SB2026040835 - Multiple vulnerabilities in OpenClaw
Published: April 8, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 12 secuirty vulnerabilities.
1) Incorrect authorization (CVE-ID: CVE-2026-32035)
The vulnerability allows a remote user to access owner-only tool surfaces.
The vulnerability exists due to incorrect authorization in the Discord voice transcript path and agentCommand(...) when processing voice transcript turns without senderIsOwner. A remote user can participate in the same Discord voice channel and trigger transcript-driven commands to access owner-only tool surfaces.
Exploitation requires Discord voice to be enabled and the bot to be present in a channel with non-owner participants. User interaction is required.
2) Server-Side Request Forgery (SSRF) (CVE-ID: N/A)
The vulnerability allows a remote user to cause gateway-host fetches to off-node destinations and disclose limited information, modify limited data, or affect availability.
The vulnerability exists due to server-side request forgery (SSRF) in camera URL payload handling when processing user-supplied camera.snap, camera.clip, camera_snap, or camera_clip URL fields. A remote user can supply a crafted URL to cause gateway-host fetches to off-node destinations and disclose limited information, modify limited data, or affect availability.
User interaction is required, and exploitation is limited to deployments where paired nodes are not fully trusted.
3) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2026-27670)
The vulnerability allows a local user to write files outside the intended destination directory.
The vulnerability exists due to time-of-check time-of-use race condition in ZIP extraction in src/infra/archive.ts when processing ZIP archives. A local user can rebind a parent-directory symlink between path validation and the final write to write files outside the intended destination directory.
4) Link following (CVE-ID: CVE-2026-31990)
The vulnerability allows a remote attacker to overwrite files outside the sandbox workspace.
The vulnerability exists due to improper link resolution before file access in stageSandboxMedia when handling inbound files during media staging. A remote attacker can place or leverage a symlink in the destination path to overwrite files outside the sandbox workspace.
The issue affects destination writes under media/inbound that follow symlinks outside the intended sandbox workspace boundary.
5) Authentication bypass using an alternate path or channel (CVE-ID: CVE-2026-32004)
The vulnerability allows a remote user to bypass authentication controls.
The vulnerability exists due to authentication bypass using an alternate path or channel in plugin /api/channels route classification when handling deeply encoded alternate-path requests. A remote user can send a specially crafted encoded request to bypass authentication controls.
Exploitation requires deployments that expose plugin HTTP routes and rely on gateway authentication for /api/channels/* protection.
6) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2026-22181)
The vulnerability allows a remote user to access internal or private network targets.
The vulnerability exists due to a time-of-check time-of-use race condition in strict URL fetch paths when environment proxy variables are configured. A remote user can supply an attacker-influenced URL to access internal or private network targets.
The issue affects strict web-tool flows such as web_fetch and citation redirect resolution, where check-time destination validation can differ from connect-time routing through an environment proxy dispatcher.
7) Improper Neutralization of Argument Delimiters in a Command (CVE-ID: CVE-2026-29608)
The vulnerability allows a local user to execute unintended local scripts.
The vulnerability exists due to improper neutralization of argument delimiters in system.run approval hardening in the node host when rewriting wrapper command argv. A local user can influence wrapper argv and place a local file in the approved working directory to execute unintended local scripts.
User interaction is required because the operator must approve the displayed command.
8) Improper privilege management (CVE-ID: N/A)
The vulnerability allows a remote user to bypass the sandbox boundary and initialize the host-side ACP runtime.
The vulnerability exists due to improper privilege management in sessions_spawn(runtime="acp") when handling sandboxed spawn requests. A remote privileged user can invoke sessions_spawn with runtime="acp" to bypass the sandbox boundary and initialize the host-side ACP runtime.
The issue arises because sandbox inheritance checks enforced for runtime="subagent" were not equivalently enforced for runtime="acp".
9) Link following (CVE-ID: CVE-2026-22180)
The vulnerability allows a local user to write files outside intended roots.
The vulnerability exists due to improper link resolution before file access in browser output handling and related write paths when processing path-boundary flows. A local user can use a crafted path or symlink rebind to write files outside intended roots.
The issue involves browser output as well as related install and skills write paths.
10) Resource exhaustion (CVE-ID: CVE-2026-32011)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in webhook handlers for BlueBubbles and Google Chat when parsing request bodies before authentication and signature checks. A remote attacker can send slow or oversized request bodies to cause a denial of service.
11) Improper handling of highly compressed data (CVE-ID: CVE-2026-32044)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in the tar.bz2 installer path in src/agents/skills-install-download.ts when processing untrusted .tar.bz2 skill archives. A remote attacker can trick the victim into opening a crafted archive to cause a denial of service.
User interaction is required to process the crafted archive during skill install.
12) Incorrect authorization (CVE-ID: N/A)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to incorrect authorization in the image tool path resolution when processing image paths with tools.fs.workspaceOnly enabled. A remote attacker can supply a crafted image path to disclose sensitive information.
The issue affects access to sandbox bridge mounts outside the workspace that other file tools would reject.
Remediation
Install update from vendor's website.
References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-wpg9-4g4v-f9rc
- https://github.com/openclaw/openclaw/security/advisories/GHSA-2858-xg23-26fp
- https://github.com/openclaw/openclaw/security/advisories/GHSA-r54r-wmmq-mh84
- https://github.com/openclaw/openclaw/security/advisories/GHSA-cfvj-7rx7-fc7c
- https://github.com/openclaw/openclaw/security/advisories/GHSA-v865-p3gq-hw6m
- https://github.com/openclaw/openclaw/security/advisories/GHSA-8mvx-p2r9-r375
- https://github.com/openclaw/openclaw/security/advisories/GHSA-h3rm-6x7g-882f
- https://github.com/openclaw/openclaw/security/advisories/GHSA-474h-prjg-mmw3
- https://github.com/openclaw/openclaw/security/advisories/GHSA-3pxq-f3cp-jmxp
- https://github.com/openclaw/openclaw/security/advisories/GHSA-x4vp-4235-65hg
- https://github.com/advisories/GHSA-x4vp-4235-65hg
- https://github.com/openclaw/openclaw/security/advisories/GHSA-77hf-7fqf-f227
- https://github.com/openclaw/openclaw/security/advisories/GHSA-cfp9-w5v9-3q4h