SB2026040842 - Multiple vulnerabilities in OpenClaw
Published: April 8, 2026
Description
This security bulletin contains information about 12 security vulnerabilities.
1) Missing Authentication for Critical Function (CVE-ID: CVE-2026-32041)
The vulnerability allows a local user to access browser-control routes without authentication.
The vulnerability exists due to missing authentication for a critical function in browser-control routes when browser control starts without explicit auth credentials and automatic auth bootstrap fails. A local user can reach the exposed browser-control routes without authentication.
A loopback-reachable SSRF path may also reach the exposed routes.
2) Resource exhaustion (CVE-ID: CVE-2026-28461)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in the Zalo webhook endpoint when handling unauthenticated requests with varying query strings on the same valid webhook route. A remote attacker can send repeated requests with churned query-string keys to cause a denial of service.
The issue can lead to memory pressure, process instability, or out-of-memory conditions.
3) Incorrect authorization (CVE-ID: CVE-2026-32051)
The vulnerability allows a remote user to perform control-plane actions beyond intended write scope.
The vulnerability exists due to incorrect authorization in owner-only tool surfaces accessed through agent runs when processing authenticated agent execution requests in scoped-token deployments. A remote user can invoke owner-only tool surfaces through agent runs to perform control-plane actions beyond intended write scope.
Only scoped-token deployments are vulnerable.
4) Improper Handling of Unicode Encoding (CVE-ID: N/A)
The vulnerability allows a remote user to bypass command policy restrictions.
The vulnerability exists due to improper handling of Unicode encoding in node metadata policy classification when processing paired node metadata. A remote user can supply Unicode-confusable platform or deviceFamily metadata to bypass command policy restrictions.
The issue occurs within the paired-node trust boundary and can broaden default node command allowlists.
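One way to harden the kind of classification described in item 4, as an added example that is not OpenClaw's code: each metadata field is folded with NFKC, must then match a strict ASCII token pattern, and anything else fails closed to an empty allowlist. POLICY, canonicalToken, classifyNode and every command name except system.run are hypothetical.

```javascript
// Added illustration: POLICY, canonicalToken and classifyNode are hypothetical names,
// and every command except system.run is a placeholder.
const POLICY = {
  ios: ["notify.send"],
  macos: ["notify.send", "system.run"],
  unknown: [], // fail closed: unrecognized metadata gets no default commands
};

// NFKC folds compatibility forms (fullwidth letters, ligatures) onto their ASCII
// equivalents. It does not fold cross-script look-alikes such as Cyrillic "і", so the
// result must also pass a strict ASCII token pattern or be rejected outright.
function canonicalToken(value) {
  if (typeof value !== "string") return null;
  const folded = value.normalize("NFKC").trim().toLowerCase();
  return /^[a-z0-9][a-z0-9._-]{0,31}$/.test(folded) ? folded : null;
}

// Classify on the canonical token only, by exact match, never on the raw string.
function classifyNode(meta) {
  const platform = canonicalToken(meta.platform);
  const family = canonicalToken(meta.deviceFamily);
  if (platform === null || family === null) {
    return { cls: "unknown", allow: POLICY.unknown, rejected: true };
  }
  const known = Object.prototype.hasOwnProperty.call(POLICY, platform);
  const cls = known ? platform : "unknown";
  return { cls, allow: POLICY[cls], rejected: false };
}

// Constructed sample metadata (not captured from a real node).
const SAMPLES = [
  { platform: "iOS", deviceFamily: "iPhone" },                         // plain ASCII
  { platform: "\uFF4D\uFF41\uFF43\uFF2F\uFF33", deviceFamily: "Mac" }, // fullwidth "macOS"
  { platform: "\u0456os", deviceFamily: "iPhone" },                    // Cyrillic і + "os"
  { platform: "macos", deviceFamily: "M\u0430c" },                     // Cyrillic а in family
];

function classifyAll() {
  return SAMPLES.map((m) => classifyNode(m).cls);
}
```

Rejected records should be logged with the raw code points so that confusable metadata shows up in review instead of silently landing in a default class.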
5) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2026-31997)
The vulnerability allows a remote user to execute a different executable than the operator approved.
The vulnerability exists due to a time-of-check time-of-use race condition in node system.run approvals when resolving non-path-like argv[0] PATH tokens for host=node runs. A remote user can change PATH resolution after approval to execute a different executable than the operator approved.
The issue affects previously approved actions that use non-path-like command tokens such as tr.
6) Improper privilege management (CVE-ID: CVE-2026-32048)
The vulnerability allows a remote user to escape sandbox restrictions.
The vulnerability exists due to improper privilege management in sessions_spawn when creating cross-agent child sessions. A remote user can spawn a child under an agent configured with sandbox.mode="off" to escape sandbox restrictions.
Exploitation requires a mixed-agent setup that allows cross-agent spawning.
7) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: N/A)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to a time-of-check time-of-use race condition in sandbox media handling when processing media attachment and image paths. A remote attacker can retarget a symlink between path validation and file read to disclose sensitive information.
The issue can cause file reads outside sandboxRoot.
8) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: N/A)
The vulnerability allows a local user to create or truncate files outside the configured root boundaries.
The vulnerability exists due to a time-of-check time-of-use race condition in writeFileWithinRoot when handling an attacker-controlled path alias during file write operations. A local user can retarget a symlink between resolution and write operations to create or truncate files outside the configured root boundaries.
9) Incorrect authorization (CVE-ID: N/A)
The vulnerability allows a remote attacker to disrupt active sessions.
The vulnerability exists due to improper access control in stop-like natural-language abort triggers when handling sender messages. A remote attacker can send unauthorized stop-like trigger messages to disrupt active sessions.
10) Incorrect authorization (CVE-ID: N/A)
The vulnerability allows a remote attacker to disclose model and authentication metadata.
The vulnerability exists due to improper access control in the /models command when processing command requests. A remote attacker can invoke the /models command to disclose model and authentication metadata.
11) OS Command Injection (CVE-ID: CVE-2026-31999)
The vulnerability allows a remote attacker to execute unintended commands.
The vulnerability exists due to command injection in ACPX Windows wrapper resolution when resolving .cmd/.bat wrappers through shell fallback on Windows ACPX paths. A remote attacker can influence the current working directory to alter execution behavior and execute unintended commands.
Only affected Windows ACPX configurations are vulnerable.
12) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-31989)
The vulnerability allows a remote attacker to trigger internal-network requests.
The vulnerability exists due to server-side request forgery (SSRF) in web_search citation redirect resolution when processing citation URL redirects. A remote attacker can supply a citation redirect target to trigger internal-network requests.
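A defensive sketch of per-hop redirect validation for the SSRF class in item 12, added here and not taken from OpenClaw: every hop's scheme and resolved addresses are checked before it is fetched, including loopback targets of the kind item 1 mentions. All function names, the sample hosts and the injected resolve/nextLocation callbacks are assumptions.

```javascript
// Added illustration: all names are hypothetical; DNS and redirects are injected so it runs offline.
function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  const o = m ? m.slice(1).map(Number) : [256];
  return o.some((n) => n > 255) ? null : ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}
const V4_BLOCKED = [["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16]]; // [network, prefix length]

function isInternal(ip) {
  const addr = ip.toLowerCase();
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(addr);
  const n = ipv4ToInt(mapped ? mapped[1] : addr);
  if (n === null) { // IPv6: ::, ::1, fc00::/7, fe80::/10; hex-form mapped addresses fail closed
    return addr === "::" || addr === "::1" || addr.startsWith("::ffff:") ||
      /^f[cd][0-9a-f]{2}:/.test(addr) || /^fe[89ab][0-9a-f]:/.test(addr);
  }
  return V4_BLOCKED.some(([net, len]) =>
    ((n & ((0xffffffff << (32 - len)) >>> 0)) >>> 0) === ipv4ToInt(net));
}

// Validate one hop. The real fetch must connect to an address returned here, not re-resolve.
function checkHop(rawUrl, resolve, base) {
  let url;
  try { url = new URL(rawUrl, base); } catch { return { ok: false, reason: "unparseable" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return { ok: false, reason: "scheme" };
  const host = url.hostname.replace(/^\[|\]$/g, ""); // URL already folded 0x7f.1 and 2130706433
  const addrs = ipv4ToInt(host) !== null || host.includes(":") ? [host] : resolve(host);
  if (addrs.length === 0 || addrs.some(isInternal)) return { ok: false, reason: "internal" };
  return { ok: true, href: url.href, addrs };
}

// Check every hop, not just the first URL; `nextLocation(href)` returns Location or null.
function followRedirects(start, nextLocation, resolve, maxHops = 5) {
  let current = start, base;
  for (let hop = 0; hop <= maxHops; hop++) {
    const v = checkHop(current, resolve, base);
    if (!v.ok) return { ok: false, blockedAt: current, reason: v.reason };
    const loc = nextLocation(v.href);
    if (loc === null) return { ok: true, finalUrl: v.href };
    base = v.href; current = loc;
  }
  return { ok: false, blockedAt: current, reason: "too many redirects" };
}

// Constructed sample: a public citation host whose redirect points at loopback.
const DNS = { "cite.example": ["203.0.113.10"], "localhost": ["127.0.0.1"] };
const REDIRECTS = { "https://cite.example/r/1": "http://localhost/" };
const demo = () => followRedirects("https://cite.example/r/1",
  (u) => REDIRECTS[u] || null, (h) => DNS[h] || []);
```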
Remediation
Install the update from the vendor's website.
References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-vpj2-69hf-rppw
- https://github.com/openclaw/openclaw/security/advisories/GHSA-wr6m-jg37-68xh
- https://github.com/openclaw/openclaw/security/advisories/GHSA-jr6x-2q95-fh2g
- https://github.com/openclaw/openclaw/security/advisories/GHSA-392f-ggf5-fp3c
- https://github.com/openclaw/openclaw/security/advisories/GHSA-q399-23r3-hfx4
- https://github.com/openclaw/openclaw/security/advisories/GHSA-p7gr-f84w-hqg5
- https://github.com/openclaw/openclaw/security/advisories/GHSA-7xmq-g46g-f8pv
- https://github.com/openclaw/openclaw/security/advisories/GHSA-x82f-27x3-q89c
- https://github.com/openclaw/openclaw/security/advisories/GHSA-8m9v-xpgf-g99m
- https://github.com/advisories/GHSA-8m9v-xpgf-g99m
- https://github.com/openclaw/openclaw/security/advisories/GHSA-6f6j-wx9w-ff4j
- https://github.com/openclaw/openclaw/security/advisories/GHSA-g99v-8hwm-g76g