SB2026040852 - Multiple vulnerabilities in OpenClaw
Published: April 8, 2026 Updated: May 1, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 28 vulnerabilities.
1) Insufficient verification of data authenticity (CVE-ID: N/A)
CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to trigger duplicate voice-call processing.
The vulnerability exists due to improper canonicalization in extensions/voice-call/src/webhook-security.ts when verifying and replay-checking Plivo V3 webhooks. A remote attacker can reorder query parameters in a captured valid signed webhook URL to trigger duplicate voice-call processing.
Exploitation requires capture of one valid signed Plivo V3 webhook.
2) Improper Authorization (CVE-ID: CVE-2026-33576)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause unauthorized network fetches and disk writes.
The vulnerability exists due to improper authorization in extensions/zalo/src/monitor.ts when processing inbound media messages before DM or pairing authorization checks. A remote attacker can send a message with media content to cause unauthorized network fetches and disk writes.
The message itself may still be rejected after the media is fetched and stored.
3) Insufficient verification of data authenticity (CVE-ID: N/A)
CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information and modify configuration data.
The vulnerability exists due to improper trust management in src/commands/onboard-remote.ts when accepting discovered gateway endpoints during remote onboarding. A remote attacker can provide a malicious or spoofed discovery endpoint to disclose sensitive information and modify configuration data.
User interaction is required during the onboarding process, and exploitation depends on discovery on the local network.
4) Improper access control (CVE-ID: CVE-2026-33577)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to improper access control in node pairing approval path in src/infra/node-pairing.ts and src/gateway/server-methods/nodes.ts when approving pending node requests with requested scopes. A remote user can approve a pending node request for broader scopes to escalate privileges.
The issue occurs because the approving caller was not consistently required to already hold every scope requested by the node.
5) Improper access control (CVE-ID: CVE-2026-33578)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass sender restrictions.
The vulnerability exists due to improper access control in extensions/googlechat/src/monitor-access.ts and extensions/zalouser/src/monitor.ts when resolving sender policy for routes configured with only a group allowlist. A remote user can interact with the bot from an allowlisted Google Chat space or Zalouser group to bypass sender restrictions.
The issue occurs when only a route-level group allowlist is configured and sender policy resolution downgrades from allowlist to open.
6) Improper Restriction of Excessive Authentication Attempts (CVE-ID: CVE-2026-33580)
CWE-ID: CWE-307 - Improper Restriction of Excessive Authentication Attempts
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to forge inbound webhook events.
The vulnerability exists due to improper restriction of excessive authentication attempts in extensions/nextcloud-talk/src/monitor.ts when handling webhook signature authentication. A remote attacker can brute-force a weak shared secret online to forge inbound webhook events.
The issue is exposed to an attacker who can reach the webhook endpoint.
7) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-34504)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in extensions/fal/image-generation-provider.ts when downloading returned image URLs from the fal provider. A remote attacker can cause the gateway to fetch internal URLs to disclose sensitive information.
Exploitation requires a malicious or compromised fal relay.
8) Incorrect authorization (CVE-ID: N/A)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to approve pending host execution.
The vulnerability exists due to incorrect authorization in Discord text approval commands when processing the `/approve` command for pending exec approvals. A remote user can send an approval command without being in the configured approver allowlist to approve pending host execution.
The issue affects `extensions/discord/src/exec-approvals.ts` and `src/auto-reply/reply/commands-approve.ts`.
9) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to trigger privileged component actions.
The vulnerability exists due to improper access control in extensions/discord/src/monitor/agent-components.ts when handling Discord component interactions. A remote user can send a crafted component interaction from a blocked context to trigger privileged component actions.
The issue occurs because guild and channel policy gates used for normal inbound messages were not consistently reapplied to component interactions.
10) Improper access control (CVE-ID: CVE-2026-34503)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to retain access to an active WebSocket session after token revocation or device removal.
The vulnerability exists due to improper access control in src/gateway/server-methods/devices.ts and src/gateway/server.impl.ts when handling device removal or token revocation for existing WebSocket connections. A remote user can continue using an already-authenticated live session to retain access to an active WebSocket session after token revocation or device removal.
The session remains usable until it reconnects.
11) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a local user to weaken execution approval boundaries.
The vulnerability exists due to improper access control in src/infra/exec-approvals-allowlist.ts when commands are routed through dispatch wrappers. A local user can obtain a one-time approval for a wrapper carrier executable to weaken execution approval boundaries.
A one-time approval could persist a broader future allowlist entry than intended because the wrapper carrier executable could be trusted instead of the actual invoked target.
12) Incomplete List of Disallowed Inputs (CVE-ID: N/A)
CWE-ID: CWE-184 - Incomplete List of Disallowed Inputs
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute untrusted code or load attacker-selected credentials.
The vulnerability exists due to incomplete list of disallowed inputs in src/infra/host-env-security-policy.json and src/infra/host-env-security.ts when processing approved exec requests with environment overrides. A remote user can supply crafted GIT_TEMPLATE_DIR or AWS_CONFIG_FILE values to execute untrusted code or load attacker-selected credentials.
The issue affects host execution environment sanitization for git and AWS CLI behavior.
13) Improper access control (CVE-ID: CVE-2026-33579)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to improper access control in /pair approve command path in extensions/device-pair/index.ts and src/infra/device-pairing.ts when approving pending device requests. A remote user can approve a pending device request asking for broader scopes to escalate privileges.
The issue occurs because caller scopes were not forwarded into the core approval check.
14) Server-Side Request Forgery (SSRF) (CVE-ID: N/A)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to server-side request forgery (SSRF) in src/shared/net/ip.ts and src/infra/net/ssrf.* when processing attacker-controlled fetched URLs. A remote user can supply a URL targeting internal or non-routable IPv6 addresses to disclose sensitive information.
The SSRF/IP classifier incorrectly treated several IPv6 special-use ranges as public.
15) Incorrect authorization (CVE-ID: N/A)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to reset another user's session.
The vulnerability exists due to incorrect authorization in the chat.send /reset command handling in src/gateway/server-methods/chat.ts and src/auto-reply/reply/session.ts when processing chat.send requests that invoke /reset. A remote user can send a crafted chat.send /reset command to reset another user's session.
The issue allows session rotation, archives the prior transcript state, and forces issuance of a new session id through a write-scoped gateway path intended for non-admin use.
16) Incorrect authorization (CVE-ID: N/A)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to incorrect authorization in chat.send and persisted session mutation handling when processing the /verbose command. A remote user can send a write-scoped chat request using /verbose to disclose sensitive information.
The issue allows persistence of verbose output settings for later runs through a path that should be restricted to admin-only session changes.
17) Incorrect Regular Expression (CVE-ID: N/A)
CWE-ID: CWE-185 - Incorrect Regular Expression
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose environment variables.
The vulnerability exists due to incorrect regular expression in src/infra/exec-safe-bin-semantics.ts when evaluating operator-approved safe-bin jq programs. A remote user can use the $ENV filter to disclose environment variables.
The jq safe-bin policy blocked explicit env usage but still allowed access to environment data through $ENV.
18) Improper access control (CVE-ID: CVE-2026-41375)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass authorization checks.
The vulnerability exists due to improper access control in /phone arm and /phone disarm command handling when processing requests for external channels. A remote user can invoke these commands without the required operator.admin scope to bypass authorization checks.
The issue is specific to external channels.
19) Improper Authorization (CVE-ID: CVE-2026-41349)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disable execution approval checks.
The vulnerability exists due to improper authorization in config.patch handling when processing agent-initiated configuration changes. A remote user can submit a crafted config.patch change to disable execution approval checks.
20) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-41399)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in the gateway WebSocket upgrade handling in src/gateway/server-http.ts and src/gateway/server/preauth-connection-budget.ts when processing concurrent unauthenticated WebSocket upgrade requests. A remote attacker can send many WebSocket upgrade requests to cause a denial of service.
The issue occurs before connections are allocated to an authenticated session budget.
21) Reliance on Untrusted Inputs in a Security Decision (CVE-ID: CVE-2026-41299)
CWE-ID: CWE-807 - Reliance on Untrusted Inputs in a Security Decision
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to spoof ACP identity labels and inject reserved provenance fields.
The vulnerability exists due to reliance on untrusted inputs in a security decision in chat.send provenance handling in src/gateway/server-methods/chat.ts and src/gateway/server/ws-connection/message-handler.ts when processing self-declared client metadata from the WebSocket handshake. A remote user can supply spoofed client identity metadata to spoof ACP identity labels and inject reserved provenance fields.
22) Improper Authorization (CVE-ID: CVE-2026-41390)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a local user to execute a different underlying program with persisted trust decisions.
The vulnerability exists due to improper authorization in src/infra/dispatch-wrapper-resolution.ts and src/infra/exec-wrapper-resolution.ts when storing trust decisions for wrapped commands. A local user can obtain approval for one wrapped command to execute a different underlying program with persisted trust decisions.
User interaction is required to approve a wrapped command.
23) Path traversal (CVE-ID: CVE-2026-41363)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to path traversal in extensions/feishu/src/docx.ts when resolving upload file paths for Feishu upload_image actions. A remote user can supply a crafted upload path to disclose sensitive information.
The issue allows files outside the configured localRoots sandbox to be read through the upload path.
24) Untrusted search path (CVE-ID: CVE-2026-41294)
CWE-ID: CWE-426 - Untrusted Search Path
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to override runtime configuration and security-sensitive environment settings.
The vulnerability exists due to an untrusted search path in src/infra/dotenv.ts and src/cli/dotenv.ts when loading the current working directory .env before trusted state-dir configuration. A remote attacker can place a malicious .env file in a repository or workspace to override runtime configuration and security-sensitive environment settings.
User interaction is required because OpenClaw must be started in the malicious repository or workspace.
25) Path traversal (CVE-ID: CVE-2026-32846)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose arbitrary files.
The vulnerability exists due to path traversal in src/media/parse.ts when parsing media paths from external input. A remote attacker can supply a crafted path to disclose arbitrary files.
26) Improper privilege management (CVE-ID: CVE-2026-41359)
CWE-ID: CWE-269 - Improper Privilege Management
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify admin-class Telegram configuration and establish cron persistence.
The vulnerability exists due to improper privilege management in the send functionality when handling authenticated send operations. A remote user can invoke the send sink to modify admin-class Telegram configuration and establish cron persistence.
This is a narrow, authenticated, sink-specific privilege escalation issue.
27) Improper privilege management (CVE-ID: CVE-2026-41379)
CWE-ID: CWE-269 - Improper Privilege Management
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify admin-class Talk Voice configuration.
The vulnerability exists due to improper privilege management in the chat.send functionality when handling requests that persist Talk Voice configuration. A remote user can send a crafted chat.send request to modify admin-class Talk Voice configuration.
28) Inclusion of Functionality from Untrusted Control Sphere (CVE-ID: CVE-2026-41355)
CWE-ID: CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary code on the host.
The vulnerability exists due to inclusion of functionality from an untrusted control sphere in OpenShell mirror mode workspace hooks when synchronizing untrusted sandbox files during gateway startup. A remote user can place crafted files in the sandbox so they are converted into explicitly enabled workspace hooks to execute arbitrary code on the host.
Exploitation requires mirror mode, hooks enabled, explicit hook opt-in, and a gateway restart.
Remediation
Install update from vendor's website.
References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-8689-gm9g-jgr6
- https://github.com/openclaw/openclaw/security/advisories/GHSA-v2v2-f783-358j
- https://github.com/openclaw/openclaw/security/advisories/GHSA-3cw3-5vxw-g2h3
- https://github.com/openclaw/openclaw/security/advisories/GHSA-2x4x-cc5g-qmmg
- https://github.com/openclaw/openclaw/security/advisories/GHSA-63mg-xp9j-jfcm
- https://github.com/openclaw/openclaw/security/advisories/GHSA-9528-x887-j2fp
- https://github.com/openclaw/openclaw/security/advisories/GHSA-qxgf-hmcj-3xw3
- https://github.com/openclaw/openclaw/security/advisories/GHSA-98hh-7ghg-x6rq
- https://github.com/openclaw/openclaw/security/advisories/GHSA-jp4j-q5fc-58gv
- https://github.com/openclaw/openclaw/security/advisories/GHSA-2pr2-hcv6-7gwv
- https://github.com/openclaw/openclaw/security/advisories/GHSA-p4x4-2r7f-wjxg
- https://github.com/openclaw/openclaw/security/advisories/GHSA-m866-6qv5-p2fg
- https://github.com/openclaw/openclaw/security/advisories/GHSA-hc5h-pmr3-3497
- https://github.com/advisories/GHSA-hc5h-pmr3-3497
- https://github.com/openclaw/openclaw/security/advisories/GHSA-g86v-f9qv-rh6m
- https://github.com/openclaw/openclaw/security/advisories/GHSA-5r8f-96gm-5j6g
- https://github.com/openclaw/openclaw/security/advisories/GHSA-5h2w-qmfp-ggp6
- https://github.com/openclaw/openclaw/security/advisories/GHSA-jccr-rrw2-vc8h
- https://github.com/openclaw/openclaw/security/advisories/GHSA-h2v7-xc88-xx8c
- https://github.com/openclaw/openclaw/commit/aa66ae1fc797d3298cc409ed2c5da69a89950a45
- https://github.com/openclaw/openclaw/security/advisories/GHSA-v3qc-wrwx-j3pw
- https://github.com/openclaw/openclaw/commit/76411b2afc4ae721e36c12e0ea24fd23e2fed61e
- https://github.com/openclaw/openclaw/security/advisories/GHSA-f44p-c7w9-7xr7
- https://github.com/openclaw/openclaw/commit/cb5f7e201f
- https://github.com/openclaw/openclaw/security/advisories/GHSA-6xg4-82hv-cp6f
- https://github.com/openclaw/openclaw/commit/4b9542716c
- https://github.com/openclaw/openclaw/security/advisories/GHSA-6pfc-6m7w-m8fx
- https://github.com/openclaw/openclaw/commit/83da3cfe31
- https://github.com/openclaw/openclaw/security/advisories/GHSA-qf48-qfv4-jjm9
- https://github.com/openclaw/openclaw/commit/764394c78b
- https://github.com/openclaw/openclaw/security/advisories/GHSA-8rh7-6779-cjqq
- https://github.com/openclaw/openclaw/security/advisories/GHSA-f6pf-4gjx-c94r
- https://github.com/openclaw/openclaw/commit/4797bbc5b96e2cca5532e43b58915c051746fe37
- https://github.com/openclaw/openclaw/security/advisories/GHSA-767m-xrhc-fxm7
- https://github.com/openclaw/openclaw/commit/b7d70ade3b9900dbe97bd73be9c02e924ff3c986
- https://github.com/openclaw/openclaw/security/advisories/GHSA-3q42-xmxv-9vfr
- https://github.com/openclaw/openclaw/commit/e34694733fc64931ed4a543c73d84ad3435d5df1
- https://github.com/openclaw/openclaw/security/advisories/GHSA-42mx-vp8m-j7qh
- https://github.com/openclaw/openclaw/commit/c02ee8a3a4cb390b23afdf21317aa8b2096854d1