SB2026041789 - Multiple vulnerabilities in OpenClaw
Published: April 17, 2026 Updated: April 30, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 20 vulnerabilities.
1) Input validation error (CVE-ID: N/A)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to access host-local media references through a channel action path that expected normalized media.
The vulnerability exists due to improper input validation in Discord eventCreate.image handling when processing Discord event cover image parameters. A remote user can supply crafted event cover image parameters to access host-local media references through a channel action path that expected normalized media.
2) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass SSRF policy enforcement.
The vulnerability exists due to improper access control in existing-session browser interaction and navigation routes when handling existing-session browser interactions. A remote user can use existing-session browser routes to continue interacting with or navigating targets to bypass SSRF policy enforcement.
3) Improper privilege management (CVE-ID: N/A)
CWE-ID: CWE-269 - Improper Privilege Management
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to retain execution in a more privileged context than intended.
The vulnerability exists due to improper privilege management in heartbeat owner-downgrade detection when processing local background exec completion events. A local user can supply untrusted completion content to retain execution in a more privileged context than intended.
The issue occurs because local async exec completion text could be missed by the detection logic.
4) Input validation error (CVE-ID: N/A)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject untrusted input into trusted system event context.
The vulnerability exists due to improper input validation in agent hook event dispatch when processing externally supplied hook metadata. A remote attacker can supply crafted hook metadata to inject untrusted input into trusted system event context.
5) Input validation error (CVE-ID: N/A)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform server-side request forgery.
The vulnerability exists due to improper input validation in browser hostname validation when processing hostname navigation under restrictive policy. A remote attacker can use DNS rebinding to bypass hostname/IP resolution checks to perform server-side request forgery.
The issue occurs because the validated hostname or IP resolution can differ from the address ultimately used by Chromium.
6) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the outbound host-media attachment read helper when loading host-media attachments. A remote user can trigger host-media attachment loading to disclose sensitive information.
Only deployments that allow host read or filesystem root expansion at the global or agent level and rely on sender- or group-scoped policy to deny read for some channel participants are affected.
7) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to access an interactive browser session surface.
The vulnerability exists due to improper access control in the sandbox noVNC helper route when handling requests without the intended bridge authentication. A remote attacker can reach the helper route to access an interactive browser session surface.
8) Allocation of Resources Without Limits or Throttling (CVE-ID: N/A)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in the voice-call realtime WebSocket path when handling oversized WebSocket frames. A remote attacker can send oversized WebSocket frames to cause a denial of service.
Only deployments exposing that webhook path are vulnerable.
9) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass sandbox routing boundaries.
The vulnerability exists due to improper access control in exec routing when processing a host override of node from a sandboxed agent. A remote user can request host: "node" to bypass sandbox routing boundaries.
10) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to trigger server-side request forgery policy bypass.
The vulnerability exists due to improper access control in browser press/type interaction routes when triggering navigation-capable interactions. A remote attacker can cause pressKey or type submit flows to initiate navigation to trigger server-side request forgery policy bypass.
11) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in QQBot outbound media tag handling when processing AI reply text containing host-local file paths. A remote attacker can supply specially crafted reply text to disclose sensitive information.
12) Protection Mechanism Failure (CVE-ID: N/A)
CWE-ID: CWE-693 - Protection Mechanism Failure
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to influence downstream execution or network behavior.
The vulnerability exists due to improper restriction of dangerous environment variables in exec environment policy when processing operator-supplied environment overrides. A remote user can supply crafted interpreter startup variables to influence downstream execution or network behavior.
13) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to load an untrusted plugin during channel setup.
The vulnerability exists due to improper access control in channel setup catalog lookups when resolving plugin entries. A remote user can introduce a workspace plugin shadow to load an untrusted plugin during channel setup.
The issue occurs because setup-time plugin loading can happen before the intended trust gate.
14) Incorrect authorization (CVE-ID: N/A)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify persistent Matrix profile configuration.
The vulnerability exists due to incorrect authorization in Matrix profile persistence when invoking gateway operator.write message-tool paths. A remote user can use write-scoped message tools to modify persistent Matrix profile configuration.
The affected functionality should have required admin-level authority.
15) Incorrect authorization (CVE-ID: N/A)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify persistent memory dreaming settings.
The vulnerability exists due to incorrect authorization in the /dreaming gateway path when handling operator.write commands. A remote user can send a crafted operator.write command to modify persistent memory dreaming settings.
The issue crosses from a write-scoped gateway capability into an admin-class configuration mutation.
16) Incorrect authorization (CVE-ID: N/A)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify profile configuration without required administrative authorization.
The vulnerability exists due to incorrect authorization in Nostr plugin HTTP profile mutation routes when handling profile mutation requests. A remote user can send a crafted profile mutation request to modify profile configuration without required administrative authorization.
The affected route should have required operator.admin scope, but profile configuration could be persisted through a path that did not require admin authority.
17) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to access the Chrome DevTools Protocol outside the intended local or sandbox source range.
The vulnerability exists due to improper access control in the sandbox browser CDP relay when handling DevTools protocol connections. A remote attacker can connect to the exposed relay interface to access the Chrome DevTools Protocol outside the intended local or sandbox source range.
18) Incorrect authorization (CVE-ID: N/A)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to write files outside the intended workspace boundary.
The vulnerability exists due to incorrect authorization in screen_record outPath handling when processing an authorized tool call with an outPath value. A remote user can supply an outPath outside the workspace guard to write files outside the intended workspace boundary.
19) Server-Side Request Forgery (SSRF) (CVE-ID: N/A)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass browser SSRF policy.
The vulnerability exists due to improper access control in the browser /tabs/action select and close routes when handling tab-action requests. A remote user can send a crafted request to bypass browser SSRF policy.
20) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: N/A)
CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose limited information from a different file than the one that passed validation.
The vulnerability exists due to a time-of-check time-of-use race condition in validateScriptFileForShellBleed when validating and then reading a script by mutable pathname. A local user can swap the target path between validation and read to disclose limited information from a different file than the one that passed validation.
The exposed data is limited to derived preflight content such as a matched token, a line number, or the first non-empty JavaScript line in one branch.
Remediation
Install update from vendor's website.
References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-c9h3-5p7r-mrjh
- https://github.com/openclaw/openclaw/security/advisories/GHSA-527m-976r-jf79
- https://github.com/advisories/GHSA-527m-976r-jf79
- https://github.com/openclaw/openclaw/security/advisories/GHSA-g375-h3v6-4873
- https://github.com/openclaw/openclaw/security/advisories/GHSA-7g8c-cfr3-vqqr
- https://github.com/openclaw/openclaw/security/advisories/GHSA-xq94-r468-qwgj
- https://github.com/openclaw/openclaw/security/advisories/GHSA-jhpv-5j76-m56h
- https://github.com/openclaw/openclaw/security/advisories/GHSA-92jp-89mq-4374
- https://github.com/openclaw/openclaw/security/advisories/GHSA-vw3h-q6xq-jjm5
- https://github.com/advisories/GHSA-vw3h-q6xq-jjm5
- https://github.com/openclaw/openclaw/security/advisories/GHSA-736r-jwj6-4w23
- https://github.com/advisories/GHSA-736r-jwj6-4w23
- https://github.com/openclaw/openclaw/security/advisories/GHSA-536q-mj95-h29h
- https://github.com/openclaw/openclaw/security/advisories/GHSA-66r7-m7xm-v49h
- https://github.com/openclaw/openclaw/pull/63271
- https://github.com/openclaw/openclaw/security/advisories/GHSA-vfp4-8x56-j7c5
- https://github.com/openclaw/openclaw/pull/63277
- https://github.com/openclaw/openclaw/security/advisories/GHSA-82qx-6vj7-p8m2
- https://github.com/openclaw/openclaw/security/advisories/GHSA-7jp6-r74r-995q
- https://github.com/openclaw/openclaw/pull/62662
- https://github.com/openclaw/openclaw/security/advisories/GHSA-5gjc-grvm-m88j
- https://github.com/openclaw/openclaw/pull/63872
- https://github.com/openclaw/openclaw/security/advisories/GHSA-f3h5-h452-vp3j
- https://github.com/openclaw/openclaw/pull/63553
- https://github.com/openclaw/openclaw/security/advisories/GHSA-525j-hqq2-66r4
- https://github.com/openclaw/openclaw/pull/61404
- https://github.com/openclaw/openclaw/security/advisories/GHSA-jf25-7968-h2h5
- https://github.com/openclaw/openclaw/pull/63551
- https://github.com/openclaw/openclaw/security/advisories/GHSA-rj2p-j66c-mgqh
- https://github.com/openclaw/openclaw/pull/63332
- https://github.com/openclaw/openclaw/security/advisories/GHSA-gj9q-8w99-mp8j
- https://github.com/openclaw/openclaw/pull/62333