SB2026040841 - Multiple vulnerabilities in OpenClaw
Published: April 8, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 10 secuirty vulnerabilities.
1) Information disclosure (CVE-ID: N/A)
The vulnerability allows a remote attacker to disclose sensitive information and modify management settings.
The vulnerability exists due to exposure of sensitive information in the Dashboard authentication flow when opening the Control UI in the browser. A remote attacker can access browser-controlled surfaces or persistent browser storage to recover reusable Gateway admin credentials and reuse them to disclose sensitive information and modify management settings.
User interaction is required to open the Dashboard in the browser.
2) Improper Restriction of Excessive Authentication Attempts (CVE-ID: N/A)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper restriction of excessive authentication attempts in the hooks HTTP handler when handling non-POST requests to /hooks/*. A remote attacker can send repeated non-POST requests with an invalid token to cause a denial of service.
Impact is limited to temporary availability loss for hook-triggered wake or automation delivery, and exploitation may affect legitimate webhook delivery when requests collapse to the same hook auth client key, such as in shared proxy or NAT topologies.
3) Incomplete List of Disallowed Inputs (CVE-ID: CVE-2026-32913)
The vulnerability allows a remote attacker to disclose sensitive authorization credentials.
The vulnerability exists due to an incomplete list of disallowed headers in fetchWithSsrFGuard(...) when following cross-origin redirects. A remote attacker can trigger a cross-origin redirect to disclose sensitive authorization credentials.
The issue affects custom authorization headers such as X-Api-Key and Private-Token that are preserved across an origin change.
4) Authorization bypass through user-controlled key (CVE-ID: N/A)
The vulnerability allows a remote user to disclose sensitive information and modify authorization state across accounts.
The vulnerability exists due to incorrect authorization in the /allowlist --store account-scoping logic when processing allowlist store updates. A remote user can add a sender allowlist entry for one account to make it apply to the default account and disclose sensitive information and modify authorization state across accounts.
Exploitation requires the ability to run /allowlist edits, and legacy unscoped allowlist entries are merged into the default account.
5) Incorrect authorization (CVE-ID: N/A)
The vulnerability allows a remote user to modify persistent configuration.
The vulnerability exists due to incorrect authorization in the chat.send slash command handling when routing /config set or /config unset through the internal gateway-chat context. A remote user can send a crafted chat.send request to modify persistent configuration.
Exploitation requires an authenticated gateway client with operator.write, chat.send access, and /config command support enabled.
6) External Control of System or Configuration Setting (CVE-ID: N/A)
The vulnerability allows a remote user to bypass allowlist and approval controls and influence subprocess behavior.
The vulnerability exists due to external control of system or configuration setting in system.run environment override sanitization in src/infra/host-env-security.ts when processing env overrides for spawned processes. A remote user can supply crafted environment overrides to bypass allowlist and approval controls and influence subprocess behavior.
Exploitation requires the ability to invoke system.run with env overrides, and the issue can affect helper-command execution or config-loading behavior that is not represented by the approved command line.
7) Improper access control (CVE-ID: CVE-2026-27646)
The vulnerability allows a remote user to initialize host-side ACP sessions.
The vulnerability exists due to improper access control in the /acp spawn command handler when handling sandboxed /acp spawn requests. A remote user can send a /acp spawn command to initialize host-side ACP sessions.
Exploitation requires an already authorized sender in a sandboxed session, and ACP must be enabled with a backend available.
8) Interpretation Conflict (CVE-ID: N/A)
The vulnerability allows a remote user to bypass allowlist restrictions and persist unauthorized follow-up commands.
The vulnerability exists due to interpretation conflict in the system.run allowlist analysis when deriving allow-always persistence entries for shell commands containing unquoted comments. A remote user can submit a shell command with an unquoted # before a chained payload to bypass allowlist restrictions and persist unauthorized follow-up commands.
The runtime shell executes only the pre-comment portion, while the non-executed tail may still be analyzed and stored as trusted.
9) Interpretation Conflict (CVE-ID: CVE-2026-27183)
The vulnerability allows a remote user to bypass shell approval gating.
The vulnerability exists due to interpretation conflict in the system.run dispatch-wrapper handling when processing commands with exactly four transparent dispatch wrappers before /bin/sh -c. A remote user can supply a crafted wrapped command to bypass shell approval gating.
Exploitation is possible in security=allowlist mode because shell-wrapper approval detection stops at the depth boundary while execution planning continues unwrapping to the shell payload.
10) Incomplete List of Disallowed Inputs (CVE-ID: N/A)
The vulnerability allows a remote user to execute unauthorized PowerShell inline payloads.
The vulnerability exists due to incomplete list of disallowed inputs in the system.run shell-wrapper detection and allowlist approval parsing when processing PowerShell encoded-command wrappers. A remote user can invoke pwsh or powershell with -EncodedCommand, -enc, or -e to execute unauthorized PowerShell inline payloads.
The issue occurs in allowlist mode, where equivalent -Command invocations would require an approval step.
Remediation
Install update from vendor's website.
References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-rchv-x836-w7xp
- https://github.com/openclaw/openclaw/security/advisories/GHSA-6rmx-gvvg-vh6j
- https://github.com/advisories/GHSA-6rmx-gvvg-vh6j
- https://github.com/openclaw/openclaw/security/advisories/GHSA-6mgf-v5j7-45cr
- https://github.com/openclaw/openclaw/security/advisories/GHSA-pjvx-rx66-r3fg
- https://github.com/openclaw/openclaw/security/advisories/GHSA-hfpr-jhpq-x4rm
- https://github.com/openclaw/openclaw/security/advisories/GHSA-j425-whc4-4jgc
- https://github.com/openclaw/openclaw/security/advisories/GHSA-9q36-67vc-rrwg
- https://github.com/openclaw/openclaw/security/advisories/GHSA-9q2p-vc84-2rwm
- https://github.com/openclaw/openclaw/security/advisories/GHSA-r6qf-8968-wj9q
- https://github.com/openclaw/openclaw/security/advisories/GHSA-3h2q-j2v4-6w5r