openclaw

OpenClaw: QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes

OpenClaw: Untrusted workspace channel shadows could execute during built-in channel setup

OpenClaw's andbox browser noVNC observer lacked VNC authentication

OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR)

OpenClaw: Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths

OpenClaw vulnerable to arbitrary file read via $include directive

Duplicate Advisory: OpenClaw: Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName

OpenClaw: Multiple Code Paths Missing Base64 Pre-Allocation Size Checks

OpenClaw has a gateway exec allowlist allow-always bypass via unregistered /usr/bin/script wrapper

OpenClaw: Unsanitized CWD path injection into LLM prompts

OpenClaw's Zalo group sender allowlist bypass permits unauthorized GROUP dispatch

OpenClaw: Gateway `agent` calls could override the workspace boundary

OpenClaw has incomplete Fix for CVE-2026-27486: Unvalidated SIGKILL in `!stop` Chat Command via `shell-utils.ts`

Duplicate Advisory: OpenClaw's Node system.run approval hardening wrapper semantic drift can execute unintended local scripts

OpenClaw: Matrix profile config persistence was reachable from operator.write message tools

Duplicate Advisory: OpenClaw's Slack reaction/pin sender-policy consistency issue in non-message ingress

OpenClaw: Voice-call Plivo replay mutates in-process callback origin before replay rejection

OpenClaw bootstrap setup codes could be replayed to escalate pending pairing scopes before approval

OpenClaw has a IPv6 multicast SSRF classifier bypass

OpenClaw's config env vars allowed startup env injection into service runtime

OpenClaw: Workspace provider auth choices could auto-enable untrusted provider plugins

OpenClaw has a workspace-only sandbox guard mismatch for @-prefixed absolute paths

OpenClaw Gateway: RCE and Privilege Escalation from operator.pairing to operator.admin via device.pair.approve

OpenClaw vulnerable to SSRF in src/agents/tools/web-fetch.ts

OpenClaw BlueBubbles webhook auth bypass via loopback proxy trust

OpenClaw Hook Session Key Override Enables Targeted Cross-Session Routing

OpenClaw has a Command Injection via unescaped environment assignments in Windows Scheduled Task script generation

OpenClaw: Pairing-scoped device tokens could mint `operator.admin` and reach node RCE

OpenClaw's Chrome extension relay binds publicly due to wildcard treated as loopback

OpenClaw: Node camera URL payload host-binding bypass allowed gateway fetch pivots

OpenClaw host-env blocklist missing `GIT_TEMPLATE_DIR` and `AWS_CONFIG_FILE` allows code execution via env override

Duplicate Advisory: OpenClaw's complex interpreter pipelines could skip exec script preflight validation

Duplicate Advisory: Signal group allowlist authorization bypass via DM pairing-store leakage

OpenClaw: workspace path guard bypass on non-existent out-of-root symlink leaf

OpenClaw: HTTP operator endpoints lack browser-origin validation in trusted-proxy mode

OpenClaw's unsanitized session ID enables path traversal in transcript file operations

Duplicate Advisory: OpenClaw: Gateway hello snapshots exposed host config and state paths to non-admin clients

OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders

OpenClaw vulnerable to path traversal (Zip Slip) in archive extraction during explicit installation commands

OpenClaw QQ Bot Extension missing SSRF Protection on All Media Fetch Paths

OpenClaw has an inbound allowlist policy bypass in voice-call extension (empty caller ID + suffix matching)

OpenClaw is Missing Webhook Authentication in Telnyx Provider Allows Unauthenticated Requests

OpenClaw's voice-call Twilio webhook replay could bypass manager dedupe because normalized event IDs were randomized per parse

OpenClaw has incomplete IPv4 special-use SSRF blocking in web fetch guard

OpenClaw: Host exec environment overrides miss proxy, TLS, Docker, and Git TLS controls

Duplicate Advisory: OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes

OpenClaw: Gateway Backend Reconnect lets Non-Admin Operator Scopes Self-Claim operator.admin

OpenClaw's system.run shell-wrapper positional argv carriers could execute hidden commands under misleading approval text

OpenClaw: Hardlink alias checks could bypass workspace-only file boundaries in specific configurations

OpenClaw: Chrome --no-sandbox disabled OS-level browser sandbox in sandbox browser container

OpenClaw: Unicode canonicalization drift in node metadata policy classification could broaden node allowlists

OpenClaw: Gateway HTTP /sessions/:sessionKey/kill Reaches Admin Kill Path Without Caller Scope Binding

Duplicate Advisory: OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders

OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass

OpenClaw: Docker container escape via unvalidated bind mount config injection

OpenClaw: Tlon Startup Migration Rehydrates Empty-Array Revocations From File Config

OpenClaw's unauthenticated Nostr profile HTTP endpoints allow remote profile/config tampering

OpenClaw hardened cron webhook delivery against SSRF

OpenClaw: Gateway operator.write Can Reach Admin-Class Talk Voice Config Persistence via chat.send

OpenClaw: Command-authorized non-owners could reach owner-only `/config` and `/debug` surfaces

OpenClaw: Slack system events bypass sender authorization in member and message subtype handlers

Duplicate Advisory: OpenClaw: stageSandboxMedia destination symlink traversal can overwrite files outside sandbox workspace

Duplicate Advisory: OpenClaw: workspace path guard bypass on non-existent out-of-root symlink leaf

OpenClaw: denial of service through large base64 media files allocating large buffers before limit checks

Duplicate Advisory: OpenClaw: Gateway Canvas local-direct requests bypass Canvas HTTP and WebSocket authentication

OpenClaw B-M3: ClawHub package downloads are not enforced with integrity verification

OpenClaw's Telegram message_reaction authorization bypass allows unauthorized system-event injection

OpenClaw Twilio voice-call webhook auth bypass when ngrok loopback compatibility is enabled

OpenClaw has Signal group allowlist authorization bypass via DM pairing-store leakage

Duplicate Advisory: OpenClaw: Unbound interpreter and runtime commands could bypass node-host approval integrity

OpenClaw has a Matrix allowlist bypass via displayName and cross-homeserver localpart matching

OpenClaw affected by potential code execution via unsafe hook module path handling in Gateway

OpenClaw's Trusted-proxy Control UI sessions retain privileged scopes without device identity on device-less allow paths

OpenClaw: Telegram bot token exposure via logs

OpenClaw's typed sender-key matching for toolsBySender prevents identity-collision policy bypass

Duplicate Advisory: web_search citation redirect SSRF via private-network-allowing policy

OpenClaw browser navigation guard allowed non-network URL schemes, enabling authenticated browser-tool users to access file:// local files

OpenClaw has multiple E2E/test Dockerfiles that run all processes as root

OpenClaw's complex interpreter pipelines could skip exec script preflight validation

OpenClaw has unbounded memory growth in Zalo webhook via query-string key churn (unauthenticated DoS)

Duplicate Advisory: OpenClaw's sandboxed sessions_spawn now enforces sandbox inheritance for cross-agent spawns

OpenClaw: Unbound bootstrap setup codes allow privilege escalation during pairing

Duplicate Advisory: OpenClaw: /pair approve command path omitted caller scope subsetting and reopened device pairing escalation

OpenClaw: Slack interactive callbacks could skip configured sender checks in some shared-workspace flows

OpenClaw: Zalo replay dedupe cache could suppress events across authenticated webhook targets

OpenClaw: Silent privilege escalation via gateway shared-auth reconnect

OpenClaw has ACP CLI approval prompt ANSI escape sequence injection

OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events

OpenClaw: Matrix Verification Notices Bypass Matrix DM Policy and Reply to Unpaired DM Peers

OpenClaw: Incomplete scope-clearing fix allows operator.admin escalation via trusted-proxy auth mode

OpenClaw: Zalo webhook replay cache cross-target messageId scope bypass

OpenClaw's `tools.exec.safeBins` PATH-hijack allowed trojan binaries to bypass allowlist checks

Duplicate Advisory: OpenClaw has a Trusted-proxy Control UI pairing bypass which allows unpaired node sessions

OpenClaw: Voice-call Plivo V3 webhook replay key uses unsorted URL, allowing replay via query-parameter reordering

Duplicate Advisory: OpenClaw's Nextcloud Talk webhook missing rate limiting on shared secret authentication

OpenClaw: MSTeams thread history bypasses sender allowlist via Graph API

OpenClaw: Arbitrary code execution via unvalidated WebView JavascriptInterface

OpenClaw has Sandbox Media Root Bypass via Unnormalized `mediaUrl` / `fileUrl` Parameter Keys (CWE-22)

OpenClaw: system.run approval identity mismatch could execute a different binary than displayed

OpenClaw: Shared-secret comparison call sites leaked length information through timing

OpenClaw: QQBot media tags could read arbitrary local files through reply text

OpenClaw: Self-Whitelisting in appendLocalMediaParentRoots Allows Arbitrary File Read & Credential Exfiltration

OpenClaw has hook auth rate limiter bypass via IPv4-mapped IPv6 client key variants

OpenClaw: Discord voice manager bypasses channel-level member access allowlist

OpenClaw session tool visibility hardening and Telegram webhook secret fallback

OpenClaw: Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State

OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token

Duplicate Advisory: OpenClaw: Plivo V2 verified replay identity drifts on query-only variants

OpenClaw Gateway `operator.write` can reach admin-only session reset via `chat.send` `/reset`

OpenClaw: Sandbox staged writes could escape the verified parent directory before commit

OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode

OpenClaw: Memory dreaming config persistence was reachable from operator.write commands

OpenClaw: Sandboxed agents could escape exec routing via host=node override

Duplicate Advisory: OpenClaw's inbound media downloads could exceed configured byte limits before rejection across multiple channels

OpenClaw: Telegram audio preflight transcription enables resource consumption by unauthorized senders

OpenClaw: Agent hook events could enqueue trusted system events from unsanitized external input

OpenClaw: Forged Nostr DMs could create pairing state before signature verification

OpenClaw's runtime /debug override path accepted prototype-reserved keys

OpenClaw: `operator.write` chat.send could reach admin-only config writes

OpenClaw's Control UI Static File Handler Follows Symlinks and Allows Out-of-Root File Read

OpenClaw: Gateway `operator.write` can reach admin-only persisted `verboseLevel` via `chat.send` `/verbose`

OpenClaw: Read-scoped identity-bearing HTTP clients could kill sessions via /sessions/:sessionKey/kill

OpenClaw has an arbitrary transcript path file write via gateway sessionFile

OpenClaw hardened the skill download target directory validation

OpenClaw's Node role device-identity bypass allows unauthorized node.event injection

OpenClaw: Tlon settings empty-allowlist reconciliation bypassed intended revocation

Duplicate Advisory: OpenClaw's ACP child sessions inherit subagent security envelope constraints

OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback)

OpenClaw: Unrecognized script runners could bypass `system.run` approval integrity

OpenClaw: Feishu extension resolveUploadInput bypasses file-system sandbox and allows arbitrary file reads via upload_image

Duplicate Advisory: OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects

Duplicate Advisory: OpenClaw's voice-call Twilio webhook replay could bypass manager dedupe because normalized event IDs were randomized per parse

OpenClaw: Gateway operator.write Can Reach Admin-Class Channel Allowlist Persistence via chat.send

OpenClaw's Discord component interaction ingress skips guild/channel policy enforcement

OpenClaw safeBins file-existence oracle information disclosure

OpenClaw: ZIP extraction race could write outside destination via parent symlink rebind

OpenClaw: OpenShell mirror mode could delete arbitrary remote directories when roots were mis-scoped

OpenClaw: Channel setup catalog lookups could include untrusted workspace plugin shadows

OpenClaw has Windows system.run approval mismatch on cmd.exe /c trailing arguments

OpenClaw: Node reconnect metadata spoofing could bypass platform-based node command policy

OpenClaw: Unauthenticated plugin-auth HTTP routes receive operator runtime scopes

OpenClaw: Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement

OpenClaw Windows Scheduled Task script generation allowed local command injection via unsafe cmd argument handling

OpenClaw: `session_status` sessionId resolution bypasses sandboxed session-tree visibility

Duplicate Advisory: OpenClaw: Tlon cite expansion happens before channel and DM authorization is complete

OpenClaw: config.get redaction bypass through sourceConfig and runtimeConfig aliases

OpenClaw exec allowlist safeBins short-option bypass could permit arbitrary file write

OpenClaw's dispatch-wrapper depth-cap mismatch can bypass shell-wrapper approval gating in system.run allowlist mode

Duplicate Advisory: OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter

OpenClaw's avatar symlink traversal can expose out-of-workspace local files

OpenClaw's gateway connect could skip device identity checks when auth.token was present but not yet validated

OpenClaw: system.run wrapper-depth boundary could skip shell approval gating

OpenClaw: fetch-guard forwards custom authorization headers across cross-origin redirects

Duplicate Advisory: OpenClaw's skills-install-download can be redirected outside the tools root by rebinding the validated base path

OpenClaw Bypasses DM Policy Separation via Synology Chat Webhook Path Collision

OpenClaw's hooks count non-POST requests toward auth lockout

OpenClaw reuses the gateway auth token in the owner ID prompt hashing fallback

OpenClaw: Gateway chat.send ACP-only provenance guard could be bypassed by client identity spoofing

OpenClaw: HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist — RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class)

OpenClaw affected by SSRF via attachment/media URL hydration

OpenClaw: Synology Chat reply delivery could be rebound through username-based user resolution.

OpenClaw's Signal reaction-only status events could, in limited cases, be enqueued before access checks

OpenClaw's MSTeams attachment redirect handling could bypass configured media host allowlists

OpenClaw: Shell init-file options could satisfy exec allowlist script matching

OpenClaw's non-default autoAllowSkills setting could bypass on-miss exec prompt

OpenClaw has two SSRF via sendMediaFeishu and markdown image fetching in Feishu extension

OpenClaw ACP client has permission auto-approval bypass via untrusted tool metadata

OpenClaw macOS deep link confirmation truncation can conceal executed agent message

OpenClaw: BlueBubbles Webhook Missing Rate Limiting Enables Brute-Force Password Guessing

OpenClaw: Gateway hello snapshots exposed host config and state paths to non-admin clients

OpenClaw: Sandbox media TOCTOU could read files outside sandbox root

OpenClaw affected by iMessage remote attachment SCP hardening (strict host-key checks and remoteHost validation)

OpenClaw improperly parses X-Forwarded-For behind trusted proxies allows client IP spoofing in security decisions

OpenClaw's sandbox config hash sorted primitive arrays and suppressed needed container recreation

OpenClaw: Gateway /tools/invoke tool escalation + ACP permission auto-approval

Duplicate Advisory: OpenClaw's Nextcloud Talk webhook replay could trigger duplicate inbound processing

Duplicate Advisory: OpenClaw's Signal reaction-only status events could, in limited cases, be enqueued before access checks

OpenClaw has Inconsistent Host Exec Environment Override Sanitization

Duplicate Advisory: OpenClaw affected by SSRF via unguarded image download in fal provider

OpenClaw has SSRF guard bypass via IPv6 transition over ISATAP

Duplicate Advisory: OpenClaw Gateway: RCE and Privilege Escalation from operator.pairing to operator.admin via device.pair.approve

OpenClaw has a CWD `.env` environment variable injection which bypasses host-env policy and allows config takeover

OpenClaw: Non-owner command-authorized sender can change the owner-only `/send` session delivery policy

Duplicate Advisory: OpenClaw's system.run allowlist bypass via shell line-continuation command substitution

OpenClaw's sandbox skill mirroring path traversal vulnerability could write outside the sandbox workspace

OpenClaw: CLI Remote Onboarding Persists Unauthenticated Discovery Endpoint and Exfiltrates Gateway Credentials

OpenClaw has allowlist exec-guard bypass via env -S

OpenClaw: Browser snapshot and screenshot routes could expose internal page content after navigation

OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints

OpenClaw has ReDoS and regex injection via unescaped Feishu mention metadata in RegExp construction

OpenClaw skills.status could leak secrets to operator.read clients

Duplicate Advisory: OpenClaw's system.run approval TOCTOU via mutable symlink cwd target on node host

OpenClaw: OpenShell `mirror` mode can convert untrusted sandbox files into explicitly enabled workspace hooks and execute them on the host during gateway startup

OpenClaw's Nextcloud Talk webhook missing rate limiting on shared secret authentication

OpenClaw: Windows-compatible env override keys could bypass system.run approval binding

OpenClaw: Discord text `/approve` bypasses `channels.discord.execApprovals.approvers` and allows non-approvers to resolve pending exec approvals

OpenClaw: CDP /json/version WebSocket URL could pivot to untrusted second-hop targets

OpenClaw: QMD memory_get restricts reads to canonical or indexed memory paths

OpenClaw: Tlon media downloads can bypass core safety limits and exhaust disk

OpenClaw's system.run approvals did not bind mutable script operands across approval and execution

OpenClaw: `session_status` still bypasses configured `tools.sessions.visibility` for unsandboxed invocations

OpenClaw: Existing-session browser interaction routes bypassed SSRF policy enforcement

OpenClaw: Heartbeat owner downgrade missed local async exec completion events

Duplicate Advisory: OpenClaw Bypasses DM Policy Separation via Synology Chat Webhook Path Collision

OpenClaw: TOCTOU read in exec script preflight

Duplicate Advisory: OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token

OpenClaw: Feishu docx upload_file/upload_image Bypasses Workspace-Only Filesystem Policy (GHSA-qf48-qfv4-jjm9 Incomplete Fix)

OpenClaw: stageSandboxMedia destination symlink traversal can overwrite files outside sandbox workspace

OpenClaw: Endpoint persists after trust decline, leaking gateway credentials

OpenClaw has an unauthorized sender bypass in its stop triggers and /models command authorization

OpenClaw's tools.exec.safeBins generic fallback allowed interpreter-style inline payload execution in allowlist mode

OpenClaw's commands.allowFrom sender authorization accepted conversation identifiers via ctx.From

Duplicate Advisory: OpenClaw: Google Chat app-url webhook auth accepted non-deployment add-on principals

OpenClaw: Gateway plugin HTTP `auth: gateway` widens identity-bearing `operator.read` requests into runtime `operator.write`

OpenClaw contains a symlink traversal vulnerability

Duplicate Advisory: OpenClaw: Zalo webhook rate limiting could be bypassed before secret validation

OpenClaw: Shell-wrapper detection missed env-argv assignment injection forms

OpenClaw safeBins jq `$ENV` filter bypass allows environment variable disclosure

OpenClaw: screen_record outPath bypassed workspace-only filesystem guard

OpenClaw's tools.exec.safeBins sort long-option abbreviation bypass can skip exec approval in allowlist mode

OpenClaw has an opt-in insecure Control UI auth over plaintext HTTP could allow privileged access

OpenClaw's shell env fallback trusts unvalidated SHELL path from host environment

OpenClaw: Sender policy bypass in host media attachment reads allows unauthorized local file disclosure

OpenClaw: system.run allow-always persistence included shell-commented payload tails

OpenClaw Vulnerable to Local File Exfiltration via MCP Tool Result MEDIA: Directive Injection

OpenClaw: SSRF via Unguarded `fetch()` in Marketplace Plugin Download and Ollama Model Discovery

OpenClaw: Command hijacking via unsafe PATH handling (bootstrapping + node-host PATH overrides)

OpenClaw: SSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host

OpenClaw's mutating internal ACP chat commands missed operator.admin scope enforcement

OpenClaw log poisoning (indirect prompt injection) via WebSocket headers

OpenClaw: Prevent shell injection in macOS keychain credential write

OpenClaw: Config writes could persist resolved ${VAR} secrets to disk

OpenClaw: MS Teams fileConsent/invoke missing conversation binding allowed cross-conversation pending-upload consumption

OpenClaw: Empty approver lists could grant explicit approval authorization

OpenClaw has a Discord `allowFrom` slug-collision authorization bypass

OpenClaw: Webchat media embedding enforces local-root containment for tool-result files

OpenClaw: Browser SSRF policy default allowed private-network navigation

OpneClaw accepts unsanitized iMessage attachment paths which allowed SCP remote-path command injection

OpenClaw: Path traversal via inbound channel attachment path in ACP dispatch allows arbitrary file read

Duplicate Advisory: OpenClaw: Nextcloud Talk room allowlist matched colliding room names instead of stable room tokens

OpenClaw macOS companion app (beta): allowlist parsing mismatch for system.run shell chains

OpenClaw vulnerable to Unauthenticated Local RCE via WebSocket config.apply

OpenClaw SSRF guard misses four IPv6 special-use ranges

Duplicate Advisory: OpenClaw Telegram webhook request bodies were read before secret validation, enabling unauthenticated resource exhaustion

OpenClaw: MS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion

OpenClaw's sandboxed sessions_spawn now enforces sandbox inheritance for cross-agent spawns

OpenClaw's Zalouser allowlist authorization matched mutable group names by default

OpenClaw: ACP prompt-size checks missing in local stdio bridge could reduce responsiveness with very large inputs

OpenClaw: Telegram legacy allowFrom migration fans default-account trust into all named accounts

Duplicate Advisory: OpenClaw: Symlink Traversal via IDENTITY.md appendFile in agents.create/update (Incomplete Fix for CVE-2026-32013)

OpenClaw's allow-always wrapper persistence could bypass future approvals and enable command execution

OpenClaw plugin runtime command execution is part of trusted plugin boundary

OpenClaw's Conflicting Tool Identity Hints Bypass Dangerous-Tool Prompting

OpenClaw: PIP_INDEX_URL and UV_INDEX_URL bypass host exec env sanitization and redirect Python package-index traffic

OpenClaw: Plivo V2 verified replay identity drifts on query-only variants

OpenClaw: Host exec environment sanitization misses package, registry, Docker, compiler, and TLS override variables

Duplicate Advisory: OpenClaw Node system.run approval context-binding weakness in approval-enabled host=node flows

OpenClaw has Canvas route hardening for mixed-trust deployments

OpenClaw: Forwarding header spoofing bypasses gateway.trustedProxies origin detection

OpenClaw: Nostr profile mutation routes allowed operator.write config persistence

OpenClaw: Feishu thread history and quoted messages bypass sender allowlist

OpenClaw: Mattermost callback dispatch allowed non-allowlisted sender actions

Duplicate Advisory: OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation

OpenClaw's tools.exec.safeBins trusted PATH directories allowed binary shadowing in allowlist mode

OpenClaw: Workspace plugin auto-discovery allowed code execution from cloned repositories

OpenClaw: Message action attachment hydration bypasses local media root checks when sandboxRoot is unset

OpenClaw: Browser interaction routes could pivot into local CDP and regain file reads

OpenClaw: Shared reply MEDIA - paths are treated as trusted and can trigger cross-channel local file exfiltration

OpenClaw: Unavailable local auth SecretRefs could fall through to remote credentials in local mode

OpenClaw has agent avatar symlink traversal in gateway session metadata

Duplicate Advisory: OpenClaw: Telegram Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Secret

OpenClaw: Delivery queue recovery could lose group tool-policy context for media replay

Duplicate Advisory: OpenClaw: BlueBubbles Webhook Missing Rate Limiting Enables Brute-Force Password Guessing

OpenClaw: Browser tabs action select and close routes bypassed SSRF policy

OpenClaw: Media Parsing Path Traversal Leads to Arbitrary File Read

Duplicate Advisory: OpenClaw has an improper sandbox configuration vulnerability

OpenClaw: Zalo channel downloads media before sender authorization

OpenClaw: Node system.run approval bypass via parent-symlink cwd rebind

OpenClaw: Pairing setup codes exposed long-lived shared gateway credentials instead of short-lived bootstrap tokens

OpenClaw Canvas Authentication Bypass Vulnerability

Duplicate Advisory: OpenClaw has browser trace/download path symlink escape in temp output handling

Duplicate Advisory: OpenClaw: Node-host approvals could show misleading shell payloads instead of the executed argv

OpenClaw: Heartbeat context inheritance bypasses sandbox via senderIsOwner escalation

OpenClaw: Image Tool `tools.fs.workspaceOnly` Bypass via Sandbox Bridge Mounts

OpenClaw's hook transform module path allows traversal and arbitrary JavaScript module loading

Duplicate Advisory: OpenClaw has Bypass in Webhook Rate Limiting via Pre-Authentication Secret Validation

OpenClaw: Skill env override host env injection via applySkillConfigEnvOverrides (defense-in-depth)

OpenClaw: GIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant)

OpenClaw Node host system.run rawCommand/command mismatch can bypass allowlist/approvals

OpenClaw leaf subagents can bypass controlScope restrictions to send messages to child sessions

OpenClaw's elevated allowFrom accepted broader identity signals than specified within sender-scoped authorization

OpenClaw: /api/channels gateway-auth boundary bypass via path canonicalization mismatch

OpenClaw has a potential access-group authorization bypass if channel type lookup fails

OpenClaw's web tools strict URL guard could lose DNS pinning when env proxy is configured

OpenClaw: Remote media error responses could trigger unbounded memory allocation before failure

OpenClaw: Incomplete host-env-security-policy allows untrusted model to substitute compiler binaries via env overrides

OpenClaw: Lower-trust background runtime output is injected into trusted `System:` events, and local async exec completion misses the intended `exec-event` downgrade

OpenClaw authorization bypass: operator.write can resolve exec approvals via chat.send -> /approve

Duplicate Advisory: safeBins stdin-only bypass via sort output and recursive grep flags

OpenClaw: Paired node escalates to gateway RCE via unrestricted node.event agent dispatch

OpenClaw's Synology Chat dmPolicy=allowlist failed open on empty allowedUserIds, allowing unauthorized agent dispatch

OpenClaw: LINE group allowlist scope mismatch with DM pairing-store entries

OpenClaw has gateway plugin auth bypass via encoded dot-segment traversal in protected /api/channels paths

OpenClaw: Native prompt image auto-load did not honor tools.fs.workspaceOnly in sandboxed runs

OpenClaw has Zip Slip path traversal in tar archive extraction

OpenClaw's Node system.run approval hardening wrapper semantic drift can execute unintended local scripts

OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter

OpenClaw has a path traversal in browser trace/download output paths may allow arbitrary file writes

OpenClaw: Sandboxed /acp spawn requests could initialize host ACP sessions

OpenClaw affected by denial of service via unbounded URL-backed media fetch

OpenClaw has a path traversal in browser upload allows local file read

Duplicate Advisory: OpenClaw's allow-always wrapper persistence could bypass future approvals and enable command execution

OpenClaw: Unauthorized Telegram Senders Trigger Media Download and Disk Write Before Access Check

OpenClaw has Windows Lobster shell fallback command injection in constrained fallback path

OpenClaw: Collect-mode queue batches could reuse the last sender authorization context

OpenClaw `node.pair.approve` placed in `operator.write` scope instead of `operator.pairing` allows unprivileged pairing approval

OpenClaw has web_search citation redirect SSRF via private-network-allowing policy

OpenClaw: Microsoft Teams SSO invoke handler missed sender authorization checks

Duplicate Advisory: OpenClaw: Windows media loaders accepted remote-host file URLs before local path validation

OpenClaw's gateway tokenless Tailscale auth applied to HTTP routes

OpenClaw: Sandbox noVNC helper route exposed interactive browser session credentials

OpenClaw has macOS `system.run` allowlist bypass via quoted command substitution

OpenClaw: Sandbox escape via TOCTOU race in remote FS bridge readFile

OpenClaw runs Discord audio preflight transcription before member authorization

OpenClaw has a command injection in maintainer clawtributors updater

OpenClaw's exec allow-always can be bypassed via unrecognized multiplexer shell wrappers (busybox/toybox sh -c)

OpenClaw: Windows media loaders accepted remote-host file URLs before local path validation

OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin`

OpenClaw: /pair approve command path omitted caller scope subsetting and reopened device pairing escalation

OpenClaw Nostr privateKey config redaction bypass leaks plaintext signing key via config.get

Duplicate Advisory: OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin`

OpenClaw: macOS optional allowlist basename matching could bypass path-based policy

OpenClaw: Google Chat app-url webhook auth accepted non-deployment add-on principals

OpenClaw's `system.run` env override filtering allowed dangerous helper-command pivots

OpenClaw: SSH-based sandbox backends pass unsanitized process.env to child processes

OpenClaw: Authenticated `/hooks/wake` and mapped `wake` payloads are promoted into the trusted `System:` prompt channel

OpenClaw: Write-scoped callers could reach admin-only session reset logic through `agent`

OpenClaw: Process Safety - Unvalidated PID Kill via SIGKILL in Process Cleanup

OpenClaw Telegram allowlist authorization accepted mutable usernames

OpenClaw: Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName

OpenClaw: Voice-call realtime WebSocket accepted oversized frames

OpenClaw has a Path Traversal in Browser Download Functionality

OpenClaw: Cross-account sender authorization expansion in `/allowlist ... --store` account scoping

Duplicate Advisory: OpenClaw ACP client has permission auto-approval bypass via untrusted tool metadata

OpenClaw has non-constant-time token comparison in hooks authentication

OpenClaw's browser-origin WebSocket auth hardening gap could enable loopback password brute-force chains

OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning

OpenClaw: Bonjour/DNS-SD TXT metadata steers CLI routing after failed service resolution

OpenClaw: Node-host approvals could show misleading shell payloads instead of the executed argv

OpenClaw has a path traversal in apply_patch could write/delete files outside the workspace

OpenClaw vulnerable to sensitive file disclosure via stageSandboxMedia

OpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reachable)

OpenClaw has a Path Traversal in Plugin Installation

Duplicate Advisory: OpenClaw's gateway tokenless Tailscale auth applied to HTTP routes

OpenClaw: Agentic Consent Bypass — LLM Agent Can Silently Disable Exec Approval via `config.patch`

OpenClaw: Telegram Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Secret

OpenClaw's image tool bypasses tools.fs.workspaceOnly on sandbox mount paths and exfiltrates out-of-workspace images

OpenClaw: macOS Tailnet DNS Spoofing & Credential Exfiltration

OpenClaw's system.run allowlist can be bypassed through an unregistered time dispatch wrapper

OpenClaw: Image pixel-limit guard can fail open on sips and allow decompression-bomb DoS

Duplicate Advisory: OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback)

OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects

OpenClaw has a Trusted-proxy Control UI pairing bypass which allows unpaired node sessions

OpenClaw shell-env fallback trusted startup env and could execute attacker-influenced login-shell paths

OpenClaw: Zip extraction symlink traversal could write outside destination

CpenClaw's ACPX Windows wrapper shell fallback allowed cwd injection in specific paths

OpenClaw: Node exec approvals could be replayed across nodes

OpenClaw: Discord event cover images bypassed sandbox media normalization

OpenClaw is vulnerable to validation bypass through GNU long-option abbreviations in allowlist mode

OpenClaw: Exec environment denylist missed high-risk interpreter startup variables

OpenClaw: Android accepted cleartext remote gateway endpoints and sent stored credentials over ws://

OpenClaw has Browser SSRF Policy Bypass via Interaction-Triggered Navigation

OpenClaw `device.token.rotate` mints tokens for unapproved roles, bypassing device role-upgrade pairing

OpenClaw: Discord guild reaction ingress could bypass users and roles allowlists

`OpenClaw: session_status` let sandboxed subagents access parent or sibling session state

OpenClaw voice-call media stream validated streams after upgrade, which could allow pre-start unauthenticated sockets to increase resource pressure

OpenClaw affected by BASH_ENV / ENV startup-file injection into spawned shell commands

OpenClaw's system.run approval TOCTOU via mutable symlink cwd target on node host

Duplicate Advisory: OpenClaw: system.run approval identity mismatch could execute a different binary than displayed

OpenClaw: Sandbox media fallback tmp symlink alias bypass allows host file reads outside sandboxRoot

Duplicate Advisory: OpenClaw: Plugin subagent routes could bypass gateway authorization with synthetic admin scopes

Duplicate Advisory: ACPX Windows wrapper shell fallback allowed cwd injection in specific paths

OpenClaw affected by SSRF in Image Tool Remote Fetch

OpenClaw: Existing WS sessions survive shared gateway token rotation

OpenClaw Loopback CDP probe can leak Gateway token to local listener

OpenClaw's skills-install-download can be redirected outside the tools root by rebinding the validated base path

Duplicate Advisory: OpenClaw: Feishu webhook mode accepted forged events when only `verificationToken` was configured

OpenClaw: resolvedAuth closure becomes stale after config reload

OpenClaw: Mutating internal `/allowlist` chat commands missed `operator.admin` scope enforcement

OpenClaw: Feishu Raw Card Send Surface Can Mint Legacy Card Callbacks That Bypass DM Pairing

Duplicate Advisory: OpenClaw's system.run shell-wrapper positional argv carriers could execute hidden commands under misleading approval text

OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation

OpenClaw: Browser SSRF hostname validation could be bypassed by DNS rebinding

OpenClaw `node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard

Duplicate Advisory: OpenClaw's system.run approvals did not bind mutable script operands across approval and execution

OpenClaw: Sandbox browser CDP relay could expose DevTools protocol on 0.0.0.0

OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection

Duplicate Advisory: Exec allowlist wrapper analysis did not unwrap env/shell dispatch chains

OpenClaw has a webhook auth bypass when gateway is behind a reverse proxy (loopback remoteAddress trust)

OpenClaw: Reject symlinks in local skill packaging script

OpenClaw Telegram media fetch errors exposed bot tokens in logged file URLs

OpenClaw's Slack reaction/pin sender-policy consistency issue in non-message ingress

OpenClaw: Sandbox file operations use check-then-act, bypassing fd-based TOCTOU defenses

OpenClaw: Exec approval allowlist patterns overmatched on POSIX paths

OpenClaw validates Zalo outbound photo URLs through the SSRF guard

Duplicate Advisory: OpenClaw: LINE webhook handler lacks shared pre-auth concurrency budget before signature verification

OpenClaw: Gateway agent /reset exposes admin session reset to operator.write callers

OpenClaw: Voice-call still parses large WebSocket frames before start validation (Incomplete fix for CVE-2026-32062)

OpenClaw: Hook mapping templates could bypass hook session-key opt-in

OpenClaw: Workspace `.env` can override the bundled hooks root and load attacker hook code

OpenClaw: Trailing-dot localhost CDP hosts could bypass remote loopback protections

OpenClaw safeBins stdin-only bypass via sort output and recursive grep flags

OpenClaw: Workspace dotenv files cannot override connector endpoint hosts

OpenClaw: Feishu webhook mode accepted forged events when only `verificationToken` was configured

OpenClaw: Isolated cron awareness events were recorded as trusted system events

OpenClaw's inbound media downloads could exceed configured byte limits before rejection across multiple channels

OpenClaw Affected by Remote Code Execution via System Prompt Injection in Slack Channel Descriptions

OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes

OpenClaw: Tlon cite expansion happens before channel and DM authorization is complete

OpenClaw: Zalo webhook rate limiting could be bypassed before secret validation

OpenClaw Vulnerable to HTML injection via unvalidated image MIME type in data-URL interpolation

Duplicate Advisory: OpenClaw: HTTP operator endpoints lack browser-origin validation in trusted-proxy mode

Duplicate Advisory: OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens

Duplicate Advisory: OpenClaw: SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476)

OpenClaw: Channel commands could bypass account-scoped `configWrites` restrictions

OpenClaw's system.run allowlist approval parsing missed PowerShell encoded-command wrappers

Duplicate Advisory: OpenClaw: CDP /json/version WebSocket URL could pivot to untrusted second-hop targets

OpenClaw hook transform path containment missed symlink-resolved escapes

OpenClaw: Experimental apply_patch may bypass workspace-only checks in opt-in sandbox mounts (off by default)

OpenClaw: Agent gateway config mutations could change protected operator settings

Duplicate Advisory: OpenClaw has Windows Lobster shell fallback command injection in constrained fallback path

OpenClaw's system.run allowlist bypass via shell line-continuation command substitution

OpenClaw: Discord voice transcript owner-flag omission could expose owner-only tools in mixed-trust channels

OpenClaw's authorization mismatch allowed write-scope agent runs to reach owner-only tools

OpenClaw Has a Gateway Control Interface Information Disclosure Vulnerability

OpenClaw: Feishu webhook and card-action validation now fail closed

Duplicate Advisory: OpenClaw's device removal and token revocation do not terminate active WebSocket sessions

OpenClaw: Gateway WebSocket Denial of Service via unbounded pre-auth upgrades

OpenClaw's Gateway Control UI bootstrap config required Gateway auth

Duplicate Advisory: OpenClaw session transcript files were created without forced user-only permissions

OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners

OpenClaw: Bundled MCP/LSP tools could bypass configured tool policy

Duplicate Advisory: OpenClaw: Voice-call Plivo replay mutates in-process callback origin before replay rejection

OpenClaw's gateway config mutation guard allowed unsafe model-driven config writes

OpenClaw has an Arbitrary Malicious Code Execution Vulnerability

OpenClaw's voice-call Twilio replay dedupe now bound to authenticated webhook identity

OpenClaw: Webchat audio embedding could read local files without local-root containment

OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests

Duplicate Advisory: `OpenClaw: session_status` let sandboxed subagents access parent or sibling session state

Duplicate Advisory: OpenClaw: Remote media error responses could trigger unbounded memory allocation before failure

OpenClaw: Browser CDP profile creation skipped strict-mode SSRF checks

OpenClaw's incomplete host env sanitization blocklist allows supply-chain redirection via package-manager env overrides

Duplicate Advisory: Synology Chat dmPolicy=allowlist failed open on empty allowedUserIds, allowing unauthorized agent dispatch

OpenClaw's exec allowlist wrapper analysis did not unwrap env/shell dispatch chains

Duplicate Advisory: OpenClaw: OpenShell `mirror` mode can convert untrusted sandbox files into explicitly enabled workspace hooks and execute them on the host during gateway startup

Duplicate Advisory: OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root

OpenClaw Telegram webhook request bodies were read before secret validation, enabling unauthenticated resource exhaustion

OpenClaw: system.run approvals did not bind PATH-token executable identity, enabling post-approval executable rebind

Duplicate Advisory: OpenClaw: Pairing pending-request caps were enforced per channel instead of per account

OpenClaw: Microsoft Teams media fetch paths bypass shared SSRF guard model

Duplicate Advisory: OpenClaw: system.run approvals did not bind PATH-token executable identity, enabling post-approval executable rebind

OpenClaw vulnerable to path traversal in Feishu media temp-file naming allows writes outside os.tmpdir()

Duplicate Advisory: OpenClaw: Feishu webhook and card-action validation now fail closed

Duplicate Advisory: OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes

OpenClaw has a BlueBubbles group allowlist mismatch via DM pairing-store fallback

OpenClaw Gateway tool allowed unrestricted gatewayUrl override

Duplicate Advisory: OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation

Duplicate Advisory: OpenClaw: Discord Component Interaction Misclassifies Group DM as Direct Message

OpenClaw: Plugin subagent routes could bypass gateway authorization with synthetic admin scopes

OpenClaw's ACP child sessions inherit subagent security envelope constraints

Duplicate Advisory: OpenClaw: Webchat media embedding enforces local-root containment for tool-result files

Duplicate Advisory: OpenClaw reuses the gateway auth token in the owner ID prompt hashing fallback

OpenClaw: LINE webhook handler lacks shared pre-auth concurrency budget before signature verification

Duplicate Advisory: OpenClaw: Discord Slash Commands Bypass Group DM Channel Allowlist

In OpenClaw, manually adding sort to tools.exec.safeBins could bypass allowlist approval via --compress-program

OpenClaw: Workspace dotenv could override runtime-control environment variables

OpenClaw unpaired device identity can bypass operator pairing and self-assign operator scopes with shared auth

OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution

Duplicate Advisory: OpenClaw: Workspace plugin auto-discovery allowed code execution from cloned repositories

OpenClaw Canvas Path Traversal Information Disclosure Vulnerability

Duplicate Advisory: OpenClaw Windows Scheduled Task script generation allowed local command injection via unsafe cmd argument handling

OpenClaw DM pairing-store identities could satisfy group allowlist authorization

OpenClaw: BlueBubbles (optional plugin) pairing/allowlist mismatch when allowFrom is empty

Duplicate Advisory: OpenClaw: Workspace `.env` can override the bundled hooks root and load attacker hook code

OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config

OpenClaw inter-session prompts could be treated as direct user instructions

OpenClaw: Strict browser SSRF bypass in Playwright redirect handling leaves private targets reachable

OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access

OpenClaw: BlueBubbles Group Reactions Bypass requireMention and Still Enqueue Agent-Visible System Events

OpenClaw: Discord voice ingress authorization can be bypassed via channel, name, and stale-role validation gaps

OpenClaw's Windows cmd.exe parsing may bypass exec allowlist/approval gating

OpenClaw: Gateway Plugin HTTP Auth Grants Unrestricted operator.admin Runtime Scope to All Callers

Duplicate Advisory: OpenClaw's andbox browser noVNC observer lacked VNC authentication

OpenClaw affected by SSRF in optional Tlon (Urbit) extension authentication

OpenClaw's MS Teams sender allowlist bypass when route allowlist is configured and sender allowlist is empty

OpenClaw: strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts

OpenClaw: pnpm dlx approvals did not bind local script operands

OpenClaw's Nextcloud Talk webhook replay could trigger duplicate inbound processing

Duplicate Advisory: OpenClaw validates Zalo outbound photo URLs through the SSRF guard

OpenClaw: MS Teams Feedback Invocation Bypasses Sender Allowlists and Records Unauthorized Session Feedback

Duplicate Advisory: OpenClaw: QQBot direct media upload skipped URL SSRF validation

OpenClaw is vulnerable to unauthenticated resource exhaustion through its voice call webhook handling

OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting

OpenClaw's sandbox bind validation could bypass allowed-root and blocked-path checks via symlink-parent missing-leaf paths

OpenClaw: shell-env trusted-prefix fallback allowed attacker-controlled binary execution via $SHELL

OpenClaw gateway exec allow-always over-trusts positional carrier executables

OpenClaw has cross-account DM pairing authorization bypass via unscoped pairing store access

OpenClaw: Marketplace Plugin Download Follows Redirects Without SSRF Protection

OpenClaw: Browser control startup could continue unauthenticated after auth bootstrap failure

OpenClaw Host-Exec Environment Variable Injection

Duplicate Advisory: OpenClaw host-env blocklist missing `GIT_TEMPLATE_DIR` and `AWS_CONFIG_FILE` allows code execution via env override

Duplicate Advisory: OpenClaw: Skill env override host env injection via applySkillConfigEnvOverrides (defense-in-depth)

OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root

Duplicate Advisory: OpenClaw: Gateway `device.token.rotate` does not terminate active WebSocket sessions after credential rotation

OpenClaw has pre-auth webhook body parsing that can enable unauthenticated slow-request DoS

OpenClaw: Unbound interpreter and runtime commands could bypass node-host approval integrity

OpenClaw has stored XSS in exported session HTML viewer via markdown/raw-HTML rendering

OpenClaw's shell startup env injection bypasses system.run allowlist intent (RCE class)

OpenClaw's dashboard leaked gateway auth material via browser URL/query and localStorage

OpenClaw: Discord Slash Commands Bypass Group DM Channel Allowlist

Duplicate Advisory: OpenClaw: Unrecognized script runners could bypass `system.run` approval integrity

OpenClaw: `browser.request` still allows `POST /reset-profile` through the `operator.write` surface

OpenClaw has encoded-path auth bypass in plugin `/api/channels` route classification

OpenClaw: /allowlist omits owner-only enforcement for cross-channel allowlist writes

OpenClaw: `browser.request` let `operator.write` persist admin-only browser profile changes

OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows

Duplicate Advisory: OpenClaw macOS companion app (beta): allowlist parsing mismatch for system.run shell chains

Duplicate Advisory: OpenClaw safeBins file-existence oracle information disclosure

OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation

Duplicate Advisory: OpenClaw: Exec environment denylist missed high-risk interpreter startup variables

Duplicate Advisory: OpenClaw: Sandbox `writeFile` commit could race outside the validated path

OpenClaw: Media download follows cross-origin redirects with Authorization headers intact

OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting

OpenClaw: Symlink Traversal via IDENTITY.md appendFile in agents.create/update (Incomplete Fix for CVE-2026-32013)

OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities

Temporary path handling could write outside OpenClaw temp boundary

OpenClaw: Browser press/type interaction routes missed complete navigation guard coverage

OpenClaw: SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476)

OpenClaw has a sandbox network isolation bypass via docker.network=container:<id>

Duplicate Advisory: OpenClaw: Browser press/type interaction routes missed complete navigation guard coverage

OpenClaw safeBins grep -e File Read Bypass (stdin-only policy bypass)

OpenClaw: Gateway Canvas local-direct requests bypass Canvas HTTP and WebSocket authentication

OpenClaw: QQBot direct media upload skipped URL SSRF validation

OpenClaw exec approvals: safeBins could bypass stdin-only constraints via shell expansion

Duplicate Advisory: Command Injection via unescaped environment assignments in Windows Scheduled Task script generation

OpenClaw: Feishu reaction events could bypass group authorization and mention gating

OpenClaw Improperly Neutralizes Line Breaks in systemd Unit Generation Enables Local Command Execution (Linux)

OpenClaw: Security Scan Failure Does Not Block Plugin Installation (Fail-Open)

OpenClaw has a Feishu allowFrom authorization bypass via display-name collision

OpenClaw has system.run shell-wrapper env injection via SHELLOPTS/PS4 can bypass allowlist intent (RCE)

Duplicate Advisory: OpenClaw is vulnerable to unauthenticated resource exhaustion through its voice call webhook handling

OpenClaw: Telnyx Webhook Replay Detection Bypass via Base64 Signature Re-encoding

OpenClaw Exposes Credentials Embedded in baseUrl Fields via config.get and channels.status

OpenClaw has a local file disclosure via sendMediaFeishu in Feishu extension

OpenClaw: busybox and toybox applet execution weakened exec approval binding

OpenClaw MS Teams inbound attachment downloader leaks bearer tokens to allowlisted suffix domains

OpenClaw has browser trace/download path symlink escape in temp output handling

OpenClaw: safeBins static default trusted dirs allow writable-dir binary hijack (`jq`)

OpenClaw: Google Chat and Zalouser group sender allowlist bypass via policy downgrade

OpenClaw gateway agents.files symlink escape allowed out-of-workspace file read/write

OpenClaw replaced a deprecated sandbox hash algorithm

OpenClaw: OpenShell Mirror Sync — Sandbox Escape via Unrestricted File Sync + Symlink Traversal

OpenClaw's serialize sandbox registry writes to prevent races and delete-rollback corruption

Duplicate Advisory: OpenClaw Has a Gateway Control Interface Information Disclosure Vulnerability

OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens

OpenClaw is vulnerable to Path Traversal through path validation bypass

OpenClaw has auth inconsistency on local Browser Extension Relay /extension endpoint

OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization

OpenClaw Has Incomplete Fix for CVE-2026-4039: CLI Backend Environment Variable Injection via Workspace Config

OpenClaw Slack: dmPolicy=open allowed any DM sender to run privileged slash commands

OpenClaw: Pairing pending-request caps were enforced per channel instead of per account

OpenClaw: Nextcloud Talk room allowlist matched colliding room names instead of stable room tokens

OpenClaw: Paired-device pairing actions were not limited to the caller device

OpenClaw's owner-only gateway tool access checks were incomplete in specific authenticated DM flows

Duplicate Advisory: OpenClaw: Nostr inbound DMs could trigger unauthenticated crypto work before sender policy enforcement

OpenClaw's device removal and token revocation do not terminate active WebSocket sessions

OpenClaw: node.pair.approve missing callerScopes validation allows low-privilege operator to approve malicious nodes

OpenClaw Twitch allowFrom is not enforced in optional plugin, unauthorized chat users can trigger agent pipeline

Duplicate Advisory: OpenClaw's message tool media parameter bypasses tool policy filesystem isolation

OpenClaw: Unified root-bound write hardening for browser output and related path-boundary flows

OpenClaw: diffs viewer misclassifies proxied remote requests as loopback when `allowRemoteViewer` is disabled

OpenClaw: Sandboxed sessions_spawn(runtime="acp") bypassed sandbox inheritance and allowed host ACP initialization

OpenClaw has a Gateway HTTP /v1/models Route Bypasses Operator Read Scope

OpenClaw: macOS beta onboarding exposed PKCE verifier via OAuth state

OpenClaw skills-install-download: tar.bz2 extraction bypassed archive safety parity checks (local DoS)

OpenClaw Chutes manual OAuth state validation bypass can cause credential substitution

OpenClaw: QQ Bot structured payloads could read arbitrary local files

OpenClaw: `/phone arm`/`/phone disarm` Bypasses `operator.admin` Scope Check for External Channels

OpenClaw: Gateway operator.write Can Reach Admin-Class Telegram Config and Cron Persistence via send

OpenClaw has exec allowlist/safeBins policy-runtime mismatch via env -S wrapper interpretation

OpenClaw affected by SSRF via unguarded image download in fal provider

OpenClaw: Discord DM reaction ingress missed dmPolicy/allowFrom checks in restricted setups

OpenClaw has command injection via Windows shell fallback in Lobster tool execution

OpenClaw: Gateway `device.token.rotate` does not terminate active WebSocket sessions after credential rotation

OpenClaw has an exec allowlist bypass via command substitution/backticks inside double quotes

OpenClaw: iOS A2UI bridge trusted generic local-network pages for agent.request dispatch

OpenClaw's non-default safeBins sort configuration can bypass intended allowlist approval constraints

Duplicate Advisory: allowlist exec-guard bypass via env -S

OpenClaw's TOCTOU symlink race in writeFileWithinRoot could create or truncate files outside root boundaries

OpenClaw: Nostr inbound DMs could trigger unauthenticated crypto work before sender policy enforcement

OpenClaw Vulnerable to Remote Code Execution via Node Invoke Approval Bypass in Gateway

OpenClaw: Device-Paired Node Skips Node Scope Gate → Host RCE.md

OpenClaw Node system.run approval context-binding weakness in approval-enabled host=node flows

Duplicate Advisory: OpenClaw's MS Teams sender allowlist bypass when route allowlist is configured and sender allowlist is empty

Duplicate Advisory: OpenClaw: Telnyx Webhook Replay Detection Bypass via Base64 Signature Re-encoding

OpenClaw: Workspace `.env` can override the bundled plugin trust root

Duplicate Advisory: OpenClaw: Slack system events bypass sender authorization in member and message subtype handlers

OpenClaw: Sandbox dangling-symlink alias handling could bypass workspace-only write boundary

OpenClaw: Matrix thread root and reply context bypass sender allowlist

OpenClaw may have stale policy enforcement for queued node actions

Duplicate Advisory: OpenClaw: Gateway operator.write Can Reach Admin-Class Telegram Config and Cron Persistence via send

Duplicate Advisory: OpenClaw: MSTeams thread history bypasses sender allowlist via Graph API

OpenClaw: Feishu card actions could misclassify DMs and skip dmPolicy

Duplicate Advisory: OpenClaw: Slack thread context could include messages from non-allowlisted senders

OpenClaw Google Chat spoofing access with allowlist authorized mutable email principal despite sender-ID mismatch

Duplicate Advisory: OpenClaw: Trailing-dot localhost CDP hosts could bypass remote loopback protections

Duplicate Advisory: OpenClaw: Device-Paired Node Skips Node Scope Gate → Host RCE.md

OpenClaw: Gateway HTTP Session History Route Bypasses Operator Read Scope

OpenClaw: Workspace .env could inject OpenClaw runtime-control variables

Duplicate Advisory: OpenClaw: Feishu extension resolveUploadInput bypasses file-system sandbox and allows arbitrary file reads via upload_image

Duplicate Advisory: OpenClaw: CLI Remote Onboarding Persists Unauthenticated Discovery Endpoint and Exfiltrates Gateway Credentials

Duplicate Advisory: OpenClaw's shell startup env injection bypasses system.run allowlist intent (RCE class)

Duplicate Advisory: OpenClaw: Browser SSRF hostname validation could be bypassed by DNS rebinding

Duplicate Advisory: OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting

OpenClaw's exec allowlist analysis rejects shell expansion in unquoted heredocs

OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload

OpenClaw: Slack thread context could include messages from non-allowlisted senders

Duplicate Advisory: OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests

OpenClaw: Leaf subagents could steer sibling sessions across sandbox boundaries

Duplicate Advisory: OpenClaw: Gateway `operator.write` can reach admin-only persisted `verboseLevel` via `chat.send` `/verbose`

Duplicate Advisory: OpenClaw: Workspace dotenv files cannot override connector endpoint hosts

OpenClaw: Discord Component Interaction Misclassifies Group DM as Direct Message

Duplicate Advisory: OpenClaw: Hook mapping templates could bypass hook session-key opt-in

Duplicate Advisory: OpenClaw: Workspace dotenv could override runtime-control environment variables

Duplicate Advisory: OpenClaw: Isolated cron awareness events were recorded as trusted system events

Duplicate Advisory: OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config

Duplicate Advisory: OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload

Duplicate Advisory: OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution

Duplicate Advisory: OpenClaw: Delivery queue recovery could lose group tool-policy context for media replay

Duplicate Advisory: OpenClaw: Host exec environment sanitization misses package, registry, Docker, compiler, and TLS override variables

Duplicate Advisory: OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners

Duplicate Advisory: OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes

OpenClaw: Sandbox `writeFile` commit could race outside the validated path

OpenClaw has incomplete Fix for CVE-2026-32011: Feishu Webhook Pre-Auth Body Parsing DoS (Slow-Body / Slowloris Variant)

Duplicate Advisory: OpenClaw: SSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host

OpenClaw session transcript files were created without forced user-only permissions

OpenClaw: Workspace .env npm_execpath could influence bundled runtime dependency install

Duplicate Advisory: Shell positional parameters could weaken strict inline-eval checks

Duplicate Advisory: Workspace-derived service PATH could influence trash command selection

OpenClaw: Internal/webchat command auth could inherit ownerAllowFrom wildcard state

Duplicate Advisory: Workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots

Duplicate Advisory: Active Memory write scope could mutate global config

OpenClaw: Shell positional parameters could weaken strict inline-eval checks

OpenClaw: Skill-command dispatch could skip before-tool-call hooks

Duplicate Advisory: memory-wiki shared search could miss session visibility checks

Duplicate Advisory: Exported session HTML could keep unsafe markdown links

OpenClaw: memory-wiki shared search could miss session visibility checks

OpenClaw: Zalo allowFrom could bind to mutable display names

Duplicate Advisory: BlueBubbles sender policy could match mutable conversation identifiers

OpenClaw: BlueBubbles sender policy could match mutable conversation identifiers

OpenClaw: Empty-scope device re-pairing could confuse caller scope containment

Duplicate Advisory: Tool group policy callers could accept unvalidated group IDs

OpenClaw: Tool group policy callers could accept unvalidated group IDs

OpenClaw: Bootstrap token replay could widen pending pairing scopes

OpenClaw: macOS Swift exec allowlist missed combined POSIX inline flags

Duplicate Advisory: Slack reaction events could ignore reaction notification settings

OpenClaw: Host environment sanitizer missed two Node.js control variables

OpenClaw: Discord allowFrom could bind to mutable display names

OpenClaw: Exec allowlist could miss side effects from transparent command wrappers

OpenClaw: Shell inline-command parsing could miss an allowlist check

OpenClaw: Slack reaction events could ignore reaction notification settings

OpenClaw: Workspace .env CLOUDSDK_PYTHON could influence Gmail setup gcloud execution

Duplicate Advisory: macOS Swift exec allowlist missed combined POSIX inline flags

Duplicate Advisory: Focus command could miss controlScope enforcement

Duplicate Advisory: Empty-scope device re-pairing could confuse caller scope containment

OpenClaw: Focus command could miss controlScope enforcement

Duplicate Advisory: Discord allowFrom could bind to mutable display names

Duplicate Advisory: OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization

Duplicate Advisory: Workspace .env npm_execpath could influence bundled runtime dependency install

Duplicate Advisory: Internal/webchat command auth could inherit ownerAllowFrom wildcard state

Duplicate Advisory: Skill-command dispatch could skip before-tool-call hooks

OpenClaw: MCP Streamable HTTP redirects could forward configured custom headers to another origin

Duplicate Advisory: Linux and macOS exec allowlists skipped configured argument patterns

OpenClaw: Hostname checks could treat trailing-dot hosts inconsistently

OpenClaw: Node browser proxy `allowProfiles` bypass through persistent profile mutation and runtime profile selection

Duplicate Advisory: Bootstrap token replay could widen pending pairing scopes

OpenClaw: Pairing-scoped device session could restore revoked node token authority

OpenClaw: Config recovery could restore openclaw.json with broad file permissions

OpenClaw: Workspace-derived service PATH could influence trash command selection

OpenClaw: Linux and macOS exec allowlists skipped configured argument patterns

Duplicate Advisory: Shell inline-command parsing could miss an allowlist check

OpenClaw's message tool media parameter bypasses tool policy filesystem isolation

Duplicate Advisory: Config recovery could restore openclaw.json with broad file permissions

Duplicate Advisory: Hostname checks could treat trailing-dot hosts inconsistently

Duplicate Advisory: Host environment sanitizer missed two Node.js control variables

Duplicate Advisory: Zalo allowFrom could bind to mutable display names

OpenClaw: Exported session HTML could keep unsafe markdown links

OpenClaw: Workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots

Duplicate Advisory: Pairing-scoped device session could restore revoked node token authority

Duplicate Advisory: Exec allowlist could miss side effects from transparent command wrappers

OpenClaw: Active Memory write scope could mutate global config

openclaw-claude-bridge: sandbox is not effective - `--allowed-tools ""` does not restrict available tools

OpenClaw optional voice-call plugin: webhook verification may be bypassed behind certain proxy configurations

OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl

Malicious code in openclaw-droid (npm)

OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable

OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand

Malicious code in @elvatis_com/openclaw-cli-bridge-elvatis (npm)

Malicious code in @shadanai/openclaw (npm)

Malicious code in @signetai/signet-memory-openclaw (npm)

Malicious code in atel-mcp-openclaw (npm)

Malicious code in fastgrc-openclaw (npm)

Duplicate Advisory: OpenClaw: Unavailable local auth SecretRefs could fall through to remote credentials in local mode

@axonflow/openclaw fix introduces plugin cache and credential-file permission hardening

Malicious code in @openclaw-ai/openclawai (npm)

Malicious code in @openclaw-cn/cli (npm)

Malicious code in @openclaw-cn/feishu (npm)

Malicious code in @openclaw-cn/libsignal (npm)

Malicious code in @openclaw-cn/toutiao-ops (npm)

Malicious code in openclaw-cn (npm)