SB2026050452 - Multiple vulnerabilities in OpenClaw



SB2026050452 - Multiple vulnerabilities in OpenClaw

Published: May 4, 2026

Security Bulletin ID SB2026050452
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 40% Low 60%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 vulnerabilities.


1) OS Command Injection (CVE-ID: CVE-2026-27209)

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute unexpected shell commands.

The vulnerability exists due to command injection in the shell allowlist analyzer in src/infra/exec-approvals-analysis.ts when processing unquoted heredoc bodies in allowlisted exec commands. A remote user can supply a crafted unquoted heredoc containing expansion tokens to execute unexpected shell commands.

Only deployments with exec enabled in security=allowlist mode are vulnerable; standard default installations are not affected.


2) Missing Authorization (CVE-ID: CVE-2026-27158)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass JID authorization restrictions for reaction targeting.

The vulnerability exists due to missing authorization in the WhatsApp reaction action when handling reaction requests with a forged chatJid and a valid messageId. A remote user can submit a crafted reaction request to bypass JID authorization restrictions for reaction targeting.

The issue is limited to reaction actions in allowFrom-restricted WhatsApp workflows.


3) Input validation error (CVE-ID: CVE-2026-27159)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to cause increased resource consumption.

The vulnerability exists due to improper input validation in the tts model directive handling when processing model-generated TTS directives. A remote attacker can influence a reply to include a crafted provider override directive to cause increased resource consumption.

Exploitation requires multiple TTS providers to be configured.


4) Code Injection (CVE-ID: CVE-2026-27165)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to inject attacker-controlled prompt text into the LLM context.

The vulnerability exists due to improper input validation in src/acp/event-mapper.ts when interpolating ACP resource_link metadata into prompt text. A remote attacker can supply crafted title or uri fields to inject attacker-controlled prompt text into the LLM context.


5) Resource exhaustion (CVE-ID: CVE-2026-27164)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause increased resource consumption.

The vulnerability exists due to uncontrolled resource consumption in src/agents/pi-embedded-runner/run.ts when processing adversarial overflow inputs. A remote attacker can trigger repeated overflow recovery retries to cause increased resource consumption.

Successful tool-result truncation resets the overflow retry counter while truncation itself remains a one-shot action, which preserves eventual termination but amplifies bounded retry and cost cycles.


Remediation

Install update from vendor's website.