SB2026050124 - Multiple vulnerabilities in OpenClaw

Description

This security bulletin contains information about 31 secuirty vulnerabilities.

1) External Control of System or Configuration Setting (CVE-ID: CVE-2026-22169)

The vulnerability allows a local privileged user to bypass intended allowlist approval constraints.

The vulnerability exists due to external control of system or configuration setting in tools.exec.safeBins when using the non-default configuration that explicitly adds sort and invoking the --compress-program option. A local privileged user can invoke an external helper to bypass intended allowlist approval constraints.

Only non-default configurations that explicitly add sort to tools.exec.safeBins in allowlist mode are vulnerable.

2) Untrusted search path (CVE-ID: N/A)

The vulnerability allows a remote user to execute commands.

The vulnerability exists due to an untrusted search path in tools.exec.safeBins when resolving safe-bin executables from PATH-derived directories in allowlist mode. A remote user can place a same-name binary in a trusted PATH directory to execute commands.

Exploitation requires that allowlist mode relies on safe bins and that the attacker can influence trusted binary locations.

3) Link following (CVE-ID: CVE-2026-32024)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper link resolution before file access in avatar handling when resolving local avatar paths. A local user can create a symlink path that resolves outside the configured workspace boundary to disclose sensitive information.

Only files readable by the OpenClaw process can be exposed via gateway avatar surfaces.

4) Incorrect authorization (CVE-ID: CVE-2026-29607)

The vulnerability allows a remote user to execute arbitrary commands.

The vulnerability exists due to incorrect authorization in execution approval persistence flows when approving wrapped system.run commands with allow-always in security=allowlist mode. A remote privileged user can approve a benign wrapped invocation and later execute different inner payloads to execute arbitrary commands.

User interaction is required, and the issue affects gateway and node-host execution approval persistence flows.

5) OS Command Injection (CVE-ID: CVE-2026-28460)

The vulnerability allows a remote attacker to execute unintended commands.

The vulnerability exists due to command injection in the system.run shell-wrapper analysis in allowlist mode when processing shell commands containing line-continuation command substitution inside double quotes. A remote attacker can supply a specially crafted command string to execute unintended commands.

Only deployments that enable tools.exec.security=allowlist with ask=on-miss or off are vulnerable.

6) Authorization bypass through user-controlled key (CVE-ID: N/A)

The vulnerability allows a remote user to bypass sender-scoped authorization.

The vulnerability exists due to improper access control in tools.elevated.allowFrom matching logic when evaluating elevated sender authorization. A remote user can supply broader-than-intended identity signals to bypass sender-scoped authorization.

Only certain elevated-mode configurations are vulnerable.

7) Improper access control (CVE-ID: CVE-2026-32039)

The vulnerability allows a remote attacker to bypass sender authorization policy.

The vulnerability exists due to improper access control in channels.*.groups.*.toolsBySender when matching sender policies with untyped keys. A remote attacker can force an identifier collision to bypass sender authorization policy.

Only deployments that use toolsBySender with untyped keys are vulnerable.

8) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-32021)

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to authorization bypass through a user-controlled key in Feishu allowlist authorization checks when matching sender identities against the allowlist. A remote attacker can set a display name equal to an allowlisted ID string to bypass authorization checks.

Only deployments using Feishu allowlist-based authorization are affected.

9) Input validation error (CVE-ID: CVE-2026-32019)

The vulnerability allows a remote attacker to bypass SSRF restrictions.

The vulnerability exists due to improper input validation in isPrivateIpv4() SSRF guard code used by web_fetch when validating fetched URLs against IPv4 special-use ranges. A remote attacker can supply a URL targeting omitted special-use addresses to bypass SSRF restrictions.

Exploitation requires network reachability to the relevant special-use ranges and a request path that reaches web_fetch URL fetching.

10) External Control of System or Configuration Setting (CVE-ID: N/A)

The vulnerability allows a local user to execute unintended commands.

The vulnerability exists due to external control of system or configuration settings in the shell-env fallback path when executing a login shell with inherited environment values. A local user can supply attacker-influenced environment or config values to execute unintended commands.

Exploitation depends on attacker-controlled environment or configuration input reaching the shell-env fallback on the host process context.

11) OS Command Injection (CVE-ID: N/A)

The vulnerability allows a remote user to execute inline payloads.

The vulnerability exists due to improper neutralization of special elements used in an OS command in tools.exec.safeBins allowlist evaluation when processing configured interpreter-style binaries without an explicit safe-bin profile. A remote user can supply inline code through flags such as -c to execute inline payloads.

Only non-default deployments that explicitly add such binaries to safeBins in allowlist mode are vulnerable.

12) OS Command Injection (CVE-ID: CVE-2026-32003)

The vulnerability allows a remote user to execute arbitrary shell commands.

The vulnerability exists due to improper neutralization of special elements used in an os command in the system.run shell wrapper when invoking bash -lc with request-scoped environment variables. A remote privileged user can supply crafted SHELLOPTS and PS4 environment values to execute arbitrary shell commands.

Exploitation requires the ability to invoke system.run with request-scoped env values, and the issue affects allowlist mode for shell wrappers.

13) Input validation error (CVE-ID: N/A)

The vulnerability allows a remote attacker to bypass rate limiting for hook authentication brute-force attempts.

The vulnerability exists due to improper input validation in hook authentication rate limiting in src/gateway/server-http.ts and src/gateway/auth-rate-limit.ts when processing client IP addresses for failed authentication attempts. A remote attacker can alternate between IPv4 and IPv4-mapped IPv6 address forms to bypass rate limiting for hook authentication brute-force attempts.

The same client can be assigned separate rate-limit buckets when represented as an IPv4 address and as an IPv4-mapped IPv6 address.

14) Path traversal (CVE-ID: N/A)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to path traversal in resolveIdentityAvatarUrl in src/gateway/session-utils.ts when processing a crafted local avatar path that follows a symlink outside the agent workspace. A local user can supply a crafted avatar path to disclose sensitive information.

The resulting file contents can be returned in gateway responses as a base64 data URL via agents.list.

15) Key management errors (CVE-ID: CVE-2026-32897)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper cryptographic key management in owner-ID prompt obfuscation in src/agents/cli-runner/helpers.ts, src/agents/pi-embedded-runner/run/attempt.ts, and src/agents/pi-embedded-runner/compact.ts when hashing owner identifiers with commands.ownerDisplay=hash and commands.ownerDisplaySecret unset. A remote user can observe hash outputs exposed to third-party model providers to disclose sensitive information.

No direct plaintext token disclosure is described, and practical risk is highest when weak gateway tokens are used.

16) Code Injection (CVE-ID: N/A)

The vulnerability allows a remote user to execute unintended JavaScript.

The vulnerability exists due to improper control of code generation in webhook transform module import handling when resolving a transform module path through a symlinked entry outside the trusted transform directory. A remote user can cause the gateway to dynamically import attacker-controlled code to execute unintended JavaScript.

Exploitation requires hook transforms to be enabled and reachable, influence over transform path resolution, and a symlink escape to attacker-controlled code.

17) External Control of System or Configuration Setting (CVE-ID: CVE-2026-32056)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to external control of system configuration settings in the system.run shell execution path when processing attacker-supplied environment variables for shell startup. A remote attacker can supply crafted HOME or ZDOTDIR values to execute arbitrary code.

Exploitation relies on shell startup files being processed before the allowlist-evaluated command body.

18) Incorrect authorization (CVE-ID: CVE-2026-27566)

The vulnerability allows a remote user to bypass intended allowlist restrictions and execute non-allowlisted commands.

The vulnerability exists due to incorrect authorization in system.run exec allowlist analysis when processing requests that route execution through env or shell-dispatch wrapper binaries. A remote user can submit a specially crafted system.run request to bypass intended allowlist restrictions and execute non-allowlisted commands.

Exploitation requires the ability to trigger system.run requests under an allowlist policy.

19) Incorrect authorization (CVE-ID: CVE-2026-32016)

The vulnerability allows a local user to bypass path-based execution policy.

The vulnerability exists due to incorrect authorization in exec-approval allowlist matching on macOS node-host when processing basename-only allowlist entries under security=allowlist with ask=on-miss. A local user can place or invoke a same-name local binary to bypass path-based execution policy.

Only the macOS node-host path is affected, and exploitation requires the optional exec approvals feature to be enabled with basename-only allowlist entries configured.

20) OS Command Injection (CVE-ID: CVE-2026-22179)

The vulnerability allows a remote user to execute unintended commands on the node host.

The vulnerability exists due to improper neutralization of special elements used in an os command in the system.run allowlist parsing on the macOS node-host path when processing double-quoted shell text containing command substitution in security=allowlist mode. A remote privileged user can send a specially crafted shell-wrapper command to execute unintended commands on the node host.

Exploitation requires the macOS node-host or companion-app execution path, security=allowlist, and ask mode set to on-miss or off.

21) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-32049)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in several channel ingestion paths when buffering remote media. A remote attacker can send oversized media payloads to cause a denial of service.

22) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-32037)

The vulnerability allows a remote attacker to perform server-side request forgery.

The vulnerability exists due to insufficient destination validation in MSTeams media download flows when processing attachment URLs that trigger redirect chains. A remote attacker can supply or influence an attachment URL to perform server-side request forgery.

The issue affects specific attachment paths where redirects were not consistently constrained to allowlisted targets before fetched content was accepted.

23) Link following (CVE-ID: CVE-2026-32020)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper link resolution before file access in the Control UI static file handler when serving Control UI assets and SPA fallback files. A local user can place a symlink under the Control UI root to disclose sensitive information.

Exploitation requires symlinks to exist inside the Control UI root.

24) Untrusted search path (CVE-ID: CVE-2026-32032)

The vulnerability allows a local user to execute an attacker-controlled shell.

The vulnerability exists due to untrusted search path in shell environment fallback loading when invoking the shell from an inherited untrusted host environment. A local user can set the SHELL environment variable to an attacker-controlled executable to execute an attacker-controlled shell.

Exploitation requires prior local environment compromise or injection of an untrusted startup environment.

25) Incorrect authorization (CVE-ID: CVE-2026-32001)

The vulnerability allows a remote user to inject unauthorized node events.

The vulnerability exists due to incorrect authorization in the WebSocket connect path when handling role=node connections authenticated with a shared gateway token without device identity or pairing. A remote user can connect as role=node and call node.event to inject unauthorized node events.

This can trigger agent.request and voice.transcript flows without node device pairing.

26) Incorrect authorization (CVE-ID: CVE-2026-22170)

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to incorrect authorization in isAllowedParsedChatSender() and BlueBubbles DM/reaction authorization logic when processing direct messages or reactions with dmPolicy set to pairing or allowlist and allowFrom empty or unset. A remote attacker can send messages or reactions from an untrusted sender to bypass authorization checks.

This issue affects the optional BlueBubbles channel plugin rather than core messaging surfaces.

27) Improper Authentication (CVE-ID: N/A)

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to improper authentication in Discord allowlist name/tag matching when processing slug-normalized Discord names and tags. A remote attacker can use a colliding user tag to bypass authorization checks.

Name-based allowlist entries can unintentionally match different Discord users after slug normalization.

28) Link following (CVE-ID: N/A)

The vulnerability allows a remote attacker to write arbitrary files outside the intended extraction destination.

The vulnerability exists due to improper link resolution before file access in ZIP extraction logic in src/infra/archive.ts when extracting an attacker-controlled archive with a pre-existing symlink in the destination path. A remote attacker can supply a specially crafted archive to write arbitrary files outside the intended extraction destination.

Exploitation requires a pre-existing symlink under the extraction root in a destination path segment.

29) Incomplete List of Disallowed Inputs (CVE-ID: CVE-2026-32010)

The vulnerability allows a remote user to run an external program without expected approval.

The vulnerability exists due to incomplete list of disallowed inputs in the sort safe-bin policy when processing sort --compress-program in safe-bin usage. A remote user can supply a crafted sort invocation with --compress-program to run an external program without expected approval.

Only deployments that explicitly add sort to tools.exec.safeBins and use security=allowlist with ask=on-miss are vulnerable.

30) Authentication Bypass by Spoofing (CVE-ID: CVE-2026-22174)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to authentication bypass by spoofing in loopback CDP probe handling when sending CDP reachability probes to a loopback listener. A remote attacker can bind or control the probed loopback port and read the x-openclaw-relay-token header to disclose sensitive information.

Exploitation is relevant in shared-user or shared-host deployments where an untrusted local process can race or bind the loopback relay port.

31) Incomplete List of Disallowed Inputs (CVE-ID: CVE-2026-31993)

The vulnerability allows a remote user to execute shell-chain commands on the paired macOS host.

The vulnerability exists due to incomplete list-based input validation in system.run exec approvals when processing shell-chain commands under allowlist mode with ask-on-miss enabled. A remote user can submit a shell-chain command that passes allowlist checks to execute shell-chain commands on the paired macOS host.

Exploitation requires operator.write permissions on a paired macOS beta node host, and only systems configured with security=allowlist and ask=on-miss are affected.

Remediation

Install update from vendor's website.

References

• https://github.com/openclaw/openclaw/security/advisories/GHSA-vmqr-rc7x-3446
• https://github.com/openclaw/openclaw/security/advisories/GHSA-qhrr-grqp-6x2g
• https://github.com/openclaw/openclaw/commit/64b273a71cf0b2f2419c974832cede1fc2158729
• https://github.com/openclaw/openclaw/security/advisories/GHSA-rx3g-mvc3-qfjf
• https://github.com/openclaw/openclaw/commit/3d0337504349954237d09e4d957df5cb844d5e77
• https://github.com/openclaw/openclaw/security/advisories/GHSA-6j27-pc5c-m8w8
• https://github.com/openclaw/openclaw/commit/24c954d972400f508814532dea0e4dcb38418bb0
• https://github.com/openclaw/openclaw/security/advisories/GHSA-9868-vxmx-w862
• https://github.com/openclaw/openclaw/commit/3f0b9dbb36c86e308267924c0d3d4a4e1fc4d1e9
• https://github.com/openclaw/openclaw/security/advisories/GHSA-f6h3-846h-2r8w
• https://github.com/openclaw/openclaw/commit/6817c0ec7b4fa830123d4f5c340f075a4bd04ee2
• https://github.com/openclaw/openclaw/security/advisories/GHSA-wpph-cjgr-7c39
• https://github.com/openclaw/openclaw/commit/5547a2275cb69413af3b62c795b93214fe913b57
• https://github.com/openclaw/openclaw/security/advisories/GHSA-j4xf-96qf-rx69
• https://github.com/openclaw/openclaw/commit/4ed87a667263ed2d422b9d5d5a5d326e099f92c7
• https://github.com/openclaw/openclaw/security/advisories/GHSA-4rqq-w8v4-7p47
• https://github.com/openclaw/openclaw/commit/71bd15bb4294d3d1b54386064d69cd0f5f731bd8
• https://github.com/openclaw/openclaw/security/advisories/GHSA-5h2c-8v84-qpvr
• https://github.com/openclaw/openclaw/commit/9363c320d8ffe29290906752fab92621da02c3f7
• https://github.com/openclaw/openclaw/security/advisories/GHSA-8mf7-vv8w-hjr2
• https://github.com/openclaw/openclaw/commit/47c3f742b6c488be26dd7b9636dbbb8676089154
• https://github.com/openclaw/openclaw/security/advisories/GHSA-2fgq-7j6h-9rm4
• https://github.com/openclaw/openclaw/commit/e80c803fa887f9699ad87a9e906ab5c1ff85bd9a
• https://github.com/openclaw/openclaw/security/advisories/GHSA-5847-rm3g-23mw
• https://github.com/openclaw/openclaw/commit/3284d2eb227e7b6536d543bcf5c3e320bc9d13c5
• https://github.com/openclaw/openclaw/security/advisories/GHSA-9mph-4f7v-fmvh
• https://github.com/openclaw/openclaw/security/advisories/GHSA-v6x2-2qvm-6gv8
• https://github.com/openclaw/openclaw/commit/c99e7696e6893083b256f0a6c88fb060f3a76fb7
• https://github.com/openclaw/openclaw/security/advisories/GHSA-659f-22xc-98f2
• https://github.com/openclaw/openclaw/commit/f4dd0577b055f77af783105bd65eae32f3d5e6a1
• https://github.com/openclaw/openclaw/security/advisories/GHSA-xgf2-vxv2-rrmg
• https://github.com/openclaw/openclaw/commit/c2c7114ed39a547ab6276e1e933029b9530ee906
• https://github.com/openclaw/openclaw/security/advisories/GHSA-jj82-76v6-933r
• https://github.com/openclaw/openclaw/commit/2b63592be57782c8946e521bc81286933f0f99c7
• https://github.com/openclaw/openclaw/security/advisories/GHSA-7f4q-9rqh-x36p
• https://github.com/openclaw/openclaw/commit/dd41fadcaf58fd9deb963d6e163c56161e7b35dd
• https://github.com/openclaw/openclaw/security/advisories/GHSA-9p38-94jf-hgjj
• https://github.com/openclaw/openclaw/commit/90a378ca3a9ecbf1634cd247f17a35f4612c6ca6
• https://github.com/openclaw/openclaw/security/advisories/GHSA-rxxp-482v-7mrh
• https://github.com/openclaw/openclaw/commit/73d93dee64127a26f1acd09d0403b794cdeb4f5c
• https://github.com/openclaw/openclaw/security/advisories/GHSA-w76h-8m22-hpgh
• https://github.com/openclaw/openclaw/security/advisories/GHSA-5ghc-98wh-gwwf
• https://github.com/openclaw/openclaw/commit/7c500ff6236fa087ec1ec88696ca9f6881e90dc5
• https://github.com/openclaw/openclaw/security/advisories/GHSA-f8mp-vj46-cq8v
• https://github.com/openclaw/openclaw/commit/25e89cc86338ef475d26be043aa541dfdb95e52a
• https://github.com/openclaw/openclaw/security/advisories/GHSA-rv2q-f2h5-6xmg
• https://github.com/openclaw/openclaw/commit/ddcb2d79b17bf2a42c5037d8aeff1537a12b931e
• https://github.com/openclaw/openclaw/security/advisories/GHSA-jwf4-8wf4-jf2m
• https://github.com/openclaw/openclaw/commit/9632b9bcf032c5f2280c3103961fde912ab1f920
• https://github.com/openclaw/openclaw/security/advisories/GHSA-4cqv-h74h-93j4
• https://github.com/openclaw/openclaw/commit/f97c45c5b5e0698b6667bb5f6badc0cac7dabd12
• https://github.com/openclaw/openclaw/security/advisories/GHSA-jxrq-8fm4-9p58
• https://github.com/openclaw/openclaw/commit/4b226b74f5fd3b106a83a6347fd404172e2fd246
• https://github.com/openclaw/openclaw/security/advisories/GHSA-4gc7-qcvf-38wg
• https://github.com/openclaw/openclaw/commit/57fbbaebca4d34d17549accf6092ae26eb7b605c
• https://github.com/openclaw/openclaw/security/advisories/GHSA-v3j7-34xh-6g3w
• https://github.com/openclaw/openclaw/security/advisories/GHSA-5f9p-f3w2-fwch
• https://github.com/openclaw/openclaw/commit/5da03e622119fa012285cdb590fcf4264c965cb5