SB2026040852 - Multiple vulnerabilities in OpenClaw
Published: April 8, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 17 secuirty vulnerabilities.
1) Insufficient verification of data authenticity (CVE-ID: N/A)
The vulnerability allows a remote attacker to trigger duplicate voice-call processing.
The vulnerability exists due to improper canonicalization in extensions/voice-call/src/webhook-security.ts when verifying and replay-checking Plivo V3 webhooks. A remote attacker can reorder query parameters in a captured valid signed webhook URL to trigger duplicate voice-call processing.
Exploitation requires capture of one valid signed Plivo V3 webhook.
2) Improper Authorization (CVE-ID: CVE-2026-33576)
The vulnerability allows a remote attacker to cause unauthorized network fetches and disk writes.
The vulnerability exists due to improper authorization in extensions/zalo/src/monitor.ts when processing inbound media messages before DM or pairing authorization checks. A remote attacker can send a message with media content to cause unauthorized network fetches and disk writes.
The message itself may still be rejected after the media is fetched and stored.
3) Insufficient verification of data authenticity (CVE-ID: N/A)
The vulnerability allows a remote attacker to disclose sensitive information and modify configuration data.
The vulnerability exists due to improper trust management in src/commands/onboard-remote.ts when accepting discovered gateway endpoints during remote onboarding. A remote attacker can provide a malicious or spoofed discovery endpoint to disclose sensitive information and modify configuration data.
User interaction is required during the onboarding process, and exploitation depends on discovery on the local network.
4) Improper access control (CVE-ID: CVE-2026-33577)
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to improper access control in node pairing approval path in src/infra/node-pairing.ts and src/gateway/server-methods/nodes.ts when approving pending node requests with requested scopes. A remote user can approve a pending node request for broader scopes to escalate privileges.
The issue occurs because the approving caller was not consistently required to already hold every scope requested by the node.
5) Improper access control (CVE-ID: CVE-2026-33578)
The vulnerability allows a remote user to bypass sender restrictions.
The vulnerability exists due to improper access control in extensions/googlechat/src/monitor-access.ts and extensions/zalouser/src/monitor.ts when resolving sender policy for routes configured with only a group allowlist. A remote user can interact with the bot from an allowlisted Google Chat space or Zalouser group to bypass sender restrictions.
The issue occurs when only a route-level group allowlist is configured and sender policy resolution downgrades from allowlist to open.
6) Improper Restriction of Excessive Authentication Attempts (CVE-ID: CVE-2026-33580)
The vulnerability allows a remote attacker to forge inbound webhook events.
The vulnerability exists due to improper restriction of excessive authentication attempts in extensions/nextcloud-talk/src/monitor.ts when handling webhook signature authentication. A remote attacker can brute-force a weak shared secret online to forge inbound webhook events.
The issue is exposed to an attacker who can reach the webhook endpoint.
7) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-34504)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in extensions/fal/image-generation-provider.ts when downloading returned image URLs from the fal provider. A remote attacker can cause the gateway to fetch internal URLs to disclose sensitive information.
Exploitation requires a malicious or compromised fal relay.
8) Incorrect authorization (CVE-ID: N/A)
The vulnerability allows a remote user to approve pending host execution.
The vulnerability exists due to incorrect authorization in Discord text approval commands when processing the `/approve` command for pending exec approvals. A remote user can send an approval command without being in the configured approver allowlist to approve pending host execution.
The issue affects `extensions/discord/src/exec-approvals.ts` and `src/auto-reply/reply/commands-approve.ts`.
9) Improper access control (CVE-ID: N/A)
The vulnerability allows a remote user to trigger privileged component actions.
The vulnerability exists due to improper access control in extensions/discord/src/monitor/agent-components.ts when handling Discord component interactions. A remote user can send a crafted component interaction from a blocked context to trigger privileged component actions.
The issue occurs because guild and channel policy gates used for normal inbound messages were not consistently reapplied to component interactions.
10) Improper access control (CVE-ID: CVE-2026-34503)
The vulnerability allows a remote user to retain access to an active WebSocket session after token revocation or device removal.
The vulnerability exists due to improper access control in src/gateway/server-methods/devices.ts and src/gateway/server.impl.ts when handling device removal or token revocation for existing WebSocket connections. A remote user can continue using an already-authenticated live session to retain access to an active WebSocket session after token revocation or device removal.
The session remains usable until it reconnects.
11) Improper access control (CVE-ID: N/A)
The vulnerability allows a local user to weaken execution approval boundaries.
The vulnerability exists due to improper access control in src/infra/exec-approvals-allowlist.ts when commands are routed through dispatch wrappers. A local user can obtain a one-time approval for a wrapper carrier executable to weaken execution approval boundaries.
A one-time approval could persist a broader future allowlist entry than intended because the wrapper carrier executable could be trusted instead of the actual invoked target.
12) Incomplete List of Disallowed Inputs (CVE-ID: N/A)
The vulnerability allows a remote user to execute untrusted code or load attacker-selected credentials.
The vulnerability exists due to incomplete list of disallowed inputs in src/infra/host-env-security-policy.json and src/infra/host-env-security.ts when processing approved exec requests with environment overrides. A remote user can supply crafted GIT_TEMPLATE_DIR or AWS_CONFIG_FILE values to execute untrusted code or load attacker-selected credentials.
The issue affects host execution environment sanitization for git and AWS CLI behavior.
13) Improper access control (CVE-ID: CVE-2026-33579)
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to improper access control in /pair approve command path in extensions/device-pair/index.ts and src/infra/device-pairing.ts when approving pending device requests. A remote user can approve a pending device request asking for broader scopes to escalate privileges.
The issue occurs because caller scopes were not forwarded into the core approval check.
14) Server-Side Request Forgery (SSRF) (CVE-ID: N/A)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to server-side request forgery (SSRF) in src/shared/net/ip.ts and src/infra/net/ssrf.* when processing attacker-controlled fetched URLs. A remote user can supply a URL targeting internal or non-routable IPv6 addresses to disclose sensitive information.
The SSRF/IP classifier incorrectly treated several IPv6 special-use ranges as public.
15) Incorrect authorization (CVE-ID: N/A)
The vulnerability allows a remote user to reset another user's session.
The vulnerability exists due to incorrect authorization in the chat.send /reset command handling in src/gateway/server-methods/chat.ts and src/auto-reply/reply/session.ts when processing chat.send requests that invoke /reset. A remote user can send a crafted chat.send /reset command to reset another user's session.
The issue allows session rotation, archives the prior transcript state, and forces issuance of a new session id through a write-scoped gateway path intended for non-admin use.
16) Incorrect authorization (CVE-ID: N/A)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to incorrect authorization in chat.send and persisted session mutation handling when processing the /verbose command. A remote user can send a write-scoped chat request using /verbose to disclose sensitive information.
The issue allows persistence of verbose output settings for later runs through a path that should be restricted to admin-only session changes.
17) Incorrect Regular Expression (CVE-ID: N/A)
The vulnerability allows a remote user to disclose environment variables.
The vulnerability exists due to incorrect regular expression in src/infra/exec-safe-bin-semantics.ts when evaluating operator-approved safe-bin jq programs. A remote user can use the $ENV filter to disclose environment variables.
The jq safe-bin policy blocked explicit env usage but still allowed access to environment data through $ENV.
Remediation
Install update from vendor's website.
References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-8689-gm9g-jgr6
- https://github.com/openclaw/openclaw/security/advisories/GHSA-v2v2-f783-358j
- https://github.com/openclaw/openclaw/security/advisories/GHSA-3cw3-5vxw-g2h3
- https://github.com/openclaw/openclaw/security/advisories/GHSA-2x4x-cc5g-qmmg
- https://github.com/openclaw/openclaw/security/advisories/GHSA-63mg-xp9j-jfcm
- https://github.com/openclaw/openclaw/security/advisories/GHSA-9528-x887-j2fp
- https://github.com/openclaw/openclaw/security/advisories/GHSA-qxgf-hmcj-3xw3
- https://github.com/openclaw/openclaw/security/advisories/GHSA-98hh-7ghg-x6rq
- https://github.com/openclaw/openclaw/security/advisories/GHSA-jp4j-q5fc-58gv
- https://github.com/openclaw/openclaw/security/advisories/GHSA-2pr2-hcv6-7gwv
- https://github.com/openclaw/openclaw/security/advisories/GHSA-p4x4-2r7f-wjxg
- https://github.com/openclaw/openclaw/security/advisories/GHSA-m866-6qv5-p2fg
- https://github.com/openclaw/openclaw/security/advisories/GHSA-hc5h-pmr3-3497
- https://github.com/advisories/GHSA-hc5h-pmr3-3497
- https://github.com/openclaw/openclaw/security/advisories/GHSA-g86v-f9qv-rh6m
- https://github.com/openclaw/openclaw/security/advisories/GHSA-5r8f-96gm-5j6g
- https://github.com/openclaw/openclaw/security/advisories/GHSA-5h2w-qmfp-ggp6
- https://github.com/openclaw/openclaw/security/advisories/GHSA-jccr-rrw2-vc8h