SB2026050449 - Multiple vulnerabilities in OpenClaw



SB2026050449 - Multiple vulnerabilities in OpenClaw

Published: May 4, 2026

Security Bulletin ID SB2026050449
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 vulnerabilities.


1) Link following (CVE-ID: CVE-2026-27485)

CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper link resolution before file access in skills/skill-creator/scripts/package_skill.py when packaging a crafted local skill directory containing symlinks. A local user can run the packaging script on attacker-controlled skill contents to disclose sensitive information.

This issue is limited to the local manual skill author packaging workflow and is not reachable via normal gateway or chat runtime paths.


2) Missing Authorization (CVE-ID: CVE-2026-27484)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to perform unauthorized moderation actions.

The vulnerability exists due to missing authorization in Discord moderation action handling when processing tool-driven moderation requests. A remote user can spoof sender identity fields to perform unauthorized moderation actions.

Exploitation requires moderation actions to be enabled and the bot to have the necessary guild permissions.


Remediation

Install update from vendor's website.