SB2026040850 - Multiple vulnerabilities in OpenClaw
Published: April 8, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 11 secuirty vulnerabilities.
1) Inclusion of Functionality from Untrusted Control Sphere (CVE-ID: N/A)
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to inclusion of functionality from an untrusted control sphere in built-in channel setup and login when resolving a workspace channel shadow that claims a bundled channel id before the plugin is explicitly trusted. A remote user can provide a crafted workspace plugin to execute arbitrary code.
Exploitation requires opening or using an untrusted cloned workspace, and the code may run even while the workspace plugin is still disabled.
2) Improper access control (CVE-ID: N/A)
The vulnerability allows a remote user to terminate a running subagent session.
The vulnerability exists due to improper access control in the POST /sessions/:sessionKey/kill endpoint when handling identity-bearing HTTP requests with read-only operator scopes. A remote user can send a crafted request to terminate a running subagent session.
This issue affects the HTTP scope boundary and allows a read-scoped caller to perform a write-class control-plane mutation.
3) Information disclosure (CVE-ID: CVE-2026-34511)
The vulnerability allows a remote attacker to redeem OAuth tokens.
The vulnerability exists due to exposure of sensitive information in the Gemini OAuth flow when handling the OAuth redirect. A remote attacker can capture the redirect URL to redeem OAuth tokens.
The issue defeats PKCE interception protection because the PKCE verifier is reused as the OAuth state value and reflected back in the redirect URL alongside the authorization code.
4) Improper Handling of Case Sensitivity (CVE-ID: CVE-2026-34426)
The vulnerability allows a remote user to bypass approval binding for environment overrides.
The vulnerability exists due to improper handling of case sensitivity in system-run approval binding for environment override keys when processing host-exec flows. A remote user can supply windows-compatible environment override keys to bypass approval binding for environment overrides.
An approved command may execute with environment overrides that are not represented in the approval binding.
5) Incomplete List of Disallowed Inputs (CVE-ID: CVE-2026-34425)
The vulnerability allows a remote attacker to bypass script-content preflight validation.
The vulnerability exists due to incomplete list of disallowed inputs in exec script preflight validation when processing complex interpreter invocations such as pipes or other non-simple command forms. A remote attacker can supply an attacker-controlled command shape to bypass script-content preflight validation.
This issue weakens a defense-in-depth guard that was intended to block unsafe script content before execution.
6) Path traversal (CVE-ID: N/A)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper limitation of a pathname to a restricted directory in the QQ Bot structured media payload handling when processing crafted structured payloads. A remote attacker can supply a crafted structured payload with attacker-chosen paths to disclose sensitive information.
The issue can expose any host file readable by the OpenClaw process through the QQ Bot media-send path.
7) Improper access control (CVE-ID: N/A)
The vulnerability allows a remote attacker to inject unauthorized non-owner agent.request runs into the active iOS node session.
The vulnerability exists due to improper access control in the iOS A2UI bridge when loading a page from a local-network or tailnet host. A remote attacker can load a specially crafted page to inject unauthorized non-owner agent.request runs into the active iOS node session.
The demonstrated impact is limited to session-state pollution and budget consumption, and does not include owner-only actions or arbitrary host execution.
8) Improper access control (CVE-ID: N/A)
The vulnerability allows a remote user to delete the contents of an unintended remote directory and replace them with uploaded workspace data.
The vulnerability exists due to improper access control in the OpenShell mirror backend when processing attacker-influenced remoteWorkspaceDir and remoteAgentWorkspaceDir values in mirror mode. A remote user can supply arbitrary absolute paths to trigger remote cleanup and overwrite operations to delete the contents of an unintended remote directory and replace them with uploaded workspace data.
Exploitation requires the ability to influence those OpenShell configuration values.
9) Information disclosure (CVE-ID: N/A)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information in the Gateway connect success snapshot when handling authenticated client connections. A remote user can receive snapshot metadata containing local configPath and stateDir values to disclose sensitive information.
This issue exposes host filesystem layout and deployment details and may aid host fingerprinting and chained attacks.
10) Information Exposure Through Timing Discrepancy (CVE-ID: N/A)
The vulnerability allows a remote attacker to disclose secret length information through timing differences.
The vulnerability exists due to observable timing discrepancy in shared-secret comparison call sites when processing shared-secret comparisons with early length-mismatch checks. A remote attacker can measure response timing differences to disclose secret length information through timing differences.
The issue weakens the intended constant-time handling for shared secrets and does not by itself demonstrate authentication bypass.
11) Expected behavior violation (CVE-ID: N/A)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to expected behavior violation in Zalo webhook replay deduplication logic when processing webhook events from different chats or senders. A remote attacker can send webhook events that collide across chat or sender dimensions to cause a denial of service.
The issue can silently suppress legitimate messages and disrupt bot workflows across conversations.
Remediation
Install update from vendor's website.
References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-2qrv-rc5x-2g2h
- https://github.com/openclaw/openclaw/security/advisories/GHSA-5hff-46vh-rxmw
- https://github.com/openclaw/openclaw/security/advisories/GHSA-9jpj-g8vv-j5mf
- https://github.com/openclaw/openclaw/security/advisories/GHSA-98ch-45wp-ch47
- https://github.com/openclaw/openclaw/security/advisories/GHSA-fvx6-pj3r-5q4q
- https://github.com/openclaw/openclaw/security/advisories/GHSA-846p-hgpv-vphc
- https://github.com/openclaw/openclaw/security/advisories/GHSA-4p4f-fc8q-84m3
- https://github.com/openclaw/openclaw/security/advisories/GHSA-m34q-h93w-vg5x
- https://github.com/openclaw/openclaw/security/advisories/GHSA-2f7j-rp58-mr42
- https://github.com/openclaw/openclaw/security/advisories/GHSA-jj6q-rrrf-h66h
- https://github.com/openclaw/openclaw/security/advisories/GHSA-rxmx-g7hr-8mx4