SB2026033184 - Multiple vulnerabilities in OpenClaw
Published: March 31, 2026 Updated: May 1, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 19 vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2026-3691)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the exposure of sensitive data in the authorization URL query string within the implementation of OAuth authorization. A remote attacker can gain unauthorized access to sensitive information on the system.
2) Incorrect authorization (CVE-ID: CVE-2026-32042)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to improper access control in the operator pairing and scope assignment logic when attaching an unpaired device identity using shared gateway authentication. A remote user can present a self-signed, unpaired device identity and request elevated operator scopes to escalate privileges.
The issue can allow assignment of higher operator scopes, including operator.admin, before pairing approval.
3) Link following (CVE-ID: CVE-2026-32013)
CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to read and write arbitrary files on the host system.
The vulnerability exists due to improper link resolution before file access in the gateway agents.files.get and agents.files.set methods when processing allowlisted workspace files that are symlinks. A remote user can use a symlinked allowlisted file such as AGENTS.md to access files outside the workspace and read and write arbitrary files on the host system.
Chained impact may include code execution depending on which files are overwritten.
4) Information disclosure (CVE-ID: N/A)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to expose a PKCE verifier.
The vulnerability exists due to exposure of sensitive information in the macOS app beta onboarding OAuth flow when handling Anthropic OAuth sign-in. A remote attacker can obtain exposed OAuth state values together with OAuth authorization artifacts to expose a PKCE verifier.
The issue is limited to the macOS beta onboarding OAuth path and does not affect the core CLI or gateway onboarding paths.
5) Authentication Bypass by Capture-replay (CVE-ID: CVE-2026-28449)
CWE-ID: CWE-294 - Authentication Bypass by Capture-replay
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to trigger duplicate inbound processing.
The vulnerability exists due to authentication bypass by capture-replay in the Nextcloud Talk webhook path when handling previously valid signed webhook requests without durable replay suppression. A remote attacker can replay a captured signed request to trigger duplicate inbound processing.
The issue is limited to deployments using the Nextcloud Talk webhook integration and may be triggered after replay-window expiry or process restart.
6) Server-Side Request Forgery (SSRF) (CVE-ID: N/A)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass SSRF preflight checks.
The vulnerability exists due to improper restriction of destination addresses in the SSRF IP classifier when processing IPv6 multicast literals. A remote attacker can supply a URL containing an IPv6 multicast literal to bypass SSRF preflight checks.
OpenClaw's network fetch and navigation paths are constrained to HTTP/HTTPS.
7) Incorrect authorization (CVE-ID: CVE-2026-32050)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to inject an unauthorized reaction status line into agent context.
The vulnerability exists due to incorrect authorization in src/signal/monitor/event-handler.ts when handling reaction-only inbound events. A remote user can send a reaction-only inbound event to inject an unauthorized reaction status line into agent context.
Only reaction-only inbound events with reaction notifications enabled are affected. Normal DM delivery and direct host command execution are not directly enabled.
8) Incorrect authorization (CVE-ID: N/A)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to inject unauthorized system events.
The vulnerability exists due to incorrect authorization in Telegram message_reaction handling when processing reaction notifications. A remote attacker can send reaction updates from an unauthorized sender to inject unauthorized system events.
Only instances with reaction notifications enabled are vulnerable.
9) Link following (CVE-ID: CVE-2026-32054)
CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to overwrite arbitrary files.
The vulnerability exists due to improper link resolution before file access in browser trace/download output path handling when processing attacker-influenced output paths in the managed temp root. A local user can create a symlink path that escapes the temp root to overwrite arbitrary files.
Exploitation requires a relevant local foothold and the ability to influence output paths.
10) Incorrect authorization (CVE-ID: CVE-2026-32028)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to enqueue unauthorized reaction-derived system events.
The vulnerability exists due to incorrect authorization in the Discord DM reaction-notification ingress path when processing reactions to bot-authored direct messages in restricted DM setups. A remote user can react to a bot-authored DM message to enqueue unauthorized reaction-derived system events.
This issue is limited to reaction-based ingress and does not directly execute commands; practical impact depends on downstream automation or tool policy.
11) Reliance on Untrusted Inputs in a Security Decision (CVE-ID: CVE-2026-32057)
CWE-ID: CWE-807 - Reliance on Untrusted Inputs in a Security Decision
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass an authorization boundary.
The vulnerability exists due to reliance on untrusted inputs in a security decision in the trusted-proxy Control UI pairing logic when handling websocket connections with a user-controlled client.id value. A remote user can supply client.id=control-ui to bypass an authorization boundary.
Exploitation requires trusted-proxy authentication to be enabled, and an authenticated session with the node role can connect unpaired and reach node event methods.
12) Interpretation Conflict (CVE-ID: CVE-2026-32065)
CWE-ID: CWE-436 - Interpretation Conflict
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute an unexpected command.
The vulnerability exists due to interpretation conflict in the system.run approval identity handling when processing command argv containing a crafted trailing-space executable token. A remote user can supply a crafted command argv and reuse or obtain a matching approval context to execute an unexpected command.
The command may run under the OpenClaw runtime user, and the executed binary can differ from the one shown to the approver.
13) Link following (CVE-ID: N/A)
CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to read or modify files outside the workspace boundary.
The vulnerability exists due to improper link resolution before file access in workspace-only filesystem checks when processing in-workspace hardlink aliases that reference files outside the workspace. A remote user can create or use an in-workspace hardlink alias to read or modify files outside the workspace boundary.
This primarily affects deployments that explicitly enable workspace-only filesystem restrictions, including workspace-only apply_patch checks. By default, tools.fs.workspaceOnly is off.
14) Incorrect authorization (CVE-ID: CVE-2026-32899)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to introduce unauthorized reaction or pin context signals.
The vulnerability exists due to incorrect authorization in Slack non-message event handlers when processing reaction_* and pin_* events before applying sender-policy checks consistently. A remote attacker can send unauthorized non-message events to introduce unauthorized reaction or pin context signals.
The issue affects system-event context for non-message Slack ingress.
15) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2026-32043)
CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute approved commands in an unintended working directory.
The vulnerability exists due to a time-of-check time-of-use race condition in system.run on node hosts when resolving a symlinked cwd between approval and execution. A remote user can retarget the symlink after approval and before process spawn to execute approved commands in an unintended working directory.
The issue affects approval-bound command execution where cwd is provided as a symlink path.
16) Link following (CVE-ID: N/A)
CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper link resolution before file access in resolveSandboxedMediaSource() and resolvePreferredOpenClawTmpDir() when processing media paths through the fallback tmp flow. A remote attacker can submit a crafted media path via a symlink alias tmp root to disclose sensitive information.
Exploitation requires the fallback tmp root to be a symlink alias and occurs when /tmp/openclaw is unavailable or unsafe.
17) Authorization bypass through user-controlled key (CVE-ID: N/A)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to interfere with another conversation's pending file upload.
The vulnerability exists due to authorization bypass through user-controlled key in the MS Teams file-consent invoke handler when processing fileConsent/invoke requests using an uploadId without verifying the originating conversation. A remote attacker can submit a valid uploadId within its time-to-live to interfere with another conversation's pending file upload.
The issue affects both the accept path for cross-conversation upload completion and the decline path for canceling a victim pending upload.
18) Incorrect authorization (CVE-ID: CVE-2026-32005)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass sender restrictions and enqueue system-event text into an active session.
The vulnerability exists due to incorrect authorization in Slack interactive callback handling when processing shared-workspace interactive callbacks before full sender authorization checks. A remote user can send a crafted interactive callback to bypass sender restrictions and enqueue system-event text into an active session.
The issue affects the block_action, view_submission, and view_closed callback flows in shared Slack workspace deployments that rely on allowFrom, DM policy, or channel user allowlists.
19) Improper Restriction of Excessive Authentication Attempts (CVE-ID: CVE-2026-32025)
CWE-ID: CWE-307 - Improper Restriction of Excessive Authentication Attempts
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to establish an authenticated operator WebSocket session.
The vulnerability exists due to improper authentication in the WebSocket authentication flow when a browser-origin client connects to the loopback gateway and performs password authentication. A remote attacker can trick the victim into opening attacker-controlled web content and brute-force the gateway password to establish an authenticated operator WebSocket session.
Exploitation requires the gateway to be reachable on loopback, password authentication mode to be enabled, and the password to be guessable within feasible brute-force or dictionary attempts.
Remediation
Install update from vendor's website.
References
- https://www.zerodayinitiative.com/advisories/ZDI-26-229/
- https://github.com/openclaw/openclaw/security/advisories/GHSA-6g25-pc82-vfwp
- https://github.com/openclaw/openclaw/security/advisories/GHSA-553v-f69r-656j
- https://github.com/openclaw/openclaw/security/advisories/GHSA-fgvx-58p6-gjwc
- https://github.com/openclaw/openclaw/security/advisories/GHSA-r9q5-c7qc-p26w
- https://github.com/openclaw/openclaw/security/advisories/GHSA-h97f-6pqj-q452
- https://github.com/openclaw/openclaw/security/advisories/GHSA-792q-qw95-f446
- https://github.com/openclaw/openclaw/security/advisories/GHSA-qj22-xqjr-v83v
- https://github.com/openclaw/openclaw/commit/e56b0cf1a04f992ac6ebc775899f48ea31687640
- https://github.com/openclaw/openclaw/security/advisories/GHSA-36h3-7c54-j27r
- https://github.com/openclaw/openclaw/commit/496a76c03ba85e15ea715e5a583e498ae04d36e3
- https://github.com/openclaw/openclaw/security/advisories/GHSA-354r-7mfh-7rh2
- https://github.com/openclaw/openclaw/commit/aedf62ac7e669a89c7b299201bf6537dc6b12e0e
- https://github.com/openclaw/openclaw/security/advisories/GHSA-vvgp-4c28-m3jm
- https://github.com/openclaw/openclaw/commit/ec45c317f5d0631a3d333b236da58c4749ede2a3
- https://github.com/openclaw/openclaw/security/advisories/GHSA-hwpq-rrpf-pgcq
- https://github.com/openclaw/openclaw/commit/03e689fc89bbecbcd02876a95957ef1ad9caa176
- https://github.com/openclaw/openclaw/security/advisories/GHSA-3jx4-q2m7-r496
- https://github.com/openclaw/openclaw/commit/04d91d0319b82fd4de91ed05e9fc5219ff2ab64e
- https://github.com/openclaw/openclaw/security/advisories/GHSA-rm2p-j3r7-4x4j
- https://github.com/openclaw/openclaw/security/advisories/GHSA-mwcg-wfq3-4gjc
- https://github.com/openclaw/openclaw/security/advisories/GHSA-xmv6-r34m-62p4
- https://github.com/openclaw/openclaw/security/advisories/GHSA-j26j-7qc4-3mrf
- https://github.com/openclaw/openclaw/commit/347f7b9550064f5f5b33c6e07f64e85b9657b6f1
- https://github.com/openclaw/openclaw/security/advisories/GHSA-x2ff-j5c2-ggpr
- https://github.com/openclaw/openclaw/commit/ce8c67c314b93f570f53c2a9abc124e1e3a54715
- https://github.com/openclaw/openclaw/security/advisories/GHSA-jmmg-jqc7-5qf4