SB2026050455 - Multiple vulnerabilities in OpenClaw



SB2026050455 - Multiple vulnerabilities in OpenClaw

Published: May 4, 2026

Security Bulletin ID SB2026050455
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 10
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 30% Low 70%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 10 vulnerabilities.


1) Reversible One-Way Hash (CVE-ID: CVE-2026-28479)

CWE-ID: CWE-328 - Use of Weak Hash

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to cause unsafe sandbox state reuse.

The vulnerability exists due to the use of a collision-prone hash algorithm in the sandbox identifier cache key generation logic when hashing normalized sandbox configuration payloads. A remote attacker can provide a crafted configuration that collides with another cache identity to cause unsafe sandbox state reuse.

The issue may also increase the risk of cache poisoning when deterministic identifiers are used to decide whether an existing sandbox container can be reused safely.


2) Improper Validation of Specified Type of Input (CVE-ID: CVE-2026-27007)

CWE-ID: CWE-1287 - Improper Validation of Specified Type of Input

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause sandbox containers to be incorrectly reused.

The vulnerability exists due to improper handling of order-sensitive configuration data in normalizeForHash in src/agents/sandbox/config-hash.ts when processing sandbox configuration arrays. A remote user can supply a configuration change that only alters primitive array order to cause sandbox containers to be incorrectly reused.

This affects sandbox recreation decisions for order-sensitive arrays such as Docker dns and binds entries.


3) Command injection (CVE-ID: CVE-2026-27001)

CWE-ID: CWE-77 - Command injection

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information or influence agent behavior.

The vulnerability exists due to improper neutralization of special elements in the agent system prompt when embedding the current working directory path into LLM prompts. A remote user can cause OpenClaw to run inside a specially crafted directory name to disclose sensitive information or influence agent behavior.

The crafted directory name may contain control or format characters, including newlines or Unicode bidi or zero-width markers.


4) Execution with unnecessary privileges (CVE-ID: CVE-2026-27002)

CWE-ID: CWE-250 - Execution with Unnecessary Privileges

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to disclose sensitive host information or gain control of the host.

The vulnerability exists due to improper access control in the Docker tool sandbox configuration handling when processing sandbox Docker configuration. A remote user can inject dangerous Docker options such as bind mounts, host networking, or unconfined profiles to disclose sensitive host information or gain control of the host.

Exploitation requires the ability to influence sandbox Docker configuration or to have an operator paste untrusted configuration.


5) Improper access control (CVE-ID: CVE-2026-27004)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in session tools when handling session-targeting operations in shared-agent multi-user deployments. A remote user can access broader peer session data to disclose sensitive information.

Exploitation is relevant in shared-agent multi-user environments where peers are not equally trusted.


6) Cross-site scripting (CVE-ID: CVE-2026-27009)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a local user to execute arbitrary JavaScript in the Control UI origin.

The vulnerability exists due to cross-site scripting in the Control UI inline script rendering of assistant identity values when rendering assistant name or avatar values into an inline script block without script-context-safe escaping. A local user can set a crafted assistant identity value to execute arbitrary JavaScript in the Control UI origin.

User interaction is required for a Control UI visitor to load the affected interface.


7) Path traversal (CVE-ID: CVE-2026-27008)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to write files outside the intended install sandbox.

The vulnerability exists due to improper path restriction in the download skill installation target directory validation when processing targetDir values from skill frontmatter during the skills.install flow. A remote user can supply a specially crafted skill package to write files outside the intended install sandbox.

The issue is limited to the admin-only skills.install flow.


8) Command injection (CVE-ID: N/A)

CWE-ID: CWE-77 - Command injection

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to stage ignored files.

The vulnerability exists due to command injection in git-hooks/pre-commit when processing maliciously named files during commits. A local user can create a specially named file beginning with a hyphen to stage ignored files.

This issue only affects contributors using the repository's built-in git hook setup from a repository checkout or source release, and only when sensitive ignored files are present in the working directory.


9) Insufficiently protected credentials (CVE-ID: CVE-2026-27003)

CWE-ID: CWE-522 - Insufficiently Protected Credentials

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose a Telegram bot token.

The vulnerability exists due to insufficiently protected credentials in log handling when processing error messages and stack traces containing Telegram bot API URLs. A remote attacker can obtain exposed log output to disclose a Telegram bot token.

Exposed tokens may appear in crash reports, CI output, or support bundles.


10) Resource exhaustion (CVE-ID: CVE-2026-28394)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in the web_fetch tool when parsing attacker-controlled web pages with oversized response bodies or pathological HTML nesting. A remote attacker can trick a user or automation into fetching a malicious url to cause a denial of service.

User interaction or automated use of the web_fetch feature is required.


Remediation

Install update from vendor's website.

References