SB20260422194 - Multiple vulnerabilities in OpenClaw
Published: April 22, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 11 secuirty vulnerabilities.
1) External Initialization of Trusted Variables or Data Stores (CVE-ID: N/A)
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to external initialization of trusted variables or data stores in the MCP stdio server environment handling when spawning an MCP server process from workspace configuration. A local user can supply a malicious workspace MCP configuration with dangerous startup environment variables to execute arbitrary code.
User interaction is required because the operator must start a session that uses the configured MCP server.
2) Improper access control (CVE-ID: N/A)
The vulnerability allows a remote user to modify protected operator settings.
The vulnerability exists due to improper access control in the gateway config.patch and config.apply guard when processing model-driven gateway configuration mutations. A remote user can use the owner-only gateway tool through a prompt-injected model to modify protected operator settings.
This is a model-to-operator guard bypass rather than a remote unauthenticated gateway compromise.
3) Improper access control (CVE-ID: N/A)
The vulnerability allows a remote attacker to bypass webhook routing isolation.
The vulnerability exists due to improper access control in hook mapping sessionKey handling when rendering templated hook mapping session keys. A remote attacker can influence a template-rendered session key to bypass webhook routing isolation.
This issue does not grant host execution by itself.
4) Server-Side Request Forgery (SSRF) (CVE-ID: N/A)
The vulnerability allows a remote attacker to cause server-side request forgery.
The vulnerability exists due to insufficient server-side request forgery validation in QQBot direct-upload media handling when forwarding attacker-controlled image URLs. A remote attacker can supply a crafted image URL to cause server-side request forgery.
The affected path is limited to QQBot outbound media handling and does not expose arbitrary local files.
5) Incomplete List of Disallowed Inputs (CVE-ID: N/A)
The vulnerability allows a local user to manipulate trusted OpenClaw runtime behavior.
The vulnerability exists due to incomplete list of disallowed inputs in workspace dotenv loading when processing attacker-controlled workspace environment variables. A local user can set crafted OPENCLAW_ variables to manipulate trusted OpenClaw runtime behavior.
Exploitation requires running OpenClaw from an attacker-controlled workspace before source-update or installer flows.
6) Incorrect authorization (CVE-ID: N/A)
The vulnerability allows a remote user to access pairing state information and approve or operate on unrelated pending device pairing requests.
The vulnerability exists due to incorrect authorization in pairing management actions when handling paired-device pairing requests within the same gateway scope. A remote user can use a paired-device session with limited pairing scope to access pairing state information and approve or operate on unrelated pending device pairing requests.
The issue is limited to same-gateway paired-device sessions and is not a remote unauthenticated issue.
7) Incorrect authorization (CVE-ID: N/A)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the Control UI assistant-media route when handling identity-bearing HTTP authentication paths for trusted-proxy callers. A remote user can send a request through a trusted proxy without the required operator.read scope to disclose sensitive information.
The route still requires successful gateway authentication and media-root checks.
8) Improper access control (CVE-ID: N/A)
The vulnerability allows a local user to bypass configured tool policy restrictions.
The vulnerability exists due to improper access control in bundled MCP/LSP tool handling when merging bundled tools into the agent's effective tool set after policy filtering. A local user can use a bundled MCP or LSP tool source that should have been restricted by policy to bypass configured tool policy restrictions.
Exploitation requires a configured bundled MCP or LSP tool source and an operator policy that would otherwise restrict that tool.
9) Improper access control (CVE-ID: N/A)
The vulnerability allows a remote user to bypass dmPolicy restrictions for card-action flows.
The vulnerability exists due to improper access control in Feishu card-action handling when synthesizing and dispatching message events for direct-message conversations. A remote user can trigger a crafted card-action flow from a Feishu direct message to bypass dmPolicy restrictions for card-action flows.
The issue is limited to Feishu card-action handling.
10) Insufficient verification of data authenticity (CVE-ID: N/A)
The vulnerability allows a remote attacker to influence trust labeling of system awareness events.
The vulnerability exists due to improper trust labeling in cron awareness event handling when processing output from webhook-triggered isolated cron agent runs. A remote attacker can trigger an isolated cron run via a webhook to influence trust labeling of system awareness events.
This can strengthen prompt-injection impact, but it does not directly bypass gateway authentication, tool policy, or sandboxing.
11) Improper access control (CVE-ID: N/A)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the MiniMax request path when loading environment variables from a workspace .env file. A remote user can supply a crafted workspace .env that overrides MINIMAX_API_HOST to disclose sensitive information.
Exploitation requires running OpenClaw from an attacker-controlled workspace.
Remediation
Install update from vendor's website.
References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-mj59-h3q9-ghfh
- https://github.com/openclaw/openclaw/security/advisories/GHSA-7jm2-g593-4qrc
- https://github.com/openclaw/openclaw/security/advisories/GHSA-2xcp-x87w-q377
- https://github.com/openclaw/openclaw/security/advisories/GHSA-c4qg-j8jg-42q5
- https://github.com/openclaw/openclaw/security/advisories/GHSA-hxvm-xjvf-93f3
- https://github.com/openclaw/openclaw/security/advisories/GHSA-xrq9-jm7v-g9h7
- https://github.com/openclaw/openclaw/security/advisories/GHSA-v8qf-fr4g-28p2
- https://github.com/openclaw/openclaw/security/advisories/GHSA-qrp5-gfw2-gxv4
- https://github.com/openclaw/openclaw/security/advisories/GHSA-72q8-jcmc-97wx
- https://github.com/openclaw/openclaw/security/advisories/GHSA-57r2-h2wj-g887
- https://github.com/openclaw/openclaw/security/advisories/GHSA-h2vw-ph2c-jvwf