SB2026040849 - Multiple vulnerabilities in OpenClaw



SB2026040849 - Multiple vulnerabilities in OpenClaw

Published: April 8, 2026 Updated: May 4, 2026

Security Bulletin ID SB2026040849
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 22
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High 5% Medium 14% Low 82%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 22 vulnerabilities.


1) Improper access control (CVE-ID: N/A)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute commands beyond intended authorization.

The vulnerability exists due to improper access control in the node pairing reconnect command handling when a previously paired node reconnects with a broader command set. A remote user can reconnect a previously paired node and obtain access to exec-capable commands to execute commands beyond intended authorization.

The issue affects the node re-pairing security boundary for operator/admin-scoped commands.


2) Incorrect permission assignment for critical resource (CVE-ID: N/A)

CWE-ID: CWE-732 - Incorrect Permission Assignment for Critical Resource

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to incorrect permission assignment for critical resource in Feishu docx upload_file/upload_image handling when processing docx upload blocks. A local user can cause the application to read local files outside the workspace-only file policy to disclose sensitive information.

This issue is limited to the local assistant trust model.


3) Exposure of Resource to Wrong Sphere (CVE-ID: N/A)

CWE-ID: CWE-668 - Exposure of resource to wrong sphere

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to exposure of resource to the wrong sphere in shared reply MEDIA handling when processing a crafted shared reply MEDIA reference. A remote user can supply a crafted shared reply MEDIA reference to disclose sensitive information.

The issue is limited to the product's local assistant trust model and does not assume a multi-tenant service boundary.


4) Trust Boundary Violation (CVE-ID: N/A)

CWE-ID: CWE-501 - Trust Boundary Violation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to inject prompts into later agent turns.

The vulnerability exists due to trust boundary violation in trusted System: events when processing lower-trust background runtime output and local async exec completion output. A local user can cause lower-trust output to be treated as trusted system events to inject prompts into later agent turns.

This issue is scoped to the product's local trust model and does not assume a multi-tenant service boundary.


5) Trust Boundary Violation (CVE-ID: N/A)

CWE-ID: CWE-501 - Trust Boundary Violation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to inject untrusted wake payloads into the trusted system prompt channel.

The vulnerability exists due to trust boundary violation in the /hooks/wake endpoint and mapped wake payload handling when processing authenticated wake hook or mapped wake payload input. A remote user can send a crafted wake payload to inject untrusted content into the trusted system prompt channel.

This issue is scoped to the product's local assistant trust model and does not assume a multi-tenant service boundary.


6) Server-Side Request Forgery (SSRF) (CVE-ID: N/A)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to perform server-side request forgery.

The vulnerability exists due to insufficient server-side request forgery protection in QQ Bot media download paths when fetching media from user-supplied URLs. A remote user can provide a crafted URL to perform server-side request forgery.


7) Improper access control (CVE-ID: N/A)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass SSRF navigation checks.

The vulnerability exists due to improper access control in browser navigation handling when processing interaction-triggered navigation. A remote attacker can trigger browser interactions to bypass SSRF navigation checks.


8) Improper input validation (CVE-ID: N/A)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in base64 decode paths when parsing user-supplied base64 input. A local user can provide specially crafted base64 data to cause a denial of service.


9) Improper access control (CVE-ID: N/A)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to bypass explicit approval requirements for inline eval commands.

The vulnerability exists due to improper access control in strictInlineEval approval handling on gateway and node exec hosts when processing approval-timeout fallback conditions. A local user can trigger inline eval commands through the approval-timeout fallback to bypass explicit approval requirements for inline eval commands.

This issue is scoped to the product's local trust model and does not assume a multi-tenant service boundary.


10) Incomplete List of Disallowed Inputs (CVE-ID: N/A)

CWE-ID: CWE-184 - Incomplete List of Disallowed Inputs

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to incomplete list of disallowed inputs in the exec environment denylist when processing user-controlled build-tool environment variables. A local user can set hostile environment variables to execute arbitrary code.

This issue is scoped to the product's local trust model.


11) Improper privilege management (CVE-ID: N/A)

CWE-ID: CWE-269 - Improper Privilege Management

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to approve node pairing without proper privileges.

The vulnerability exists due to improper privilege management in the node.pair.approve method when handling pairing approval requests. A remote user can invoke the pairing approval operation with operator.write scope to approve node pairing without proper privileges.

For exec-capable nodes, the intended requirement includes the narrower pairing scope and an admin requirement.


12) Incorrect authorization (CVE-ID: N/A)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to obtain tokens with unapproved roles or scopes.

The vulnerability exists due to improper access control in device.token.rotate when rotating device tokens. A local user can trigger token rotation to obtain tokens with roles or scopes that bypass the intended pairing approval.

This issue is scoped to the product's local trust model rather than a multi-tenant service boundary.


13) Incorrect authorization (CVE-ID: N/A)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to mutate persistent browser profiles.

The vulnerability exists due to improper authorization in node.invoke(browser.proxy) when invoking browser proxy functionality. A local user can invoke this path to mutate persistent browser profiles.

This issue is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.


14) Incomplete List of Disallowed Inputs (CVE-ID: N/A)

CWE-ID: CWE-184 - Incomplete List of Disallowed Inputs

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to redirect Git operations.

The vulnerability exists due to an incomplete list of disallowed inputs in the exec environment denylist when executing host commands. A local user can set git plumbing environment variables to redirect Git operations.

This issue is scoped to the product's local assistant trust model and does not assume a multi-tenant service boundary.


15) Insufficient Session Expiration (CVE-ID: N/A)

CWE-ID: CWE-613 - Insufficient Session Expiration

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to continue using stale authorization state.

The vulnerability exists due to insufficient session expiration in the resolvedAuth closure when handling newly accepted gateway connections after a config reload. A local user can trigger or rely on a config reload and then establish a new gateway connection to continue using stale authorization state.

This issue is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.


16) Insufficient Session Expiration (CVE-ID: N/A)

CWE-ID: CWE-613 - Insufficient Session Expiration

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to maintain access to an existing WebSocket session after shared gateway token rotation.

The vulnerability exists due to insufficient session expiration in shared-token WebSocket sessions when rotating the shared gateway token. A remote user can continue using an existing WebSocket session to maintain access to an existing WebSocket session after shared gateway token rotation.


17) Missing support for integrity check (CVE-ID: N/A)

CWE-ID: CWE-353 - Missing Support for Integrity Check

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to install tampered plugin archives.

The vulnerability exists due to missing support for integrity check in ClawHub package downloads when downloading plugin archives. A local user can provide a tampered archive to install tampered plugin archives.

This issue is scoped to the product's local trust model and does not assume a multi-tenant service boundary.


18) Improper access control (CVE-ID: N/A)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to modify allowlists for a different channel.

The vulnerability exists due to improper access control in the /allowlist endpoint when handling cross-channel allowlist write requests. A remote user can send a crafted allowlist write request to modify allowlists for a different channel.

This issue is scoped to the product's local assistant trust model and does not assume a multi-tenant service boundary.


19) Improper privilege management (CVE-ID: N/A)

CWE-ID: CWE-269 - Improper Privilege Management

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper access control in gateway plugin HTTP routes using auth: gateway when processing identity-bearing operator.read requests from an upstream trusted proxy. A remote user can send a request that declares read scope to obtain runtime operator.write scope and escalate privileges.


20) Open redirect (CVE-ID: CVE-2026-40037)

CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to cause sensitive request bodies or headers to be sent to an unintended cross-origin destination.

The vulnerability exists due to improper handling of cross-origin redirects in fetchWithSsrFGuard when following cross-origin redirects. A remote attacker can trigger a redirect chain that replays an unsafe request body or headers to cause sensitive request bodies or headers to be sent to an unintended cross-origin destination.


21) OS Command Injection (CVE-ID: CVE-2026-22177)

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to execute arbitrary commands.

The vulnerability exists due to command injection in the host exec feature when inheriting environment variables that influence interpreters, shells, or build tools. A local user can control environment variables to execute arbitrary commands.

The issue is scoped to the product's user-controlled local assistant trust model.


22) Improper access control (CVE-ID: CVE-2026-42430)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to reach private network targets.

The vulnerability exists due to improper access control in Playwright redirect handling when processing request-time navigation redirects. A remote user can trigger a redirect to a private target to reach private network targets.

The issue is scoped to the product's local assistant trust model.


Remediation

Install update from vendor's website.

References