SB2026040851 - Multiple vulnerabilities in OpenClaw



SB2026040851 - Multiple vulnerabilities in OpenClaw

Published: April 8, 2026 Updated: May 4, 2026

Security Bulletin ID SB2026040851
CSH Severity
High
Patch available
YES
Number of vulnerabilities 54
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 4% Medium 39% Low 57%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 54 vulnerabilities.


1) Improper access control (CVE-ID: N/A)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass channel-level member access restrictions.

The vulnerability exists due to improper access control in the Discord voice manager when accepting Discord voice ingress before channel allowlist authorization. A remote user can initiate voice ingress to bypass channel-level member access restrictions.


2) Improper privilege management (CVE-ID: N/A)

CWE-ID: CWE-269 - Improper Privilege Management

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform privileged runtime actions.

The vulnerability exists due to improper privilege management in plugin-auth HTTP routes when handling unauthenticated requests before plugin authentication completes. A remote attacker can send a request to plugin-auth routes to perform privileged runtime actions.

The issue is limited to plugin routes that actually touch privileged runtime actions before plugin authentication completes.


3) Information disclosure (CVE-ID: N/A)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper handling of sensitive information in config.get when retrieving configuration values. A remote user can read the Nostr privateKey in plaintext to disclose sensitive information.


4) Improper control of a resource through its lifetime (CVE-ID: N/A)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to alter the in-process callback origin.

The vulnerability exists due to improper state management in the Plivo callback origin handling logic when replaying a captured valid callback for a live call. A remote attacker can replay a captured valid callback to alter the in-process callback origin.

Replay rejection occurs only after the callback origin has already been mutated.


5) Improper access control (CVE-ID: N/A)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute attacker-controlled hook code.

The vulnerability exists due to improper access control in the bundled hooks root configuration when loading workspace environment variables. A remote attacker can provide a specially crafted workspace .env file to execute attacker-controlled hook code.

The issue occurs because a workspace can override the trusted default bundled hooks location.


6) Improper access control (CVE-ID: N/A)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass webhook replay protection.

The vulnerability exists due to improper access control in the Zalo webhook replay cache when processing authenticated sibling-target delivery paths. A remote user can reuse a messageId across targets to bypass webhook replay protection.


7) Improper Check or Handling of Exceptional Conditions (CVE-ID: N/A)

CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to restore revoked Tlon configuration after restart.

The vulnerability exists due to improper handling of empty-array revocation settings in the startup migration logic when processing file-based configuration during startup. A local user can provide or rely on crafted file configuration state to restore revoked Tlon configuration after restart.


8) Improper access control (CVE-ID: N/A)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to load untrusted plugins.

The vulnerability exists due to improper access control in the bundled plugin trust root configuration when loading an attacker-controlled workspace. A remote user can provide a workspace .env file that overrides OPENCLAW_BUNDLED_PLUGINS_DIR to load untrusted plugins.

Exploitation depends on the victim loading an attacker-controlled workspace.


9) Insufficient Session Expiration (CVE-ID: N/A)

CWE-ID: CWE-613 - Insufficient Session Expiration

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to maintain access to an active WebSocket session after credential rotation.

The vulnerability exists due to improper session expiration in the WebSocket session handling for the gateway device.token.rotate operation when rotating device credentials. A remote user can continue using an already-authenticated WebSocket session to maintain access to an active WebSocket session after credential rotation.

This is a post-compromise revocation gap affecting already-authenticated sessions.


10) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: N/A)

CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to escape the sandbox and read files outside the intended sandbox.

The vulnerability exists due to a time-of-check time-of-use race condition in the remote FS bridge readFile when processing remote sandbox file reads. A remote attacker can trigger a race between the path check and the file read to escape the sandbox and read files outside the intended sandbox.


11) Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CVE-ID: N/A)

CWE-ID: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to redirect Python package-index traffic.

The vulnerability exists due to improper neutralization of environment variables in host exec environment sanitization in approved or allowlisted package-management exec paths when processing the PIP_INDEX_URL or UV_INDEX_URL environment variables. A remote user can set a crafted package index URL to redirect Python package-index traffic.

The issue is limited to approved or allowlisted package-management execution paths and does not permit arbitrary remote code execution.


12) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-32062)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to allocation of resources without limits or throttling in the voice-call WebSocket frame parser when processing oversized pre-start voice-call WebSocket frames before start validation. A remote attacker can send specially crafted large WebSocket frames to cause a denial of service.


13) Missing Authorization (CVE-ID: N/A)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass channel and member allowlist restrictions.

The vulnerability exists due to missing authorization in Discord voice ingress authorization when validating channel, name, and stale-role state. A remote user can exploit validation gaps to bypass channel and member allowlist restrictions.


14) Improper access control (CVE-ID: N/A)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass sender allowlist restrictions.

The vulnerability exists due to improper access control in Feishu thread history and quoted message context handling when fetching quoted, root, or thread context. A remote attacker can send messages that cause disallowed sender content to be included to bypass sender allowlist restrictions.


15) Improper access control (CVE-ID: N/A)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass sender allowlist restrictions.

The vulnerability exists due to improper access control in thread root and reply context handling when fetching Matrix thread-root or reply context. A remote user can send messages that reference fetched thread-root or reply context to bypass sender allowlist restrictions.


16) Improper access control (CVE-ID: N/A)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass shared authentication rate limiting.

The vulnerability exists due to improper access control in the mixed WebSocket authentication flow when handling a fake DeviceToken. A remote attacker can supply a fake DeviceToken to bypass shared authentication rate limiting.

The practical risk is primarily limited to deployments that rely on weak shared passwords.


17) Improper access control (CVE-ID: N/A)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to bypass the sandbox.

The vulnerability exists due to improper access control in heartbeat context inheritance when delivering heartbeat messages that inherit owner identity from node-originated exec completion. A remote user can trigger heartbeat delivery to bypass the sandbox.


18) Not Failing Securely ('Failing Open') (CVE-ID: N/A)

CWE-ID: CWE-636 - Not Failing Securely (\'Failing Open\')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to install an untrusted plugin despite a failed security scan.

The vulnerability exists due to not failing securely in the plugin installation flow when handling a security scan failure during plugin installation. A remote user can choose installation of an untrusted package after the scan failure is shown to install an untrusted plugin despite a failed security scan.

The scan failure was visible rather than silent, and exploitation requires an operator to choose installation of an untrusted package.


19) Improper access control (CVE-ID: N/A)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass sender allowlist restrictions.

The vulnerability exists due to improper access control in MS Teams thread history handling when processing Graph API-fetched thread history. A remote user can supply thread history messages through the Graph API path to bypass sender allowlist restrictions.


20) Improper access control (CVE-ID: N/A)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code on the host.

The vulnerability exists due to improper access control in the node command exposure logic when handling device-paired node access. A remote user can expose node commands without node pairing to execute arbitrary code on the host.

Exploitation requires device pairing and setup prerequisites.


21) Missing Authentication for Critical Function (CVE-ID: N/A)

CWE-ID: CWE-306 - Missing Authentication for Critical Function

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper access control in the Nostr DM ingress path when processing forged direct messages before signature verification. A remote attacker can send a forged DM to cause a denial of service.

The issue can create a pending pairing entry and trigger bounded relay and logging work, but it does not grant message decryption, pairing approval, or broader authorization bypass.


22) Incomplete List of Disallowed Inputs (CVE-ID: N/A)

CWE-ID: CWE-184 - Incomplete List of Disallowed Inputs

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass exec allowlist restrictions.

The vulnerability exists due to incomplete list of disallowed inputs in exec allowlist matching when processing shell-wrapper invocations with init-file options. A remote user can supply a shell-wrapper command using options such as --rcfile, --init-file, or --startup-file to bypass exec allowlist restrictions.

Only configurations with exec allowlist or allow-always behavior enabled are vulnerable, and exploitation requires the ability to steer a shell-wrapper command shape that uses init-file options.


23) Resource exhaustion (CVE-ID: CVE-2026-41343)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper resource management in the LINE webhook handler when handling requests before signature verification. A remote attacker can send multiple requests to cause a denial of service.

The effect is limited to bounded transient availability loss on the public LINE webhook path.


24) Authentication Bypass by Capture-replay (CVE-ID: CVE-2026-41351)

CWE-ID: CWE-294 - Authentication Bypass by Capture-replay

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass replay detection.

The vulnerability exists due to authentication bypass by capture-replay in the Telnyx webhook replay detection logic when processing Telnyx webhook signatures re-encoded between Base64 and Base64URL forms. A remote user can resend a captured webhook with a re-encoded signature to bypass replay detection.

Signature verification still holds, and the issue is limited to replay detection treating equivalent signature encodings as distinct requests.


25) Improper access control (CVE-ID: CVE-2026-41403)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass access restrictions for the diffs viewer.

The vulnerability exists due to improper access control in the diffs viewer when handling proxied remote requests while allowRemoteViewer is disabled. A remote attacker can send a proxied request that is misclassified as loopback to bypass access restrictions for the diffs viewer.

Only configurations with allowRemoteViewer disabled are affected.


26) Improper access control (CVE-ID: CVE-2026-41362)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper access control in the Zalo webhook replay-dedupe cache when handling authenticated webhook events in multi-account gateway deployments. A remote user can send a replay on one authenticated webhook path to suppress a legitimate event on another account to cause a denial of service.

This issue affects multi-account deployments where authenticated webhook targets share the same gateway, and it does not provide cross-account authentication or data access.


27) Improper access control (CVE-ID: CVE-2026-41346)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper access control in pending pairing-request cap enforcement when handling pairing requests in multi-account channel setups. A remote user can submit pairing requests from another account to cause a denial of service.

The issue is limited to availability and does not allow cross-account approval, data access, or authorization bypass.


28) Improper access control (CVE-ID: CVE-2026-41340)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass account trust boundaries.

The vulnerability exists due to improper access control in the Telegram legacy allowFrom migration logic when migrating default-account trust settings into named accounts. A remote user can rely on inherited trust relationships to bypass account trust boundaries.


29) Improper access control (CVE-ID: CVE-2026-41393)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose operator credentials.

The vulnerability exists due to improper access control in macOS wide-area discovery when accepting an arbitrary tailnet peer as a DNS authority. A remote user can present a CA-trusted endpoint and induce user selection to disclose operator credentials.

Exploitation requires a same-tailnet position, a CA-trusted endpoint, and user selection.


30) Insufficient verification of data authenticity (CVE-ID: CVE-2026-41300)

CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper trust handling in the remote onboarding endpoint selection logic when preserving a discovered endpoint after trust is declined and presenting it in the manual prompt. A remote attacker can cause a malicious endpoint to remain prefilled so that gateway credentials are routed to it to disclose sensitive information.

User interaction is required because the operator must accept the prefilled endpoint in the manual prompt.


31) Resource exhaustion (CVE-ID: CVE-2026-41408)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper resource management in the Tlon media download handling path when downloading media through the bundled plugin path. A remote attacker can trigger media downloads that bypass core size, count, and cleanup limits to cause a denial of service.

This issue is limited to availability impact in a bundled plugin path.


32) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-41302)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform server-side request forgery.

The vulnerability exists due to insufficient destination validation in marketplace plugin download functionality when fetching user-supplied URLs. A remote attacker can supply a crafted URL to perform server-side request forgery.


33) Insecure DLL loading (CVE-ID: CVE-2026-41373)

CWE-ID: CWE-427 - Uncontrolled Search Path Element

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute unintended compiler binaries.

The vulnerability exists due to uncontrolled search path elements in host-env-security-policy.json when processing approved host exec requests with environment overrides. A remote user can supply overridden compiler-related environment variables to execute unintended compiler binaries.

Exploitation requires an approved host-exec request inside the existing exec trust domain.


34) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-41334)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper handling of oversized pixel counts in the image processing logic when processing crafted image files on sips. A remote attacker can supply a decompression-bomb image to cause a denial of service.


35) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: CVE-2026-41357)

CWE-ID: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper neutralization of environment variables in SSH-based sandbox backends when spawning child processes. A local user can influence process.env values passed to local SSH child processes to disclose sensitive information.

Remote leakage depends on non-default SSH environment forwarding.


36) Link following (CVE-ID: CVE-2026-41364)

CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to write arbitrary files on the remote host.

The vulnerability exists due to improper link resolution in SSH sandbox tar upload when uploading a tar archive containing symlinks. A remote user can upload a specially crafted tar archive to write arbitrary files on the remote host.


37) Information disclosure (CVE-ID: CVE-2026-41345)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper handling of authorization headers in media download redirect handling when following cross-origin redirects during media downloads. A remote user can trigger a cross-origin redirect to disclose sensitive information.


38) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-41297)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform server-side request forgery.

The vulnerability exists due to improper control of outbound requests in src/plugins/marketplace.ts when downloading marketplace plugin archives and following redirects. A remote attacker can cause the application to follow a crafted redirect to perform server-side request forgery.


39) Improper access control (CVE-ID: CVE-2026-41330)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to bypass proxy, TLS, Docker, and Git TLS controls.

The vulnerability exists due to improper access control in the host exec environment override handling when executing host commands. A local user can set crafted environment overrides to bypass proxy, TLS, Docker, and Git TLS controls.


40) Files or Directories Accessible to External Parties (CVE-ID: CVE-2026-41366)

CWE-ID: CWE-552 - Files or Directories Accessible to External Parties

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to files or directories accessible to external parties in appendLocalMediaParentRoots when expanding tool-fs roots for local media parent directories. A remote user can cause model-initiated access to arbitrary host files to disclose sensitive information.

Exploitation requires configuration that already permits tool-fs root expansion.


41) Incomplete List of Disallowed Inputs (CVE-ID: CVE-2026-41369)

CWE-ID: CWE-184 - Incomplete List of Disallowed Inputs

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to influence host execution behavior.

The vulnerability exists due to an incomplete list of disallowed inputs in the host exec environment sanitization policy when processing environment variables for host execution. A remote user can set package, registry, Docker, compiler, or TLS override variables to influence host execution behavior.


42) Improper access control (CVE-ID: CVE-2026-41331)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause resource consumption.

The vulnerability exists due to improper access control in the Telegram audio preflight transcription logic when processing audio messages from unauthorized Telegram group senders before allowlist enforcement. A remote attacker can send audio messages to cause resource consumption.

The impact is limited to resource or billing burn rather than direct data exposure or host compromise.


43) Improper access control (CVE-ID: CVE-2026-41374)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper access control in the Discord audio preflight transcription logic when processing Discord audio before member allowlist rejection. A remote attacker can submit audio for preflight transcription to cause a denial of service.


44) Link following (CVE-ID: CVE-2026-41397)

CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to escape the sandbox and access unintended files.

The vulnerability exists due to improper link resolution before file access in the Mirror Sync file synchronization feature when processing synced files and symlinks. A remote attacker can upload or transfer a specially crafted symlink to escape the sandbox and access unintended files.


45) Improper access control (CVE-ID: CVE-2026-41378)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code on the gateway.

The vulnerability exists due to improper access control in node.event agent dispatch when processing agent.request messages from a paired node. A remote user can send a crafted node.event agent.request to execute arbitrary code on the gateway.

Exploitation requires a trusted paired node foothold with the role=node client.


46) Missing Authentication for Critical Function (CVE-ID: CVE-2026-41405)

CWE-ID: CWE-306 - Missing Authentication for Critical Function

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper access control in the MS Teams webhook handler when processing webhook requests before JWT validation. A remote attacker can send a specially crafted request body to cause a denial of service.


47) Origin validation error (CVE-ID: CVE-2026-41347)

CWE-ID: CWE-346 - Origin Validation Error

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to perform cross-site request forgery against operator endpoints.

The vulnerability exists due to improper origin validation in HTTP operator endpoints when operating in trusted-proxy mode. A remote user can cause the victim's browser to send a crafted request to perform cross-site request forgery against operator endpoints.

Exploitation depends on identity-bearing trusted-proxy browser deployments rather than the shared-secret HTTP operator model.


48) Incorrect authorization (CVE-ID: CVE-2026-41404)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to incorrect authorization in trusted-proxy authentication mode when processing identity-bearing authentication paths for non-Control-UI clients. A remote user can self-declare operator scopes to escalate privileges.

Only non-Control-UI clients using trusted-proxy authentication mode are affected.


49) Path traversal (CVE-ID: CVE-2026-41370)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to path traversal in ACP dispatch inbound channel attachment path handling when processing attachment paths. A remote attacker can supply a crafted attachment path to disclose sensitive information.


50) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2026-41338)

CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to bypass sandbox file operation protections.

The vulnerability exists due to a check-then-act race condition in sandbox workspace file operations when performing apply_patch, remove, or mkdir operations. A local user can manipulate filesystem state between the check and the act to bypass sandbox file operation protections.

The issue is limited to the sandbox-workspace mutation boundary.


51) Information disclosure (CVE-ID: CVE-2026-41335)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in the gateway control interface bootstrap JSON when handling requests to the control interface. A remote attacker can request the bootstrap JSON to disclose sensitive information.

The exposed data includes the version and assistant agent id.


52) Improper access control (CVE-ID: CVE-2026-41348)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass a channel restriction.

The vulnerability exists due to improper access control in the native Discord slash and autocomplete paths when handling slash commands in group DM channels. A remote user can invoke slash commands through those paths to bypass a channel restriction.

The impact is limited to already-authorized Discord users and does not cross a stronger trust boundary.


53) Improper access control (CVE-ID: CVE-2026-41341)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass Group DM policy checks.

The vulnerability exists due to improper access control in extensions/discord/src/monitor/agent-components-helpers.ts when routing Discord component interactions. A remote user can send a crafted component interaction from a Group DM to bypass Group DM policy checks.

The issue is limited to Group DM policy or session misclassification.


54) Incorrect authorization (CVE-ID: CVE-2026-41350)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass session visibility restrictions.

The vulnerability exists due to incorrect authorization in the session_status functionality when handling unsandboxed invocations. A remote user can invoke session_status in an unsandboxed context to bypass session visibility restrictions.

This is a same-agent session-policy bypass rather than a broader host-boundary break.


Remediation

Install update from vendor's website.

References