SB2026040850 - Multiple vulnerabilities in OpenClaw
Published: April 8, 2026 Updated: May 29, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 16 vulnerabilities.
1) Inclusion of Functionality from Untrusted Control Sphere (CVE-ID: N/A)
CWE-ID: CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to inclusion of functionality from an untrusted control sphere in built-in channel setup and login when resolving a workspace channel shadow that claims a bundled channel id before the plugin is explicitly trusted. A remote user can provide a crafted workspace plugin to execute arbitrary code.
Exploitation requires opening or using an untrusted cloned workspace, and the code may run even while the workspace plugin is still disabled.
2) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to terminate a running subagent session.
The vulnerability exists due to improper access control in the POST /sessions/:sessionKey/kill endpoint when handling identity-bearing HTTP requests with read-only operator scopes. A remote user can send a crafted request to terminate a running subagent session.
This issue affects the HTTP scope boundary and allows a read-scoped caller to perform a write-class control-plane mutation.
3) Information disclosure (CVE-ID: CVE-2026-34511)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to redeem OAuth tokens.
The vulnerability exists due to exposure of sensitive information in the Gemini OAuth flow when handling the OAuth redirect. A remote attacker can capture the redirect URL to redeem OAuth tokens.
The issue defeats PKCE interception protection because the PKCE verifier is reused as the OAuth state value and reflected back in the redirect URL alongside the authorization code.
4) Improper Handling of Case Sensitivity (CVE-ID: CVE-2026-34426)
CWE-ID: CWE-178 - Improper Handling of Case Sensitivity
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass approval binding for environment overrides.
The vulnerability exists due to improper handling of case sensitivity in system-run approval binding for environment override keys when processing host-exec flows. A remote user can supply windows-compatible environment override keys to bypass approval binding for environment overrides.
An approved command may execute with environment overrides that are not represented in the approval binding.
5) Incomplete List of Disallowed Inputs (CVE-ID: CVE-2026-34425)
CWE-ID: CWE-184 - Incomplete List of Disallowed Inputs
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass script-content preflight validation.
The vulnerability exists due to incomplete list of disallowed inputs in exec script preflight validation when processing complex interpreter invocations such as pipes or other non-simple command forms. A remote attacker can supply an attacker-controlled command shape to bypass script-content preflight validation.
This issue weakens a defense-in-depth guard that was intended to block unsafe script content before execution.
6) Path traversal (CVE-ID: N/A)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper limitation of a pathname to a restricted directory in the QQ Bot structured media payload handling when processing crafted structured payloads. A remote attacker can supply a crafted structured payload with attacker-chosen paths to disclose sensitive information.
The issue can expose any host file readable by the OpenClaw process through the QQ Bot media-send path.
7) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject unauthorized non-owner agent.request runs into the active iOS node session.
The vulnerability exists due to improper access control in the iOS A2UI bridge when loading a page from a local-network or tailnet host. A remote attacker can load a specially crafted page to inject unauthorized non-owner agent.request runs into the active iOS node session.
The demonstrated impact is limited to session-state pollution and budget consumption, and does not include owner-only actions or arbitrary host execution.
8) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to delete the contents of an unintended remote directory and replace them with uploaded workspace data.
The vulnerability exists due to improper access control in the OpenShell mirror backend when processing attacker-influenced remoteWorkspaceDir and remoteAgentWorkspaceDir values in mirror mode. A remote user can supply arbitrary absolute paths to trigger remote cleanup and overwrite operations to delete the contents of an unintended remote directory and replace them with uploaded workspace data.
Exploitation requires the ability to influence those OpenShell configuration values.
9) Information disclosure (CVE-ID: N/A)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information in the Gateway connect success snapshot when handling authenticated client connections. A remote user can receive snapshot metadata containing local configPath and stateDir values to disclose sensitive information.
This issue exposes host filesystem layout and deployment details and may aid host fingerprinting and chained attacks.
10) Information Exposure Through Timing Discrepancy (CVE-ID: N/A)
CWE-ID: CWE-208 - Information Exposure Through Timing Discrepancy
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose secret length information through timing differences.
The vulnerability exists due to observable timing discrepancy in shared-secret comparison call sites when processing shared-secret comparisons with early length-mismatch checks. A remote attacker can measure response timing differences to disclose secret length information through timing differences.
The issue weakens the intended constant-time handling for shared secrets and does not by itself demonstrate authentication bypass.
11) Expected behavior violation (CVE-ID: N/A)
CWE-ID: CWE-440 - Expected Behavior Violation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to expected behavior violation in Zalo webhook replay deduplication logic when processing webhook events from different chats or senders. A remote attacker can send webhook events that collide across chat or sender dimensions to cause a denial of service.
The issue can silently suppress legitimate messages and disrupt bot workflows across conversations.
12) Incorrect authorization (CVE-ID: CVE-2026-41360)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute modified script contents without invalidating a prior approval.
The vulnerability exists due to incorrect authorization in the node-host command-planning path when processing local script operands through a pnpm dlx approval flow. A local user can replace an approved local script before execution to execute modified script contents without invalidating a prior approval.
13) Improper access control (CVE-ID: CVE-2026-41358)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass sender access controls and introduce non-allowlisted Slack messages into the agent context.
The vulnerability exists due to improper access control in Slack thread starter and thread-history context handling when fetching thread context through the API. A remote user can reply in a thread with non-allowlisted messages to bypass sender access controls and introduce non-allowlisted Slack messages into the agent context.
This affects sender allowlist enforcement for Slack thread context and is not a direct channel authorization bypass.
14) Cleartext transmission of sensitive information (CVE-ID: CVE-2026-40045)
CWE-ID: CWE-319 - Cleartext Transmission of Sensitive Information
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose stored gateway credentials in plaintext.
The vulnerability exists due to improper transport layer protection in the Android gateway client when processing forged discovery results or crafted setup codes that direct the client to a cleartext remote ws:// gateway endpoint. A remote attacker can provide a forged discovery result or crafted setup code to disclose stored gateway credentials in plaintext.
User interaction is required to follow the forged discovery result or scan the crafted setup code.
15) Input validation error (CVE-ID: CVE-2026-41372)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper input validation in remote CDP discovery host normalization when processing discovery responses. A remote user can return a crafted discovery response with a trailing-dot localhost host to disclose sensitive information.
Exploitation can retarget authenticated browser control to a localhost-resolving endpoint on the OpenClaw host.
16) OS Command Injection (CVE-ID: N/A)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute shell-provided content outside the intended allowlist rule.
The vulnerability exists due to command injection in the strict inline-eval checks for shell carrier handling when processing a command request that combines allowlisted tools with shell positional arguments. A remote user can send a specially crafted command request to execute shell-provided content outside the intended allowlist rule.
Only configurations where the affected feature is enabled and reachable are vulnerable.
Remediation
Install update from vendor's website.
References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-2qrv-rc5x-2g2h
- https://github.com/openclaw/openclaw/security/advisories/GHSA-5hff-46vh-rxmw
- https://github.com/openclaw/openclaw/security/advisories/GHSA-9jpj-g8vv-j5mf
- https://github.com/openclaw/openclaw/security/advisories/GHSA-98ch-45wp-ch47
- https://github.com/openclaw/openclaw/security/advisories/GHSA-fvx6-pj3r-5q4q
- https://github.com/openclaw/openclaw/security/advisories/GHSA-846p-hgpv-vphc
- https://github.com/openclaw/openclaw/security/advisories/GHSA-4p4f-fc8q-84m3
- https://github.com/openclaw/openclaw/security/advisories/GHSA-m34q-h93w-vg5x
- https://github.com/openclaw/openclaw/security/advisories/GHSA-2f7j-rp58-mr42
- https://github.com/openclaw/openclaw/security/advisories/GHSA-jj6q-rrrf-h66h
- https://github.com/openclaw/openclaw/security/advisories/GHSA-rxmx-g7hr-8mx4
- https://github.com/openclaw/openclaw/security/advisories/GHSA-w6wx-jq6j-6mcj
- https://github.com/openclaw/openclaw/commit/176c059b05357df1bc09d4328a2380670859eeff
- https://github.com/openclaw/openclaw/security/advisories/GHSA-qm77-8qjp-4vcm
- https://github.com/openclaw/openclaw/commit/ac5bc4fb37becc64a2ec314864cca1565e921f2d
- https://github.com/openclaw/openclaw/security/advisories/GHSA-83f3-hh45-vfw9
- https://github.com/openclaw/openclaw/commit/a941a4fef9bc43b2973c92d0dcff5b8a426210c5
- https://github.com/openclaw/openclaw/security/advisories/GHSA-fh32-73r9-rgh5
- https://github.com/openclaw/openclaw/commit/9c22d636697336a6b22b0ae24798d8b8325d7828
- https://github.com/openclaw/openclaw/security/advisories/GHSA-5cj2-3jr2-5h77