SB2026063011 - Multiple vulnerabilities in OpenClaw

Published: June 30, 2026

Security Bulletin ID: SB2026063011
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 10
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium: 70% (7 of 10), Low: 30% (3 of 10)

Description

This security bulletin contains information about 10 vulnerabilities.


1) Incorrect authorization (CVE-ID: N/A)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to perform unauthorized actions.

The vulnerability exists due to improper access control in the Feishu tools feature when handling input from a lower-trust caller or from configured input paths. A remote user can invoke the affected path to perform unauthorized actions.

Only instances where the affected feature is enabled and reachable are vulnerable.


2) Incorrect authorization (CVE-ID: N/A)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to perform unauthorized actions.

The vulnerability exists due to improper access control in Feishu permission tools when handling configured input paths. A remote user can supply lower-trust input to bypass per-account disablement and perform unauthorized actions.

Only instances where the affected feature is enabled and reachable are vulnerable.


3) Link following (CVE-ID: N/A)

CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to bypass authorization or policy checks.

The vulnerability exists due to improper link resolution before file access in the OpenShell mirror sync feature when processing a configured input path containing remote symlink parents. A remote user can provide a crafted input path to bypass authorization or policy checks.

Only instances where the affected feature is enabled and reachable are vulnerable, and practical impact depends on whether lower-trust input can reach that path.
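The following is an added example, not OpenClaw code and not code from this bulletin, illustrating the defect class in entry 3 (CWE-59): a sync feature checks that a configured path lies under its root by comparing path strings, which does not notice a symlinked parent directory that points outside the root. The in-memory tree, the symlink target, the root and all names are constructed for the example; a lexical check and a physical (realpath-style) check are shown side by side.

```typescript
// Added example (not OpenClaw code): CWE-59 in a mirror-sync style feature.
// The sync root is trusted, but a configured path beneath it may pass through
// a symlinked parent directory that points outside the root. The in-memory
// tree, the symlink and all names below are constructed for the example.

type Entry = { kind: "dir" } | { kind: "file" } | { kind: "symlink"; target: string };

// Constructed filesystem: absolute POSIX paths to entries.
const FS: Record<string, Entry> = {
  "/srv": { kind: "dir" },
  "/srv/mirror": { kind: "dir" },
  "/srv/mirror/public": { kind: "dir" },
  "/srv/mirror/public/index.html": { kind: "file" },
  // Planted by a lower-trust party inside the sync root.
  "/srv/mirror/public/cfg": { kind: "symlink", target: "/etc" },
  "/etc": { kind: "dir" },
  "/etc/passwd": { kind: "file" },
};

// Lexical normalisation only: collapses "." and "..", never consults the FS.
function normalize(p: string): string {
  const out: string[] = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return "/" + out.join("/");
}

// Weak check: prefix containment on the normalised string. It stops "..",
// but a symlinked parent still passes because the string never leaves root.
function lexicallyInside(root: string, p: string): boolean {
  const n = normalize(p);
  return n === root || n.startsWith(root + "/");
}

// Physical resolution of every component, following symlinks as realpath(3)
// would, with a hop limit against link loops. The final component may be
// absent (the sync is about to create it); any missing parent is an error.
function realpath(p: string, hops = 0): string | null {
  if (hops > 16) return null;
  const segs = normalize(p).split("/").filter(s => s.length > 0);
  let cur = "/";
  for (let i = 0; i < segs.length; i++) {
    const next = (cur === "/" ? "" : cur) + "/" + segs[i];
    const e = FS[next];
    if (!e) return i === segs.length - 1 ? next : null;
    if (e.kind === "symlink") {
      const target = e.target.startsWith("/") ? e.target : cur + "/" + e.target;
      const rest = segs.slice(i + 1).join("/");
      return realpath(rest ? target + "/" + rest : target, hops + 1);
    }
    cur = next;
  }
  return cur;
}

// Hardened check: resolve both root and candidate physically, then compare.
function physicallyInside(root: string, p: string): boolean {
  const r = realpath(root);
  const q = realpath(p);
  return r !== null && q !== null && (q === r || q.startsWith(r + "/"));
}
```

With the constructed tree, "/srv/mirror/public/cfg/passwd" passes lexicallyInside but resolves to "/etc/passwd" and fails physicallyInside. In real Node code the equivalent is fs.realpathSync on the parent directory followed by a path.relative comparison against the resolved root; note that even that is a check-then-act sequence, so where the platform allows it, open the target with per-component O_NOFOLLOW semantics or Linux openat2 with RESOLVE_BENEATH rather than relying on a prior check.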


4) Incorrect authorization (CVE-ID: N/A)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute or persist actions beyond the caller's intended authorization.

The vulnerability exists due to incorrect authorization in the flock wrapper when the affected feature is enabled and reachable. A remote user can reach the wrapper through a lower-trust caller or a configured input path to execute or persist actions beyond the caller's intended authorization.

This issue is limited to the named feature and configuration.


5) Incorrect authorization (CVE-ID: N/A)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass authorization checks and perform unauthorized actions.

The vulnerability exists due to incorrect authorization in message mutations when handling lower-trust caller input through the affected feature and configuration. A remote user can invoke a reachable mutation path to bypass authorization checks and perform unauthorized actions.

Only instances where the affected feature is enabled and reachable are vulnerable, and practical impact depends on whether lower-trust input can reach that path.


6) Incorrect authorization (CVE-ID: N/A)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to perform unauthorized actions.

The vulnerability exists due to improper access control in Discord guild actions when handling cross-provider requester authorization. A remote user can reach the affected path through a lower-trust caller or a configured input path to perform unauthorized actions.

Exploitation is limited to the affected feature and configuration, and practical impact depends on whether lower-trust input can reach the vulnerable path.


7) Incorrect authorization (CVE-ID: N/A)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass install policy and execute or persist actions beyond the caller's intended authorization.

The vulnerability exists due to incorrect authorization in plugin install wrappers when handling plugin installation through the affected feature and configuration. A remote privileged user can reach the wrapper through a lower-trust caller or a configured input path to bypass install policy and execute or persist actions beyond the caller's intended authorization.

Only instances where the affected feature is enabled and reachable are vulnerable, and practical impact depends on whether lower-trust input can reach that path.


8) Improper privilege management (CVE-ID: N/A)

CWE-ID: CWE-269 - Improper Privilege Management

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute or persist actions beyond the caller's intended authorization.

The vulnerability exists due to improper privilege management in plugin install commands when handling lower-trust caller input or configured input paths. A remote user can invoke the affected functionality to execute or persist actions beyond the caller's intended authorization.

Only instances where the affected feature is enabled and reachable are vulnerable.


9) Incorrect authorization (CVE-ID: N/A)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute or persist actions beyond the caller's intended authorization.

The vulnerability exists due to incorrect authorization in isolated cron jobs when the affected feature is enabled and reachable. A remote user can supply lower-trust input to that path to execute or persist actions beyond the caller's intended authorization.

This issue is limited to the named feature and configuration.
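The following is an added example, not OpenClaw code and not code from this bulletin, illustrating the pattern shared by entries 4, 7, 8 and 9: an indirect path (a wrapper, an install command, a scheduled job) performs an action with the service's own authority rather than the authority of the caller who requested it, so the caller ends up executing or persisting actions beyond what they are authorized for. The trust levels, install policy, account ids and registry URL are constructed for the example.

```typescript
// Added example (not OpenClaw code): the confused-deputy pattern behind
// entries 4, 7, 8 and 9. An indirect path (a wrapper, an install command, a
// scheduled job) performs the action with the service's own authority instead
// of the authority of whoever requested it. Trust levels, policy, account ids
// and the registry URL are constructed for the example.

type Trust = "untrusted" | "operator" | "owner";
interface Principal { id: string; trust: Trust; }

const RANK: Record<Trust, number> = { untrusted: 0, operator: 1, owner: 2 };

interface InstallPolicy {
  allowedSources: string[];   // registries a plugin may be fetched from
  minTrust: Trust;            // lowest trust level allowed to install
}
const POLICY: InstallPolicy = {
  allowedSources: ["https://registry.example.test/"],
  minTrust: "operator",
};

interface Result { ok: boolean; reason: string; }

// The single chokepoint: every path that installs a plugin must call this
// with the principal that actually asked for the install.
function installPlugin(actor: Principal, source: string): Result {
  if (RANK[actor.trust] < RANK[POLICY.minTrust])
    return { ok: false, reason: `${actor.id}: trust ${actor.trust} is below ${POLICY.minTrust}` };
  if (!POLICY.allowedSources.some(prefix => source.startsWith(prefix)))
    return { ok: false, reason: `${source} is not an allowed source` };
  return { ok: true, reason: `installed ${source} for ${actor.id}` };
}

// Vulnerable wrapper: the tool runs the install as the service account, so
// whoever can reach the tool inherits owner authority and bypasses policy.
const SERVICE: Principal = { id: "gateway", trust: "owner" };
function installViaToolUnsafe(_caller: Principal, source: string): Result {
  return installPlugin(SERVICE, source);
}

// Hardened wrapper: forward the real caller; the chokepoint decides.
function installViaTool(caller: Principal, source: string): Result {
  return installPlugin(caller, source);
}

// Scheduled jobs: store who created the job and re-resolve that account's
// current trust at run time, so a job neither runs as the service account nor
// keeps authority its creator has since lost.
const DIRECTORY = new Map<string, Trust>([
  ["alice", "owner"],
  ["bob", "untrusted"],
]);

interface ScheduledInstall { jobId: string; createdBy: string; source: string; }

function runScheduledInstall(job: ScheduledInstall): Result {
  const trust = DIRECTORY.get(job.createdBy);
  if (trust === undefined)
    return { ok: false, reason: `${job.jobId}: creator ${job.createdBy} no longer exists` };
  return installPlugin({ id: job.createdBy, trust }, job.source);
}
```

The point of the design is that policy lives in one place and every entry point, whether a chat tool, a CLI wrapper or a cron-style job, has to present a principal to it; the unsafe wrapper is wrong not because its check is weak but because it substitutes a more privileged principal before the check runs. Re-resolving the creator's trust at run time also closes the gap where a job persists authority after its creator is demoted or removed.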


10) Incorrect authorization (CVE-ID: N/A)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to perform unauthorized moderation actions.

The vulnerability exists due to incorrect authorization in Discord moderation actions when handling input from a lower-trust caller or from configured input paths. A remote user can invoke the affected feature through a reachable lower-trust path to perform unauthorized moderation actions.

Only instances where the affected feature is enabled and reachable are vulnerable, and practical impact depends on whether lower-trust input can reach that path.
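The following is an added example, not OpenClaw code and not code from this bulletin, illustrating the authorization defect class shared by entries 1, 2, 5, 6 and 10: a chat-integration tool that takes the acting account, the requester identity or the provider from the tool call itself, instead of from the authenticated session, lets a lower-trust caller select an account that is not disabled, claim a moderator's identity for a moderation action, or act through an account bound to a different provider. The providers, account ids, user ids and action set are constructed for the example.

```typescript
// Added example (not OpenClaw code): the authorization defect class behind
// entries 1, 2, 5, 6 and 10. A chat-integration tool that takes the acting
// account, the requester, or the provider from the tool call itself, rather
// than from the authenticated session, lets a lower-trust caller pick an
// account that is not disabled, claim a moderator's identity, or act across
// providers. Providers, account ids, user ids and the action set are
// constructed for the example.

type Provider = "feishu" | "discord";
type Action = "send_message" | "edit_message" | "kick_member" | "ban_member";

// Derived by the gateway from the authenticated inbound event. This is the
// only input that authorization may trust.
interface Session { provider: Provider; accountId: string; requesterId: string; }

// Produced by the model or another lower-trust caller. Every field is
// attacker-influenced, including the optional identity fields.
interface ToolCall { action: Action; provider?: string; accountId?: string; requesterId?: string; }

interface AccountConfig { provider: Provider; enabled: boolean; moderators: Set<string>; }
const ACCOUNTS = new Map<string, AccountConfig>([
  // Disabled by the operator: nothing may act through this account.
  ["feishu-bot-1", { provider: "feishu", enabled: false, moderators: new Set<string>() }],
  ["discord-bot-1", { provider: "discord", enabled: true, moderators: new Set<string>(["mod-42"]) }],
]);

const MODERATION: ReadonlySet<Action> = new Set<Action>(["kick_member", "ban_member"]);

interface Decision { allow: boolean; reason: string; }

// Vulnerable: caller-supplied identity fields override the session.
function authorizeUnsafe(call: ToolCall, session: Session): Decision {
  const accountId = call.accountId ?? session.accountId;
  const requesterId = call.requesterId ?? session.requesterId;
  const cfg = ACCOUNTS.get(accountId);
  if (!cfg) return { allow: false, reason: "unknown account" };
  if (!cfg.enabled) return { allow: false, reason: "account disabled" };
  if (MODERATION.has(call.action) && !cfg.moderators.has(requesterId))
    return { allow: false, reason: "requester is not a moderator" };
  return { allow: true, reason: "ok" };
}

// Hardened: identity comes from the session only. Caller-supplied identity
// fields are accepted only when they match it, and the account must belong to
// the provider the requester actually authenticated with.
function authorize(call: ToolCall, session: Session): Decision {
  if (call.provider !== undefined && call.provider !== session.provider)
    return { allow: false, reason: "provider override rejected" };
  if (call.accountId !== undefined && call.accountId !== session.accountId)
    return { allow: false, reason: "account override rejected" };
  if (call.requesterId !== undefined && call.requesterId !== session.requesterId)
    return { allow: false, reason: "requester override rejected" };
  const cfg = ACCOUNTS.get(session.accountId);
  if (!cfg) return { allow: false, reason: "unknown account" };
  if (cfg.provider !== session.provider)
    return { allow: false, reason: "cross-provider request rejected" };
  if (!cfg.enabled) return { allow: false, reason: "account disabled" };
  if (MODERATION.has(call.action) && !cfg.moderators.has(session.requesterId))
    return { allow: false, reason: "requester is not a moderator" };
  return { allow: true, reason: "ok" };
}
```

Three behaviours separate the two functions: a call from the disabled Feishu account that names the enabled Discord account is allowed by authorizeUnsafe and refused by authorize (the per-account disablement bypass); a kick request carrying requesterId "mod-42" from an ordinary Discord user is allowed by authorizeUnsafe and refused by authorize (the moderation bypass); and a session authenticated on one provider but pointed at an account configured for the other is refused only by authorize (the cross-provider case). When auditing a tool layer for this class, look for any place where an identity-bearing field is read from the tool arguments with a fallback to the session rather than the other way round.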


Remediation

Install the update from the vendor's website.