SB2026050451 - Multiple vulnerabilities in OpenClaw



SB2026050451 - Multiple vulnerabilities in OpenClaw

Published: May 4, 2026

Security Bulletin ID SB2026050451
CSH Severity
High
Patch available
YES
Number of vulnerabilities 14
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 7% Medium 36% Low 57%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 14 vulnerabilities.


1) Improper access control (CVE-ID: N/A)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a local user to interfere with extension-relay behavior.

The vulnerability exists due to improper access control in the /extension endpoint when handling WebSocket upgrade requests. A local user can connect to the endpoint without the token to interfere with extension-relay behavior.

Only instances with the optional Chrome extension relay enabled are vulnerable.


2) Server-Side Request Forgery (SSRF) (CVE-ID: N/A)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform server-side request forgery against internal or private network targets.

The vulnerability exists due to insufficient destination validation in the SSRF hostname/IP guard when processing crafted URLs containing an ISATAP IPv6 literal with an embedded IPv4 address. A remote attacker can supply a specially crafted URL to perform server-side request forgery against internal or private network targets.

Exploitation requires reaching a URL-fetching path with attacker-controlled input.


3) Inefficient regular expression complexity (CVE-ID: CVE-2026-22178)

CWE-ID: CWE-1333 - Inefficient Regular Expression Complexity

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to inefficient regular expression complexity in stripBotMention() in extensions/feishu/src/bot.ts when processing Feishu mention metadata in RegExp construction. A remote attacker can supply crafted mention metadata with nested quantifiers to cause a denial of service.

The issue can trigger catastrophic backtracking and block message processing.


4) Improper Certificate Validation (CVE-ID: N/A)

CWE-ID: CWE-295 - Improper Certificate Validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to interfere with attachment retrieval.

The vulnerability exists due to improper certificate validation in the remote iMessage attachment SCP handling when fetching remote attachments over SCP on first connection. A remote attacker can perform a machine-in-the-middle or DNS-poisoning attack to interfere with attachment retrieval.

Only remote iMessage deployments that use SCP attachment fetching are affected.


5) OS Command Injection (CVE-ID: N/A)

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to alter SCP argument semantics.

The vulnerability exists due to command injection in channels.imessage.remoteHost when processing remote host tokens for SCP attachment fetching. A remote attacker can supply an unsafe remote host token value to alter SCP argument semantics.

Only remote iMessage deployments that use SCP attachment fetching are affected.


6) Path traversal (CVE-ID: CVE-2026-22171)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to write arbitrary files.

The vulnerability exists due to path traversal in extensions/feishu/src/media.ts when building temporary file paths from untrusted Feishu media keys. A remote user can supply specially crafted media key values to write arbitrary files.

Exploitation is limited to locations writable by the OpenClaw process and requires control over Feishu media key values returned to the client.


7) OS Command Injection (CVE-ID: CVE-2026-32000)

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary commands.

The vulnerability exists due to command injection in extensions/lobster/src/lobster-tool.ts when retrying tool execution with Windows shell fallback after spawn failures. A remote attacker can supply command arguments containing shell metacharacters to execute arbitrary commands.

The issue is exposed on Windows in the fallback path triggered by EINVAL or ENOENT spawn errors.


8) OS Command Injection (CVE-ID: N/A)

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to execute arbitrary OS commands.

The vulnerability exists due to command injection in runtime.system.runCommandWithTimeout when processing plugin-supplied command input. A local user can supply crafted command arguments to execute arbitrary OS commands.

The issue applies within the trusted plugin boundary because plugins run in-process with the same OS privileges as the OpenClaw process.


9) Incorrect authorization (CVE-ID: N/A)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to perform broader-than-intended owner-only gateway actions.

The vulnerability exists due to incorrect authorization in gateway tool access checks when handling specific authenticated non-owner DM tool invocation flows. A remote user can invoke a specific tool path to perform broader-than-intended owner-only gateway actions.

This issue is limited to authenticated non-owner sender sessions in direct messages and does not provide direct code execution by itself.


10) Incomplete List of Disallowed Inputs (CVE-ID: CVE-2026-32017)

CWE-ID: CWE-184 - Incomplete List of Disallowed Inputs

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to perform arbitrary file write operations.

The vulnerability exists due to incomplete list of disallowed inputs in the exec allowlist/safeBins policy when processing attached short-option payloads. A remote user can supply a specially crafted command argument to perform arbitrary file write operations.

Only configurations with tools.exec.security=allowlist and affected binaries included in tools.exec.safeBins are vulnerable.


11) Untrusted search path (CVE-ID: CVE-2026-32015)

CWE-ID: CWE-426 - Untrusted Search Path

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute attacker-controlled trojan binaries.

The vulnerability exists due to an untrusted search path in tools.exec.safeBins when resolving executable paths from the process PATH during gateway startup. A remote user can place a trojan binary with an allowlisted executable name in the search path to execute attacker-controlled trojan binaries.

Exploitation requires influence over the gateway process PATH or launch environment before startup. Request-scoped PATH injection is blocked for host execution.


12) Incomplete List of Disallowed Inputs (CVE-ID: CVE-2026-31996)

CWE-ID: CWE-184 - Incomplete List of Disallowed Inputs

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to read files or write files.

The vulnerability exists due to incomplete restriction of command arguments in tools.exec.safeBins when executing allowed safe-bin commands with sort output flags or recursive grep flags. A remote user can supply crafted command arguments to read files or write files.

Exploitation requires access to command execution flows in deployments that enabled tools.exec.safeBins.


13) Race condition (CVE-ID: CVE-2026-32018)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause sandbox state corruption.

The vulnerability exists due to a race condition in sandbox registry write operations when processing concurrent updateRegistry and removeRegistryEntry operations. A local user can trigger concurrent registry updates to cause sandbox state corruption.

The issue can lead to lost updates or resurrection of removed entries and can affect sandbox list, sandbox prune, and sandbox recreate --all behavior.


14) Path traversal (CVE-ID: CVE-2026-32030)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to path traversal in stageSandboxMedia when processing inbound attachment path metadata. A remote user can supply crafted path metadata to disclose sensitive information.

Exploitation requires iMessage attachment ingestion to be enabled and remote attachment fetching to be active.


Remediation

Install update from vendor's website.

References