SB2026050459 - Multiple vulnerabilities in OpenClaw
Published: May 4, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 9 vulnerabilities.
1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-28467)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to server-side request forgery (SSRF) in attachment/media URL hydration when fetching attacker-influenced media URLs. A remote attacker can provide a crafted media URL to disclose sensitive information.
The issue can cause the gateway to fetch internal-only endpoints such as loopback, private network, or cloud metadata resources and return the fetched bytes as an outbound attachment.
2) Server-Side Request Forgery (SSRF) (CVE-ID: N/A)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to force the server to make HTTP requests to arbitrary internal or restricted network targets.
The vulnerability exists due to server-side request forgery (ssrf) in the Image tool remote fetch functionality when processing attacker-supplied http(s) URLs. A remote user can supply a crafted URL to force the server to make HTTP requests to arbitrary internal or restricted network targets.
Exploitation requires attacker-controlled invocation of the Image tool or a channel that forwards untrusted image arguments into tool calls.
3) Missing Authentication for Critical Function (CVE-ID: CVE-2026-28472)
CWE-ID: CWE-306 - Missing Authentication for Critical Function
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote user to bypass device identity checks and gain operator access.
The vulnerability exists due to missing authentication for the gateway WebSocket connect handshake in src/gateway/server/ws-connection/message-handler.ts when processing a connect request with a non-empty auth.token that has not yet been validated. A remote user can send a specially crafted connect request to bypass device identity checks and gain operator access.
Exploitation is possible in deployments where the gateway WebSocket is reachable and connections can be authorized via Tailscale without validating the shared secret.
4) OS Command Injection (CVE-ID: CVE-2026-28470)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary commands.
The vulnerability exists due to improper neutralization of special elements used in an os command in the exec approvals allowlist analysis when processing command substitution or backticks inside double-quoted input. A remote attacker can supply specially crafted input to execute arbitrary commands.
Only installations with the optional exec approvals allowlist feature explicitly enabled are vulnerable.
5) Improper Authorization (CVE-ID: CVE-2026-28454)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass authorization checks and execute privileged bot commands.
The vulnerability exists due to improper authorization in the Telegram webhook endpoint when handling unauthenticated HTTP POST requests with attacker-controlled update JSON. A remote attacker can send a specially crafted webhook request with spoofed sender identifiers to bypass authorization checks and execute privileged bot commands.
The issue occurs when Telegram webhook mode is enabled without a configured webhook secret.
6) OS Command Injection (CVE-ID: CVE-2026-28391)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute unintended commands.
The vulnerability exists due to command injection in src/infra/node-shell.ts when processing crafted exec requests on Windows nodes through cmd.exe. A remote user can supply a specially crafted command string to execute unintended commands.
Only Windows nodes with exec allowlist or approval gating enabled are vulnerable.
7) Improper Authentication (CVE-ID: CVE-2026-28446)
CWE-ID: CWE-287 - Improper Authentication
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to bypass inbound access controls and reach the voice-call agent.
The vulnerability exists due to improper authentication in the inbound allowlist check in extensions/voice-call/src/manager.ts when handling inbound calls under allowlist or pairing policy. A remote attacker can place a call with an empty caller ID or a caller number whose digits end with an allowlisted number to bypass inbound access controls and reach the voice-call agent.
Only deployments with the optional voice-call extension installed and enabled are vulnerable.
8) Incorrect authorization (CVE-ID: CVE-2026-28473)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to approve or deny pending exec approval requests.
The vulnerability exists due to incorrect authorization in the /approve chat command path when handling chat messages containing the built-in /approve command. A remote user can send a chat message containing the /approve command to approve or deny pending exec approval requests.
This issue occurs because the command path invokes exec.approval.resolve via an internal privileged gateway client instead of enforcing the operator.approvals scope required for direct RPC calls.
9) Improper access control (CVE-ID: CVE-2026-28471)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass the dm allowlist and reach the routing/agent pipeline.
The vulnerability exists due to improper access control in the Matrix DM allowlist matching logic when processing sender identities. A remote user can use a crafted display name or a matching MXID localpart from another homeserver to bypass the dm allowlist and reach the routing/agent pipeline.
Only deployments with the Matrix plugin installed and enabled are vulnerable.
Remediation
Install update from vendor's website.
References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-wfp2-v9c7-fh79
- https://github.com/openclaw/openclaw/commit/81c68f582d4a9a20d9cca9f367d2da9edc5a65ae
- https://github.com/openclaw/openclaw/security/advisories/GHSA-56f2-hvwg-5743
- https://github.com/openclaw/openclaw/security/advisories/GHSA-rv39-79c4-7459
- https://github.com/openclaw/openclaw/commit/fe81b1d7125a014b8280da461f34efbf5f761575
- https://github.com/openclaw/openclaw/security/advisories/GHSA-3hcm-ggvf-rch5
- https://github.com/openclaw/openclaw/commit/d1ecb46076145deb188abcba8f0699709ea17198
- https://github.com/openclaw/openclaw/security/advisories/GHSA-fhvm-j76f-qmjv
- https://github.com/openclaw/openclaw/commit/ca92597e1f9593236ad86810b66633144b69314d
- https://github.com/openclaw/openclaw/security/advisories/GHSA-qj77-c3c8-9c3q
- https://github.com/openclaw/openclaw/commit/a7f4a53ce80c98ba1452eb90802d447fca9bf3d6
- https://github.com/openclaw/openclaw/security/advisories/GHSA-4rj2-gpmh-qq5x
- https://github.com/openclaw/openclaw/commit/f8dfd034f5d9235c5485f492a9e4ccc114e97fdb
- https://github.com/openclaw/openclaw/security/advisories/GHSA-mqpw-46fh-299h
- https://github.com/openclaw/openclaw/commit/efe2a464afcff55bb5a95b959e6bd9ec0fef086e
- https://github.com/openclaw/openclaw/security/advisories/GHSA-rmxw-jxxx-4cpc
- https://github.com/openclaw/openclaw/commit/8f3bfbd1c4fb967a2ddb5b4b9a05784920814bcf