SB2026052909 - Multiple vulnerabilities in OpenClaw

Description

This security bulletin contains information about 10 vulnerabilities.

1) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: N/A)

CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to bypass an intended allowlist decision and execute inline shell content.

The vulnerability exists due to a time-of-check time-of-use race condition in the exec revalidation logic when processing command requests with combined POSIX shell flags. A remote user can send a crafted command request to bypass an intended allowlist decision and execute inline shell content.

Only configurations where the affected feature is enabled and reachable are vulnerable.

2) OS Command Injection (CVE-ID: N/A)

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to execute unauthorized commands.

The vulnerability exists due to improper neutralization of special elements used in an os command in the bundled MCP session-spawn path when handling reachable loopback session-spawn requests. A remote user can bypass the exec denylist to execute unauthorized commands.

Only configurations with the affected bundled MCP loopback feature enabled and reachable are vulnerable.

3) Information disclosure (CVE-ID: N/A)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in MCP Streamable HTTP redirect handling when processing cross-origin redirects from a configured MCP endpoint. A remote user can cause a malicious or compromised MCP endpoint to redirect to another origin to disclose sensitive information.

This issue is limited to MCP Streamable HTTP servers configured with custom headers, and the exposed data is limited to those configured headers.

4) Improper privilege management (CVE-ID: N/A)

CWE-ID: CWE-269 - Improper Privilege Management

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to retain broader pending pairing authority than intended.

The vulnerability exists due to improper privilege management in the bootstrap token pairing feature when reusing a pending bootstrap token before approval with a broader requested scope set. A remote user can replay a pending bootstrap token with expanded requested scopes to retain broader pending pairing authority than intended.

Only instances where the affected feature is enabled and reachable are vulnerable.

5) Incomplete List of Disallowed Inputs (CVE-ID: N/A)

CWE-ID: CWE-184 - Incomplete List of Disallowed Inputs

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to execute shell content without the intended approval or allowlist prompt.

The vulnerability exists due to incomplete list of disallowed inputs in the shell inline-command parser when processing shell inline-command forms. A remote user can send a crafted command request to execute shell content without the intended approval or allowlist prompt.

Only instances with the affected feature enabled and reachable are vulnerable, and practical impact depends on whether lower-trust input can reach that path.

6) Improper Authorization (CVE-ID: N/A)

CWE-ID: CWE-285 - Improper Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to trigger unintended agent processing.

The vulnerability exists due to improper authorization in the Slack reaction event handling feature when processing Slack reaction events delivered to the configured app. A remote user can send or cause a reaction event to be delivered to the app to trigger unintended agent processing.

Only deployments with the affected feature enabled and reachable are vulnerable.

7) Incorrect authorization (CVE-ID: N/A)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to bypass intended approval restrictions.

The vulnerability exists due to improper access control in the Slack plugin approval gate when handling plugin approval actions. A remote user can resolve a plugin approval through the exec approver gate to bypass intended approval restrictions.

Exploitation requires the affected feature to be enabled and reachable.

8) Cross-site scripting (CVE-ID: N/A)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to cross-site scripting in exported session HTML when rendering markdown links into generated HTML. A remote attacker can supply content containing unsafe javascript: or data: links to execute arbitrary script in the victim's browser.

User interaction is required to open the exported file and activate the link, and the issue is limited to cases where the affected feature is enabled and reachable.

9) Incomplete List of Disallowed Inputs (CVE-ID: N/A)

CWE-ID: CWE-184 - Incomplete List of Disallowed Inputs

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to bypass exec allowlist checks and execute encoded PowerShell content.

The vulnerability exists due to incomplete list of disallowed inputs in the exec allowlist parser when processing command requests that use abbreviated PowerShell encoded-command flags. A remote user can send a specially crafted command request to bypass exec allowlist checks and execute encoded PowerShell content.

Only instances where the affected feature is enabled and reachable are vulnerable.

10) Protection Mechanism Failure (CVE-ID: N/A)

CWE-ID: CWE-693 - Protection Mechanism Failure

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to bypass configured argument restrictions and execute disallowed arguments for an allowlisted executable.

The vulnerability exists due to protection mechanism failure in exec allowlist enforcement when processing exec requests on Linux or macOS gateways with allowlist mode enabled. A remote user can influence a tool-enabled agent to invoke an allowlisted executable with arguments that should have been blocked to bypass configured argument restrictions and execute disallowed arguments for an allowlisted executable.

This issue affects only deployments using tools.exec.security: "allowlist" where at least one allowlist entry uses argPattern; Windows is not affected, and path-only allowlist entries are not additionally affected.

Remediation

Install update from vendor's website.

References

• https://github.com/openclaw/openclaw/security/advisories/GHSA-vxx3-6hc9-7cc3
• https://github.com/openclaw/openclaw/security/advisories/GHSA-qh2f-99mv-mrcf
• https://github.com/openclaw/openclaw/security/advisories/GHSA-rjxq-qqhf-8hwh
• https://github.com/openclaw/openclaw/security/advisories/GHSA-9v8j-9c9g-w66c
• https://github.com/openclaw/openclaw/security/advisories/GHSA-f397-5vjw-v2c2
• https://github.com/openclaw/openclaw/security/advisories/GHSA-fcvx-5cxc-v5p8
• https://github.com/openclaw/openclaw/security/advisories/GHSA-wv26-j37q-2g7p
• https://github.com/openclaw/openclaw/security/advisories/GHSA-w9hf-3pp7-pvxv
• https://github.com/openclaw/openclaw/security/advisories/GHSA-j472-gf56-x589
• https://github.com/openclaw/openclaw/security/advisories/GHSA-v2ww-5rh7-2h5v