SB2026040838 - Multiple vulnerabilities in OpenClaw
Published: April 8, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 17 secuirty vulnerabilities.
1) Incorrect authorization (CVE-ID: CVE-2026-32978)
The vulnerability allows a remote user to execute rewritten local code.
The vulnerability exists due to incorrect authorization in the node-host system.run approval mechanism when handling script-runner commands with mutable file operands. A remote user can obtain approval for a benign script-runner command and then rewrite the referenced script on disk to execute rewritten local code.
User interaction is required for operator approval, and the issue affects unrecognized script runners such as tsx and jiti.
2) Incorrect authorization (CVE-ID: CVE-2026-32923)
The vulnerability allows a remote user to inject reaction text into downstream session context.
The vulnerability exists due to incorrect authorization in Discord guild reaction ingress when handling reaction events for guild channels. A remote user can send a reaction from a non-allowlisted guild member account to inject reaction text into downstream session context.
Accepted reactions are queued as trusted system events for the target session.
3) Improper access control (CVE-ID: CVE-2026-32302)
The vulnerability allows a remote attacker to disclose sensitive information and perform unauthorized modifications.
The vulnerability exists due to improper access control in the WebSocket handshake logic when handling browser-originated WebSocket connections in trusted-proxy mode with proxy headers present. A remote attacker can trick a victim into loading a malicious page that establishes a cross-site WebSocket connection to disclose sensitive information and perform unauthorized modifications.
User interaction is required, and the issue affects deployments that expose the Gateway behind a trusted reverse proxy and rely on browser origin checks to restrict browser access.
4) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2026-32977)
The vulnerability allows a local user to modify files outside the validated sandbox path.
The vulnerability exists due to a time-of-check time-of-use race condition in the sandbox fs-bridge writeFile commit step when committing a file after path validation. A local user can race parent-path changes inside the sandbox to modify files outside the validated sandbox path.
This issue is a sandbox boundary bypass within the container mount namespace.
5) Improper privilege management (CVE-ID: CVE-2026-32922)
The vulnerability allows a remote user to escalate privileges and execute arbitrary code.
The vulnerability exists due to improper privilege management in device.token.rotate when rotating device tokens for an already paired device. A remote user can mint a token with broader scopes than their own to escalate privileges and execute arbitrary code.
Exploitation can reach node-level code execution on deployments with connected node hosts or companion apps that expose system.run; otherwise, the issue grants unauthorized gateway-admin access.
6) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2026-32979)
The vulnerability allows a local user to execute unintended local code.
The vulnerability exists due to a time-of-check time-of-use race condition in node-host system.run approval handling when executing interpreter and runtime commands after approval planning. A local user can modify an approved local script before execution to execute unintended local code.
User interaction is required.
7) Incorrect authorization (CVE-ID: CVE-2026-32919)
The vulnerability allows a local user to reset targeted conversation state.
The vulnerability exists due to incorrect authorization in the agent slash-command path when processing agent requests containing /new or /reset. A local user can send a specially crafted agent request to reset targeted conversation state.
The issue crosses the documented boundary between write-scoped messaging and admin-only session mutation.
8) Improper Authorization (CVE-ID: CVE-2026-32916)
The vulnerability allows a remote attacker to perform admin-only gateway actions.
The vulnerability exists due to improper authorization in plugin subagent route handling when invoking runtime.subagent.* from a plugin-owned HTTP route with auth: "plugin". A remote attacker can send a specially crafted request to perform admin-only gateway actions.
The issue affects plugin-owned public routes that call subagent runtime methods and rely on gateway authorization to preserve least-privilege scopes.
9) Not Failing Securely ('Failing Open') (CVE-ID: CVE-2026-32970)
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to failing open in local gateway helper credential resolution when processing configured but unavailable local auth SecretRefs in local mode. A local user can trigger credential resolution with unavailable gateway.auth.token or gateway.auth.password SecretRefs to disclose sensitive information.
Remote fallback occurs because the helper logic treats configured-but-unavailable local auth inputs as unset.
10) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-32976)
The vulnerability allows a remote user to modify protected sibling-account configuration.
The vulnerability exists due to authorization bypass through user-controlled key in channel command config mutation handling when processing channel-initiated configuration mutation commands. A remote user can send crafted channel commands targeting another account scope to modify protected sibling-account configuration.
This issue is limited to account-scoped policy bypass within a single gateway deployment.
11) Improper privilege management (CVE-ID: CVE-2026-32915)
The vulnerability allows a local user to bypass sandbox and session-scope boundaries.
The vulnerability exists due to improper privilege management in the subagents control surface when handling subagent control requests. A local user can steer or kill a sibling run to bypass sandbox and session-scope boundaries.
The issue affects sandboxed leaf subagents and arises because control requests are resolved against the parent requester scope instead of the caller's own session tree.
12) Interpretation Conflict (CVE-ID: CVE-2026-32971)
The vulnerability allows a remote user to execute local code.
The vulnerability exists due to interpretation conflict in node-host system.run approvals when displaying approval text for wrapper-shaped commands. A remote user can induce the operator to approve misleading command text to execute local code.
User interaction is required, and exploitation depends on the ability to place or select a local wrapper binary.
13) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2026-32988)
The vulnerability allows a local user to modify files outside the intended validated path.
The vulnerability exists due to a time-of-check time-of-use race condition in the sandbox fs-bridge staged write flow when creating and populating temporary files before commit. A local user can race a parent-path alias change to cause writes outside the intended validated path.
The issue affects the temporary file materialization step before the final guarded replace operation, resulting in a sandbox boundary bypass within the writable mount scope.
14) Incorrect authorization (CVE-ID: CVE-2026-32972)
The vulnerability allows a remote user to modify browser profile configuration and persist admin-only changes to disk.
The vulnerability exists due to incorrect authorization in the gateway browser.request handling for browser profile management routes when handling requests to browser profile creation and modification endpoints. A remote user can send a crafted request to /profiles/create to modify browser profiles and persist admin-only changes to disk.
The issue exposes an admin-only configuration write primitive through the browser profile management functionality, allowing storage of attacker-chosen remote CDP endpoints without operator.admin.
15) Improper Handling of Case Sensitivity (CVE-ID: CVE-2026-32973)
The vulnerability allows a remote user to execute unapproved commands or executable paths.
The vulnerability exists due to improper handling of case sensitivity in matchesExecAllowlistPattern when matching exec allowlist patterns against POSIX paths. A remote user can provide a crafted command or executable path that overmatches an allowlist entry to execute unapproved commands or executable paths.
The issue also arises because the ? wildcard can match /, allowing matches to cross path segments on POSIX systems.
16) Exposure of Resource to Wrong Sphere (CVE-ID: CVE-2026-33573)
The vulnerability allows a remote user to access files and execute tools outside the intended workspace boundary.
The vulnerability exists due to exposure of resource to the wrong sphere in the public gateway agent RPC when handling caller-supplied spawnedBy and workspaceDir values. A remote user can supply crafted spawnedBy and workspaceDir values to access files and execute tools outside the intended workspace boundary.
The issue affects authenticated operators with operator.write and allows a non-owner operator to re-root an agent run to an arbitrary process-accessible directory.
17) Incorrect authorization (CVE-ID: CVE-2026-32918)
The vulnerability allows a local user to disclose sensitive information and modify session state outside its sandbox scope.
The vulnerability exists due to incorrect authorization in the built-in session_status tool when processing a supplied sessionKey for session status access. A local user can supply another session's sessionKey to disclose sensitive information and modify session state outside its sandbox scope.
The issue affects sandboxed subagents and can expose parent or sibling session data, including persisted model override settings.
Remediation
Install update from vendor's website.
References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-qc36-x95h-7j53
- https://github.com/openclaw/openclaw/security/advisories/GHSA-9vvh-2768-c8vp
- https://github.com/openclaw/openclaw/security/advisories/GHSA-5wcw-8jjv-m286
- https://github.com/openclaw/openclaw/security/advisories/GHSA-xvx8-77m6-gwg6
- https://github.com/openclaw/openclaw/security/advisories/GHSA-4jpw-hj22-2xmc
- https://github.com/openclaw/openclaw/security/advisories/GHSA-xf99-j42q-5w5p
- https://github.com/openclaw/openclaw/security/advisories/GHSA-jf6w-m8jw-jfxc
- https://github.com/openclaw/openclaw/security/advisories/GHSA-xw77-45gv-p728
- https://github.com/openclaw/openclaw/security/advisories/GHSA-qvr7-g57c-mrc7
- https://github.com/openclaw/openclaw/security/advisories/GHSA-8jhh-jcqg-mj5p
- https://github.com/openclaw/openclaw/security/advisories/GHSA-4w7m-58cg-cmff
- https://github.com/openclaw/openclaw/security/advisories/GHSA-rw39-5899-8mxp
- https://github.com/openclaw/openclaw/security/advisories/GHSA-mj4p-rc52-m843
- https://github.com/openclaw/openclaw/security/advisories/GHSA-vmhq-cqm9-6p7q
- https://github.com/openclaw/openclaw/security/advisories/GHSA-f8r2-vg7x-gh8m
- https://github.com/openclaw/openclaw/security/advisories/GHSA-2rqg-gjgv-84jm
- https://github.com/openclaw/openclaw/security/advisories/GHSA-wcxr-59v9-rxr8