SB2026052912 - Multiple vulnerabilities in OpenClaw
Published: May 29, 2026
Description
This security bulletin contains information about 4 vulnerabilities.
1) Incorrect authorization (CVE-ID: N/A)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to obtain agent responses intended for a configured sender.
The vulnerability exists due to incorrect authorization in the BlueBubbles sender policy when matching conversation metadata. A remote user can influence mutable conversation-level identifiers to obtain agent responses intended for a configured sender.
Exploitation requires the affected feature to be enabled and reachable, and practical impact depends on whether lower-trust input can reach that path.
2) Incomplete Comparison with Missing Factors (CVE-ID: N/A)
CWE-ID: CWE-1023 - Incomplete Comparison with Missing Factors
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to incomplete comparison with missing factors in the trusted retry endpoint validation logic when processing a retry endpoint URL chosen by lower-trust input. A remote user can supply a hostname-prefixed endpoint URL to disclose sensitive information.
Only instances where the affected feature is enabled and reachable are vulnerable.
3) Authentication Bypass by Spoofing (CVE-ID: N/A)
CWE-ID: CWE-290 - Authentication Bypass by Spoofing
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to gain agent access intended for another Discord identity.
The vulnerability exists due to authentication bypass by spoofing in the Discord allowFrom feature when matching policy entries against mutable display or global name metadata. A remote user can change Discord display metadata to gain agent access intended for another Discord identity.
Exploitation requires the affected feature to be enabled and reachable, and practical impact depends on the operator's configuration and whether lower-trust input can reach that path.
4) Authentication Bypass by Spoofing (CVE-ID: N/A)
CWE-ID: CWE-290 - Authentication Bypass by Spoofing
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to gain access intended for another Matrix identity.
The vulnerability exists due to authentication bypass by spoofing in the Matrix allowFrom feature when matching policy entries against mutable display name metadata. A remote user can change display name metadata to gain access intended for another Matrix identity.
Exploitation is possible only when the affected feature is enabled and reachable.
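Entries 2 to 4 share one root cause: the policy check compares against a value the remote party controls (a URL prefix, a display name) instead of the stable factor it should key on. The TypeScript below is an added illustration, not OpenClaw's code, of each weak comparison beside a hardened form; the function names, the `Sender` shape, the `allowFrom` list format and the sample values are assumptions.

```typescript
// Added example, not from the OpenClaw project. Models the bug class in bulletin
// entries 2-4: comparing against a mutable or attacker-influenced factor.

// Assumed shape of an inbound chat sender: the platform-assigned id is stable,
// the display name can be changed by the user at any time.
interface Sender {
  userId: string;
  displayName: string;
}

// Weak (entries 3 and 4): a policy entry is honoured if it matches the mutable
// display name, so any user can rename themselves into the allow list.
function senderAllowedWeak(allowFrom: string[], s: Sender): boolean {
  return allowFrom.some((entry) => entry === s.userId || entry === s.displayName);
}

// Hardened: only the immutable platform id is a valid allowFrom key.
function senderAllowedStrict(allowFrom: string[], s: Sender): boolean {
  return allowFrom.includes(s.userId);
}

// Weak (entry 2): a string-prefix test on the raw URL. Any URL whose text begins
// with the trusted origin passes, including ones whose real host is different
// (a longer hostname or userinfo that merely starts with the trusted name).
function isTrustedEndpointWeak(url: string, trustedOrigin: string): boolean {
  return url.startsWith(trustedOrigin);
}

// Hardened: parse both sides and compare the normalised origin (scheme, exact
// host, port). Unparseable input and URLs carrying userinfo are rejected.
function isTrustedEndpointStrict(url: string, trustedOrigin: string): boolean {
  let u: URL;
  let t: URL;
  try {
    u = new URL(url);
    t = new URL(trustedOrigin);
  } catch {
    return false;
  }
  if (u.username !== "" || u.password !== "") return false;
  return u.protocol === "https:" && u.origin === t.origin;
}
```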
Remediation
Install the update from the vendor's website.
References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-8j37-5w68-wj2g
- https://github.com/openclaw/openclaw/security/advisories/GHSA-77q5-rr5v-x43q
- https://github.com/openclaw/openclaw/security/advisories/GHSA-cw4q-gqg5-g38h
- https://github.com/openclaw/openclaw/security/advisories/GHSA-7hxm-f538-3xp6