SB2026040844 - Multiple vulnerabilities in OpenClaw



SB2026040844 - Multiple vulnerabilities in OpenClaw

Published: April 8, 2026 Updated: May 1, 2026

Security Bulletin ID SB2026040844
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 17
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 35% Low 65%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 17 vulnerabilities.


1) UNIX symbolic link following (CVE-ID: N/A)

CWE-ID: CWE-61 - UNIX Symbolic Link (Symlink) Following

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to append attacker-controlled content to arbitrary files on the system.

The vulnerability exists due to unix symbolic link following in agents.create and agents.update handlers when appending to IDENTITY.md in the agent workspace. A local user can place a symlink at the IDENTITY.md path and invoke the affected API methods to append attacker-controlled content to arbitrary files on the system.

The issue occurs because an existing symlink at the IDENTITY.md path is not prevented from being followed during the append operation.


2) Incomplete List of Disallowed Inputs (CVE-ID: N/A)

CWE-ID: CWE-184 - Incomplete List of Disallowed Inputs

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass safe-bin restrictions.

The vulnerability exists due to incomplete list of disallowed inputs in safe-bin argument validation and allowlist evaluation when processing GNU long-option abbreviations. A remote attacker can supply a specially crafted abbreviated long option to bypass safe-bin restrictions.

This can create a policy and runtime mismatch where denied options are approved during validation but resolved differently at runtime.


3) Improper Authorization (CVE-ID: CVE-2026-32898)

CWE-ID: CWE-285 - Improper Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass interactive approval prompts for read-class operations.

The vulnerability exists due to improper authorization in resolvePermissionRequest, resolveToolNameForPermission, and shouldAutoApproveToolCall when processing untrusted tool metadata and permissive tool-name heuristics. A remote attacker can supply a malicious or compromised tool invocation with spoofed metadata to bypass interactive approval prompts for read-class operations.

Auto-approval decisions could be influenced by untrusted toolCall.kind values and read-like non-core tool names.


4) Interpretation Conflict (CVE-ID: N/A)

CWE-ID: CWE-436 - Interpretation Conflict

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute unexpected commands.

The vulnerability exists due to interpretation conflict in tools.exec allowlist/safe-bins evaluation when processing wrapper commands using GNU env -S/--split-string semantics. A remote attacker can influence tool command text to execute unexpected commands.

Exploitation requires the ability to influence tool command text reaching an exec-capable flow, such as through untrusted prompt or content injection.


5) Incomplete List of Disallowed Inputs (CVE-ID: CVE-2026-22175)

CWE-ID: CWE-184 - Incomplete List of Disallowed Inputs

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass command execution restrictions.

The vulnerability exists due to an incomplete list of disallowed inputs in exec approval wrapper analysis when processing busybox or toybox shell wrapper invocations with sh -c. A remote user can invoke arbitrary payloads through the same multiplexer wrapper to bypass command execution restrictions.

The issue occurs in allowlist mode after an allow-always approval is granted.


6) Authorization bypass through user-controlled key (CVE-ID: N/A)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass sender authorization.

The vulnerability exists due to improper access control in resolveSenderCandidates() in src/auto-reply/command-auth.ts when evaluating commands.allowFrom authorization checks with conversation identifiers via ctx.From. A remote user can participate in an allowed conversation and invoke command-only or directive-only flows to bypass sender authorization.

The issue occurs when operators configure commands.allowFrom with conversation-like identifiers such as channel or group identifiers.


7) Authentication Bypass by Capture-replay (CVE-ID: CVE-2026-32053)

CWE-ID: CWE-294 - Authentication Bypass by Capture-replay

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to trigger duplicate or stale call-state transitions.

The vulnerability exists due to authentication bypass by capture-replay in the voice-call Twilio webhook handling and manager dedupe logic when processing replayed webhook events. A remote attacker can replay a previously captured webhook event to trigger duplicate or stale call-state transitions.

A replayed event could be treated as new because normalized event IDs were randomized on each parse.


8) Improper access control (CVE-ID: CVE-2026-32002)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the image tool when resolving sandbox mount paths with tools.fs.workspaceOnly=true. A remote user can load mounted out-of-workspace images and forward their contents to vision model providers to disclose sensitive information.

The issue affects mounted out-of-workspace files exposed through the sandbox FS bridge, such as /agent/*.


9) Incorrect authorization (CVE-ID: CVE-2026-32007)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to access and modify mounted paths outside the workspace root.

The vulnerability exists due to improper access control in the experimental apply_patch tool when processing patch operations on sandbox-resolved mounted paths. A remote user can submit a specially crafted patch targeting writable mounted paths outside the workspace root to access and modify mounted paths outside the workspace root.

This issue affects only opt-in sandbox configurations where sandbox mode, the experimental apply_patch tool, workspace-only expectations, and writable mounts outside the workspace are enabled.


10) Incomplete List of Disallowed Inputs (CVE-ID: CVE-2026-31992)

CWE-ID: CWE-184 - Incomplete List of Disallowed Inputs

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute unintended commands.

The vulnerability exists due to an incomplete list of disallowed inputs in the system.run allowlist guard when processing env -S shell wrapper payloads. A remote user can supply crafted tool input to execute unintended commands.

This issue causes a mismatch between policy analysis and runtime execution in allowlist mode.


11) Incorrect authorization (CVE-ID: N/A)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute approved commands on a different node.

The vulnerability exists due to incorrect authorization in exec.approval handling for host=node requests when reusing an approval across nodes under the same operator-controlled gateway fleet. A remote user can replay an approval intended for one node for a different node to execute approved commands on a different node.

The issue affects system.run requests when node identity is not carried through approval and execution checks.


12) Improper access control (CVE-ID: N/A)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to initiate unintended agent actions.

The vulnerability exists due to improper access control in the openclaw://agent deep-link handler when processing crafted deep links on iOS. A remote attacker can send a specially crafted deep link to initiate unintended agent actions.

User interaction is required to open the crafted deep link, and exploitation is limited to an already-connected iOS node context.


13) Incomplete List of Disallowed Inputs (CVE-ID: CVE-2026-28363)

CWE-ID: CWE-184 - Incomplete List of Disallowed Inputs

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to bypass execution approval checks.

The vulnerability exists due to incomplete list of disallowed inputs in tools.exec.safeBins validation for sort when processing abbreviated GNU long options in allowlist mode. A remote user can supply a specially crafted sort command with abbreviated long options to bypass execution approval checks.

Exploitation requires tools.exec.security=allowlist, tools.exec.ask=on-miss, and tools.exec.safeBins to include sort.


14) Inclusion of Functionality from Untrusted Control Sphere (CVE-ID: CVE-2026-22217)

CWE-ID: CWE-829 - Inclusion of Functionality from Untrusted Control Sphere

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to execute attacker-controlled binaries.

The vulnerability exists due to inclusion of functionality from an untrusted control sphere in shell-env shell selection when processing an attacker-influenced $SHELL value and accepting executable paths under trusted prefixes. A local user can place or reference a crafted executable via $SHELL to execute attacker-controlled binaries.

Exploitation requires a writable trusted-prefix directory and influence over the runtime $SHELL environment variable.


15) Incorrect authorization (CVE-ID: N/A)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass an execution approval prompt.

The vulnerability exists due to incorrect authorization in the allowlist evaluator when resolving path-scoped executables under skill auto-allow handling. A remote user can invoke a path-scoped executable whose basename collides with an allowed skill name to bypass an execution approval prompt.

This issue occurs only in non-default configurations with autoAllowSkills enabled, system.run using security=allowlist, and ask=on-miss.


16) Cross-site scripting (CVE-ID: CVE-2026-32040)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript.

The vulnerability exists due to cross-site scripting in src/auto-reply/reply/export-html/template.js when exporting session data containing crafted image MIME types to HTML. A remote user can supply a crafted mimeType value in an image entry to execute arbitrary JavaScript.

User interaction is required to open the exported HTML file.


17) Cross-site scripting (CVE-ID: N/A)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary JavaScript in the exported HTML viewer context.

The vulnerability exists due to cross-site scripting in the exported session HTML viewer when rendering untrusted session content containing raw HTML markdown tokens or unescaped metadata fields. A remote attacker can create a crafted session and trick the victim into opening the exported HTML file to execute arbitrary JavaScript in the exported HTML viewer context.

User interaction is required to open a crafted exported HTML session file.


Remediation

Install update from vendor's website.

References