SB2026033182 - Multiple vulnerabilities in OpenClaw
Published: March 31, 2026 Updated: May 1, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 17 vulnerabilities.
1) Path traversal (CVE-ID: CVE-2026-3689)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error within the handling of the path parameters provided to the canvas gateway endpoint. A remote user can send a specially crafted HTTP request and read arbitrary files on the system.
2) Authentication Bypass by Spoofing (CVE-ID: CVE-2026-32045)
CWE-ID: CWE-290 - Authentication Bypass by Spoofing
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass authentication requirements for HTTP routes.
The vulnerability exists due to authentication bypass by spoofing in gateway authentication when tokenless Tailscale header authentication is enabled for HTTP gateway auth call sites. A remote attacker can send requests using forwarded-header authentication to bypass authentication requirements for HTTP routes.
Only trusted-network deployments with tokenless Tailscale auth enabled are affected.
3) Incomplete List of Disallowed Inputs (CVE-ID: CVE-2026-32022)
CWE-ID: CWE-184 - Incomplete List of Disallowed Inputs
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to incomplete list of disallowed inputs in tools.exec.safeBins grep policy handling in src/infra/exec-safe-bin-policy.ts when processing grep arguments with -e or --regexp. A remote user can supply a grep command with a regexp flag and a bare filename operand to disclose sensitive information.
Exploitation requires grep to be explicitly included in the safe-bin list, and the issue affects flows expected to be stdin-only.
4) Externally Controlled Reference to a Resource in Another Sphere (CVE-ID: CVE-2026-32008)
CWE-ID: CWE-610 - Externally Controlled Reference to a Resource in Another Sphere
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to externally controlled reference to a resource in another sphere in assertBrowserNavigationAllowed() in src/browser/navigation-guard.ts when handling browser navigation to non-network URL schemes. A remote user can navigate a browser session to a crafted file:// URL to disclose sensitive information.
Only instances with browser tooling enabled are vulnerable, and exploitation requires the ability to invoke browser actions.
5) Improper Neutralization of Argument Delimiters in a Command (CVE-ID: CVE-2026-22168)
CWE-ID: CWE-88 - Argument Injection or Modification
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute commands on the trusted Windows node process account.
The vulnerability exists due to improper neutralization of argument delimiters in the system.run cmd.exe /c handling path when processing system.run requests with cmd.exe /c trailing arguments through the approvals flow. A remote user can submit a request with extra trailing arguments to execute commands on the trusted Windows node process account.
The approval and audit text may reflect only a benign command string while the full argument tail is executed.
6) Missing Authentication for Critical Function (CVE-ID: CVE-2026-32896)
CWE-ID: CWE-306 - Missing Authentication for Critical Function
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to send unauthenticated webhook events.
The vulnerability exists due to missing authentication in extensions/bluebubbles webhook handler when handling incoming webhook events in deployments where webhook password authentication is not configured. A remote attacker can send a crafted webhook request to send unauthenticated webhook events.
Only deployments using the optional BlueBubbles plugin with custom or manual configurations that omitted webhook password authentication are vulnerable.
7) Command injection (CVE-ID: CVE-2026-32063)
CWE-ID: CWE-77 - Command injection
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary commands.
The vulnerability exists due to improper neutralization of special elements in systemd unit generation in src/daemon/systemd-unit.ts when rendering Environment= entries from attacker-controlled configuration values. A local user can supply a crafted environment value containing a newline and injected systemd directives to execute arbitrary commands.
Exploitation requires the attacker to influence config.env.vars, invoke the install or reinstall path to write the unit file, and have the service restarted. The injected command runs with the privileges of the OpenClaw gateway service user.
8) Prototype pollution (CVE-ID: CVE-2026-27524)
CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes (\'Prototype Pollution\')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify object prototype attributes.
The vulnerability exists due to improperly controlled modification of object prototype attributes in the runtime /debug set override handler when processing override object values containing prototype-reserved keys. A remote user can send a crafted override object to modify object prototype attributes.
The issue affects runtime in-memory overrides only and exploitation requires the /debug feature to be enabled.
9) Improper Authorization (CVE-ID: CVE-2026-32034)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to gain privileged operator access.
The vulnerability exists due to improper authorization in the Control UI authentication mechanism when the gateway is exposed over plaintext HTTP with insecure authentication enabled. A remote user can use leaked or intercepted credentials to gain privileged operator access.
Exploitation requires the operator to have explicitly enabled gateway.controlUi.allowInsecureAuth: true and exposed the gateway over plaintext HTTP.
10) External Control of System or Configuration Setting (CVE-ID: N/A)
CWE-ID: CWE-15 - External Control of System or Configuration Setting
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local privileged user to execute unintended shell commands.
The vulnerability exists due to external control of system or configuration settings in spawned shell command execution paths when attacker-controlled environment values are inherited by shell startup processing. A local privileged user can supply crafted BASH_ENV or ENV values to execute unintended shell commands.
Exploitation requires influence over configuration or environment inputs.
11) Reliance on Untrusted Inputs in a Security Decision (CVE-ID: CVE-2026-32029)
CWE-ID: CWE-807 - Reliance on Untrusted Inputs in a Security Decision
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to spoof the client ip used in security decisions.
The vulnerability exists due to reliance on untrusted inputs in a security decision in X-Forwarded-For header parsing when processing requests forwarded by trusted proxies that append or preserve header values. A remote attacker can supply a crafted X-Forwarded-For header to spoof the client ip used in security decisions.
The issue affects deployments behind trusted proxies with non-recommended forwarding behavior.
12) Execution with unnecessary privileges (CVE-ID: N/A)
CWE-ID: CWE-250 - Execution with Unnecessary Privileges
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to facilitate container breakout after compromising a process in an affected container.
The vulnerability exists due to execution with unnecessary privileges in scripts/e2e/ and scripts/docker/ Dockerfiles when running containers built from the affected images. A remote attacker can compromise a process in the container to facilitate container breakout after compromising a process in an affected container.
Test images share the same base image family as production images, creating a risk of accidental deployment of root-running images.
13) Protection Mechanism Failure (CVE-ID: CVE-2026-32046)
CWE-ID: CWE-693 - Protection Mechanism Failure
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to weaken browser isolation.
The vulnerability exists due to protection mechanism failure in the sandbox browser container when launching Chromium with the --no-sandbox option enabled by default. A remote attacker can exploit a renderer-side bug to weaken browser isolation.
Exploitation removes the need for a separate sandbox escape after renderer compromise.
14) Missing Authentication for Critical Function (CVE-ID: CVE-2026-32064)
CWE-ID: CWE-306 - Missing Authentication for Critical Function
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to access the noVNC observer session without authentication.
The vulnerability exists due to missing authentication for a critical function in x11vnc noVNC observer sessions when launching the sandbox browser entrypoint. A local attacker can connect to the exposed VNC service to access the noVNC observer session without authentication.
By default, the noVNC port is published only to host loopback, unless operators expose it more broadly or run the image standalone with broad port publishing.
15) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to access canvas routes beyond intended authorization boundaries.
The vulnerability exists due to improper access control in canvas routes when handling network-visible canvas access requests in mixed-trust deployments. A remote attacker can send requests without an explicit token or session capability to access canvas routes beyond intended authorization boundaries.
Risk is highest in non-loopback or mixed-trust environments.
16) Path traversal (CVE-ID: N/A)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper limitation of a pathname to a restricted directory in the MCP tool result media processing pipeline when processing MCP tool result content containing injected MEDIA: directives or details.path values. A remote attacker can return a specially crafted tool result to disclose sensitive information.
If auto-reply is enabled, exploitation can occur without user interaction.
17) External Control of System or Configuration Setting (CVE-ID: CVE-2026-4039)
CWE-ID: CWE-15 - External Control of System or Configuration Setting
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to influence runtime or child-process behavior.
The vulnerability exists due to external control of system or configuration setting in applySkillConfigEnvOverrides when copying skills.entries.*.env values into the host process environment. A local user can modify local OpenClaw state or configuration to inject dangerous environment variables and influence runtime or child-process behavior.
Dangerous process-level variables such as NODE_OPTIONS may be injected when they are unset.
Remediation
Install update from vendor's website.
References
- https://www.zerodayinitiative.com/advisories/ZDI-26-227/
- https://github.com/openclaw/openclaw/security/advisories/GHSA-jq4x-98m3-ggq6
- https://github.com/openclaw/openclaw/security/advisories/GHSA-hff7-ccv5-52f8
- https://github.com/openclaw/openclaw/commit/356d61aacfa5b0f1d5830716ec59d70682a3e7b8
- https://github.com/openclaw/openclaw/security/advisories/GHSA-3xfw-4pmr-4xc5
- https://github.com/openclaw/openclaw/commit/c6ee14d60e4cbd6a82f9b2d74ebeb1e8ee814964
- https://github.com/openclaw/openclaw/security/advisories/GHSA-45cg-2683-gfmq
- https://github.com/openclaw/openclaw/commit/220bd95eff6838234e8b4b711f86d4565e16e401
- https://github.com/openclaw/openclaw/security/advisories/GHSA-5v6x-rfc3-7qfr
- https://github.com/openclaw/openclaw/commit/6007941f04df1edcca679dd6c95949744fdbd4df
- https://github.com/openclaw/openclaw/security/advisories/GHSA-5mx2-2mgw-x8rm
- https://github.com/openclaw/openclaw/commit/6b2f2811dc623e5faaf2f76afaa9279637174590
- https://github.com/openclaw/openclaw/security/advisories/GHSA-vffc-f7r7-rx2w
- https://github.com/openclaw/openclaw/commit/61f646c41fb43cd87ed48f9125b4718a30d38e84
- https://github.com/openclaw/openclaw/security/advisories/GHSA-62f6-mrcj-v8h5
- https://github.com/openclaw/openclaw/commit/fbb79d4013000552d6a2c23b9613d8b3cb92f6b6
- https://github.com/openclaw/openclaw/security/advisories/GHSA-3cvx-236h-m9fj
- https://github.com/openclaw/openclaw/pull/20684
- https://github.com/openclaw/openclaw/security/advisories/GHSA-w9cg-v44m-4qv8
- https://github.com/openclaw/openclaw/commit/2cdbadee1f8fcaa93302d7debbfc529e19868ea4
- https://github.com/openclaw/openclaw/security/advisories/GHSA-2rgf-hm63-5qph
- https://github.com/openclaw/openclaw/commit/07039dc089e51589a213ec0d16f8d6f2cd871fa1
- https://github.com/openclaw/openclaw/security/advisories/GHSA-w7j5-j98m-w679
- https://github.com/openclaw/openclaw/commit/28e1a65ebc580f07533966f5693f4df0a18d7085
- https://github.com/openclaw/openclaw/security/advisories/GHSA-43x4-g22p-3hrq
- https://github.com/openclaw/openclaw/commit/e7eba01efc4c3c400e9cfd3ce3d661cbc788a631
- https://github.com/openclaw/openclaw/security/advisories/GHSA-25gx-x37c-7pph
- https://github.com/openclaw/openclaw/commit/621d8e1312482f122f18c43c72c67211b141da01
- https://github.com/openclaw/openclaw/security/advisories/GHSA-cjv3-m589-v3rx
- https://github.com/openclaw/openclaw/commit/c45f3c5b004c8d63dc0e282e2176f8c9355d24f1
- https://github.com/openclaw/openclaw/security/advisories/GHSA-jjgj-cpp9-cvpv
- https://github.com/openclaw/openclaw/security/advisories/GHSA-82g8-464f-2mv7
- https://github.com/openclaw/openclaw/commit/8c9f35cdb51692b650ddf05b259ccdd75cc9a83c