SB2026063011 - Multiple vulnerabilities in OpenClaw
Published: June 30, 2026
Breakdown by Severity: Low / Medium / High / Critical (chart; per-severity counts are not included in the text)
Description
This security bulletin contains information about 10 vulnerabilities.
1) Incorrect authorization (CVE-ID: N/A)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to perform unauthorized actions.
The vulnerability exists due to improper access control in the Feishu tools feature when handling lower-trust caller or configured input paths. A remote user can invoke the affected path to perform unauthorized actions.
Only instances where the affected feature is enabled and reachable are vulnerable.
2) Incorrect authorization (CVE-ID: N/A)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to perform unauthorized actions.
The vulnerability exists due to improper access control in Feishu permission tools when handling configured input paths. A remote user can supply lower-trust input to bypass per-account disablement and perform unauthorized actions.
Only instances where the affected feature is enabled and reachable are vulnerable.
3) Link following (CVE-ID: N/A)
CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to bypass authorization or policy checks.
The vulnerability exists due to improper link resolution before file access in the OpenShell mirror sync feature when processing a configured input path containing remote symlink parents. A remote user can provide a crafted input path to bypass authorization or policy checks.
Only instances where the affected feature is enabled and reachable are vulnerable, and practical impact depends on whether lower-trust input can reach that path.
4) Incorrect authorization (CVE-ID: N/A)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute or persist actions beyond the caller's intended authorization.
The vulnerability exists due to incorrect authorization in the flock wrapper when the affected feature is enabled and reachable. A remote user can reach the wrapper through a lower-trust caller or a configured input path to execute or persist actions beyond the caller's intended authorization.
This issue is limited to the named feature and configuration.
5) Incorrect authorization (CVE-ID: N/A)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass authorization checks and perform unauthorized actions.
The vulnerability exists due to incorrect authorization in message mutations when handling lower-trust caller input through the affected feature and configuration. A remote user can invoke a reachable mutation path to bypass authorization checks and perform unauthorized actions.
Only instances where the affected feature is enabled and reachable are vulnerable, and practical impact depends on whether lower-trust input can reach that path.
6) Incorrect authorization (CVE-ID: N/A)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to perform unauthorized actions.
The vulnerability exists due to improper access control in Discord guild actions when handling cross-provider requester authorization. A remote user can reach the affected path through a lower-trust caller or a configured input path to perform unauthorized actions.
Exploitation is limited to the affected feature and configuration, and practical impact depends on whether lower-trust input can reach the vulnerable path.
7) Incorrect authorization (CVE-ID: N/A)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass install policy and execute or persist actions beyond the caller's intended authorization.
The vulnerability exists due to incorrect authorization in plugin install wrappers when handling plugin installation through the affected feature and configuration. A remote privileged user can reach the wrappers through a lower-trust caller or a configured input path to bypass install policy and execute or persist actions beyond the caller's intended authorization.
Only instances where the affected feature is enabled and reachable are vulnerable, and practical impact depends on whether lower-trust input can reach that path.
8) Improper privilege management (CVE-ID: N/A)
CWE-ID: CWE-269 - Improper Privilege Management
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute or persist actions beyond the caller's intended authorization.
The vulnerability exists due to improper privilege management in plugin install commands when handling lower-trust caller input or configured input paths. A remote user can invoke the affected functionality to execute or persist actions beyond the caller's intended authorization.
Only instances where the affected feature is enabled and reachable are vulnerable.
9) Incorrect authorization (CVE-ID: N/A)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute or persist actions beyond the caller's intended authorization.
The vulnerability exists due to incorrect authorization in isolated cron jobs when the affected feature is enabled and reachable. A remote user can supply lower-trust input to that path to execute or persist actions beyond the caller's intended authorization.
This issue is limited to the named feature and configuration.
10) Incorrect authorization (CVE-ID: N/A)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to perform unauthorized moderation actions.
The vulnerability exists due to incorrect authorization in Discord moderation actions when handling lower-trust caller or configured input paths. A remote user can invoke the affected feature through a reachable lower-trust path to perform unauthorized moderation actions.
Only instances where the affected feature is enabled and reachable are vulnerable, and practical impact depends on whether lower-trust input can reach that path.
Remediation
Install the update from the vendor's website.
References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-2q7j-2vhx-56g8
- https://github.com/openclaw/openclaw/security/advisories/GHSA-w8wf-3qvj-6xqf
- https://github.com/openclaw/openclaw/security/advisories/GHSA-m38g-vpwj-mpg9
- https://github.com/openclaw/openclaw/security/advisories/GHSA-3fp5-v549-9v66
- https://github.com/openclaw/openclaw/security/advisories/GHSA-v7hx-r36p-f68m
- https://github.com/openclaw/openclaw/security/advisories/GHSA-3pmr-x9g8-m55r
- https://github.com/openclaw/openclaw/security/advisories/GHSA-wgq8-x5wm-g4rw
- https://github.com/openclaw/openclaw/security/advisories/GHSA-7vrr-rp4x-4g76
- https://github.com/openclaw/openclaw/security/advisories/GHSA-mm9g-83wh-mhwj
- https://github.com/openclaw/openclaw/security/advisories/GHSA-f6p7-6326-vf7v