SB2026050456 - Multiple vulnerabilities in OpenClaw
Published: May 4, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 38 vulnerabilities.
1) Cross-site request forgery (CVE-ID: CVE-2026-28477)
CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to substitute credentials for another account.
The vulnerability exists due to insufficient OAuth state validation in the manual Chutes OAuth login flow when processing user-supplied OAuth callback data. A remote attacker can provide crafted callback input to substitute credentials for another account.
User interaction is required to paste attacker-provided OAuth callback data during the manual login prompt. The automatic local callback flow is not affected.
2) Unverified Ownership (CVE-ID: CVE-2026-27486)
CWE-ID: CWE-283 - Unverified Ownership
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to terminate unrelated processes.
The vulnerability exists due to unverified ownership in the CLI process cleanup helpers when enumerating system processes and matching command-line patterns during cleanup. A local user can cause a matching unrelated process to be sent SIGKILL to terminate unrelated processes.
On shared hosts, processes not owned by the current OpenClaw process may be affected if they match the cleanup pattern.
3) Path traversal (CVE-ID: CVE-2026-29611)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to path traversal in the sendBlueBubblesMedia function when processing a non-HTTP media source through the mediaPath parameter. A remote attacker can supply a crafted filesystem path to disclose sensitive information.
Exploitation is limited to attackers able to trigger BlueBubbles media sends, and the disclosed files are those accessible to the OpenClaw process.
4) OS Command Injection (CVE-ID: CVE-2026-27487)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary commands.
The vulnerability exists due to command injection in the macOS keychain credential refresh path when writing user-controlled OAuth token data to Keychain via a shell command. A remote user can supply a specially crafted OAuth token value to execute arbitrary commands.
This issue affects macOS only and user interaction is required.
5) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-28451)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to disclose sensitive information from internal services.
The vulnerability exists due to server-side request forgery (SSRF) in the Feishu extension when fetching attacker-controlled remote URLs through sendMediaFeishu(mediaUrl) or Feishu DocX markdown image processing. A remote attacker can supply a specially crafted URL to disclose sensitive information from internal services.
Exploitation requires the ability to influence tool calls, directly or via prompt injection, and the fetched response may be re-uploaded as Feishu media.
6) Path traversal (CVE-ID: CVE-2026-26321)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to path traversal in the sendMediaFeishu function in the Feishu extension when processing attacker-controlled mediaUrl values. A remote attacker can supply a crafted mediaUrl that is treated as a local filesystem path to disclose sensitive information.
Exploitation is possible if the attacker can influence tool calls, including via prompt injection.
7) OS Command Injection (CVE-ID: N/A)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary commands.
The vulnerability exists due to improper neutralization of special elements used in an os command in the Gateway /tools/invoke endpoint when invoking high-risk session orchestration tools over HTTP. A remote user can invoke tools such as sessions_spawn or sessions_send to execute arbitrary commands.
This issue requires a valid Gateway token and may also enable cross-session message injection.
8) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to obtain unintended approvals for risky tool permissions.
The vulnerability exists due to improper access control in ACP permission handling when processing permission requests for non-read or non-search tools. A remote user can trigger permission requests that are auto-approved to obtain unintended approvals for risky tool permissions.
This issue affects ACP-integrated scenarios where insufficient user interaction or guardrails reduce friction for silent execution or mutation.
9) Input validation error (CVE-ID: CVE-2026-28466)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper input validation in the gateway-to-node invocation path for the node.invoke method when forwarding user-controlled system.run parameters. A remote user can inject internal approval control fields into node.invoke parameters to execute arbitrary code.
Exploitation requires access to a gateway account or token and affects connected node hosts that support system.run.
10) Missing Authentication for Critical Function (CVE-ID: CVE-2026-28468)
CWE-ID: CWE-306 - Missing Authentication for Critical Function
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to compromise browser sessions and disclose sensitive information.
The vulnerability exists due to missing authentication in the sandbox browser bridge server when handling requests to browser control endpoints on the local loopback interface. A local user can send crafted HTTP requests to access browser control functions and compromise browser sessions and disclose sensitive information.
Only instances with the sandboxed browser enabled are vulnerable.
11) Improper access control (CVE-ID: CVE-2026-28456)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper access control in hook module path handling when loading configured JavaScript or TypeScript transform modules through dynamic import(). A remote privileged user can modify gateway configuration to cause the process to load an unintended local module and execute arbitrary code.
This issue applies when the attacker can modify gateway configuration, such as through gateway configuration endpoints.
12) Path traversal (CVE-ID: CVE-2026-28393)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local privileged user to execute arbitrary code.
The vulnerability exists due to path traversal in hooks.mappings[].transform.module when processing webhook mappings. A local privileged user can configure a transform path that escapes the intended transforms directory and trigger webhook processing to execute arbitrary code.
Exploitation requires the ability to modify hooks configuration through configuration access or authenticated configuration mechanisms.
13) Path traversal (CVE-ID: CVE-2026-28457)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to write files outside the sandbox workspace.
The vulnerability exists due to path traversal in the sandbox skill mirroring functionality when copying a skill into the sandbox workspace using a crafted skill name from SKILL.md frontmatter. A remote attacker can provide a crafted skill package to write files outside the sandbox workspace.
User interaction is required, and exploitation requires sandbox mode with skill mirroring into the sandbox workspace enabled.
14) Path traversal (CVE-ID: CVE-2026-28486)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a local user to write arbitrary files outside the intended extraction directory.
The vulnerability exists due to path traversal in archive extraction during explicit installation commands when extracting a crafted archive from a local file or download URL. A local user can supply a specially crafted archive to write arbitrary files outside the intended extraction directory.
User interaction is required to run an installation command against an untrusted archive, and the issue is not triggered by receiving messages or normal gateway operation.
15) Path traversal (CVE-ID: CVE-2026-28453)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to write files outside the intended extraction directory.
The vulnerability exists due to path traversal in extractArchive() in src/infra/archive.ts when extracting TAR archives. A remote attacker can supply a specially crafted archive with traversal or absolute entry paths to write files outside the intended extraction directory.
User interaction is required to install an untrusted .tar or .tgz archive through plugin or hook installation flows.
16) Spoofing attack (CVE-ID: CVE-2026-26320)
CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to misrepresent an executed agent message to the user.
The vulnerability exists due to user interface misrepresentation of critical information in the macOS deep link confirmation dialog when handling openclaw://agent deep links without an unattended key. A remote attacker can pad the message with whitespace to conceal malicious content outside the visible preview to misrepresent an executed agent message to the user.
User interaction is required to approve the confirmation dialog, and subsequent agent actions may lead to arbitrary command execution depending on the user's configured tool approvals or allowlists.
17) Incorrect authorization (CVE-ID: N/A)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass authorization checks.
The vulnerability exists due to incorrect authorization in extensions/googlechat/src/monitor.ts when evaluating Google Chat allowlist entries by sender email instead of immutable sender resource name. A remote user can use a reassigned or mutable email principal with a sender-ID mismatch to bypass authorization checks.
Exploitation generally requires Google Workspace or identity-provider administrative control over identity lifecycle, such as reassigning an email address to a different underlying account.
18) Resource exhaustion (CVE-ID: CVE-2026-29609)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in fetchWithGuard in src/media/input-files.ts when fetching URL-backed media responses with missing or incorrect content-length values. A remote attacker can serve a specially crafted oversized response to cause a denial of service.
The issue occurs because the full response body is buffered in memory via arrayBuffer() before maxBytes is enforced.
19) Resource exhaustion (CVE-ID: CVE-2026-29612)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in base64-backed media input handling when decoding oversized base64 media payloads. A remote user can supply an oversized base64 payload to cause a denial of service.
In recommended deployments, exploitation is best modeled against authorized access to the gateway HTTP endpoints.
20) Resource exhaustion (CVE-ID: CVE-2026-28452)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in src/infra/archive.ts extractArchive when processing high-expansion ZIP or TAR archives during install or update flows. A remote attacker can supply a specially crafted archive to cause a denial of service.
21) Cross-site request forgery (CVE-ID: CVE-2026-26317)
CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to trigger unauthorized state changes.
The vulnerability exists due to cross-site request forgery in loopback browser mutation endpoints when handling cross-origin browser requests. A remote attacker can host a malicious website that sends crafted requests to trigger unauthorized state changes.
Exploitation is possible when the browser control service is reachable on loopback in the victim's browser context.
22) Improper access control (CVE-ID: CVE-2026-28469)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause cross-account policy-context misrouting.
The vulnerability exists due to improper access control in extensions/googlechat/src/monitor.ts when routing inbound Google Chat webhook events on a shared HTTP path. A remote attacker can send a valid webhook request that matches more than one registered target to cause cross-account policy-context misrouting.
Exploitation requires multiple Google Chat webhook targets to be registered on the same path and request verification to succeed for more than one target.
23) Authentication Bypass by Spoofing (CVE-ID: CVE-2026-28480)
CWE-ID: CWE-290 - Authentication Bypass by Spoofing
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists due to authentication bypass by spoofing in the Telegram allowlist authorization mechanism when matching allowlist entries against mutable @username values instead of immutable numeric sender IDs. A remote attacker can use a recycled or reassigned Telegram username to bypass authorization checks.
This issue affects deployments that rely on Telegram allowlists as strict identity controls.
24) Incorrect authorization (CVE-ID: CVE-2026-26328)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to perform unauthorized commands in group contexts.
The vulnerability exists due to incorrect authorization in src/imessage/monitor/monitor-provider.ts when evaluating iMessage group allowlist authorization. A remote user can use a sender identity approved through the DM pairing store to perform unauthorized commands in group contexts.
Only iMessage deployments using groupPolicy=allowlist are vulnerable.
25) Insufficient verification of data authenticity (CVE-ID: CVE-2026-26327)
CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to insufficient verification of data authenticity in discovery TXT record handling when processing unauthenticated Bonjour/mDNS and DNS-SD service advertisements on a shared or untrusted LAN. A remote attacker can advertise a rogue _openclaw-gw._tcp service with crafted TXT records to disclose sensitive information.
This can steer clients to an attacker-controlled endpoint and may cause acceptance of an attacker certificate, potentially exposing Gateway credentials during connection.
26) Information disclosure (CVE-ID: CVE-2026-26326)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information in the skills.status gateway method when returning requirement reports for skill requires.config paths. A remote user can call the method and obtain raw resolved configuration values to disclose sensitive information.
If a skill requires a broad configuration subtree, the returned configChecks data may include secrets such as Discord bot tokens.
27) Path traversal (CVE-ID: CVE-2026-26329)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to path traversal in the browser upload action when handling upload paths supplied to the browser tool. A remote user can supply absolute paths or path traversal sequences to read arbitrary files from the Gateway host and disclose sensitive information.
Exploitation requires valid Gateway authentication and access to the browser tool or the same browser control hook endpoints.
28) Missing Authentication for Critical Function (CVE-ID: CVE-2026-29606)
CWE-ID: CWE-306 - Missing Authentication for Critical Function
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to send forged webhook requests that trigger unauthorized webhook event handling and cause a denial of service.
The vulnerability exists due to missing authentication for Twilio voice-call webhook signature verification in the voice-call webhook endpoint when handling webhook requests with ngrok loopback compatibility enabled. A remote attacker can send a specially crafted webhook request without a valid signature to send forged webhook requests that trigger unauthorized webhook event handling and cause a denial of service.
The issue only affects deployments where the optional voice-call extension is enabled, the webhook endpoint is reachable, and tunnel.allowNgrokFreeTierLoopbackBypass is explicitly enabled.
29) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-26322)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause outbound WebSocket connections to user-specified targets.
The vulnerability exists due to server-side request forgery in the Gateway tool when processing tool-supplied gatewayUrl overrides. A remote user can supply a crafted gatewayUrl value to cause outbound WebSocket connections to user-specified targets.
In environments where the tool caller can observe the results, this can be used for limited network reachability probing. If the target speaks WebSocket and is reachable, further interaction may be possible.
30) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-28476)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to induce the server to make HTTP requests to attacker-chosen hosts.
The vulnerability exists due to server-side request forgery (ssrf) in the Tlon (Urbit) extension authentication flow when constructing an outbound HTTP request from a user-provided base URL. A remote user can supply a crafted base URL to induce the server to make HTTP requests to attacker-chosen hosts.
Only deployments with the Tlon (Urbit) extension installed and configured are vulnerable, and exploitation requires the ability to influence the configured Urbit URL.
31) Missing Authentication for Critical Function (CVE-ID: CVE-2026-26319)
CWE-ID: CWE-306 - Missing Authentication for Critical Function
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to forge Telnyx events.
The vulnerability exists due to missing authentication for the Telnyx webhook handler in TelnyxProvider.verifyWebhook() when handling inbound webhook requests without telnyx.publicKey configured. A remote attacker can send arbitrary HTTP POST requests to the voice-call webhook endpoint to forge Telnyx events.
This only affects deployments where the Voice Call plugin is installed and enabled, and where the webhook endpoint is reachable by the attacker.
32) Path traversal (CVE-ID: CVE-2026-32060)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to write or delete files outside the workspace.
The vulnerability exists due to path traversal in apply_patch when processing crafted relative or absolute paths without workspace containment. A remote user can supply a specially crafted path to write or delete files outside the workspace.
Exploitation requires apply_patch to be enabled and the agent to run without filesystem sandbox containment.
33) Insecure DLL loading (CVE-ID: CVE-2026-29610)
CWE-ID: CWE-427 - Uncontrolled Search Path Element
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute an unintended binary.
The vulnerability exists due to uncontrolled search path element in node host command execution when processing request-scoped PATH overrides in system.run. A remote user can supply a crafted PATH value and cause OpenClaw to execute an attacker-controlled executable to execute an unintended binary.
This scenario requires access to an execution surface that can invoke node-host execution, a connected node host exposing system.run, and a deployment where allowlist or safe-bin restrictions are relied upon.
34) Improper access control (CVE-ID: CVE-2026-28392)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute privileged slash commands.
The vulnerability exists due to improper access control in the Slack slash-command handler when processing direct messages with dmPolicy=open. A remote user can send a direct message containing a slash command to execute privileged slash commands.
Only deployments with Slack direct messages enabled and channels.slack.dm.policy set to open are vulnerable.
35) Improper Neutralization of Argument Delimiters in a Command (CVE-ID: CVE-2026-28463)
CWE-ID: CWE-88 - Argument Injection or Modification
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper neutralization of special elements in the exec approvals allowlist validation for safe bins when executing commands through a real shell with shell expansion. A remote user can supply crafted tokens such as glob patterns or environment variable references to disclose sensitive information.
The issue is configuration-dependent and requires host execution to be enabled with tools.exec.host=gateway|node and security=allowlist; default settings are not affected.
36) Improper access control (CVE-ID: CVE-2026-26325)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass allowlist enforcement and approval prompts.
The vulnerability exists due to improper access control in the node host system.run handler when processing rawCommand and command[] values. A remote user can supply an allowlisted rawCommand while providing a different command[] argv for execution to bypass allowlist enforcement and approval prompts.
Only deployments using the node host execution path with allowlist-based exec policy and approval prompting driven by allowlist misses are vulnerable.
37) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-26324)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to send requests to loopback, private network, or link-local metadata endpoints.
The vulnerability exists due to insufficient SSRF protection in the SSRF guard in src/infra/net/ssrf.ts when processing full-form IPv4-mapped IPv6 literals. A remote attacker can supply a crafted IPv6 address to send requests to loopback, private network, or link-local metadata endpoints.
Full-form IPv4-mapped IPv6 literals such as 0:0:0:0:0:ffff:7f00:1 can bypass IP classification checks.
38) OS Command Injection (CVE-ID: CVE-2026-26323)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a local user to execute arbitrary commands.
The vulnerability exists due to command injection in scripts/update-clawtributors.ts when processing git log author metadata and interpolating a derived GitHub login into a shell command. A local user can craft a malicious commit author email to execute arbitrary commands.
The issue is triggered when a contributor, maintainer, or CI environment runs bun scripts/update-clawtributors.ts from a source checkout.
Remediation
Install update from vendor's website.
References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-7rcp-mxpq-72pj
- https://github.com/openclaw/openclaw/commit/a99ad11a4107ba8eac58f54a3c1a8a0cf5686f47
- https://github.com/openclaw/openclaw/security/advisories/GHSA-jfv4-h8mc-jcp8
- https://github.com/openclaw/openclaw/commit/6084d13b956119e3cf95daaf9a1cae1670ea3557
- https://github.com/openclaw/openclaw/security/advisories/GHSA-rwj8-p9vq-25gv
- https://github.com/openclaw/openclaw/commit/71f357d9498cebb0efe016b0496d5fbe807539fc
- https://github.com/openclaw/openclaw/security/advisories/GHSA-4564-pvr2-qq4h
- https://github.com/openclaw/openclaw/pull/15924
- https://github.com/openclaw/openclaw/security/advisories/GHSA-x22m-j5qq-j49m
- https://github.com/openclaw/openclaw/commit/5b4121d6011a48c71e747e3c18197f180b872c5d
- https://github.com/openclaw/openclaw/security/advisories/GHSA-8jpq-5h99-ff5r
- https://github.com/openclaw/openclaw/security/advisories/GHSA-943q-mwmv-hhvh
- https://github.com/openclaw/openclaw/pull/15390
- https://github.com/openclaw/openclaw/security/advisories/GHSA-gv46-4xfq-jv58
- https://github.com/openclaw/openclaw/commit/318379cdb8d045da0009b0051bd0e712e5c65e2d
- https://github.com/openclaw/openclaw/security/advisories/GHSA-h9g4-589h-68xv
- https://github.com/openclaw/openclaw/commit/4711a943e30bc58016247152ba06472dab09d0b0
- https://github.com/openclaw/openclaw/security/advisories/GHSA-v6c6-vqqg-w888
- https://github.com/openclaw/openclaw/commit/a0361b8ba959e8506dc79d638b6e6a00d12887e4
- https://github.com/openclaw/openclaw/security/advisories/GHSA-7xhj-55q9-pc3m
- https://github.com/openclaw/openclaw/security/advisories/GHSA-xw4p-pw82-hqr7
- https://github.com/openclaw/openclaw/commit/3eb6a31b6fcf8268456988bfa8e3637d373438c2
- https://github.com/openclaw/openclaw/security/advisories/GHSA-v892-hwpg-jwqp
- https://github.com/openclaw/openclaw/commit/3aa94afcfd12104c683c9cad81faf434d0dadf87
- https://github.com/openclaw/openclaw/security/advisories/GHSA-p25h-9q54-ffvw
- https://github.com/openclaw/openclaw/security/advisories/GHSA-7q2j-c4q5-rm27
- https://github.com/openclaw/openclaw/commit/28d9dd7a772501ccc3f71457b4adfee79084fe6f
- https://github.com/openclaw/openclaw/security/advisories/GHSA-chm2-m3w2-wcxm
- https://github.com/openclaw/openclaw/commit/c8424bf29a921e25663b29f308640b3d91a49432
- https://github.com/openclaw/openclaw/security/advisories/GHSA-j27p-hq53-9wgc
- https://github.com/openclaw/openclaw/commit/00a08908892d1743d1fc52e5cbd9499dd5da2fe0
- https://github.com/openclaw/openclaw/security/advisories/GHSA-w2cg-vxx6-5xjg
- https://github.com/openclaw/openclaw/commit/31791233d60495725fa012745dde8d6ee69e9595
- https://github.com/openclaw/openclaw/security/advisories/GHSA-h89v-j3x9-8wqj
- https://github.com/openclaw/openclaw/commit/d3ee5deb87ee2ad0ab83c92c365611165423cb71
- https://github.com/openclaw/openclaw/security/advisories/GHSA-3fqr-4cg8-h96q
- https://github.com/openclaw/openclaw/commit/b566b09f81e2b704bf9398d8d97d5f7a90aa94c3
- https://github.com/openclaw/openclaw/security/advisories/GHSA-rq6g-px6m-c248
- https://github.com/openclaw/openclaw/commit/61d59a802869177d9cef52204767cd83357ab79e
- https://github.com/openclaw/openclaw/security/advisories/GHSA-mj5r-hh7j-4gxf
- https://github.com/openclaw/openclaw/commit/e3b432e481a96b8fd41b91273818e514074e05c3
- https://github.com/openclaw/openclaw/security/advisories/GHSA-g34w-4xqq-h79m
- https://github.com/openclaw/openclaw/commit/872079d42fe105ece2900a1dd6ab321b92da2d59
- https://github.com/openclaw/openclaw/security/advisories/GHSA-pv58-549p-qh99
- https://github.com/openclaw/openclaw/commit/d583782ee322a6faa1fe87ae52455e0d349de586
- https://github.com/openclaw/openclaw/security/advisories/GHSA-8mh7-phf8-xgfm
- https://github.com/openclaw/openclaw/commit/d3428053d95eefbe10ecf04f92218ffcba55ae5a
- https://github.com/openclaw/openclaw/security/advisories/GHSA-cv7m-c9jx-vg7q
- https://github.com/openclaw/openclaw/security/advisories/GHSA-c37p-4qqg-3p76
- https://github.com/openclaw/openclaw/commit/ff11d8793b90c52f8d84dae3fbb99307da51b5c9
- https://github.com/openclaw/openclaw/security/advisories/GHSA-g6q9-8fvw-f7rf
- https://github.com/openclaw/openclaw/commit/c5406e1d2434be2ef6eb4d26d8f1798d718713f4
- https://github.com/openclaw/openclaw/security/advisories/GHSA-pg2v-8xwh-qhcc
- https://github.com/openclaw/openclaw/commit/bfa7d21e997baa8e3437657d59b1e296815cc1b1
- https://github.com/openclaw/openclaw/security/advisories/GHSA-4hg8-92x6-h2f3
- https://github.com/openclaw/openclaw/security/advisories/GHSA-r5fq-947m-xm57
- https://github.com/openclaw/openclaw/pull/16405
- https://github.com/openclaw/openclaw/security/advisories/GHSA-jqpq-mgvm-f9r6
- https://github.com/openclaw/openclaw/commit/013e8f6b3be3333a229a066eef26a45fec47ffcc
- https://github.com/openclaw/openclaw/security/advisories/GHSA-v773-r54f-q32w
- https://github.com/openclaw/openclaw/commit/f19eabee54c49e9a2e264b4965edf28a2f92e657
- https://github.com/openclaw/openclaw/security/advisories/GHSA-xvhf-x56f-2hpp
- https://github.com/openclaw/openclaw/commit/77b89719d5b7e271f48b6f49e334a8b991468c3b
- https://github.com/openclaw/openclaw/security/advisories/GHSA-h3f9-mjwj-w476
- https://github.com/openclaw/openclaw/commit/cb3290fca32593956638f161d9776266b90ab891
- https://github.com/openclaw/openclaw/security/advisories/GHSA-jrvc-8ff5-2f9f
- https://github.com/openclaw/openclaw/commit/c0c0e0f9aecb913e738742f73e091f2f72d39a19
- https://github.com/openclaw/openclaw/security/advisories/GHSA-m7x8-2w3w-pr42
- https://github.com/openclaw/openclaw/commit/a429380e337152746031d290432a4b93aa553d55