enqueue Agent-Visible System Events

Trusted-proxy Control UI sessions without device identity could retain self-declared privileged scopes on the device-less allow path.

Allow-always exec approvals did not unwrap /usr/bin/time, so an unregistered time wrapper could bypass executable binding and reuse approval state for the inner command.

Allow-always exec approvals did not unwrap /usr/bin/time, so an unregistered time wrapper could bypass executable binding and reuse approval state for the inner command.

Mutating internal ACP chat commands missed the operator.admin gate that should separate read-only and mutating control-plane actions.

ACP permission resolution trusted conflicting tool identity hints from rawInput and metadata, which could suppress dangerous-tool prompting.

ACP permission resolution trusted conflicting tool identity hints from rawInput and metadata, which could suppress dangerous-tool prompting.

Windows local-media handling accepted remote-host file URLs and UNC-style paths before local-path validation, so network-hosted file targets could be treated as local content.

Windows local-media handling accepted remote-host file URLs and UNC-style paths before local-path validation, so network-hosted file targets could be treated as local content.

Tlon settings reconciliation treated explicit empty allowlists as unset, which could silently undo an intended deny-all revocation.

Tlon settings reconciliation treated explicit empty allowlists as unset, which could silently undo an intended deny-all revocation.

Tlon cite expansion happened before channel and DM authorization completed, allowing cite work and content handling before the final auth decision.

Tlon cite expansion happened before channel and DM authorization completed, allowing cite work and content handling before the final auth decision.

Synology Chat reply delivery could rebind to a mutable username match instead of the stable numeric user_id recorded by the webhook event.

Synology Chat reply delivery could rebind to a mutable username match instead of the stable numeric user_id recorded by the webhook event.

The patch for CVE-2026-32013 introduced symlink resolution and workspace boundary enforcement for agents.files.get and agents.files.set. However, two other handlers in the same file (agents.create and agents.update) still use raw fs.appendFile on the IDENTITY.md file without any symlink containment check. An attacker who can place a symlink in the agent workspace can hijack the IDENTITY.md path to append attacker-controlled content to arbitrary files on the system.

The patch for CVE-2026-32013 introduced symlink resolution and workspace boundary enforcement for agents.files.get and agents.files.set. However, two other handlers in the same file (agents.create and agents.update) still use raw fs.appendFile on the IDENTITY.md file without any symlink containment check. An attacker who can place a symlink in the agent workspace can hijack the IDENTITY.md path to append attacker-controlled content to arbitrary files on the system.

Remote media HTTP error bodies were read without a hard size cap before failure handling, allowing unbounded allocation on error responses.

Remote media HTTP error bodies were read without a hard size cap before failure handling, allowing unbounded allocation on error responses.

Before v2026.3.23, the Plivo V2 verification path treated query-only variants of the same signed request as fresh verified work. Plivo V2 signatures authenticate baseUrl + nonce, but the replay key was derived from the full verification URL including the query string, so unsigned query-only changes minted a new verifiedRequestKey.

Before v2026.3.23, the Plivo V2 verification path treated query-only variants of the same signed request as fresh verified work. Plivo V2 signatures authenticate baseUrl + nonce, but the replay key was derived from the full verification URL including the query string, so unsigned query-only changes minted a new verifiedRequestKey.

Nostr inbound DM handling could perform crypto and dispatch work before sender and pairing policy enforcement, enabling unauthorized pre-auth computation.

Nostr inbound DM handling could perform crypto and dispatch work before sender and pairing policy enforcement, enabling unauthorized pre-auth computation.

Nextcloud Talk room authorization matched on collidable room names instead of the stable room token, allowing policy confusion across similarly named rooms.

Nextcloud Talk room authorization matched on collidable room names instead of the stable room token, allowing policy confusion across similarly named rooms.

Mattermost interactive callback dispatch could run action handlers before normal sender authorization checks completed.

Mattermost interactive callback dispatch could run action handlers before normal sender authorization checks completed.

The image tool did not fully honor the tools.fs.workspaceOnly filesystem boundary. In affected releases, image-path resolution could still traverse sandbox bridge mounts outside the workspace and read files from mounted directories that the other file tools would reject.

The image tool did not fully honor the tools.fs.workspaceOnly filesystem boundary. In affected releases, image-path resolution could still traverse sandbox bridge mounts outside the workspace and read files from mounted directories that the other file tools would reject.

Google Chat app-url webhook verification accepted add-on principals outside the intended deployment binding.

Google Chat app-url webhook verification accepted add-on principals outside the intended deployment binding.

Before v2026.3.23, Canvas and A2UI loopback requests could bypass Canvas bearer-or-capability authentication because authorizeCanvasRequest(…) treated isLocalDirectRequest(…) as an unconditional allow path.

Before v2026.3.23, Canvas and A2UI loopback requests could bypass Canvas bearer-or-capability authentication because authorizeCanvasRequest(…) treated isLocalDirectRequest(…) as an unconditional allow path.

Before v2026.3.23, the Gateway agent RPC accepted /reset and /new for callers with only operator.write, even though the direct sessions.reset RPC correctly requires operator.admin.

Before v2026.3.23, the Gateway agent RPC accepted /reset and /new for callers with only operator.write, even though the direct sessions.reset RPC correctly requires operator.admin.

When gateway.trustedProxies was configured, spoofed loopback hops in forwarding headers could be accepted as the client origin and weaken downstream auth and rate-limit decisions.

When gateway.trustedProxies was configured, spoofed loopback hops in forwarding headers could be accepted as the client origin and weaken downstream auth and rate-limit decisions.

Bonjour and DNS-SD TXT metadata could still steer CLI routing even when actual service resolution failed, allowing unresolved hints to influence the chosen target.

Bonjour and DNS-SD TXT metadata could still steer CLI routing even when actual service resolution failed, allowing unresolved hints to influence the chosen target.

Android Canvas WebView pages from untrusted origins could invoke the JavascriptInterface bridge and inject instructions into the app.

Android Canvas WebView pages from untrusted origins could invoke the JavascriptInterface bridge and inject instructions into the app.

Queued node actions were not revalidated against current command policy when later delivered, so stale allowlists or declarations could survive policy tightening.

Queued node actions were not revalidated against current command policy when later delivered, so stale allowlists or declarations could survive policy tightening.

Leaf subagents could still use the send action to message controlled child sessions even when their controlScope was narrower than children.

Leaf subagents could still use the send action to message controlled child sessions even when their controlScope was narrower than children.

Voice Call webhook handling buffered request bodies before provider signature checks, enabling bounded unauthenticated resource exhaustion.

Voice Call webhook handling buffered request bodies before provider signature checks, enabling bounded unauthenticated resource exhaustion.

OpenClaw through 2026.3.23 (fixed in commit 4797bbc) contains a path traversal vulnerability in media parsing that allows attackers to read arbitrary files by bypassing path validation in the isLikelyLocalPath() and isValidMedia() functions. Attackers can exploit incomplete validation and the allowBareFilename bypass to reference files outside the intended application sandbox, resulting in disclosure of sensitive information including system files, environment files, and SSH keys.

Gateway host exec env override handling did not consistently apply the shared host environment policy, so blocked or malformed override keys could slip through inconsistent sanitization paths.

Gateway host exec env override handling did not consistently apply the shared host environment policy, so blocked or malformed override keys could slip through inconsistent sanitization paths.

device.pair.approve allowed an operator.pairing approver to approve a pending device request for broader operator scopes than the approver actually held.

device.pair.approve allowed an operator.pairing approver to approve a pending device request for broader operator scopes than the approver actually held.

Read-scoped gateway snapshots could expose credentials embedded in channel baseUrl and related endpoint fields.

Synology Chat multi-account configuration could collapse onto a shared webhook path, replacing route ownership and bypassing per-account DM policy separation.

Synology Chat multi-account configuration could collapse onto a shared webhook path, replacing route ownership and bypassing per-account DM policy separation.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-vqx8-9xxw-f2m7. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication where normalized event IDs are randomized per parse, allowing replay events to bypass manager dedupe checks. Attackers can replay Twilio webhook events to trigger duplicate or stale call-state transitions, potentially causing incorrect call …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-6rcp-vxwf-3mfp. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability in the system.run shell-wrapper that allows attackers to execute hidden commands by injecting positional argv carriers after inline shell payloads. Attackers can craft misleading approval text while executing arbitrary commands through trailing positional arguments that bypass …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-mwcg-wfq3-4gjc. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.25 contain a time-of-check-time-of-use vulnerability in approval-bound system.run execution where the cwd parameter is validated at approval time but resolved at execution time. Attackers can retarget a symlinked cwd between approval and execution to bypass command execution restrictions and execute arbitrary commands …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rm2p-j3r7-4x4j]. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.25 fail to consistently apply sender-policy checks to reaction_* and pin_* non-message events before adding them to system-event context. Attackers can bypass configured DM policies and channel user allowlists to inject unauthorized reaction and pin events from restricted senders.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-792q-qw95-f446. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.25 contain an access control vulnerability in signal reaction notification handling that allows unauthorized senders to enqueue status events before authorization checks are applied. Attackers can exploit the reaction-only event path in event-handler.ts to queue signal reaction status lines for sessions without …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xgf2-vxv2-rrmg. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and ZDOTDIR in the system.run function, allowing attackers to bypass command allowlist protections. Remote attackers can inject malicious startup files such as .bash_profile or .zshenv to achieve arbitrary code execution before allowlist-evaluated commands …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-p7gr-f84w-hqg5. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.3.1 fail to enforce sandbox inheritance during cross-agent sessions_spawn operations, allowing sandboxed sessions to create child processes under unsandboxed agents. An attacker with a sandboxed session can exploit this to spawn child runtimes with sandbox.mode set to off, bypassing runtime confinement restrictions.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rxxp-482v-7mrh. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.22 fail to consistently enforce configured inbound media byte limits before buffering remote media across multiple channel ingestion paths. Remote attackers can send oversized media payloads to trigger elevated memory usage and potential process instability.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hff7-ccv5-52f8. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.21 incorrectly apply tokenless Tailscale header authentication to HTTP gateway routes, allowing bypass of token and password requirements. Attackers on trusted networks can exploit this misconfiguration to access HTTP gateway routes without proper authentication credentials.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-25gx-x37c-7pph. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.21 sandbox browser entrypoint launches x11vnc without authentication for noVNC observer sessions, allowing unauthenticated access to the VNC interface. Remote attackers on the host loopback interface can connect to the exposed noVNC port to observe or interact with the sandbox browser without …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-mgrq-9f93-wpp5. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.26 contain a path traversal vulnerability in workspace boundary validation that allows attackers to write files outside the workspace through in-workspace symlinks pointing to non-existent out-of-root targets. The vulnerability exists because the boundary check improperly resolves aliases, permitting the first write operation …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hwpq-rrpf-pgcq. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.25 contain an approval-integrity bypass vulnerability in system.run where rendered command text is used as approval identity while trimming argv token whitespace, but runtime execution uses raw argv. An attacker can craft a trailing-space executable token to execute a different binary than …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-v8cg-4474-49v8. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.26 fail to enforce sender authorization in member and message subtype system event handlers, allowing unauthorized events to be enqueued. Attackers can bypass Slack DM allowlists and per-channel user allowlists by sending system events from non-allowlisted senders through message_changed, message_deleted, and thread_broadcast …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-5mx2-2mgw-x8rm. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.21 BlueBubbles webhook handler contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local routing configurations. Attackers can bypass webhook authentication by exploiting the loopback/proxy heuristics to send unauthenticated webhook events to the BlueBubbles plugin.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-v6x2-2qvm-6gv8. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.22 reuse gateway.auth.token as a fallback hash secret for owner-ID prompt obfuscation when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is unset, creating dual-use of authentication secrets across security domains. Attackers with access to system prompts sent to third-party model providers can …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hjvp-qhm6-wrh2. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness in system.run execution flows with host=node that allows reuse of previously approved requests with modified environment variables. Attackers with access to an approval id can exploit this by reusing an approval with changed env input, bypassing …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-36h3-7c54-j27r. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in browser trace and download output path handling that allows local attackers to escape the managed temp root directory. An attacker with local access can create symlinks to route file writes outside the intended temp directory, …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-43x4-g22p-3hrq. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.21 contain an improper sandbox configuration vulnerability that allows attackers to execute arbitrary code by exploiting renderer-side vulnerabilities without requiring a sandbox escape. Attackers can leverage the disabled OS-level sandbox protections in the Chromium browser container to achieve code execution on the …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-vvgp-4c28-m3jm. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.25 contain an authentication bypass vulnerability in the trusted-proxy Control UI pairing mechanism that accepts client.id=control-ui without proper device identity verification. An authenticated node role websocket client can exploit this by using the control-ui client identifier to skip pairing requirements and gain …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-7jx5-9fjg-hp4m. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerability in the ACP client that auto-approves tool calls based on untrusted toolCall.kind metadata and permissive name heuristics. Attackers can bypass interactive approval prompts for read-class operations by spoofing tool metadata or using non-core read-like names to …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rqpp-rjj8-7wv8. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.3.12 contain an authorization bypass vulnerability in the WebSocket connect path that allows shared-token or password-authenticated connections to self-declare elevated scopes without server-side binding. Attackers can exploit this logic flaw to present unauthorized scopes such as operator.admin and perform admin-only gateway operations.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-g99v-8hwm-g76g. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.3.1 contain a server-side request forgery vulnerability in web_search citation redirect resolution that uses a private-network-allowing SSRF policy. An attacker who can influence citation redirect targets can trigger internal-network requests from the OpenClaw host to loopback, private, or internal destinations.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-gw85-xp4q-5gp9. This link is maintained to preserve external references. Original Description OpenClaw versions 2026.2.22 and 2026.2.23 contain an authorization bypass vulnerability in the synology-chat channel plugin where dmPolicy set to allowlist with empty allowedUserIds fails open. Attackers with Synology sender access can bypass authorization checks and trigger unauthorized agent dispatch and downstream tool actions.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-wm8r-w8pf-2v6w. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where Signal group allowlist policy incorrectly accepts sender identities from DM pairing-store approvals. Attackers can exploit this boundary weakness by obtaining DM pairing approval to bypass group allowlist checks and gain unauthorized group access.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-4685-c5cp-vp95. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.19 tools.exec.safeBins contains an input validation bypass vulnerability that allows attackers to execute unintended filesystem operations through sort output flags or recursive grep flags. Attackers with command execution access can leverage sort -o flag for arbitrary file writes or grep -R flag …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-9868-vxmx-w862. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run that allows attackers to execute non-allowlisted commands by splitting command substitution using shell line-continuation characters. Attackers can bypass security analysis by injecting $\ followed by a newline and opening parenthesis inside double quotes, causing …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-h3rm-6x7g-882f. This link is maintained to preserve external references. Original Description OpenClaw 2026.3.1 contains an approval integrity vulnerability in system.run node-host execution where argv rewriting changes command semantics. Attackers can place malicious local scripts in the working directory to execute unintended code despite operator approval of different command text.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-r9q5-c7qc-p26w. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.25 lack durable replay state for Nextcloud Talk webhook events, allowing valid signed webhook requests to be replayed without suppression. Attackers can capture and replay previously valid signed webhook requests to trigger duplicate inbound message processing and cause integrity or availability issues.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-6j27-pc5c-m8w8. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in allow-always wrapper persistence that allows attackers to bypass approval checks by persisting wrapper-level allowlist entries instead of validating inner executable intent. Remote attackers can approve benign wrapped system.run commands and subsequently execute different payloads without …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-7fcc-cw49-xm78. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension tool execution that uses Windows shell fallback with shell: true after spawn failures. Attackers can inject shell metacharacters in command arguments to execute arbitrary commands when subprocess launch fails with EINVAL or …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-q399-23r3-hfx4. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.3.1 fail to pin executable identity for non-path-like argv[0] tokens in system.run approvals, allowing post-approval executable rebind attacks. Attackers can modify PATH resolution after approval to execute a different binary than the operator approved, enabling arbitrary command execution.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-cfvj-7rx7-fc7c. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.3.2 contain a vulnerability in the stageSandboxMedia function in which it fails to validate destination symlinks during media staging, allowing writes to follow symlinks outside the sandbox workspace. Attackers can exploit this by placing symlinks in the media/inbound directory to overwrite arbitrary …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-mqr9-vqhq-3jxw. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.19 contain a local command injection vulnerability in Windows scheduled task script generation due to unsafe handling of cmd metacharacters and expansion-sensitive characters in gateway.cmd files. Local attackers with control over service script generation arguments can inject arbitrary commands by providing metacharacter-only …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-5f9p-f3w2-fwch. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.22 contain an allowlist parsing mismatch vulnerability in the macOS companion app that allows authenticated operators to bypass exec approval checks. Attackers with operator.write privileges and a paired macOS beta node can craft shell-chain payloads that pass incomplete allowlist validation and execute …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-fg3m-vhrr-8gj6. This link is maintained to preserve external references. Original Description OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism that allows attackers to inject arbitrary commands through tool-provided arguments. When spawn failures trigger shell fallback with shell: true, attackers can exploit cmd.exe command interpretation to execute …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-jj82-76v6-933r. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run exec analysis that fails to unwrap env and shell-dispatch wrapper chains. Attackers can route execution through wrapper binaries like env bash to smuggle payloads that satisfy allowlist entries while executing non-allowlisted commands.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-pj5x-38rw-6fph. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.19 contain a command injection vulnerability in Windows Scheduled Task script generation where environment variables are written to gateway.cmd using unquoted set KEY=VALUE assignments, allowing shell metacharacters to break out of assignment context. Attackers can inject arbitrary commands through environment variable values …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-48wf-g7cp-gr3m. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.23 contain an allowlist bypass vulnerability in system.run guardrails that allows authenticated operators to execute unintended commands. When /usr/bin/env is allowlisted, attackers can use env -S to bypass policy analysis and execute shell wrapper payloads at runtime.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-6f6j-wx9w-ff4j. This link is maintained to preserve external references. Original Description OpenClaw versions 2026.2.26 prior to 2026.3.1 on Windows contain a current working directory injection vulnerability in wrapper resolution for .cmd/.bat files that allows attackers to influence execution behavior through cwd manipulation. Remote attackers can exploit improper shell execution fallback mechanisms to achieve command execution integrity loss …

openclaw versions <= 2026.3.12 accepted unsanitized iMessage remote attachment paths when staging files over SCP, allowing shell metacharacters in the remote path operand.

openclaw versions <= 2026.3.12 read and buffered Telegram webhook request bodies before validating x-telegram-bot-api-secret-token. This let unauthenticated callers force up to the configured webhook body limit of pre-auth body I/O and JSON parse work per request.

openclaw versions <= 2026.3.12 read and buffered Telegram webhook request bodies before validating x-telegram-bot-api-secret-token. This let unauthenticated callers force up to the configured webhook body limit of pre-auth body I/O and JSON parse work per request.

openclaw versions <= 2026.3.12 could include raw Telegram bot tokens in media fetch error strings when inbound Telegram media downloads failed.

openclaw created new session transcript JSONL files with overly broad default permissions in affected releases. On multi-user hosts, other local users or processes could read transcript contents, including secrets that might appear in tool output.

openclaw created new session transcript JSONL files with overly broad default permissions in affected releases. On multi-user hosts, other local users or processes could read transcript contents, including secrets that might appear in tool output.

openclaw versions <= 2026.3.12 allowed bootstrap setup codes to be replayed before approval, which could widen the scopes on a pending device pairing request.

OpenClaw's Zalouser allowlist mode accepted mutable group names and normalized slugs as authorization matches instead of requiring stable group IDs. In deployments that used name-based channels.zalouser.groups entries together with permissive sender allowlists, a different group could be accepted by reusing the same display name as an allowlisted group.

The Zalo webhook handler applied request rate limiting only after webhook authentication succeeded. Requests with an invalid secret returned 401 but did not count against the rate limiter, allowing repeated secret guesses without triggering 429.

The Zalo webhook handler applied request rate limiting only after webhook authentication succeeded. Requests with an invalid secret returned 401 but did not count against the rate limiter, allowing repeated secret guesses without triggering 429.

In affected versions of openclaw, a gateway caller with operator.write could issue agent requests containing /new or /reset and reach the same reset path used by the admin-only sessions.reset RPC.

OpenClaw automatically discovered and loaded plugins from .openclaw/extensions/ inside the current workspace without an explicit trust or install step. A malicious repository could include a crafted workspace plugin that executed as soon as a user ran OpenClaw from that cloned directory.

OpenClaw automatically discovered and loaded plugins from .openclaw/extensions/ inside the current workspace without an explicit trust or install step. A malicious repository could include a crafted workspace plugin that executed as soon as a user ran OpenClaw from that cloned directory.

A logic flaw in the OpenClaw gateway WebSocket connect path allowed certain device-less shared-token or password-authenticated backend connections to keep client-declared scopes without server-side binding. A shared-authenticated client could present elevated scopes such as operator.admin even though those scopes were not tied to a device identity or an explicitly trusted Control UI path.

A logic flaw in the OpenClaw gateway WebSocket connect path allowed certain device-less shared-token or password-authenticated backend connections to keep client-declared scopes without server-side binding. A shared-authenticated client could present elevated scopes such as operator.admin even though those scopes were not tied to a device identity or an explicitly trusted Control UI path.

In affected versions of openclaw, node-host system.run approvals did not bind a mutable file operand for some script runners, including forms such as tsx and jiti. An attacker could obtain approval for a benign script-runner command, rewrite the referenced script on disk, and have the modified code execute under the already approved run context.

In affected versions of openclaw, node-host system.run approvals did not bind a mutable file operand for some script runners, including forms such as tsx and jiti. An attacker could obtain approval for a benign script-runner command, rewrite the referenced script on disk, and have the modified code execute under the already approved run context.

In affected versions of openclaw, node-host system.run approvals could still execute rewritten local code for interpreter and runtime commands when OpenClaw could not bind exactly one concrete local file operand during approval planning.

In affected versions of openclaw, node-host system.run approvals could still execute rewritten local code for interpreter and runtime commands when OpenClaw could not bind exactly one concrete local file operand during approval planning.

In affected versions of openclaw, local gateway helper credential resolution treated configured but unavailable gateway.auth.token and gateway.auth.password SecretRefs as if they were unset and could fall back to gateway.remote.* credentials in local mode.

In affected versions of openclaw, local gateway helper credential resolution treated configured but unavailable gateway.auth.token and gateway.auth.password SecretRefs as if they were unset and could fall back to gateway.remote.* credentials in local mode.

In affected versions of openclaw, sandbox fs-bridge writes validated the destination before commit, but temporary file creation and population were not pinned to a verified parent directory. A raced parent-path alias change could cause the staged temp file to be created outside the intended writable mount before the final guarded replace step.

In affected versions of openclaw, the sandbox fs-bridge writeFile commit step used an unanchored container path during the final move into place. An attacker racing parent-path changes inside the sandbox could redirect the committed file outside the validated sandbox path.

In affected versions of openclaw, the sandbox fs-bridge writeFile commit step used an unanchored container path during the final move into place. An attacker racing parent-path changes inside the sandbox could redirect the committed file outside the validated sandbox path.

In affected versions of openclaw, the plugin subagent runtime dispatched gateway methods through a synthetic operator client that always carried broad administrative scopes. Plugin-owned HTTP routes using auth: "plugin" could therefore trigger admin-only gateway actions without normal gateway authorization.

In affected versions of openclaw, the plugin subagent runtime dispatched gateway methods through a synthetic operator client that always carried broad administrative scopes. Plugin-owned HTTP routes using auth: "plugin" could therefore trigger admin-only gateway actions without normal gateway authorization.

In affected versions of openclaw, a caller holding only operator.pairing could use device.token.rotate to mint a new token with broader scopes for an already paired device. If the target device was approved for operator.admin, the attacker could obtain an administrative token without already holding administrative scope.

OpenClaw pairing setup codes generated by /pair and openclaw qr embedded the configured shared gateway token or password directly in the setup payload. Anyone who obtained that code from chat history, logs, screenshots, or copied QR payloads could recover the long-lived shared credential.

In affected versions of openclaw, node-host system.run approvals could display only an extracted shell payload such as jq –version while execution still ran a different outer wrapper argv such as ./env sh -c 'jq –version'.

In affected versions of openclaw, node-host system.run approvals could display only an extracted shell payload such as jq –version while execution still ran a different outer wrapper argv such as ./env sh -c 'jq –version'.

In affected versions of openclaw, sandboxed leaf subagents could still access the subagents control surface and resolve against the parent requester scope instead of remaining confined to their own session tree.

The public gateway agent RPC allowed an authenticated operator with operator.write to supply attacker-controlled spawnedBy and workspaceDir values. That let the caller re-root the agent run outside its configured workspace boundary.

Feishu webhook mode allowed deployments that configured only verificationToken without encryptKey. In that state, forged inbound events could be accepted because the weaker configuration did not provide the required cryptographic verification boundary.

Feishu webhook mode allowed deployments that configured only verificationToken without encryptKey. In that state, forged inbound events could be accepted because the weaker configuration did not provide the required cryptographic verification boundary.

A Feishu reaction-originated synthetic event could misclassify a group conversation as p2p when the inbound reaction payload omitted chat_type. Authorization and mention-gating logic keyed off that incorrect chat type and evaluated the event as a direct message instead of a group message.

matchesExecAllowlistPattern normalized patterns and targets with lowercasing and compiled glob matching too broadly on POSIX. In addition, the ? wildcard could match /, which allowed matches to cross path segments.

In affected versions of openclaw, Discord reaction ingestion for guild channels did not enforce the same member users and roles allowlist checks used for normal inbound guild messages. A non-allowlisted guild member could still trigger reaction events that were accepted and queued as trusted system events for the target session.

OpenClaw documented /config and /debug as owner-only commands, but the command handlers checked only whether the sender was command-authorized. A lower-trust sender who was intentionally allowed to run commands could still reach privileged configuration and debugging surfaces.

In affected versions of openclaw, channel-initiated config mutations were authorized against the originating account's configWrites policy but did not consistently re-check the targeted account scope. An authorized sender on one account could mutate protected sibling-account configuration when the target account had configWrites: false.

An authorization mismatch in the gateway let an authenticated caller with only operator.write use browser.request to reach browser profile management routes that persist configuration to disk. In practice, this exposed an admin-only configuration write primitive through /profiles/create.

The built-in session_status tool did not enforce the intended session-visibility boundary. A sandboxed subagent could supply another session's sessionKey and inspect or modify state outside its own sandbox scope.

The built-in session_status tool did not enforce the intended session-visibility boundary. A sandboxed subagent could supply another session's sessionKey and inspect or modify state outside its own sandbox scope.

OpenClaw's system.run approval flow did not bind mutable interpreter-style script operands across approval and execution. A caller could obtain approval for an execution such as sh ./script.sh, rewrite the approved script before execution, and then execute different content under the previously approved command shape. The approved argv values remained the same, but the mutable script operand content could drift after approval. Latest published npm version verified vulnerable: 2026.3.7 The initial …

OpenClaw's system.run approval flow did not bind mutable interpreter-style script operands across approval and execution. A caller could obtain approval for an execution such as sh ./script.sh, rewrite the approved script before execution, and then execute different content under the previously approved command shape. The approved argv values remained the same, but the mutable script operand content could drift after approval. Latest published npm version verified vulnerable: 2026.3.7 The initial …

OpenClaw's skills download installer validated the intended per-skill tools root lexically, but later reused that mutable path while downloading and copying the archive into place. If a local attacker could rebind that tools-root path between validation and the final write, the installer could be redirected to write outside the intended tools directory. The fix pins the canonical per-skill tools root immediately after validation and derives later download/copy paths from that …

OpenClaw's skills download installer validated the intended per-skill tools root lexically, but later reused that mutable path while downloading and copying the archive into place. If a local attacker could rebind that tools-root path between validation and the final write, the installer could be redirected to write outside the intended tools directory. The fix pins the canonical per-skill tools root immediately after validation and derives later download/copy paths from that …

OpenClaw's Microsoft Teams plugin widened group sender authorization when a team/channel route allowlist was configured but groupAllowFrom was empty. Before the fix, a matching route allowlist entry could cause the message handler to synthesize wildcard sender authorization for that route, allowing any sender in the matched team/channel to bypass the intended groupPolicy: "allowlist" sender check. This does not affect default unauthenticated access, but it does weaken a documented Teams group …

OpenClaw's Microsoft Teams plugin widened group sender authorization when a team/channel route allowlist was configured but groupAllowFrom was empty. Before the fix, a matching route allowlist entry could cause the message handler to synthesize wildcard sender authorization for that route, allowing any sender in the matched team/channel to bypass the intended groupPolicy: "allowlist" sender check. This does not affect default unauthenticated access, but it does weaken a documented Teams group …

openclaw had a workspace boundary bypass in workspace-only path validation: when an in-workspace symlink pointed outside the workspace to a non-existent leaf, the first write could pass validation and create the file outside the workspace.

openclaw had a workspace boundary bypass in workspace-only path validation: when an in-workspace symlink pointed outside the workspace to a non-existent leaf, the first write could pass validation and create the file outside the workspace.

In affected versions of openclaw, browser-originated WebSocket connections could bypass origin validation when gateway.auth.mode was set to trusted-proxy and the request arrived with proxy headers. A page served from an untrusted origin could connect through a trusted reverse proxy, inherit proxy-authenticated identity, and establish a privileged operator session.

Slack member_* and message subtype system events (message_changed, message_deleted, thread_broadcast) were not consistently enforcing sender authorization before enqueueing system events.

Slack member_* and message subtype system events (message_changed, message_deleted, thread_broadcast) were not consistently enforcing sender authorization before enqueueing system events.

A sandbox boundary-validation gap in symlink alias handling allowed certain workspace-only write paths to be treated as in-boundary even when they could resolve outside the workspace/sandbox root.

In specific LINE configurations, sender IDs approved through DM pairing could also satisfy group allowlist checks when operators expected group sender access to be scoped only to explicit group allowlists.

Gateway auth for plugin channel endpoints can be bypassed when path canonicalization differs between the gateway guard and plugin handler routing.

Gateway auth for plugin channel endpoints can be bypassed when path canonicalization differs between the gateway guard and plugin handler routing.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-82g8-464f-2mv7. This link is maintained to preserve external references. Original Description A vulnerability was determined in OpenClaw 2026.2.19-2. This vulnerability affects the function applySkillConfigenvOverrides of the component Skill Env Handler. Executing a manipulation can lead to code injection. It is possible to launch the attack remotely. Upgrading to version 2026.2.21-beta.1 is able to resolve this issue. This …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-6c9j-x93c-rw6j. This link is maintained to preserve external references. Original Description A vulnerability was identified in OpenClaw up to 2026.2.17. This issue affects the function tools.exec.safeBins of the component File Existence Handler. The manipulation leads to information exposure through discrepancy. The attack needs to be performed locally. Upgrading to version 2026.2.19-beta.1 is capable of addressing this issue. …

OpenClaw's system.run shell-wrapper detection did not recognize PowerShell -EncodedCommand forms as inline-command wrappers. In allowlist mode, a caller with access to system.run could invoke pwsh or powershell using -EncodedCommand, -enc, or -e, and the request would fall back to plain argv analysis instead of the normal shell-wrapper approval path. This could allow a PowerShell inline payload to execute without the approval step that equivalent -Command invocations would require. Latest published …

OpenClaw's hooks HTTP handler counted hook authentication failures before rejecting unsupported HTTP methods. An unauthenticated client could send repeated non-POST requests (for example GET) with an invalid token to consume the hook auth failure budget and trigger the temporary lockout window for that client key. The fix moves the hook method gate ahead of auth-failure accounting so unsupported methods return 405 Method Not Allowed without incrementing the hook auth limiter.

OpenClaw's macOS Dashboard flow exposed Gateway authentication material to browser-controlled surfaces. Before the fix, the macOS app appended the shared Gateway token and password to the Dashboard URL query string when opening the Control UI in the browser. The Control UI then imported the token and persisted it into browser localStorage under openclaw.control.settings.v1. This expanded exposure of reusable Gateway admin credentials into browser address-bar/query surfaces and persistent script-readable storage.

system.run env override sanitization allowed dangerous override-only helper-command pivots to reach subprocesses. A caller who could invoke system.run with env overrides could bypass allowlist/approval intent by steering an allowlisted tool through helper-command or config-loading environment variables such as GIT_SSH_COMMAND, editor/pager hooks, and GIT_CONFIG_* / NPM_CONFIG_*.

OpenClaw's system.run dispatch-wrapper handling applied different depth-boundary rules to shell-wrapper approval detection and execution planning. With exactly four transparent dispatch wrappers such as repeated env invocations before /bin/sh -c, the approval classifier could stop treating the command as a shell wrapper at the depth boundary while execution planning still unwrapped through to the shell payload. In security=allowlist mode, that mismatch could skip the expected approval-required path for the shell wrapper …

OpenClaw's system.run dispatch-wrapper handling applied different depth-boundary rules to shell-wrapper approval detection and execution planning. With exactly four transparent dispatch wrappers such as repeated env invocations before /bin/sh -c, the approval classifier could stop treating the command as a shell wrapper at the depth boundary while execution planning still unwrapped through to the shell payload. In security=allowlist mode, that mismatch could skip the expected approval-required path for the shell wrapper …

OpenClaw's system.run allowlist analysis did not honor POSIX shell comment semantics when deriving allow-always persistence entries. A caller in security=allowlist mode who received an allow-always decision could submit a shell command whose tail was commented out at runtime, for example by using an unquoted # before a chained payload. The runtime shell would execute only the pre-comment portion, but allowlist persistence could still analyze and store the non-executed tail as …

Sandboxed requester sessions could reach host-side ACP session initialization through /acp spawn. OpenClaw already blocked sessions_spawn({ runtime: "acp" }) from sandboxed sessions, but the slash-command path initialized ACP directly without applying the same host-runtime guard first.

Sandboxed requester sessions could reach host-side ACP session initialization through /acp spawn. OpenClaw already blocked sessions_spawn({ runtime: "acp" }) from sandboxed sessions, but the slash-command path initialized ACP directly without applying the same host-runtime guard first.

OpenClaw's fetchWithSsrFGuard(…) followed cross-origin redirects while preserving arbitrary caller-supplied headers except for a narrow denylist (Authorization, Proxy-Authorization, Cookie, Cookie2). This allowed custom authorization headers such as X-Api-Key, Private-Token, and similar sensitive headers to be forwarded to a different origin after a redirect. The fix switches cross-origin redirect handling from a narrow sensitive-header denylist to a safe-header allowlist, so only benign headers such as content negotiation and cache validators survive an …

OpenClaw's fetchWithSsrFGuard(…) followed cross-origin redirects while preserving arbitrary caller-supplied headers except for a narrow denylist (Authorization, Proxy-Authorization, Cookie, Cookie2). This allowed custom authorization headers such as X-Api-Key, Private-Token, and similar sensitive headers to be forwarded to a different origin after a redirect. The fix switches cross-origin redirect handling from a narrow sensitive-header denylist to a safe-header allowlist, so only benign headers such as content negotiation and cache validators survive an …

/allowlist … –store resolved the selected channel accountId for reads, but store writes still dropped that accountId and wrote into the legacy unscoped pairing allowlist store. Because default-account reads still merge legacy unscoped entries, a store entry intended for one account could silently authorize the same sender on the default account. This is a real cross-account sender-authorization scoping bug. Severity is set to medium because exploitation requires an already-authorized user …

A gateway client authenticated with operator.write could route /config set or /config unset through chat.send and reach persistent config mutation even though direct config RPC methods are admin-scoped.

In OpenClaw, the sandboxed image tool did not honor tools.fs.workspaceOnly=true for mounted paths resolved by the sandbox FS bridge. This allowed reading out-of-workspace mounted images (for example /agent/*) and forwarding those bytes to vision model providers.

In OpenClaw, the sandboxed image tool did not honor tools.fs.workspaceOnly=true for mounted paths resolved by the sandbox FS bridge. This allowed reading out-of-workspace mounted images (for example /agent/*) and forwarding those bytes to vision model providers.

In certain elevated-mode configurations, tools.elevated.allowFrom accepted broader identity signals than intended. The fix tightens matching to sender-scoped identity by default and makes mutable metadata matching explicit.

In shared Slack workspace deployments that rely on sender restrictions (allowFrom, DM policy, or channel user allowlists), some interactive callbacks (block_action, view_submission, view_closed) could be accepted before full sender authorization checks. In that scenario, an unauthorized workspace member could enqueue system-event text into an active session. This issue did not provide unauthenticated access, cross-gateway isolation bypass, or host-level privilege escalation by itself.

In shared Slack workspace deployments that rely on sender restrictions (allowFrom, DM policy, or channel user allowlists), some interactive callbacks (block_action, view_submission, view_closed) could be accepted before full sender authorization checks. In that scenario, an unauthorized workspace member could enqueue system-event text into an active session. This issue did not provide unauthenticated access, cross-gateway isolation bypass, or host-level privilege escalation by itself.

In certain workspace-restricted configurations, OpenClaw could follow hardlink aliases inside the workspace that reference files outside the workspace boundary. By default, tools.fs.workspaceOnly is off. This primarily affects deployments that intentionally enable workspace-only filesystem restrictions (and workspace-only apply_patch checks).

BlueBubbles is an optional OpenClaw channel plugin. A configuration-sensitive access-control mismatch allowed DM senders to be treated as authorized when dmPolicy was pairing or allowlist and allowFrom was empty/unset.

BlueBubbles is an optional OpenClaw channel plugin. A configuration-sensitive access-control mismatch allowed DM senders to be treated as authorized when dmPolicy was pairing or allowlist and allowFrom was empty/unset.

A malicious or compromised MCP (Model Context Protocol) tool server can exfiltrate arbitrary local files from the host system by injecting MEDIA: directives into tool result text content. OpenClaw's tool result processing pipeline extracts file paths from MEDIA: tokens without source-level validation, passes them through a localRoots allowlist check that includes os.tmpdir() by default (covering /tmp on Linux/macOS and %TEMP% on Windows), and then reads and delivers the file contents …

OpenClaw's SSRF hostname/IP guard did not detect ISATAP embedded IPv4 addresses (…:5efe:w.x.y.z). A crafted URL containing an ISATAP IPv6 literal could embed a private IPv4 target (for example loopback) and bypass private-address filtering in URL-fetching paths.

isPrivateIpv4() in bundled SSRF guard code missed several IPv4 special-use/non-global ranges, so web_fetch could allow targets that should be blocked by SSRF policy.

isPrivateIpv4() in bundled SSRF guard code missed several IPv4 special-use/non-global ranges, so web_fetch could allow targets that should be blocked by SSRF policy.

OpenClaw had account-scope gaps in pairing-store access for DM pairing policy, which could let a pairing approval from one account authorize the same sender on another account in multi-account setups.

OpenClaw had account-scope gaps in pairing-store access for DM pairing policy, which could let a pairing approval from one account authorize the same sender on another account in multi-account setups.

A crafted local avatar path could follow a symlink outside the agent workspace and return arbitrary file contents as a base64 data: URL in gateway responses.

ZDI-CAN-29311: OpenClaw Canvas Authentication Bypass Vulnerability – ABSTRACT ————————————- Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products: OpenClaw - OpenClaw – VULNERABILITY DETAILS ———————— Version tested: openclaw 2026.2.17 Platform tested: macOS 26.3

Sandbox media local-path validation accepted absolute paths under host tmp, even when those paths were outside the active sandbox root.

Sandbox media local-path validation accepted absolute paths under host tmp, even when those paths were outside the active sandbox root.

A missing group-sender authorization check in the Zalo plugin allowed unauthorized GROUP messages to enter agent dispatch paths in configurations intended to restrict group traffic.

openclaw web tools strict URL fetch paths could lose DNS pinning when environment proxy variables are configured (HTTP_PROXY/HTTPS_PROXY/ALL_PROXY, including lowercase variants). In affected builds, strict URL checks (for example web_fetch and citation redirect resolution) validated one destination during SSRF guard checks, but runtime connection routing could proceed through an env-proxy dispatcher.

openclaw web tools strict URL fetch paths could lose DNS pinning when environment proxy variables are configured (HTTP_PROXY/HTTPS_PROXY/ALL_PROXY, including lowercase variants). In affected builds, strict URL checks (for example web_fetch and citation redirect resolution) validated one destination during SSRF guard checks, but runtime connection routing could proceed through an env-proxy dispatcher.

Twilio webhook replay events could bypass voice-call manager dedupe because normalized event IDs were randomized per parse. A replayed event could be treated as new and trigger duplicate or stale call-state transitions.

Twilio webhook replay events could bypass voice-call manager dedupe because normalized event IDs were randomized per parse. A replayed event could be treated as new and trigger duplicate or stale call-state transitions.

The voice-call Twilio webhook path accepted replay/dedupe identity from unsigned request metadata (i-twilio-idempotency-token), enabling replayed signed requests to bypass replay detection and manager dedupe by mutating only that header.

channels..groups..toolsBySender could match a privileged sender policy using a colliding mutable identity value (for example senderName or senderUsername) when deployments used untyped keys. The fix introduces explicit typed sender keys (id:, e164:, username:, name:), keeps legacy untyped keys on a deprecated ID-only path, and adds regression coverage to prevent cross-identifier collisions.

channels..groups..toolsBySender could match a privileged sender policy using a colliding mutable identity value (for example senderName or senderUsername) when deployments used untyped keys. The fix introduces explicit typed sender keys (id:, e164:, username:, name:), keeps legacy untyped keys on a deprecated ID-only path, and adds regression coverage to prevent cross-identifier collisions.

In openclaw allowlist mode, tools.exec.safeBins trusted PATH-derived directories for safe-bin resolution. A same-name binary placed in a trusted PATH directory could satisfy safe-bin checks and execute.

In OpenClaw, tools.exec.safeBins validation for sort could be bypassed via GNU long-option abbreviations in allowlist mode, allowing approval-free execution paths that should require approval.

In OpenClaw, tools.exec.safeBins validation for sort could be bypassed via GNU long-option abbreviations in allowlist mode, allowing approval-free execution paths that should require approval.

When tools.exec.safeBins contained a binary without an explicit safe-bin profile, OpenClaw used a permissive generic fallback profile. In allowlist mode, that could let interpreter-style binaries (for example python3, node, ruby) execute inline payloads via flags like -c. This requires explicit operator configuration to add such binaries to safeBins, so impact is limited to non-default/misconfigured deployments.

A missing sender-authorization check in Telegram message_reaction handling allowed unauthorized users to trigger reaction-derived system events.

In openclaw up to and including 2026.2.23 (latest npm release as of February 25, 2026), system.run shell-wrapper inputs could present misleading approval/display text while still carrying hidden positional argv payloads that execute at runtime.

In openclaw up to and including 2026.2.23 (latest npm release as of February 25, 2026), system.run shell-wrapper inputs could present misleading approval/display text while still carrying hidden positional argv payloads that execute at runtime.

In openclaw@2026.2.24, approval-bound system.run on node hosts could be influenced by mutable symlink cwd targets between approval and execution.

In openclaw@2026.2.24, approval-bound system.run on node hosts could be influenced by mutable symlink cwd targets between approval and execution.

In OpenClaw system.run allowlist mode, shell-wrapper analysis could be bypassed by splitting command substitution as $\ + newline + ( inside double quotes. Analysis treated the payload as allowlisted (for example /bin/echo), while shell runtime folded the line continuation into $(…) and executed non-allowlisted subcommands.

In OpenClaw system.run allowlist mode, shell-wrapper analysis could be bypassed by splitting command substitution as $\ + newline + ( inside double quotes. Analysis treated the payload as allowlisted (for example /bin/echo), while shell runtime folded the line continuation into $(…) and executed non-allowlisted subcommands.

In openclaw versions 2026.2.22 and 2026.2.23, the optional synology-chat channel plugin had an authorization fail-open condition: when dmPolicy was allowlist and allowedUserIds was empty/unset, unauthorized senders were still allowed through to agent dispatch. This is assessed as medium severity because it requires channel/plugin setup and Synology sender access, but can still trigger downstream agent/tool actions.

In openclaw versions 2026.2.22 and 2026.2.23, the optional synology-chat channel plugin had an authorization fail-open condition: when dmPolicy was allowlist and allowedUserIds was empty/unset, unauthorized senders were still allowed through to agent dispatch. This is assessed as medium severity because it requires channel/plugin setup and Synology sender access, but can still trigger downstream agent/tool actions.

OpenClaw Slack monitor handled reaction_* and pin_* non-message events before applying sender-policy checks consistently. In affected versions, these events could be added to system-event context even when sender policy would not normally allow them.

OpenClaw Slack monitor handled reaction_* and pin_* non-message events before applying sender-policy checks consistently. In affected versions, these events could be added to system-event context even when sender policy would not normally allow them.

In a narrow Signal reaction-notification path, reaction-only inbound events could enqueue a status event before sender access checks were applied.

In a narrow Signal reaction-notification path, reaction-only inbound events could enqueue a status event before sender access checks were applied.

system.run environment sanitization allowed shell-startup env overrides (HOME, ZDOTDIR) that can execute attacker-controlled startup files before allowlist-evaluated command bodies.

system.run environment sanitization allowed shell-startup env overrides (HOME, ZDOTDIR) that can execute attacker-controlled startup files before allowlist-evaluated command bodies.

The shell environment fallback path could invoke an attacker-controlled shell when SHELL was inherited from an untrusted host environment. In affected builds, shell-env loading used $SHELL -l -c 'env -0' without validating that SHELL points to a trusted executable. In threat-model terms, this requires local environment compromise or untrusted startup environment injection first; it is not a remote pre-auth path. The hardening patch validates SHELL as an absolute normalized executable, …

The shell environment fallback path could invoke an attacker-controlled shell when SHELL was inherited from an untrusted host environment. In affected builds, shell-env loading used $SHELL -l -c 'env -0' without validating that SHELL points to a trusted executable. In threat-model terms, this requires local environment compromise or untrusted startup environment injection first; it is not a remote pre-auth path. The hardening patch validates SHELL as an absolute normalized executable, …

Concurrent updateRegistry/removeRegistryEntry operations for sandbox containers and browsers could lose updates or resurrect removed entries under race conditions. The registry writes were read-modify-write in a window with no locking and permissive fallback parsing, so concurrent registry updates could produce stale snapshots and overwrite each other. That desyncs sandbox state and can affect sandbox list, sandbox prune, and sandbox recreate –all behavior.

Concurrent updateRegistry/removeRegistryEntry operations for sandbox containers and browsers could lose updates or resurrect removed entries under race conditions. The registry writes were read-modify-write in a window with no locking and permissive fallback parsing, so concurrent registry updates could produce stale snapshots and overwrite each other. That desyncs sandbox state and can affect sandbox list, sandbox prune, and sandbox recreate –all behavior.

In openclaw up to and including 2026.2.23 (latest npm release as of February 24, 2026), sandbox bind-source validation could be bypassed when a bind source used a symlinked parent plus a non-existent leaf path.

In openclaw up to and including 2026.2.23 (latest npm release as of February 24, 2026), sandbox bind-source validation could be bypassed when a bind source used a symlinked parent plus a non-existent leaf path.

OpenClaw accepted prototype-reserved keys in runtime /debug set override object values (proto, constructor, prototype).

OpenClaw accepted prototype-reserved keys in runtime /debug set override object values (proto, constructor, prototype).

In authenticated non-owner DM sessions, a narrow tool-invocation path could reach broader-than-intended owner-only gateway actions.

When sort is explicitly added to tools.exec.safeBins (non-default), the –compress-program option can invoke an external helper and bypass the intended safe-bin approval constraints in allowlist mode.

When sort is explicitly added to tools.exec.safeBins (non-default), the –compress-program option can invoke an external helper and bypass the intended safe-bin approval constraints in allowlist mode.

In openclaw versions up to and including 2026.2.22-2, a non-default exec-approval configuration could allow a skill-name collision to bypass an ask=on-miss prompt. When autoAllowSkills=true, a path-scoped executable such as ./skill-bin could resolve to basename skill-bin, satisfy the skills allowlist segment, and run without prompting for approval.

In openclaw@2026.3.1, node system.run approval-path hardening rewrote wrapper command argv in a way that changed execution semantics. A command shown/approved as a shell payload (for example echo SAFE) could execute a different local script when wrapper argv were rewritten.

In openclaw@2026.3.1, node system.run approval-path hardening rewrote wrapper command argv in a way that changed execution semantics. A command shown/approved as a shell payload (for example echo SAFE) could execute a different local script when wrapper argv were rewritten.

A client authenticated with a shared gateway token could connect as role=node without device identity/pairing, then call node.event to trigger agent.request and voice.transcript flows.

A client authenticated with a shared gateway token could connect as role=node without device identity/pairing, then call node.event to trigger agent.request and voice.transcript flows.

When Nextcloud Talk webhook signing was valid, replayed requests could be accepted without durable replay suppression, allowing duplicate inbound processing after replay-window expiry or process restart.

When Nextcloud Talk webhook signing was valid, replayed requests could be accepted without durable replay suppression, allowing duplicate inbound processing after replay-window expiry or process restart.

In OpenClaw MSTeams media download flows, redirect handling could bypass configured mediaAllowHosts checks in specific attachment paths. Redirect chains were not consistently constrained to allowlisted targets before accepting fetched content.

In OpenClaw MSTeams media download flows, redirect handling could bypass configured mediaAllowHosts checks in specific attachment paths. Redirect chains were not consistently constrained to allowlisted targets before accepting fetched content.

OpenClaw hook mapping transforms could be loaded via absolute paths or .. traversal, allowing arbitrary JavaScript module loading/execution in the gateway process when an attacker can modify hooks configuration.

OpenClaw hook mapping transforms could be loaded via absolute paths or .. traversal, allowing arbitrary JavaScript module loading/execution in the gateway process when an attacker can modify hooks configuration.

When tokenless Tailscale auth is enabled, OpenClaw should only allow forwarded-header auth for Control UI websocket authentication on trusted hosts. In affected versions, that tokenless path could also be used by HTTP gateway auth call sites, which could bypass token/password requirements for HTTP routes in trusted-network deployments.

When tokenless Tailscale auth is enabled, OpenClaw should only allow forwarded-header auth for Control UI websocket authentication on trusted hosts. In affected versions, that tokenless path could also be used by HTTP gateway auth call sites, which could bypass token/password requirements for HTTP routes in trusted-network deployments.

system.run exec allowlist analysis treated wrapper binaries as the effective executable and did not fully unwrap env/shell-dispatch wrappers. This allowed wrapper-smuggled payloads (for example env bash -lc …) to satisfy an allowlist entry for the wrapper while executing non-allowlisted commands.

system.run exec allowlist analysis treated wrapper binaries as the effective executable and did not fully unwrap env/shell-dispatch wrappers. This allowed wrapper-smuggled payloads (for example env bash -lc …) to satisfy an allowlist entry for the wrapper while executing non-allowlisted commands.

A wrapper-depth parsing mismatch in system.run allowed nested transparent dispatch wrappers (for example repeated /usr/bin/env) to suppress shell-wrapper detection while still matching allowlist resolution. In security=allowlist + ask=on-miss, this could bypass the expected approval prompt for shell execution.

A wrapper-depth parsing mismatch in system.run allowed nested transparent dispatch wrappers (for example repeated /usr/bin/env) to suppress shell-wrapper detection while still matching allowlist resolution. In security=allowlist + ask=on-miss, this could bypass the expected approval prompt for shell execution.

OpenClaw allowed dangerous process-control environment variables from env.vars (for example NODE_OPTIONS, LD_, DYLD_) to flow into gateway service runtime environments, enabling startup-time code execution in the OpenClaw process context.

OpenClaw allowed dangerous process-control environment variables from env.vars (for example NODE_OPTIONS, LD_, DYLD_) to flow into gateway service runtime environments, enabling startup-time code execution in the OpenClaw process context.

commands.allowFrom is documented as a sender authorization allowlist for commands/directives, but command authorization could include ctx.From (conversation identity) as a sender candidate. When commands.allowFrom contained conversation-like identifiers (for example Discord channel:<id> or WhatsApp group JIDs), command/directive authorization could be granted to participants in that conversation instead of only the intended sender identity.

This issue is a browser-origin WebSocket auth chain on local loopback deployments using password auth. It is serious, but conditional: an attacker must get the user to open a malicious page and then successfully guess the gateway password.

This issue is a browser-origin WebSocket auth chain on local loopback deployments using password auth. It is serious, but conditional: an attacker must get the user to open a malicious page and then successfully guess the gateway password.

OpenClaw avatar handling allowed a symlink traversal path that could expose local files outside an agent workspace through gateway avatar surfaces.

OpenClaw avatar handling allowed a symlink traversal path that could expose local files outside an agent workspace through gateway avatar surfaces.

The sandbox browser entrypoint launched x11vnc without authentication (-nopw) for noVNC observer sessions. OpenClaw-managed runtime flow publishes the noVNC port to host loopback only (127.0.0.1), so default exposure is local to the host unless operators explicitly expose the port more broadly (or run the image standalone with broad port publishing).

The sandbox browser entrypoint launched x11vnc without authentication (-nopw) for noVNC observer sessions. OpenClaw-managed runtime flow publishes the noVNC port to host loopback only (127.0.0.1), so default exposure is local to the host unless operators explicitly expose the port more broadly (or run the image standalone with broad port publishing).

tools.exec.safeBins allowlist checks could be bypassed by PATH-hijacked binaries, allowing execution of attacker-controlled trojan binaries under an allowlisted executable name.

tools.exec.safeBins allowlist checks could be bypassed by PATH-hijacked binaries, allowing execution of attacker-controlled trojan binaries under an allowlisted executable name.

A path confinement bypass in OpenClaw ZIP extraction allowed writes outside the intended destination when a pre-existing symlink was present under the extraction root.

ZIP extraction in OpenClaw could be raced into writing outside the intended destination directory via parent-directory symlink rebind between validation and write.

ZIP extraction in OpenClaw could be raced into writing outside the intended destination directory via parent-directory symlink rebind between validation and write.

A path-confinement bypass in browser output handling allowed writes outside intended roots in openclaw versions up to and including 2026.3.1. The fix unifies root-bound, file-descriptor-verified write semantics and canonical path-boundary validation across browser output and related install/skills write paths.

A path-confinement bypass in browser output handling allowed writes outside intended roots in openclaw versions up to and including 2026.3.1. The fix unifies root-bound, file-descriptor-verified write semantics and canonical path-boundary validation across browser output and related install/skills write paths.

In Telegram DM mode, inbound media was downloaded and written to disk before sender authorization checks completed. An unauthorized sender could trigger inbound media download/write activity (including media groups) even when DM access should be denied.

stageSandboxMedia allowed destination symlink traversal during media staging, which could overwrite files outside the sandbox workspace root.

stageSandboxMedia allowed destination symlink traversal during media staging, which could overwrite files outside the sandbox workspace root.

shell-env fallback trusted prefix-based executable paths for $SHELL, allowing execution of attacker-controlled binaries in local/runtime-env influence scenarios.

shell-env fallback trusted prefix-based executable paths for $SHELL, allowing execution of attacker-controlled binaries in local/runtime-env influence scenarios.

Sandboxed sessions_spawn(runtime="acp") could bypass sandbox inheritance and initialize host-side ACP runtime. The fix now fail-closes ACP spawn from sandboxed requester sessions and rejects sandbox="require" for runtime="acp".

A sandbox path validation bypass in openclaw allows host file reads outside sandboxRoot via the media path fallback tmp flow when the fallback tmp root is a symlink alias.

In openclaw<=2026.2.23, safe-bin trust in allowlist mode relied on static default trusted directories that included package-manager paths (notably /opt/homebrew/bin and /usr/local/bin). When a same-name binary (for example jq) is placed in one of those trusted default directories, safe-bin evaluation can be satisfied and execute the attacker-controlled binary.

In openclaw<=2026.2.23, safe-bin trust in allowlist mode relied on static default trusted directories that included package-manager paths (notably /opt/homebrew/bin and /usr/local/bin). When a same-name binary (for example jq) is placed in one of those trusted default directories, safe-bin evaluation can be satisfied and execute the attacker-controlled binary.

A paired node device could reconnect with spoofed platform/deviceFamily metadata and broaden node command policy eligibility because reconnect metadata was accepted from the client while these fields were not bound into the device-auth signature.

A paired node device could reconnect with spoofed platform/deviceFamily metadata and broaden node command policy eligibility because reconnect metadata was accepted from the client while these fields were not bound into the device-auth signature.

OpenClaw accepted camera.snap / camera.clip node payload url fields and downloaded them on the gateway/agent host without binding downloads to the resolved node host. In OpenClaw's documented trust model, paired nodes are in the same operator trust boundary, so this is scoped as medium-severity hardening. A malicious or compromised paired node could still steer gateway-host fetches during camera URL retrieval.

In sandboxed runs, native prompt image auto-load did not honor tools.fs.workspaceOnly=true. This optional hardening setting is not enabled by default. When operators enabled it, prompt text could still reference mounted out-of-workspace image paths (for example /agent/secret.png) and load those image bytes for vision-capable model input.

In openclaw MS Teams file-consent flow, pending uploads were authorized by uploadId alone. fileConsent/invoke did not verify the invoke conversation against the conversation that created the pending upload.

Microsoft Teams media handling used mixed fetch paths for Graph metadata/content and attachment auth-retry flows. Some paths bypassed the shared SSRF guard model and created inconsistent host/DNS enforcement across redirect/fetch hops.

On macOS node-host, optional exec-approval allowlist mode previously treated basename-only entries (for example echo) as trusted command matches. This could allow a same-name local binary (for example ./echo) to run without approval under security=allowlist + ask=on-miss.

On macOS node-host, optional exec-approval allowlist mode previously treated basename-only entries (for example echo) as trusted command matches. This could allow a same-name local binary (for example ./echo) to run without approval under security=allowlist + ask=on-miss.

The affected surface is the OpenClaw macOS app onboarding flow, and the macOS app is currently in beta. In that beta onboarding flow, Anthropic OAuth used the PKCE code_verifier value as OAuth state, exposing that secret in front-channel URL state.

In some opt-in sandbox configurations, the experimental apply_patch tool did not consistently apply workspace-only checks to mounted paths (for example /agent/…).

In some opt-in sandbox configurations, the experimental apply_patch tool did not consistently apply workspace-only checks to mounted paths (for example /agent/…).

In openclaw@2026.3.1, the Discord voice transcript path called agentCommand(…) without senderIsOwner, and agentCommand defaults missing senderIsOwner to true. This could allow a non-owner voice participant in the same channel to reach owner-only tool surfaces (gateway, cron) during voice transcript turns.

In openclaw@2026.3.1, the Discord voice transcript path called agentCommand(…) without senderIsOwner, and agentCommand defaults missing senderIsOwner to true. This could allow a non-owner voice participant in the same channel to reach owner-only tool surfaces (gateway, cron) during voice transcript turns.

In OpenClaw <= 2026.2.24, Discord direct-message reaction notifications did not consistently apply the same DM authorization checks (dmPolicy / allowFrom) that are enforced for normal DM message ingress. In restrictive DM setups, a non-allowlisted Discord user who can react to a bot-authored DM message could still enqueue a reaction-derived system event in the session. This is a reaction-only ingress inconsistency. By itself it does not directly execute commands; practical impact …

In OpenClaw <= 2026.2.24, Discord direct-message reaction notifications did not consistently apply the same DM authorization checks (dmPolicy / allowFrom) that are enforced for normal DM message ingress. In restrictive DM setups, a non-allowlisted Discord user who can react to a bot-authored DM message could still enqueue a reaction-derived system event in the session. This is a reaction-only ingress inconsistency. By itself it does not directly execute commands; practical impact …

Sandbox browser container launched Chromium with –no-sandbox by default, disabling Chromium's OS-level sandbox protections.

Sandbox browser container launched Chromium with –no-sandbox by default, disabling Chromium's OS-level sandbox protections.

BlueBubbles webhook auth in the optional beta iMessage plugin allowed a passwordless fallback path. In some reverse-proxy/local routing setups, this could allow unauthenticated webhook events.

BlueBubbles webhook auth in the optional beta iMessage plugin allowed a passwordless fallback path. In some reverse-proxy/local routing setups, this could allow unauthenticated webhook events.

OpenClaw Windows Scheduled Task script generation allowed unsafe argument handling in generated gateway.cmd files. In vulnerable versions, cmd metacharacter-only values could be emitted without safe quoting/escaping, which could lead to unintended command execution when the scheduled task runs.

OpenClaw Windows Scheduled Task script generation allowed unsafe argument handling in generated gateway.cmd files. In vulnerable versions, cmd metacharacter-only values could be emitted without safe quoting/escaping, which could lead to unintended command execution when the scheduled task runs.

When iMessage remote attachment fetching is enabled (channels.imessage.remoteHost), stageSandboxMedia accepted arbitrary absolute paths and used SCP to copy them into local staging. If a non-attachment path reaches this flow, files outside expected iMessage attachment directories on the remote host can be staged.

When iMessage remote attachment fetching is enabled (channels.imessage.remoteHost), stageSandboxMedia accepted arbitrary absolute paths and used SCP to copy them into local staging. If a non-attachment path reaches this flow, files outside expected iMessage attachment directories on the remote host can be staged.

OpenClaw’s Feishu media download flow used untrusted Feishu media keys (imageKey / fileKey) when building temporary file paths in extensions/feishu/src/media.ts. Because those keys were interpolated directly into temp-file paths, traversal segments could escape the temp directory and redirect writes outside os.tmpdir().

OpenClaw’s Feishu media download flow used untrusted Feishu media keys (imageKey / fileKey) when building temporary file paths in extensions/feishu/src/media.ts. Because those keys were interpolated directly into temp-file paths, traversal segments could escape the temp directory and redirect writes outside os.tmpdir().

The HTML session exporter (src/auto-reply/reply/export-html/template.js) interpolates img.mimeType directly into <img src="data:…"> attributes without validation or escaping. A crafted mimeType value (e.g., x" onerror="alert(1)) can break out of the attribute context and execute arbitrary JavaScript.

The HTML session exporter (src/auto-reply/reply/export-html/template.js) interpolates img.mimeType directly into <img src="data:…"> attributes without validation or escaping. A crafted mimeType value (e.g., x" onerror="alert(1)) can break out of the attribute context and execute arbitrary JavaScript.

A successful exploit can expose local secrets and credentials readable by the OpenClaw process user, including API keys and private config material.

A successful exploit can expose local secrets and credentials readable by the OpenClaw process user, including API keys and private config material.

A client using shared gateway auth could attach an unpaired device identity and request elevated operator scopes (including operator.admin) before pairing approval, enabling privilege escalation.

The tar.bz2 installer path in src/agents/skills-install-download.ts used shell tar preflight/extract logic that did not share the same hardening guarantees as the centralized archive extractor. This allowed crafted .tar.bz2 archives to bypass special-entry blocking and extracted-size guardrails enforced on other archive paths, causing local availability impact during skill install.

OpenClaw shell-env fallback trusted startup environment values and could execute attacker-influenced login-shell startup paths before loading env keys.

OpenClaw tools.exec.safeBins had a stdin-only policy bypass for grep. If pattern input was supplied through -e / –regexp, the validator consumed the pattern as a flag value and still allowed one positional operand. That positional could be a bare filename like .env.

OpenClaw tools.exec.safeBins had a stdin-only policy bypass for grep. If pattern input was supplied through -e / –regexp, the validator consumed the pattern as a flag value and still allowed one positional operand. That positional could be a bare filename like .env.

Auth-secret dual-use across security domains (gateway auth and prompt metadata hashing). Hash outputs are visible to third-party model providers in system prompts. No direct plaintext token disclosure. Practical risk is highest when operators use weak gateway tokens and leave owner hash secret unset.

Auth-secret dual-use across security domains (gateway auth and prompt metadata hashing). Hash outputs are visible to third-party model providers in system prompts. No direct plaintext token disclosure. Practical risk is highest when operators use weak gateway tokens and leave owner hash secret unset.

OpenClaw plugins/extensions run in-process and are treated as trusted code. This advisory tracks trust-boundary clarification around plugin runtime command execution (runtime.system.runCommandWithTimeout).

A local process can capture the OpenClaw Gateway auth token from Chrome CDP probe traffic on loopback.

A local process can capture the OpenClaw Gateway auth token from Chrome CDP probe traffic on loopback.

OpenClaw used left-most X-Forwarded-For values when requests came from configured trusted proxies. In proxy chains that append/preserve header values, this could let attacker-controlled header content influence security decisions tied to client IP.

OpenClaw used left-most X-Forwarded-For values when requests came from configured trusted proxies. In proxy chains that append/preserve header values, this could let attacker-controlled header content influence security decisions tied to client IP.

A command injection vulnerability exists in OpenClaw’s Linux systemd unit generation path. When rendering Environment= entries, attacker-controlled values are not rejected for CR/LF, and systemdEscapeArg() uses an incorrect whitespace-matching regex. This allows newline injection to break out of an Environment= line and inject standalone systemd directives (for example, ExecStartPre=). On service restart, the injected command is executed, resulting in local arbitrary command execution (local RCE) under the gateway service user.

A command injection vulnerability exists in OpenClaw’s Linux systemd unit generation path. When rendering Environment= entries, attacker-controlled values are not rejected for CR/LF, and systemdEscapeArg() uses an incorrect whitespace-matching regex. This allows newline injection to break out of an Environment= line and inject standalone systemd directives (for example, ExecStartPre=). On service restart, the injected command is executed, resulting in local arbitrary command execution (local RCE) under the gateway service user.

When an attacker can cause a transform module path to reference a symlinked entry that resolves outside the trusted transform directory, the gateway may import and execute unintended JavaScript with gateway-process privileges.

On Windows, the Lobster extension previously retried certain spawn failures (ENOENT/EINVAL) with shell: true for wrapper compatibility. In that fallback path, tool-provided arguments could be interpreted by cmd.exe if fallback was triggered.

On Windows, the Lobster extension previously retried certain spawn failures (ENOENT/EINVAL) with shell: true for wrapper compatibility. In that fallback path, tool-provided arguments could be interpreted by cmd.exe if fallback was triggered.

system.run allowed SHELLOPTS + PS4 environment injection to trigger command substitution during bash -lc xtrace expansion before the allowlisted command body executed.

system.run allowed SHELLOPTS + PS4 environment injection to trigger command substitution during bash -lc xtrace expansion before the allowlisted command body executed.

The exported session HTML viewer allowed stored XSS when untrusted session content included raw HTML markdown tokens or unescaped metadata fields.

OpenClaw webhook handlers for BlueBubbles and Google Chat accepted and parsed request bodies before authentication and signature checks on vulnerable releases. This allowed unauthenticated clients to hold parser work open with slow/oversized request bodies and degrade availability (slow-request DoS).

OpenClaw webhook handlers for BlueBubbles and Google Chat accepted and parsed request bodies before authentication and signature checks on vulnerable releases. This allowed unauthenticated clients to hold parser work open with slow/oversized request bodies and degrade availability (slow-request DoS).

Three Dockerfiles in scripts/docker/ and scripts/e2e/ lack a USER directive, meaning all processes run as uid 0 (root). If any process is compromised, the attacker has root inside the container, making container breakout significantly easier. Partial fix (2026-02-08): Commit 28e1a65e added USER sandbox to Dockerfile.sandbox and Dockerfile.sandbox-browser. The E2E/test Dockerfiles listed below remain unpatched. Affected components: scripts/e2e/Dockerfile scripts/e2e/Dockerfile.qr-import scripts/docker/install-sh-e2e/Dockerfile scripts/docker/install-sh-nonroot/Dockerfile (runs as app but with NOPASSWD sudo — see related …

In OpenClaw's macOS node-host path, system.run allowlist parsing in security=allowlist mode failed to reject command substitution tokens when they appeared inside double-quoted shell text. Because of that gap, payloads like echo "ok $(id)" could be treated as allowlist hits (first executable token echo) while still executing non-allowlisted subcommands through shell substitution.

In OpenClaw's macOS node-host path, system.run allowlist parsing in security=allowlist mode failed to reject command substitution tokens when they appeared inside double-quoted shell text. Because of that gap, payloads like echo "ok $(id)" could be treated as allowlist hits (first executable token echo) while still executing non-allowlisted subcommands through shell substitution.

An attacker could split failed hook-auth attempts across both address forms and effectively double the brute-force budget from 20 to 40 attempts per 60-second window.

Gateway plugin route auth protection for /api/channels could be bypassed using encoded dot-segment traversal (for example ..%2f) in path variants that plugin handlers normalize.

Gateway plugin route auth protection for /api/channels could be bypassed using encoded dot-segment traversal (for example ..%2f) in path variants that plugin handlers normalize.

tools.exec allowlist/safe-bins evaluation could diverge from runtime execution for wrapper commands using GNU env -S/–split-string semantics. This allowed policy checks to treat a command as a benign safe-bin invocation while runtime executed a different payload.

Encoded alternate-path requests could bypass plugin route auth checks for /api/channels/* due to canonicalization depth mismatch in vulnerable builds.

Encoded alternate-path requests could bypass plugin route auth checks for /api/channels/* due to canonicalization depth mismatch in vulnerable builds.

The Lobster extension tool execution path used a Windows shell fallback (shell: true) after spawn failures (EINVAL/ENOENT). In that fallback path, shell metacharacters in command arguments can be interpreted by the shell, enabling command injection.

The Lobster extension tool execution path used a Windows shell fallback (shell: true) after spawn failures (EINVAL/ENOENT). In that fallback path, shell metacharacters in command arguments can be interpreted by the shell, enabling command injection.

This advisory tracks a defense-in-depth hardening for canvas routes. In mixed-trust or network-visible deployments, prior canvas auth/fallback behavior could broaden access beyond intended boundaries.

When the optional Chrome extension relay is enabled, /extension accepted unauthenticated WebSocket upgrades while /json/* and /cdp required auth.

In affected releases, when an operator explicitly enabled gateway.controlUi.allowInsecureAuth: true and exposed the gateway over plaintext HTTP, Control UI authentication could permit privileged operator access without the intended device identity + pairing guarantees. This required an insecure deployment choice and credential exposure risk (for example, plaintext transit or prior token leak). It was fixed on main in commit 40a292619e1f2be3a3b1db663d7494c9c2dc0abf (PR #20684).

In affected releases, when an operator explicitly enabled gateway.controlUi.allowInsecureAuth: true and exposed the gateway over plaintext HTTP, Control UI authentication could permit privileged operator access without the intended device identity + pairing guarantees. This required an insecure deployment choice and credential exposure risk (for example, plaintext transit or prior token leak). It was fixed on main in commit 40a292619e1f2be3a3b1db663d7494c9c2dc0abf (PR #20684).

In allowlist mode, system.run guardrails could be bypassed through env -S, causing policy-analysis/runtime-execution mismatch for shell wrapper payloads.

In allowlist mode, system.run guardrails could be bypassed through env -S, causing policy-analysis/runtime-execution mismatch for shell wrapper payloads.

A workspace-only file-system guard mismatch allowed @-prefixed absolute paths to bypass boundary validation in some tool path checks.

A workspace-only file-system guard mismatch allowed @-prefixed absolute paths to bypass boundary validation in some tool path checks.

A trusted-proxy Control UI pairing bypass accepted client.id=control-ui without device identity checks. The bypass did not require operator role, so an authenticated node role session could connect unpaired and reach node event methods.

A trusted-proxy Control UI pairing bypass accepted client.id=control-ui without device identity checks. The bypass did not require operator role, so an authenticated node role session could connect unpaired and reach node event methods.

OpenClaw's SSRF IP classifier did not treat IPv6 multicast literals (ff00::/8) as blocked/private-internal. This allowed literal multicast hosts to pass SSRF preflight checks.

Feishu allowlist authorization could be bypassed by display-name collision.

Feishu allowlist authorization could be bypassed by display-name collision.

OpenClaw supports Discord allowlists using either user IDs or names/tags. Name/tag matching depends on slug normalization, so different user tags can collide to the same slug and unintentionally satisfy a name-based allowlist entry.

A command injection vulnerability existed in Windows Scheduled Task script generation for OpenClaw. Environment values were written into gateway.cmd using unquoted set KEY=VALUE, which allowed Windows shell metacharacters in config-provided environment variables to break out of assignment context.

A command injection vulnerability existed in Windows Scheduled Task script generation for OpenClaw. Environment values were written into gateway.cmd using unquoted set KEY=VALUE, which allowed Windows shell metacharacters in config-provided environment variables to break out of assignment context.

In openclaw@2026.2.25, BlueBubbles group authorization could incorrectly treat DM pairing-store identities as group allowlist identities when dmPolicy=pairing and groupPolicy=allowlist. A sender that was only DM-paired (not explicitly present in groupAllowFrom) could pass group sender checks for message and reaction ingress. Per OpenClaw's SECURITY.md trust model, this is a constrained authorization-consistency issue, not a multi-tenant boundary bypass or host-privilege escalation.

In openclaw@2026.2.25, BlueBubbles group authorization could incorrectly treat DM pairing-store identities as group allowlist identities when dmPolicy=pairing and groupPolicy=allowlist. A sender that was only DM-paired (not explicitly present in groupAllowFrom) could pass group sender checks for message and reaction ingress. Per OpenClaw's SECURITY.md trust model, this is a constrained authorization-consistency issue, not a multi-tenant boundary bypass or host-privilege escalation.

OpenClaw exec allowlist/safeBins policy could be bypassed with attached short-option payloads (for example sort -o/tmp/poc), enabling file-write operations while still satisfying safeBins checks.

OpenClaw exec allowlist/safeBins policy could be bypassed with attached short-option payloads (for example sort -o/tmp/poc), enabling file-write operations while still satisfying safeBins checks.

DM pairing-store identities were incorrectly eligible for group allowlist authorization checks, enabling cross-context authorization in group message paths.

DM pairing-store identities were incorrectly eligible for group allowlist authorization checks, enabling cross-context authorization in group message paths.

assertBrowserNavigationAllowed() validated only http:/https: network targets but implicitly allowed other schemes. An authenticated gateway user could navigate browser sessions to file:// URLs and read local files via browser snapshot/extraction flows.

assertBrowserNavigationAllowed() validated only http:/https: network targets but implicitly allowed other schemes. An authenticated gateway user could navigate browser sessions to file:// URLs and read local files via browser snapshot/extraction flows.

Remote iMessage attachment fetches used SCP with trust-on-first-use host-key behavior and accepted unvalidated remote host tokens. Before the fix: SCP used StrictHostKeyChecking=accept-new in the remote attachment path. channels.imessage.remoteHost was not validated as a strict SSH host token.

BASH_ENV / ENV startup-file injection could lead to unintended pre-command shell execution when attacker-controlled environment values were admitted and then inherited by host command execution paths.

This issue applies to a non-default configuration only. If sort is manually added to tools.exec.safeBins, OpenClaw could treat sort –compress-program=<prog> as valid safe-bin usage. In security=allowlist + ask=on-miss, this could satisfy allowlist checks and skip operator approval, while GNU sort may invoke an external program via –compress-program.

This issue applies to a non-default configuration only. If sort is manually added to tools.exec.safeBins, OpenClaw could treat sort –compress-program=<prog> as valid safe-bin usage. In security=allowlist + ask=on-miss, this could satisfy allowlist checks and skip operator approval, while GNU sort may invoke an external program via –compress-program.

A symlink-retarget TOCTOU race in writeFileWithinRoot could point an attacker-controlled path alias outside the configured root between resolution and write operations.

A sandboxed session could use cross-agent sessions_spawn to create a child under an agent configured with sandbox.mode="off", downgrading runtime confinement.

A sandboxed session could use cross-agent sessions_spawn to create a child under an agent configured with sandbox.mode="off", downgrading runtime confinement.

Files may be written outside the sandbox workspace root (within the permissions of the user running OpenClaw).

Files may be written outside the sandbox workspace root (within the permissions of the user running OpenClaw).

OpenClaw did not consistently enforce configured inbound media byte limits before buffering remote media in several channel ingestion paths. A remote sender could trigger oversized downloads and memory pressure before rejection.

OpenClaw did not consistently enforce configured inbound media byte limits before buffering remote media in several channel ingestion paths. A remote sender could trigger oversized downloads and memory pressure before rejection.

OpenClaw exec approvals could be bypassed in allowlist mode when allow-always was granted through unrecognized multiplexer shell wrappers (notably busybox sh -c and toybox sh -c).

OpenClaw exec approvals could be bypassed in allowlist mode when allow-always was granted through unrecognized multiplexer shell wrappers (notably busybox sh -c and toybox sh -c).

The Control UI static file handler previously validated asset paths lexically and then served files with APIs that follow symbolic links. A symlink placed under the Control UI root could cause out-of-root file reads.

The Control UI static file handler previously validated asset paths lexically and then served files with APIs that follow symbolic links. A symlink placed under the Control UI root could cause out-of-root file reads.

An authorization mismatch allowed authenticated callers with operator.write access to invoke owner-only tool surfaces (gateway, cron) through agent runs in scoped-token deployments.

In openclaw npm releases up to and including 2026.2.21-2, approving wrapped system.run commands with allow-always in security=allowlist mode could persist wrapper-level allowlist entries and enable later approval-bypass execution of different inner payloads.

In openclaw npm releases up to and including 2026.2.21-2, approving wrapped system.run commands with allow-always in security=allowlist mode could persist wrapper-level allowlist entries and enable later approval-bypass execution of different inner payloads.

A paired node could supply Unicode-confusable platform or deviceFamily metadata that passed metadata pinning but classified differently for command policy resolution, broadening default node command allowlists.

For host=node runs, approvals validated command context but did not pin executable identity for non-path-like argv[0] tokens (for example tr). If PATH resolution changed after approval, execution could run a different binary.

For host=node runs, approvals validated command context but did not pin executable identity for non-path-like argv[0] tokens (for example tr). If PATH resolution changed after approval, execution could run a different binary.

system.run approvals in OpenClaw used rendered command text as the approval identity while trimming argv token whitespace. Runtime execution still used raw argv. A crafted trailing-space executable token could therefore execute a different binary than what the approver saw.

system.run approvals in OpenClaw used rendered command text as the approval identity while trimming argv token whitespace. Runtime execution still used raw argv. A crafted trailing-space executable token could therefore execute a different binary than what the approver saw.

Sandbox media handling had a time-of-check/time-of-use gap: media paths could be validated first and read later through a separate path. A symlink retarget between those steps could cause reads outside sandboxRoot.

For host=node executions, approval context could be bypassed after approval-time by rebinding a writable parent symlink in cwd while preserving the visible cwd string.

For host=node executions, approval context could be bypassed after approval-time by rebinding a writable parent symlink in cwd while preserving the visible cwd string.

exec.approval requests for host=node were not explicitly bound to the target nodeId, so an approval intended for one node could be replayed for a different node under the same operator-controlled gateway fleet.

sendAttachment and setGroupIcon message actions could hydrate media from local absolute paths when sandboxRoot was unset, bypassing intended local media root checks. This could allow reads of arbitrary host files reachable by the runtime user when an authorized message-action path was triggered.

sendAttachment and setGroupIcon message actions could hydrate media from local absolute paths when sandboxRoot was unset, bypassing intended local media root checks. This could allow reads of arbitrary host files reachable by the runtime user when an authorized message-action path was triggered.

OpenClaw Gateway exposes an authenticated HTTP endpoint (POST /tools/invoke) intended for invoking a constrained set of tools. Two issues could combine to significantly increase blast radius in misconfigured or exposed deployments: The HTTP gateway layer did not deny high-risk session orchestration tools by default, allowing a caller with Gateway auth to invoke tools like sessions_spawn / sessions_send and pivot into creating or controlling agent sessions. ACP clients could auto-approve permission …

OpenClaw hooks previously compared the provided hook token using a regular string comparison. Because this comparison is not constant-time, an attacker with network access to the hooks endpoint could potentially use timing measurements across many requests to gradually infer the token. In practice, this typically requires hooks to be exposed to an untrusted network and a large number of requests; real-world latency and jitter can make reliable measurement difficult.

OpenClaw hooks previously compared the provided hook token using a regular string comparison. Because this comparison is not constant-time, an attacker with network access to the hooks endpoint could potentially use timing measurements across many requests to gradually infer the token. In practice, this typically requires hooks to be exposed to an untrusted network and a large number of requests; real-world latency and jitter can make reliable measurement difficult.

When browser control started without explicit auth credentials, OpenClaw attempted to bootstrap auth automatically. In affected versions, if that bootstrap step threw an error, startup could continue and expose browser-control routes without authentication.

When browser control started without explicit auth credentials, OpenClaw attempted to bootstrap auth automatically. In affected versions, if that bootstrap step threw an error, startup could continue and expose browser-control routes without authentication.

A remote code execution (RCE) vulnerability in the gateway-to-node invocation path allowed an authenticated gateway client to bypass node-host exec approvals by injecting internal control fields into node.invoke parameters.

A remote code execution (RCE) vulnerability in the gateway-to-node invocation path allowed an authenticated gateway client to bypass node-host exec approvals by injecting internal control fields into node.invoke parameters.

A path traversal (Zip Slip) issue in archive extraction during explicit installation commands could allow a crafted archive to write files outside the intended extraction directory.

A path traversal (Zip Slip) issue in archive extraction during explicit installation commands could allow a crafted archive to write files outside the intended extraction directory.

@openclaw/voice-call (and the bundled copy shipped in openclaw) accepted media-stream WebSocket upgrades before stream validation. In reachable deployments, unauthenticated pre-start sockets could be held open and increase resource pressure.

@openclaw/voice-call (and the bundled copy shipped in openclaw) accepted media-stream WebSocket upgrades before stream validation. In reachable deployments, unauthenticated pre-start sockets could be held open and increase resource pressure.

In approval-enabled host=node workflows, system.run approvals did not always carry a strict, versioned execution-context binding. In uncommon setups that rely on these approvals as an integrity guardrail, a previously approved request could be reused with changed env input.

In approval-enabled host=node workflows, system.run approvals did not always carry a strict, versioned execution-context binding. In uncommon setups that rely on these approvals as an integrity guardrail, a previously approved request could be reused with changed env input.

In the macOS companion app (currently beta), a parsing mismatch in exec approvals could let shell-chain payloads pass allowlist checks in system.run under specific settings.

In the macOS companion app (currently beta), a parsing mismatch in exec approvals could let shell-chain payloads pass allowlist checks in system.run under specific settings.

OpenClaw versions before 2026.2.14 did not sufficiently validate TAR archive entry paths during extraction. A crafted archive could use path traversal sequences (for example ../../…) to write files outside the intended destination directory (Zip Slip).

OpenClaw versions before 2026.2.14 did not sufficiently validate TAR archive entry paths during extraction. A crafted archive could use path traversal sequences (for example ../../…) to write files outside the intended destination directory (Zip Slip).

A Windows system.run approval-integrity mismatch in the cmd.exe /c path could allow trailing arguments to execute while approval/audit text reflected only a benign command string. This requires an authenticated operator context using the approvals flow and a trusted Windows node.

A Windows system.run approval-integrity mismatch in the cmd.exe /c path could allow trailing arguments to execute while approval/audit text reflected only a benign command string. This requires an authenticated operator context using the approvals flow and a trusted Windows node.

Gemini web_search citation redirect resolution used a private-network-allowing SSRF policy. A citation URL redirect could target loopback/private/internal destinations and be fetched by the gateway.

Gemini web_search citation redirect resolution used a private-network-allowing SSRF policy. A citation URL redirect could target loopback/private/internal destinations and be fetched by the gateway.

Unauthenticated requests to a reachable Zalo webhook endpoint could trigger unbounded in-memory key growth by varying query strings on the same valid webhook route.

Unauthenticated requests to a reachable Zalo webhook endpoint could trigger unbounded in-memory key growth by varying query strings on the same valid webhook route.

In OpenClaw 2026.2.25, Signal group authorization under groupPolicy=allowlist could accept sender identities sourced from DM pairing-store approvals. This allowed DM pairing approvals to leak into group allowlist evaluation.

In OpenClaw 2026.2.25, Signal group authorization under groupPolicy=allowlist could accept sender identities sourced from DM pairing-store approvals. This allowed DM pairing approvals to leak into group allowlist evaluation.

extensions/feishu/src/bot.ts constructed new RegExp() directly from Feishu mention metadata (mention.name, mention.key) in stripBotMention() without escaping regex metacharacters.

extensions/feishu/src/bot.ts constructed new RegExp() directly from Feishu mention metadata (mention.name, mention.key) in stripBotMention() without escaping regex metacharacters.

OpenClaw hooks previously compared the provided hook token using a regular string comparison. Because this comparison is not constant-time, an attacker with network access to the hooks endpoint could potentially use timing measurements across many requests to gradually infer the token. In practice, this typically requires hooks to be exposed to an untrusted network and a large number of requests; real-world latency and jitter can make reliable measurement difficult.

OpenClaw hooks previously compared the provided hook token using a regular string comparison. Because this comparison is not constant-time, an attacker with network access to the hooks endpoint could potentially use timing measurements across many requests to gradually infer the token. In practice, this typically requires hooks to be exposed to an untrusted network and a large number of requests; real-world latency and jitter can make reliable measurement difficult.

Browser trace/download output path handling allowed symlink-root and symlink-parent escapes from the managed temp root.

Browser trace/download output path handling allowed symlink-root and symlink-parent escapes from the managed temp root.

Unauthorized senders could trigger two command paths without sender authorization checks: stop-like natural-language abort triggers /models command output

In openclaw@2026.2.23, sandbox network hardening blocks network=host but still allows network=container:<id>. This can let a sandbox join another container's network namespace and reach services available in that namespace.

In openclaw@2026.2.23, sandbox network hardening blocks network=host but still allows network=container:<id>. This can let a sandbox join another container's network namespace and reach services available in that namespace.

The gateway agents.files.get and agents.files.set methods allowed symlink traversal for allowlisted workspace files. A symlinked allowlisted file (for example AGENTS.md) could resolve outside the agent workspace and be read/written by the gateway process. This could enable arbitrary host file read/write within the gateway process permissions, and chained impact up to code execution depending on which files are overwritten.

The gateway agents.files.get and agents.files.set methods allowed symlink traversal for allowlisted workspace files. A symlinked allowlisted file (for example AGENTS.md) could resolve outside the agent workspace and be read/written by the gateway process. This could enable arbitrary host file read/write within the gateway process permissions, and chained impact up to code execution depending on which files are overwritten.

ZDI-CAN-29312: OpenClaw Canvas Path Traversal Information Disclosure Vulnerability – ABSTRACT ————————————- Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products: OpenClaw - OpenClaw – VULNERABILITY DETAILS ———————— Version tested: openclaw 2026.2.17 Platform tested: macOS 26.3

On Windows ACPX paths, wrapper resolution for .cmd/.bat could fall back to shell execution in ways that allowed cwd influence to alter execution behavior.

On Windows ACPX paths, wrapper resolution for .cmd/.bat could fall back to shell execution in ways that allowed cwd influence to alter execution behavior.

applySkillConfigEnvOverrides previously copied skills.entries.*.env values into the host process.env without applying the host env safety policy.

applySkillConfigEnvOverrides previously copied skills.entries.*.env values into the host process.env without applying the host env safety policy.

In OpenClaw before 2026.2.23, tools.exec.safeBins validation for sort could be bypassed via GNU long-option abbreviations (such as –compress-prog) in allowlist mode, leading to approval-free execution paths that were intended to require approval. Only an exact string such as –compress-program was denied.

The OpenClaw ACP client could auto-approve tool calls based on untrusted metadata and permissive name heuristics. A malicious or compromised ACP tool invocation could bypass expected interactive approval prompts for read-class operations.

The OpenClaw ACP client could auto-approve tool calls based on untrusted metadata and permissive name heuristics. A malicious or compromised ACP tool invocation could bypass expected interactive approval prompts for read-class operations.

Potential unintentional disclosure of local files from the packaging machine into a generated .skill artifact. Requires local execution of the packaging script on attacker-controlled skill contents.

Local ACP sessions may become less responsive when very large prompts are submitted Larger-than-expected model usage/cost when oversized text is forwarded No privilege escalation and no direct remote attack path in the default ACP model

Affected Packages / Versions openclaw npm package versions <= 2026.2.17. Vulnerability Cron webhook delivery in src/gateway/server-cron.ts used fetch() directly, so webhook targets could reach private/metadata/internal endpoints without SSRF policy checks. Fix Commit(s) 99db4d13e 35851cdaf Thanks @Adam55A-code for reporting.

In setups where Discord moderation actions are enabled and the bot has the necessary guild permissions, a non-admin user could request moderation actions by spoofing sender identity fields.

tools.exec.safeBins could be bypassed for filesystem access when sort output flags (-o / –output) or recursive grep flags were allowed through safe-bin execution paths.

tools.exec.safeBins could be bypassed for filesystem access when sort output flags (-o / –output) or recursive grep flags were allowed through safe-bin execution paths.

An information disclosure vulnerability in OpenClaw's tools.exec.safeBins approval flow allowed a file-existence oracle. When safe-bin validation examined candidate file paths, command allow/deny behavior could differ based on whether a path already existed on the host filesystem. An attacker could probe for file presence by comparing outcomes for existing vs non-existing filenames.

An information disclosure vulnerability in OpenClaw's tools.exec.safeBins approval flow allowed a file-existence oracle. When safe-bin validation examined candidate file paths, command allow/deny behavior could differ based on whether a path already existed on the host filesystem. An attacker could probe for file presence by comparing outcomes for existing vs non-existing filenames.

The sandbox identifier cache key for Docker/browser sandbox configuration used SHA-1 to hash normalized configuration payloads. SHA-1 is deprecated for cryptographic use and has known collision weaknesses. In this code path, deterministic IDs are used to decide whether an existing sandbox container can be reused safely. A collision in this hash could let one configuration be interpreted as another under the same sandbox cache identity, increasing the risk of cache …

The sandbox identifier cache key for Docker/browser sandbox configuration used SHA-1 to hash normalized configuration payloads. SHA-1 is deprecated for cryptographic use and has known collision weaknesses. In this code path, deterministic IDs are used to decide whether an existing sandbox container can be reused safely. A collision in this hash could let one configuration be interpreted as another under the same sandbox cache identity, increasing the risk of cache …

The web_fetch tool could be used to crash the OpenClaw Gateway process (OOM / resource exhaustion) by fetching and attempting to parse attacker-controlled web pages with oversized response bodies or pathological HTML nesting.

The web_fetch tool could be used to crash the OpenClaw Gateway process (OOM / resource exhaustion) by fetching and attempting to parse attacker-controlled web pages with oversized response bodies or pathological HTML nesting.

In affected versions, when apply_patch was enabled and the agent ran without filesystem sandbox containment, crafted paths could cause file writes/deletes outside the configured workspace directory.

In affected versions, when apply_patch was enabled and the agent ran without filesystem sandbox containment, crafted paths could cause file writes/deletes outside the configured workspace directory.

OpenClaw versions <= 2026.2.9 construct transcript file paths using an unsanitized sessionId and also accept sessionFile paths without enforcing that they stay within the agent sessions directory. A crafted sessionId and/or sessionFile (example: ../../etc/passwd) can cause path traversal when the gateway performs transcript file read/write operations. Preconditions: an attacker must be able to authenticate to the gateway (gateway token/password). By default the gateway binds to loopback (local-only); configurations that expose …

OpenClaw versions <= 2026.2.9 construct transcript file paths using an unsanitized sessionId and also accept sessionFile paths without enforcing that they stay within the agent sessions directory. A crafted sessionId and/or sessionFile (example: ../../etc/passwd) can cause path traversal when the gateway performs transcript file read/write operations. Preconditions: an attacker must be able to authenticate to the gateway (gateway token/password). By default the gateway binds to loopback (local-only); configurations that expose …

normalizeForHash in src/agents/sandbox/config-hash.ts recursively sorted arrays that contained only primitive values. This made order-sensitive sandbox configuration arrays hash to the same value even when order changed. In OpenClaw sandbox flows, this hash is used to decide whether existing sandbox containers should be recreated. As a result, order-only config changes (for example Docker dns and binds array order) could be treated as unchanged and stale containers could be reused. This is …

Prompt injection may alter agent behavior and could lead to unintended tool use or disclosure of sensitive information.

Disclosure of a Telegram bot token allows an attacker to impersonate the bot and take over Bot API access.

OpenClaw CLI process cleanup used system-wide process enumeration and pattern matching to terminate processes without verifying they were owned by the current OpenClaw process. On shared hosts, unrelated processes could be terminated if they matched the pattern.

OpenClaw CLI process cleanup used system-wide process enumeration and pattern matching to terminate processes without verifying they were owned by the current OpenClaw process. On shared hosts, unrelated processes could be terminated if they matched the pattern.

On macOS, the Claude CLI keychain credential refresh path constructed a shell command to write the updated JSON blob into Keychain via security add-generic-password -w …. Because OAuth tokens are user-controlled data, this created an OS command injection risk. The fix avoids invoking a shell by using execFileSync("security", argv) and passing the updated keychain payload as a literal argument.

On macOS, the Claude CLI keychain credential refresh path constructed a shell command to write the updated JSON blob into Keychain via security add-generic-password -w …. Because OAuth tokens are user-controlled data, this created an OS command injection risk. The fix avoids invoking a shell by using execFileSync("security", argv) and passing the updated keychain payload as a literal argument.

A configuration injection issue in the Docker tool sandbox could allow dangerous Docker options (bind mounts, host networking, unconfined profiles) to be applied, enabling container escape or host data access.

Base64-backed media inputs could be decoded into Buffers before enforcing decoded-size budgets. An attacker supplying oversized base64 payloads can force large allocations, causing memory pressure and denial of service.

Base64-backed media inputs could be decoded into Buffers before enforcing decoded-size budgets. An attacker supplying oversized base64 payloads can force large allocations, causing memory pressure and denial of service.

OpenClaw previously accepted untrusted PATH sources in limited situations. In affected versions, this could cause OpenClaw to resolve and execute an unintended binary ("command hijacking") when running host commands. This issue primarily matters when OpenClaw is relying on allowlist/safe-bin protections and expects PATH to be trustworthy.

OpenClaw previously accepted untrusted PATH sources in limited situations. In affected versions, this could cause OpenClaw to resolve and execute an unintended binary ("command hijacking") when running host commands. This issue primarily matters when OpenClaw is relying on allowlist/safe-bin protections and expects PATH to be trustworthy.

A Twilio webhook signature-verification bypass in the voice-call extension could allow unauthenticated webhook requests when a specific ngrok free-tier compatibility option is enabled.

A Twilio webhook signature-verification bypass in the voice-call extension could allow unauthenticated webhook requests when a specific ngrok free-tier compatibility option is enabled.

Telegram allowlist authorization could match on @username (mutable/recyclable) instead of immutable numeric sender IDs.

Telegram allowlist authorization could match on @username (mutable/recyclable) instead of immutable numeric sender IDs.

When Slack DMs are configured with dmPolicy=open, the Slack slash-command handler incorrectly treated any DM sender as command-authorized. This allowed any Slack user who could DM the bot to execute privileged slash commands via DM, bypassing intended allowlist/access-group restrictions.

When Slack DMs are configured with dmPolicy=open, the Slack slash-command handler incorrectly treated any DM sender as command-authorized. This allowed any Slack user who could DM the bot to execute privileged slash commands via DM, bypassing intended allowlist/access-group restrictions.

Shared-agent, multi-user, less-trusted environments: session-tool access could expose transcript content across peer sessions. Single-agent or trusted environments: practical impact is limited. Telegram webhook mode: account-level secret wiring could be missed unless an explicit monitor webhook secret override was provided.

Inter-session messages sent via sessions_send could be interpreted as direct end-user instructions because they were persisted as role: "user" without provenance metadata.

Under iMessage groupPolicy=allowlist, group authorization could be satisfied by sender identities coming from the DM pairing store, broadening DM trust into group contexts.

The Feishu extension could fetch attacker-controlled remote URLs in two paths without SSRF protections: sendMediaFeishu(mediaUrl) Feishu DocX markdown image URLs (write/append -> image processing)

The Feishu extension could fetch attacker-controlled remote URLs in two paths without SSRF protections: sendMediaFeishu(mediaUrl) Feishu DocX markdown image URLs (write/append -> image processing)

openclaw could start the sandbox browser bridge server without authentication. When the sandboxed browser is enabled, openclaw runs a local (loopback) HTTP bridge that exposes browser control endpoints (for example /profiles, /tabs, /tabs/open, /agent/*). Due to missing auth wiring in the sandbox initialization path, that bridge server accepted requests without requiring gateway auth.

openclaw could start the sandbox browser bridge server without authentication. When the sandboxed browser is enabled, openclaw runs a local (loopback) HTTP bridge that exposes browser control endpoints (for example /profiles, /tabs, /tabs/open, /agent/*). Due to missing auth wiring in the sandbox initialization path, that bridge server accepted requests without requiring gateway auth.

Authenticated attackers can read arbitrary files from the Gateway host by supplying absolute paths or path traversal sequences to the browser tool's upload action. The server passed these paths to Playwright's setInputFiles() APIs without restricting them to a safe root. Severity remains High due to the impact (arbitrary local file read on the Gateway host), even though exploitation requires authenticated access.

OpenClaw’s browser control API accepted user-supplied output paths for trace/download files without consistently constraining writes to OpenClaw-managed temporary directories.

OpenClaw’s browser control API accepted user-supplied output paths for trace/download files without consistently constraining writes to OpenClaw-managed temporary directories.

OpenClaw browser download helpers accepted an unsanitized output path. When invoked via the browser control gateway routes, this allowed path traversal to write downloads outside the intended OpenClaw temp downloads directory. This issue is not exposed via the AI agent tool schema (no download action). Exploitation requires authenticated CLI access or an authenticated gateway RPC token.

The BlueBubbles extension accepted attacker-controlled local filesystem paths via mediaPath and could read arbitrary local files from disk before sending them as media attachments.

The BlueBubbles extension accepted attacker-controlled local filesystem paths via mediaPath and could read arbitrary local files from disk before sending them as media attachments.

Command injection in the maintainer/dev script scripts/update-clawtributors.ts.

A bug in download skill installation allowed targetDir values from skill frontmatter to resolve outside the per-skill tools directory if not strictly validated. In the admin-only skills.install flow, this could write files outside the intended install sandbox.

When multiple Google Chat webhook targets are registered on the same HTTP path, and request verification succeeds for more than one target, inbound webhook events could be routed by first-match semantics. This can cause cross-account policy/context misrouting.

When multiple Google Chat webhook targets are registered on the same HTTP path, and request verification succeeds for more than one target, inbound webhook events could be routed by first-match semantics. This can cause cross-account policy/context misrouting.

OpenClaw's exec-approvals allowlist supports a small set of "safe bins" intended to be stdin-only (no positional file arguments) when running tools.exec.host=gateway|node with security=allowlist. In affected configurations, the allowlist validation checked pre-expansion argv tokens, but execution used a real shell (sh -c) which expands globs and environment variables. This allowed safe bins like head, tail, or grep to read arbitrary local files via tokens such as * or $HOME/… without triggering …

OpenClaw's exec-approvals allowlist supports a small set of "safe bins" intended to be stdin-only (no positional file arguments) when running tools.exec.host=gateway|node with security=allowlist. In affected configurations, the allowlist validation checked pre-expansion argv tokens, but execution used a real shell (sh -c) which expands globs and environment variables. This allowed safe bins like head, tail, or grep to read arbitrary local files via tokens such as * or $HOME/… without triggering …

The manual Chutes OAuth login flow could accept attacker-controlled callback input in a way that bypassed OAuth CSRF state validation, potentially resulting in credential substitution.

The manual Chutes OAuth login flow could accept attacker-controlled callback input in a way that bypassed OAuth CSRF state validation, potentially resulting in credential substitution.

Discovery beacons (Bonjour/mDNS and DNS-SD) include TXT records such as lanHost, tailnetDns, gatewayPort, and gatewayTlsSha256. TXT records are unauthenticated. Prior to the fix, some clients treated TXT values as authoritative routing/pinning inputs: iOS and macOS: used TXT-provided host hints (lanHost/tailnetDns) and ports (gatewayPort) to build the connection URL. iOS and Android: allowed the discovery-provided TLS fingerprint (gatewayTlsSha256) to override a previously stored TLS pin. On a shared/untrusted LAN, an attacker …

Stored XSS in the OpenClaw Control UI when rendering assistant identity (name/avatar) into an inline <script> tag without script-context-safe escaping. A crafted value containing </script> could break out of the script tag and execute attacker-controlled JavaScript in the Control UI origin.

The optional Tlon (Urbit) extension previously accepted a user-provided base URL for authentication and used it to construct an outbound HTTP request, enabling server-side request forgery (SSRF) in affected deployments.

The optional Tlon (Urbit) extension previously accepted a user-provided base URL for authentication and used it to construct an outbound HTTP request, enabling server-side request forgery (SSRF) in affected deployments.

OpenClaw Gateway supports hook mappings with optional JavaScript/TypeScript transform modules. In affected versions, the gateway did not sufficiently constrain configured module paths before passing them to dynamic import(). Under some configurations, a user who can modify gateway configuration could cause the gateway process to load and execute an unintended local module.

OpenClaw Gateway supports hook mappings with optional JavaScript/TypeScript transform modules. In affected versions, the gateway did not sufficiently constrain configured module paths before passing them to dynamic import(). Under some configurations, a user who can modify gateway configuration could cause the gateway process to load and execute an unintended local module.

Multiple webhook handlers accepted and buffered request bodies without a strict unified byte/time limit. A remote unauthenticated attacker could send oversized payloads and cause memory pressure, degrading availability.

Multiple webhook handlers accepted and buffered request bodies without a strict unified byte/time limit. A remote unauthenticated attacker could send oversized payloads and cause memory pressure, degrading availability.

URL-backed media fetch handling allocated the entire response payload in memory (arrayBuffer) before enforcing maxBytes, allowing oversized responses to cause memory exhaustion.

URL-backed media fetch handling allocated the entire response payload in memory (arrayBuffer) before enforcing maxBytes, allowing oversized responses to cause memory exhaustion.

Archive extraction lacked strict resource budgets, allowing high-expansion ZIP/TAR archives to consume excessive CPU/memory/disk during install/update flows.

Archive extraction lacked strict resource budgets, allowing high-expansion ZIP/TAR archives to consume excessive CPU/memory/disk during install/update flows.

Browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins.

On Windows nodes, exec requests were executed via cmd.exe /d /s /c <rawCommand>. In allowlist/approval-gated mode, the allowlist analysis did not model Windows cmd.exe parsing and metacharacter behavior. A crafted command string could cause cmd.exe to interpret additional operations (for example command chaining via &, or expansion via %…% / !…!) beyond what was allowlisted/approved.

On Windows nodes, exec requests were executed via cmd.exe /d /s /c <rawCommand>. In allowlist/approval-gated mode, the allowlist analysis did not model Windows cmd.exe parsing and metacharacter behavior. A crafted command string could cause cmd.exe to interpret additional operations (for example command chaining via &, or expansion via %…% / !…!) beyond what was allowlisted/approved.

The OpenClaw Nostr channel plugin (optional, disabled by default, installed separately) exposes profile management HTTP endpoints under /api/channels/nostr/:accountId/profile (GET/PUT) and /api/channels/nostr/:accountId/profile/import (POST). In affected versions, these routes were dispatched via the gateway plugin HTTP layer without requiring gateway authentication, allowing unauthenticated remote callers to read or mutate the Nostr profile and persist changes to the gateway config. Profile updates are also published as a signed Nostr kind:0 event using the …

The OpenClaw Nostr channel plugin (optional, disabled by default, installed separately) exposes profile management HTTP endpoints under /api/channels/nostr/:accountId/profile (GET/PUT) and /api/channels/nostr/:accountId/profile/import (POST). In affected versions, these routes were dispatched via the gateway plugin HTTP layer without requiring gateway authentication, allowing unauthenticated remote callers to read or mutate the Nostr profile and persist changes to the gateway config. Profile updates are also published as a signed Nostr kind:0 event using the …

The gateway WebSocket connect handshake could allow skipping device identity checks when auth.token was present but not yet validated.

The gateway WebSocket connect handshake could allow skipping device identity checks when auth.token was present but not yet validated.

The Chrome extension relay (ensureChromeExtensionRelayServer) previously treated wildcard hosts (0.0.0.0 / ::) as loopback, which could make it bind the relay HTTP/WS server to all interfaces when a wildcard cdpUrl was passed.

The Chrome extension relay (ensureChromeExtensionRelayServer) previously treated wildcard hosts (0.0.0.0 / ::) as loopback, which could make it bind the relay HTTP/WS server to all interfaces when a wildcard cdpUrl was passed.

In affected versions, the Browser Relay /cdp WebSocket endpoint did not require an authentication token. As a result, a website running in the browser could potentially connect to the local relay (via loopback WebSocket) and use CDP to access cookies from other open tabs and run JavaScript in the context of other tabs.

In affected versions, the Browser Relay /cdp WebSocket endpoint did not require an authentication token. As a result, a website running in the browser could potentially connect to the local relay (via loopback WebSocket) and use CDP to access cookies from other open tabs and run JavaScript in the context of other tabs.

In the optional Twitch channel plugin (extensions/twitch), allowFrom is documented as a hard allowlist of Twitch user IDs, but it was not enforced as a hard gate. If allowedRoles is unset or empty, the access control path defaulted to allow, so any Twitch user who could mention the bot could reach the agent dispatch pipeline. Scope note: This only affects deployments that installed and enabled the Twitch plugin. Core OpenClaw …

In the optional Twitch channel plugin (extensions/twitch), allowFrom is documented as a hard allowlist of Twitch user IDs, but it was not enforced as a hard gate. If allowedRoles is unset or empty, the access control path defaulted to allow, so any Twitch user who could mention the bot could reach the agent dispatch pipeline. Scope note: This only affects deployments that installed and enabled the Twitch plugin. Core OpenClaw …

skills.status could disclose secrets to operator.read clients by returning raw resolved config values in configChecks for skill requires.config paths.

A mismatch between rawCommand and command[] in the node host system.run handler could cause allowlist/approval evaluation to be performed on one command while executing a different argv.

NOTE: This only affects deployments that enable the optional MS Teams extension (Teams channel). If you do not use MS Teams, you are not impacted. When OpenClaw downloads inbound MS Teams attachments / inline images, it may retry a URL with an Authorization: Bearer <token> header after receiving 401 or 403. Because the default download allowlist uses suffix matching (and includes some multi-tenant suffix domains), a message that references an …

NOTE: This only affects deployments that enable the optional MS Teams extension (Teams channel). If you do not use MS Teams, you are not impacted. When OpenClaw downloads inbound MS Teams attachments / inline images, it may retry a URL with an Authorization: Bearer <token> header after receiving 401 or 403. Because the default download allowlist uses suffix matching (and includes some multi-tenant suffix domains), a message that references an …

OpenClaw macOS desktop client registers the openclaw:// URL scheme. For openclaw://agent deep links without an unattended key, the app shows a confirmation dialog that previously displayed only the first 240 characters of the message, but executed the full message after the user clicked "Run". At the time of writing, the OpenClaw macOS desktop client is still in beta. An attacker could pad the message with whitespace to push a malicious …

In openclaw versions prior to 2026.2.13, OpenClaw logged certain WebSocket request headers (including Origin and User-Agent) without neutralization or length limits on the "closed before connect" path. If an unauthenticated client can reach the gateway and send crafted header values, those values may be written into core logs. Under workflows where logs are later read or interpreted by an LLM (for example via AI-assisted debugging), this can increase the risk …

In affected versions, OpenClaw's optional @openclaw/voice-call plugin Telnyx webhook handler could accept unsigned inbound webhook requests when telnyx.publicKey was not configured, allowing unauthenticated callers to forge Telnyx events. This only impacts deployments where the Voice Call plugin is installed, enabled, and the webhook endpoint is reachable from the attacker (for example, publicly exposed via a tunnel/proxy).

The issue is not deterministic session keys by itself. The exploitable path was accepting externally supplied sessionKey values on authenticated hook ingress, allowing a hook token holder to route messages into chosen sessions.

An authentication bypass in the optional voice-call extension/plugin allowed unapproved or anonymous callers to reach the voice-call agent when inbound policy was set to allowlist or pairing. Deployments that do not install/enable the voice-call extension are not affected.

An authentication bypass in the optional voice-call extension/plugin allowed unapproved or anonymous callers to reach the voice-call agent when inbound policy was set to allowlist or pairing. Deployments that do not install/enable the voice-call extension are not affected.

Exec approvals allowlist bypass via command substitution/backticks inside double quotes.

Exec approvals allowlist bypass via command substitution/backticks inside double quotes.

In OpenClaw versions prior to 2026.2.12, the gateway accepted an untrusted sessionFile path when resolving the session transcript file. This could allow an authenticated gateway client to create and append OpenClaw session transcript records at an arbitrary path on the gateway host.

In OpenClaw versions prior to 2026.2.12, the gateway accepted an untrusted sessionFile path when resolving the session transcript file. This could allow an authenticated gateway client to create and append OpenClaw session transcript records at an arbitrary path on the gateway host.

The BlueBubbles webhook handler previously treated any request whose socket remoteAddress was loopback (127.0.0.1, ::1, ::ffff:127.0.0.1) as authenticated. When OpenClaw Gateway is behind a reverse proxy (Tailscale Serve/Funnel, nginx, Cloudflare Tunnel, ngrok), the proxy typically connects to the gateway over loopback, allowing unauthenticated remote requests to bypass the configured webhook password. This could allow an attacker who can reach the proxy endpoint to inject arbitrary inbound BlueBubbles message/reaction events.

The BlueBubbles webhook handler previously treated any request whose socket remoteAddress was loopback (127.0.0.1, ::1, ::ffff:127.0.0.1) as authenticated. When OpenClaw Gateway is behind a reverse proxy (Tailscale Serve/Funnel, nginx, Cloudflare Tunnel, ngrok), the proxy typically connects to the gateway over loopback, allowing unauthenticated remote requests to bypass the configured webhook password. This could allow an attacker who can reach the proxy endpoint to inject arbitrary inbound BlueBubbles message/reaction events.

In Telegram webhook mode, if channels.telegram.webhookSecret is not set, OpenClaw may accept webhook HTTP requests without verifying Telegram’s secret token header. In deployments where the webhook endpoint is reachable by an attacker, this can allow forged Telegram updates (for example spoofing message.from.id). Note: Telegram webhook mode is not enabled by default. It is enabled only when channels.telegram.webhookUrl is configured.

OpenClaw's SSRF protection could be bypassed using full-form IPv4-mapped IPv6 literals such as 0:0:0:0:0:ffff:7f00:1 (which is 127.0.0.1). This could allow requests that should be blocked (loopback / private network / link-local metadata) to pass the SSRF guard. Vulnerable component: SSRF guard (src/infra/net/ssrf.ts) Issue type: SSRF protection bypass

When Telegram webhook mode is enabled without a configured webhook secret, OpenClaw may accept unauthenticated HTTP POST requests at the Telegram webhook endpoint and trust attacker-controlled update JSON. This can allow forged Telegram updates that spoof message.from.id / chat.id, potentially bypassing sender allowlists and executing privileged bot commands.

When Telegram webhook mode is enabled without a configured webhook secret, OpenClaw may accept unauthenticated HTTP POST requests at the Telegram webhook endpoint and trust attacker-controlled update JSON. This can allow forged Telegram updates that spoof message.from.id / chat.id, potentially bypassing sender allowlists and executing privileged bot commands.

OpenClaw's plugin installation path derivation could be abused by a malicious plugin package.json name to escape the intended extensions directory and write files to a parent directory.

OpenClaw's plugin installation path derivation could be abused by a malicious plugin package.json name to escape the intended extensions directory and write files to a parent directory.

OpenClaw Matrix DM allowlist matching could be bypassed in certain configurations. Matrix support ships as an optional plugin (not bundled with the core install), so this only affects deployments that have installed and enabled the Matrix plugin.

OpenClaw Matrix DM allowlist matching could be bypassed in certain configurations. Matrix support ships as an optional plugin (not bundled with the core install), so this only affects deployments that have installed and enabled the Matrix plugin.

The Feishu extension previously allowed sendMediaFeishu to treat attacker-controlled mediaUrl values as local filesystem paths and read them directly.

Google Chat allowlisting supports matching by sender email in addition to immutable sender resource name (users/<id>). This weakens identity binding if a deployment assumes allowlists are strictly keyed by immutable principals.

The Gateway tool accepted a tool-supplied gatewayUrl without sufficient restrictions, which could cause the OpenClaw host to attempt outbound WebSocket connections to user-specified targets.

In affected versions, the optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopback (127.0.0.1, ::1, ::ffff:127.0.0.1) even when the configured webhook secret was missing or incorrect. This does not affect the default iMessage integration unless BlueBubbles is installed and enabled.

A gateway client authenticated with a device token scoped only to operator.write (without operator.approvals) could approve/deny pending exec approval requests by sending a chat message containing the built-in /approve command. exec.approval.resolve is correctly scoped to operator.approvals for direct RPC calls, but the /approve command path invoked it via an internal privileged gateway client.

A gateway client authenticated with a device token scoped only to operator.write (without operator.approvals) could approve/deny pending exec approval requests by sending a chat message containing the built-in /approve command. exec.approval.resolve is correctly scoped to operator.approvals for direct RPC calls, but the /approve command path invoked it via an internal privileged gateway client.

Versions of the openclaw npm package prior to 2026.2.2 could be coerced into fetching arbitrary http(s) URLs during attachment/media hydration. An attacker who can influence the media URL (for example via model-controlled sendAttachment or auto-reply media URLs) could trigger SSRF to internal resources and exfiltrate the fetched bytes as an outbound attachment.

Versions of the openclaw npm package prior to 2026.2.2 could be coerced into fetching arbitrary http(s) URLs during attachment/media hydration. An attacker who can influence the media URL (for example via model-controlled sendAttachment or auto-reply media URLs) could trigger SSRF to internal resources and exfiltrate the fetched bytes as an outbound attachment.

A server-side request forgery (SSRF) vulnerability in the Image tool allowed attackers to force OpenClaw to make HTTP requests to arbitrary internal or restricted network targets.

When the Slack integration is enabled, Slack channel metadata (topic/description) could be incorporated into the model's system prompt.

An unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user.

An unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user.

The isValidMedia() function in src/media/parse.ts allows arbitrary file paths including absolute paths, home directory paths, and directory traversal sequences. An agent can read any file on the system by outputting MEDIA:/path/to/file, exfiltrating sensitive data to the user/channel.