SB2026040853 - Multiple vulnerabilities in OpenClaw
Published: April 8, 2026 Updated: May 1, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 10 vulnerabilities.
1) Incorrect authorization (CVE-ID: N/A)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose model metadata.
The vulnerability exists due to incorrect authorization in the gateway HTTP /v1/models route when handling authenticated HTTP requests with bearer tokens. A remote user can send a request to /v1/models with a token that lacks operator.read to disclose model metadata.
This issue is a cross-surface authorization inconsistency between the WebSocket RPC interface and the HTTP compatibility interface.
2) Improper privilege management (CVE-ID: N/A)
CWE-ID: CWE-269 - Improper Privilege Management
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify persistent channel authorization policy.
The vulnerability exists due to improper privilege management in the /allowlist command handler when processing /allowlist add or remove commands through the chat.send gateway method. A remote user can send a specially crafted chat.send request to modify persistent channel authorization policy.
The issue affects internal gateway callers because chat.send creates a command-authorized internal context, allowing an operator.write-scoped client to reach config-backed allowlist writes that are intended to be reserved for operator.admin.
3) Improper access control (CVE-ID: CVE-2026-33581)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in src/infra/outbound/message-action-params.ts and src/infra/outbound/message-action-runner.ts when handling mediaUrl and fileUrl alias parameters. A remote user can supply crafted alias parameters to disclose sensitive information.
Exploitation requires the caller to be constrained to sandbox media roots.
4) Untrusted search path (CVE-ID: CVE-2026-41384)
CWE-ID: CWE-426 - Untrusted Search Path
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to untrusted search path in the cli backend runner when processing a malicious workspace configuration. A remote user can inject environment variables via workspace config to execute arbitrary code.
5) Resource exhaustion (CVE-ID: CVE-2026-35665)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in the Feishu webhook handler when processing slow HTTP POST requests before webhook signature verification. A remote attacker can send concurrent slow HTTP POST requests to cause a denial of service.
The issue affects OpenClaw instances running the Feishu channel in webhook mode, and the Feishu webhook endpoint must be publicly accessible for webhook delivery.
6) Improper Authorization (CVE-ID: CVE-2026-35620)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify the current session delivery policy.
The vulnerability exists due to improper authorization in the handleSendPolicyCommand function when processing the owner-only /send on|off|inherit command. A remote user can send a /send command to modify the current session delivery policy.
The issue affects senders who are authorized to run commands but are not treated as the owner, and the change is persisted for the current session.
7) Path traversal (CVE-ID: CVE-2026-35668)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to path traversal in normalizeSandboxMediaParams and handlePluginAction when processing message tool calls with mediaUrl or fileUrl parameter keys. A remote user can supply a crafted mediaUrl or fileUrl value to disclose sensitive information.
The issue can break sandbox isolation and expose files from other agents' workspaces because unchecked parameter keys bypass sandbox path validation and plugins fall back to default media roots.
8) Improper Resource Shutdown or Release (CVE-ID: CVE-2026-35667)
CWE-ID: CWE-404 - Improper Resource Shutdown or Release
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service and disrupt process cleanup.
The vulnerability exists due to improper resource shutdown or release in the !stop chat command via shell-utils.ts when stopping background bash processes. A local user can invoke the !stop or /bash stop command to cause a denial of service and disrupt process cleanup.
Processes are terminated with SIGKILL immediately, which prevents graceful shutdown handlers from running and can leave files, locks, connections, or audit operations incomplete.
9) Incorrect authorization (CVE-ID: CVE-2026-35653)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to reset persistent browser profiles and cause integrity and availability impacts.
The vulnerability exists due to incorrect authorization in the browser.request gateway method and persistent profile reset route when sending a crafted POST request to /reset-profile through the operator.write surface. A remote user can invoke the reachable reset route to reset persistent browser profiles and cause integrity and availability impacts.
The issue affects callers limited to the scoped Gateway method browser.request on the operator.write surface, and the target local browser profile must exist.
10) External Control of System or Configuration Setting (CVE-ID: CVE-2026-35641)
CWE-ID: CWE-15 - External Control of System or Configuration Setting
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper control of externally managed configuration in the local plugin and hook package installation workflow when installing a local plugin or hook directory or archive containing a crafted .npmrc file and a git dependency. A remote attacker can supply a crafted local package that overrides npm's git executable path to execute arbitrary code.
User interaction is required to install the malicious local package, and exploitation occurs during the installation phase before the plugin or hook is loaded.
Remediation
Install update from vendor's website.
References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-68f8-9mhj-h2mp
- https://github.com/openclaw/openclaw/security/advisories/GHSA-94pw-c6m8-p9p9
- https://github.com/openclaw/openclaw/security/advisories/GHSA-v8wv-jg3q-qwpq
- https://github.com/openclaw/openclaw/security/advisories/GHSA-vfw7-6rhc-6xxg
- https://github.com/openclaw/openclaw/commit/c2fb7f1948c3226732a630256b5179a60664ec24
- https://github.com/openclaw/openclaw/security/advisories/GHSA-w6m8-cqvj-pg5v
- https://github.com/openclaw/openclaw/blob/main/extensions/feishu/src/monitor.ts#L276-L280
- https://github.com/openclaw/openclaw/security/advisories/GHSA-39mp-545q-w789
- https://github.com/openclaw/openclaw/security/advisories/GHSA-hr5v-j9h9-xjhg
- https://github.com/moltbot/moltbot/blob/main/src/infra/outbound/message-action-params.ts#L206-L227
- https://github.com/openclaw/openclaw/security/advisories/GHSA-3298-56p6-rpw2
- https://github.com/moltbot/moltbot/blob/f2849c2417/src/agents/shell-utils.ts#L170-L192
- https://github.com/openclaw/openclaw/security/advisories/GHSA-xp9r-prpg-373r
- https://github.com/openclaw/openclaw/security/advisories/GHSA-m3mh-3mpg-37hw