SB2026050123 - Multiple vulnerabilities in OpenClaw

Description

This security bulletin contains information about 12 secuirty vulnerabilities.

1) Incorrect authorization (CVE-ID: N/A)

The vulnerability allows a remote attacker to trigger unauthorized agent processing.

The vulnerability exists due to incorrect authorization in the Zalo plugin GROUP message dispatch path when processing Zalo GROUP messages under allowlist-style group handling. A remote attacker can send a GROUP message from a sender not present in the intended allowlist to trigger unauthorized agent processing.

Only configurations intended to restrict group traffic with allowlist-style controls are affected.

2) Incorrect authorization (CVE-ID: CVE-2026-31998)

The vulnerability allows a remote user to trigger downstream agent or tool actions.

The vulnerability exists due to incorrect authorization in the synology-chat channel plugin webhook authorization logic when handling inbound Synology direct messages with dmPolicy set to allowlist and allowedUserIds empty or unset. A remote user can send messages through Synology Chat to trigger downstream agent or tool actions.

Exploitation requires the optional synology-chat channel plugin to be configured.

3) Untrusted search path (CVE-ID: CVE-2026-32009)

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to untrusted search path in safeBins allowlist mode when resolving executables from static default trusted directories. A local user can place a same-name binary in a trusted writable directory to execute arbitrary code.

Exploitation requires the ability to write into a trusted host binary directory.

4) Path traversal (CVE-ID: CVE-2026-32026)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to path traversal in sandbox media path resolution when processing attacker-controlled media references. A remote attacker can supply a crafted absolute path under the host temporary directory to disclose sensitive information.

This affects deployments that rely on sandboxRoot as a strict local filesystem boundary.

5) Path traversal (CVE-ID: CVE-2026-27522)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to path traversal in sendAttachment and setGroupIcon message actions when hydrating media from local absolute paths with sandboxRoot unset. A remote user can trigger an authorized message-action path to disclose sensitive information.

Only deployments with sandboxRoot unset are vulnerable.

6) Interpretation Conflict (CVE-ID: CVE-2026-32052)

The vulnerability allows a remote attacker to execute hidden commands.

The vulnerability exists due to interpretation conflict in system.run shell-wrapper handling when processing shell-wrapper forms with trailing positional argv values. A remote attacker can supply a crafted shell-wrapper command that presents misleading approval text to execute hidden commands.

The issue occurs because operator-visible approval or display text can omit executed argv carriers while runtime execution still uses the full argv vector.

7) Link following (CVE-ID: CVE-2026-27523)

The vulnerability allows a remote attacker to bypass sandbox path restrictions.

The vulnerability exists due to improper link resolution before file access in validateBindMounts when validating bind source paths that use a symlinked parent and a non-existent leaf path. A remote attacker can supply a crafted bind source path to bypass sandbox path restrictions.

The issue occurs because parent symlink traversal was not fully canonicalized before allowed-root and blocked-path checks.

8) Incorrect Behavior Order: Validate Before Canonicalize (CVE-ID: CVE-2026-32033)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to validate-before-canonicalize behavior in tool path checks when processing @-prefixed absolute paths with workspace-only file-system restrictions enabled. A remote user can supply a specially crafted path to disclose sensitive information.

Only instances with non-default tools.fs.workspaceOnly=true configuration are vulnerable.

9) Improper access control (CVE-ID: N/A)

The vulnerability allows a remote attacker to trigger unauthorized media download and disk write activity.

The vulnerability exists due to improper access control in the Telegram DM handler when processing inbound media messages before sender authorization checks complete. A remote attacker can send unauthorized media messages, including media groups, to trigger unauthorized media download and disk write activity.

The issue affects Telegram DM mode, and inbound channel activity tracking in the Telegram message context path also occurred after authorization logic was corrected.

10) Improper access control (CVE-ID: CVE-2026-32038)

The vulnerability allows a remote user to bypass sandbox network isolation.

The vulnerability exists due to improper access control in sandbox Docker network mode validation when processing trusted sandbox network configuration. A remote user can set the sandbox network mode to container:<id> to bypass sandbox network isolation.

Exploitation requires the ability to influence trusted sandbox network configuration, such as agents.defaults.sandbox.docker.network, and may allow access to services reachable within another container's network namespace.

11) Incorrect authorization (CVE-ID: CVE-2026-32023)

The vulnerability allows a remote user to bypass approval gating for shell execution.

The vulnerability exists due to incorrect authorization in system.run allowlist resolution and shell-wrapper detection when processing nested transparent dispatch wrappers. A remote user can supply a wrapper chain that resolves through repeated /usr/bin/env to bypass approval gating for shell execution.

Exploitation requires security=allowlist with ask=on-miss enabled.

12) Improper access control (CVE-ID: N/A)

The vulnerability allows a remote user to disclose sensitive information from out-of-workspace mounted image paths.

The vulnerability exists due to improper access control in native prompt image ingestion functions detectAndLoadPromptImages / loadImageFromRef when processing prompt text that references mounted out-of-workspace image paths in sandboxed runs. A remote user can reference a mounted out-of-workspace image path in prompt text to disclose sensitive information from out-of-workspace mounted image paths.

Exploitation requires sandbox mode, tools.fs.workspaceOnly=true, a reachable out-of-workspace mount path from the sandbox, and a vision-capable model path active for native prompt image loading.

Remediation

Install update from vendor's website.

References

• https://github.com/openclaw/openclaw/security/advisories/GHSA-534w-2vm4-89xr
• https://github.com/openclaw/openclaw/commit/b4010a0b627025c809c0e5dbdbd4770f3bc59ef8
• https://github.com/openclaw/openclaw/security/advisories/GHSA-gw85-xp4q-5gp9
• https://github.com/openclaw/openclaw/commit/0ee30361b8f6ef3f110f3a7b001da6dd3df96bb5
• https://github.com/openclaw/openclaw/security/advisories/GHSA-5gj7-jf77-q2q2
• https://github.com/openclaw/openclaw/commit/b67e600bff696ff2ed9b470826590c0ce6b3bb0a
• https://github.com/openclaw/openclaw/security/advisories/GHSA-33hm-cq8r-wc49
• https://github.com/openclaw/openclaw/commit/d3da67c7a9b463edc1a9b1c1f7af107a34ca32f5
• https://github.com/openclaw/openclaw/security/advisories/GHSA-fqcm-97m6-w7rm
• https://github.com/openclaw/openclaw/commit/270ab03e379f9653e15f7033c9830399b66b7e51
• https://github.com/openclaw/openclaw/security/advisories/GHSA-6rcp-vxwf-3mfp
• https://github.com/openclaw/openclaw/commit/0f0a680d3df81739ea5088a2f88e65f938b7936b
• https://github.com/openclaw/openclaw/security/advisories/GHSA-m8v2-6wwh-r4gc
• https://github.com/openclaw/openclaw/commit/b5787e4abba0dcc6baf09051099f6773c1679ec1
• https://github.com/openclaw/openclaw/security/advisories/GHSA-27cr-4p5m-74rj
• https://github.com/openclaw/openclaw/commit/9ef0fc2ff8fa7b145d1e746d6eb030b1bf692260
• https://github.com/openclaw/openclaw/security/advisories/GHSA-h656-5vcf-cm23
• https://github.com/openclaw/openclaw/commit/9514201fb9b51de5d0b23151110d0ff5d9c8bd67
• https://github.com/openclaw/openclaw/security/advisories/GHSA-ww6v-v748-x7g9
• https://github.com/openclaw/openclaw/commit/14b6eea6e
• https://github.com/openclaw/openclaw/security/advisories/GHSA-ccg8-46r6-9qgj
• https://github.com/openclaw/openclaw/commit/57c9a18180c8b14885bbd95474cbb17ff2d03f0b
• https://github.com/openclaw/openclaw/security/advisories/GHSA-9f72-qcpw-2hxc
• https://github.com/openclaw/openclaw/commit/370d115549c0dadace0902775eea0d5094aedfdc