openclaw
581 known vulnerabilities · 0 critical · 2 high
OpenClaw: Untrusted workspace channel shadows could execute during built-in channel setup
OpenClaw's sandbox browser noVNC observer lacked VNC authentication
OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR)
OpenClaw: Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths
OpenClaw: QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes
OpenClaw: Microsoft Teams media fetch paths bypass shared SSRF guard model
OpenClaw vulnerable to arbitrary file read via $include directive
OpenClaw: Path traversal via inbound channel attachment path in ACP dispatch allows arbitrary file read
OpenClaw's commands.allowFrom sender authorization accepted conversation identifiers via ctx.From
OpenClaw: busybox and toybox applet execution weakened exec approval binding
OpenClaw has system.run shell-wrapper env injection via SHELLOPTS/PS4 can bypass allowlist intent (RCE)
OpenClaw: Multiple Code Paths Missing Base64 Pre-Allocation Size Checks
OpenClaw has a gateway exec allowlist allow-always bypass via unregistered /usr/bin/script wrapper
OpenClaw's Zalo group sender allowlist bypass permits unauthorized GROUP dispatch
OpenClaw: Gateway `agent` calls could override the workspace boundary
OpenClaw has incomplete Fix for CVE-2026-27486: Unvalidated SIGKILL in `!stop` Chat Command via `shell-utils.ts`
Duplicate Advisory: OpenClaw's Node system.run approval hardening wrapper semantic drift can execute unintended local scripts
OpenClaw: Voice-call still parses large WebSocket frames before start validation (Incomplete fix for CVE-2026-32062)
OpenClaw: Matrix profile config persistence was reachable from operator.write message tools
OpenClaw: Voice-call Plivo replay mutates in-process callback origin before replay rejection
OpenClaw bootstrap setup codes could be replayed to escalate pending pairing scopes before approval
OpenClaw has an IPv6 multicast SSRF classifier bypass
OpenClaw's config env vars allowed startup env injection into service runtime
OpenClaw: Workspace provider auth choices could auto-enable untrusted provider plugins
OpenClaw Nostr privateKey config redaction bypass leaks plaintext signing key via config.get
OpenClaw has a workspace-only sandbox guard mismatch for @-prefixed absolute paths
OpenClaw Gateway: RCE and Privilege Escalation from operator.pairing to operator.admin via device.pair.approve
OpenClaw vulnerable to SSRF in src/agents/tools/web-fetch.ts
OpenClaw's allow-always wrapper persistence could bypass future approvals and enable command execution
OpenClaw BlueBubbles webhook auth bypass via loopback proxy trust
OpenClaw Hook Session Key Override Enables Targeted Cross-Session Routing
OpenClaw has a Command Injection via unescaped environment assignments in Windows Scheduled Task script generation
OpenClaw: Pairing-scoped device tokens could mint `operator.admin` and reach node RCE
OpenClaw's complex interpreter pipelines could skip exec script preflight validation
OpenClaw's Chrome extension relay binds publicly due to wildcard treated as loopback
OpenClaw: Node camera URL payload host-binding bypass allowed gateway fetch pivots
OpenClaw host-env blocklist missing `GIT_TEMPLATE_DIR` and `AWS_CONFIG_FILE` allows code execution via env override
Duplicate Advisory: OpenClaw's complex interpreter pipelines could skip exec script preflight validation
Duplicate Advisory: Signal group allowlist authorization bypass via DM pairing-store leakage
OpenClaw: workspace path guard bypass on non-existent out-of-root symlink leaf
OpenClaw: HTTP operator endpoints lack browser-origin validation in trusted-proxy mode
OpenClaw: Gateway operator.write Can Reach Admin-Class Telegram Config and Cron Persistence via send
OpenClaw's unsanitized session ID enables path traversal in transcript file operations
OpenClaw has Inconsistent Host Exec Environment Override Sanitization
OpenClaw's tools.exec.safeBins sort long-option abbreviation bypass can skip exec approval in allowlist mode
OpenClaw has an inbound allowlist policy bypass in voice-call extension (empty caller ID + suffix matching)
OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders
OpenClaw vulnerable to path traversal (Zip Slip) in archive extraction during explicit installation commands
OpenClaw has command injection via Windows shell fallback in Lobster tool execution
OpenClaw QQ Bot Extension missing SSRF Protection on All Media Fetch Paths
OpenClaw is Missing Webhook Authentication in Telnyx Provider Allows Unauthenticated Requests
OpenClaw's system.run allowlist approval parsing missed PowerShell encoded-command wrappers
OpenClaw's voice-call Twilio webhook replay could bypass manager dedupe because normalized event IDs were randomized per parse
OpenClaw has incomplete IPv4 special-use SSRF blocking in web fetch guard
OpenClaw has an exec allowlist bypass via command substitution/backticks inside double quotes
OpenClaw: Host exec environment overrides miss proxy, TLS, Docker, and Git TLS controls
OpenClaw: Gateway Backend Reconnect lets Non-Admin Operator Scopes Self-Claim operator.admin
OpenClaw's system.run shell-wrapper positional argv carriers could execute hidden commands under misleading approval text
OpenClaw: Hardlink alias checks could bypass workspace-only file boundaries in specific configurations
OpenClaw: Chrome --no-sandbox disabled OS-level browser sandbox in sandbox browser container
OpenClaw: Unicode canonicalization drift in node metadata policy classification could broaden node allowlists
OpenClaw: Gateway HTTP /sessions/:sessionKey/kill Reaches Admin Kill Path Without Caller Scope Binding
OpenClaw: Media download follows cross-origin redirects with Authorization headers intact
OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass
OpenClaw: Docker container escape via unvalidated bind mount config injection
OpenClaw: Tlon Startup Migration Rehydrates Empty-Array Revocations From File Config
OpenClaw's unauthenticated Nostr profile HTTP endpoints allow remote profile/config tampering
OpenClaw: Mattermost callback dispatch allowed non-allowlisted sender actions
OpenClaw: Gateway operator.write Can Reach Admin-Class Talk Voice Config Persistence via chat.send
OpenClaw: Command-authorized non-owners could reach owner-only `/config` and `/debug` surfaces
OpenClaw: Browser press/type interaction routes missed complete navigation guard coverage
OpenClaw: Browser SSRF policy default allowed private-network navigation
OpenClaw: Slack system events bypass sender authorization in member and message subtype handlers
Duplicate Advisory: OpenClaw: stageSandboxMedia destination symlink traversal can overwrite files outside sandbox workspace
Duplicate Advisory: OpenClaw: workspace path guard bypass on non-existent out-of-root symlink leaf
OpenClaw: denial of service through large base64 media files allocating large buffers before limit checks
Duplicate Advisory: OpenClaw: Gateway Canvas local-direct requests bypass Canvas HTTP and WebSocket authentication
OpenClaw B-M3: ClawHub package downloads are not enforced with integrity verification
OpenClaw's mutating internal ACP chat commands missed operator.admin scope enforcement
OpenClaw: Workspace `.env` can override the bundled plugin trust root
Duplicate Advisory: OpenClaw: Nextcloud Talk room allowlist matched colliding room names instead of stable room tokens
OpenClaw's Telegram message_reaction authorization bypass allows unauthorized system-event injection
OpenClaw Twilio voice-call webhook auth bypass when ngrok loopback compatibility is enabled
OpenClaw has Signal group allowlist authorization bypass via DM pairing-store leakage
Duplicate Advisory: OpenClaw: Unbound interpreter and runtime commands could bypass node-host approval integrity
OpenClaw has a Matrix allowlist bypass via displayName and cross-homeserver localpart matching
OpenClaw affected by potential code execution via unsafe hook module path handling in Gateway
OpenClaw's Trusted-proxy Control UI sessions retain privileged scopes without device identity on device-less allow paths
OpenClaw's typed sender-key matching for toolsBySender prevents identity-collision policy bypass
Duplicate Advisory: web_search citation redirect SSRF via private-network-allowing policy
OpenClaw browser navigation guard allowed non-network URL schemes, enabling authenticated browser-tool users to access file:// local files
OpenClaw: Config writes could persist resolved ${VAR} secrets to disk
OpenClaw has multiple E2E/test Dockerfiles that run all processes as root
OpenClaw has unbounded memory growth in Zalo webhook via query-string key churn (unauthenticated DoS)
Duplicate Advisory: OpenClaw's sandboxed sessions_spawn now enforces sandbox inheritance for cross-agent spawns
Duplicate Advisory: OpenClaw: /pair approve command path omitted caller scope subsetting and reopened device pairing escalation
OpenClaw: Slack interactive callbacks could skip configured sender checks in some shared-workspace flows
OpenClaw: Symlink Traversal via IDENTITY.md appendFile in agents.create/update (Incomplete Fix for CVE-2026-32013)
OpenClaw: Zalo replay dedupe cache could suppress events across authenticated webhook targets
OpenClaw: Silent privilege escalation via gateway shared-auth reconnect
OpenClaw has ACP CLI approval prompt ANSI escape sequence injection
OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events
OpenClaw: Matrix Verification Notices Bypass Matrix DM Policy and Reply to Unpaired DM Peers
OpenClaw's skills-install-download can be redirected outside the tools root by rebinding the validated base path
OpenClaw's inbound media downloads could exceed configured byte limits before rejection across multiple channels
OpenClaw: Incomplete scope-clearing fix allows operator.admin escalation via trusted-proxy auth mode
OpenClaw: Zalo webhook replay cache cross-target messageId scope bypass
OpenClaw's `tools.exec.safeBins` PATH-hijack allowed trojan binaries to bypass allowlist checks
Duplicate Advisory: OpenClaw has a Trusted-proxy Control UI pairing bypass which allows unpaired node sessions
OpenClaw: Voice-call Plivo V3 webhook replay key uses unsorted URL, allowing replay via query-parameter reordering
Duplicate Advisory: OpenClaw's Nextcloud Talk webhook missing rate limiting on shared secret authentication
OpenClaw: MSTeams thread history bypasses sender allowlist via Graph API
OpenClaw: Arbitrary code execution via unvalidated WebView JavascriptInterface
Duplicate Advisory: Synology Chat dmPolicy=allowlist failed open on empty allowedUserIds, allowing unauthorized agent dispatch
OpenClaw has Sandbox Media Root Bypass via Unnormalized `mediaUrl` / `fileUrl` Parameter Keys (CWE-22)
OpenClaw: system.run approval identity mismatch could execute a different binary than displayed
Duplicate Advisory: OpenClaw: Sandbox `writeFile` commit could race outside the validated path
OpenClaw: Shared-secret comparison call sites leaked length information through timing
OpenClaw: QQBot media tags could read arbitrary local files through reply text
OpenClaw: Self-Whitelisting in appendLocalMediaParentRoots Allows Arbitrary File Read & Credential Exfiltration
OpenClaw has hook auth rate limiter bypass via IPv4-mapped IPv6 client key variants
OpenClaw: Discord voice manager bypasses channel-level member access allowlist
OpenClaw session tool visibility hardening and Telegram webhook secret fallback
OpenClaw: Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State
OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token
OpenClaw has a Feishu allowFrom authorization bypass via display-name collision
Duplicate Advisory: OpenClaw: Slack system events bypass sender authorization in member and message subtype handlers
Duplicate Advisory: OpenClaw: Plivo V2 verified replay identity drifts on query-only variants
OpenClaw Gateway `operator.write` can reach admin-only session reset via `chat.send` `/reset`
OpenClaw: Sandbox staged writes could escape the verified parent directory before commit
OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode
OpenClaw: Memory dreaming config persistence was reachable from operator.write commands
OpenClaw: Sandboxed agents could escape exec routing via host=node override
Duplicate Advisory: OpenClaw's inbound media downloads could exceed configured byte limits before rejection across multiple channels
OpenClaw: Telegram audio preflight transcription enables resource consumption by unauthorized senders
OpenClaw: Agent hook events could enqueue trusted system events from unsanitized external input
OpenClaw: Forged Nostr DMs could create pairing state before signature verification
OpenClaw's runtime /debug override path accepted prototype-reserved keys
OpenClaw: `operator.write` chat.send could reach admin-only config writes
OpenClaw's Control UI Static File Handler Follows Symlinks and Allows Out-of-Root File Read
OpenClaw: Gateway `operator.write` can reach admin-only persisted `verboseLevel` via `chat.send` `/verbose`
OpenClaw: Read-scoped identity-bearing HTTP clients could kill sessions via /sessions/:sessionKey/kill
OpenClaw has an arbitrary transcript path file write via gateway sessionFile
OpenClaw hardened the skill download target directory validation
OpenClaw: Tlon settings empty-allowlist reconciliation bypassed intended revocation
OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback)
OpenClaw: Unrecognized script runners could bypass `system.run` approval integrity
OpenClaw: Feishu extension resolveUploadInput bypasses file-system sandbox and allows arbitrary file reads via upload_image
Duplicate Advisory: OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects
Duplicate Advisory: OpenClaw's voice-call Twilio webhook replay could bypass manager dedupe because normalized event IDs were randomized per parse
OpenClaw: Gateway operator.write Can Reach Admin-Class Channel Allowlist Persistence via chat.send
OpenClaw: ZIP extraction race could write outside destination via parent symlink rebind
OpenClaw: OpenShell mirror mode could delete arbitrary remote directories when roots were mis-scoped
OpenClaw: Workspace .env could inject OpenClaw runtime-control variables
Duplicate Advisory: OpenClaw Gateway: RCE and Privilege Escalation from operator.pairing to operator.admin via device.pair.approve
Duplicate Advisory: Command Injection via unescaped environment assignments in Windows Scheduled Task script generation
OpenClaw: Channel setup catalog lookups could include untrusted workspace plugin shadows
OpenClaw has Windows system.run approval mismatch on cmd.exe /c trailing arguments
OpenClaw: Node reconnect metadata spoofing could bypass platform-based node command policy
OpenClaw: Unauthenticated plugin-auth HTTP routes receive operator runtime scopes
OpenClaw: Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement
OpenClaw: Discord Component Interaction Misclassifies Group DM as Direct Message
OpenClaw Windows Scheduled Task script generation allowed local command injection via unsafe cmd argument handling
OpenClaw: `session_status` sessionId resolution bypasses sandboxed session-tree visibility
Duplicate Advisory: OpenClaw: Tlon cite expansion happens before channel and DM authorization is complete
OpenClaw: config.get redaction bypass through sourceConfig and runtimeConfig aliases
OpenClaw exec allowlist safeBins short-option bypass could permit arbitrary file write
OpenClaw `node.pair.approve` placed in `operator.write` scope instead of `operator.pairing` allows unprivileged pairing approval
OpenClaw's dispatch-wrapper depth-cap mismatch can bypass shell-wrapper approval gating in system.run allowlist mode
OpenClaw: Forwarding header spoofing bypasses gateway.trustedProxies origin detection
Duplicate Advisory: OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter
OpenClaw's Node role device-identity bypass allows unauthorized node.event injection
OpenClaw's avatar symlink traversal can expose out-of-workspace local files
OpenClaw's gateway connect could skip device identity checks when auth.token was present but not yet validated
OpenClaw: system.run wrapper-depth boundary could skip shell approval gating
OpenClaw: fetch-guard forwards custom authorization headers across cross-origin redirects
OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting
Duplicate Advisory: OpenClaw's skills-install-download can be redirected outside the tools root by rebinding the validated base path
OpenClaw Bypasses DM Policy Separation via Synology Chat Webhook Path Collision
OpenClaw's hooks count non-POST requests toward auth lockout
OpenClaw reuses the gateway auth token in the owner ID prompt hashing fallback
OpenClaw: Gateway chat.send ACP-only provenance guard could be bypassed by client identity spoofing
OpenClaw: HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist — RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class)
OpenClaw: Synology Chat reply delivery could be rebound through username-based user resolution.
OpenClaw's Signal reaction-only status events could, in limited cases, be enqueued before access checks
OpenClaw has two SSRF via sendMediaFeishu and markdown image fetching in Feishu extension
OpenClaw's MSTeams attachment redirect handling could bypass configured media host allowlists
OpenClaw's non-default autoAllowSkills setting could bypass on-miss exec prompt
OpenClaw: PIP_INDEX_URL and UV_INDEX_URL bypass host exec env sanitization and redirect Python package-index traffic
OpenClaw: BlueBubbles Webhook Missing Rate Limiting Enables Brute-Force Password Guessing
OpenClaw: Shell init-file options could satisfy exec allowlist script matching
OpenClaw ACP client has permission auto-approval bypass via untrusted tool metadata
OpenClaw macOS deep link confirmation truncation can conceal executed agent message
OpenClaw's sandbox skill mirroring path traversal vulnerability could write outside the sandbox workspace
OpenClaw: Image pixel-limit guard can fail open on sips and allow decompression-bomb DoS
OpenClaw MS Teams inbound attachment downloader leaks bearer tokens to allowlisted suffix domains
OpenClaw: Gateway hello snapshots exposed host config and state paths to non-admin clients
Duplicate Advisory: OpenClaw's system.run allowlist bypass via shell line-continuation command substitution
OpenClaw: Sandbox media TOCTOU could read files outside sandbox root
OpenClaw affected by iMessage remote attachment SCP hardening (strict host-key checks and remoteHost validation)
OpenClaw improperly parses X-Forwarded-For behind trusted proxies allows client IP spoofing in security decisions
OpenClaw's sandbox config hash sorted primitive arrays and suppressed needed container recreation
OpenClaw: Gateway /tools/invoke tool escalation + ACP permission auto-approval
Temporary path handling could write outside OpenClaw temp boundary
Duplicate Advisory: OpenClaw's Nextcloud Talk webhook replay could trigger duplicate inbound processing
Duplicate Advisory: OpenClaw's Signal reaction-only status events could, in limited cases, be enqueued before access checks
OpenClaw: Feishu thread history and quoted messages bypass sender allowlist
OpenClaw: Discord DM reaction ingress missed dmPolicy/allowFrom checks in restricted setups
Duplicate Advisory: OpenClaw affected by SSRF via unguarded image download in fal provider
Duplicate Advisory: OpenClaw is vulnerable to unauthenticated resource exhaustion through its voice call webhook handling
OpenClaw has SSRF guard bypass via IPv6 transition over ISATAP
Duplicate Advisory: OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation
OpenClaw has a CWD `.env` environment variable injection which bypasses host-env policy and allows config takeover
OpenClaw: Telnyx Webhook Replay Detection Bypass via Base64 Signature Re-encoding
OpenClaw: Non-owner command-authorized sender can change the owner-only `/send` session delivery policy
OpenClaw has an opt-in insecure Control UI auth over plaintext HTTP could allow privileged access
OpenClaw: Prevent shell injection in macOS keychain credential write
OpenClaw: CLI Remote Onboarding Persists Unauthenticated Discovery Endpoint and Exfiltrates Gateway Credentials
OpenClaw: Browser snapshot and screenshot routes could expose internal page content after navigation
OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints
OpenClaw has ReDoS and regex injection via unescaped Feishu mention metadata in RegExp construction
OpenClaw skills.status could leak secrets to operator.read clients
Duplicate Advisory: OpenClaw's system.run approval TOCTOU via mutable symlink cwd target on node host
OpenClaw: OpenShell `mirror` mode can convert untrusted sandbox files into explicitly enabled workspace hooks and execute them on the host during gateway startup
OpenClaw's Nextcloud Talk webhook missing rate limiting on shared secret authentication
OpenClaw safeBins stdin-only bypass via sort output and recursive grep flags
OpenClaw: Windows-compatible env override keys could bypass system.run approval binding
OpenClaw: Discord text `/approve` bypasses `channels.discord.execApprovals.approvers` and allows non-approvers to resolve pending exec approvals
OpenClaw: Empty approver lists could grant explicit approval authorization
OpenClaw: CDP /json/version WebSocket URL could pivot to untrusted second-hop targets
OpenClaw: QMD memory_get restricts reads to canonical or indexed memory paths
OpenClaw: Tlon media downloads can bypass core safety limits and exhaust disk
OpenClaw: Leaf subagents could steer sibling sessions across sandbox boundaries
OpenClaw's system.run approvals did not bind mutable script operands across approval and execution
OpenClaw: `session_status` still bypasses configured `tools.sessions.visibility` for unsandboxed invocations
OpenClaw: Existing-session browser interaction routes bypassed SSRF policy enforcement
OpenClaw: Heartbeat owner downgrade missed local async exec completion events
OpenClaw has agent avatar symlink traversal in gateway session metadata
OpenClaw: Workspace plugin auto-discovery allowed code execution from cloned repositories
Duplicate Advisory: OpenClaw session transcript files were created without forced user-only permissions
Duplicate Advisory: OpenClaw Bypasses DM Policy Separation via Synology Chat Webhook Path Collision
OpenClaw: TOCTOU read in exec script preflight
Duplicate Advisory: OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token
OpenClaw macOS companion app (beta): allowlist parsing mismatch for system.run shell chains
OpenClaw: Feishu docx upload_file/upload_image Bypasses Workspace-Only Filesystem Policy (GHSA-qf48-qfv4-jjm9 Incomplete Fix)
OpenClaw: stageSandboxMedia destination symlink traversal can overwrite files outside sandbox workspace
OpenClaw: Endpoint persists after trust decline, leaking gateway credentials
OpenClaw has an unauthorized sender bypass in its stop triggers and /models command authorization
OpenClaw's tools.exec.safeBins generic fallback allowed interpreter-style inline payload execution in allowlist mode
OpenClaw gateway agents.files symlink escape allowed out-of-workspace file read/write
OpenClaw has a Discord `allowFrom` slug-collision authorization bypass
Duplicate Advisory: OpenClaw: Google Chat app-url webhook auth accepted non-deployment add-on principals
OpenClaw: Gateway plugin HTTP `auth: gateway` widens identity-bearing `operator.read` requests into runtime `operator.write`
OpenClaw: Security Scan Failure Does Not Block Plugin Installation (Fail-Open)
Duplicate Advisory: OpenClaw: Zalo webhook rate limiting could be bypassed before secret validation
Duplicate Advisory: OpenClaw: Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName
Duplicate Advisory: OpenClaw: Workspace plugin auto-discovery allowed code execution from cloned repositories
OpenClaw: Shell-wrapper detection missed env-argv assignment injection forms
OpenClaw safeBins jq `$ENV` filter bypass allows environment variable disclosure
OpenClaw: screen_record outPath bypassed workspace-only filesystem guard
OpenClaw: Sandbox escape via TOCTOU race in remote FS bridge readFile
OpenClaw's shell env fallback trusts unvalidated SHELL path from host environment
OpenClaw: Sender policy bypass in host media attachment reads allows unauthorized local file disclosure
OpenClaw: system.run allow-always persistence included shell-commented payload tails
OpenClaw Vulnerable to Local File Exfiltration via MCP Tool Result MEDIA: Directive Injection
OpenClaw: Google Chat and Zalouser group sender allowlist bypass via policy downgrade
OpenClaw: SSRF via Unguarded `fetch()` in Marketplace Plugin Download and Ollama Model Discovery
OpenClaw's Conflicting Tool Identity Hints Bypass Dangerous-Tool Prompting
OpenClaw: Command hijacking via unsafe PATH handling (bootstrapping + node-host PATH overrides)
OpenClaw: SSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host
OpenClaw: Collect-mode queue batches could reuse the last sender authorization context
OpenClaw log poisoning (indirect prompt injection) via WebSocket headers
Duplicate Advisory: OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin`
OpenClaw: MS Teams fileConsent/invoke missing conversation binding allowed cross-conversation pending-upload consumption
OpenClaw has macOS `system.run` allowlist bypass via quoted command substitution
OpenClaw has a local file disclosure via sendMediaFeishu in Feishu extension
OpenClaw's serialize sandbox registry writes to prevent races and delete-rollback corruption
OpenClaw: Webchat media embedding enforces local-root containment for tool-result files
OpenClaw accepts unsanitized iMessage attachment paths which allowed SCP remote-path command injection
OpenClaw vulnerable to Unauthenticated Local RCE via WebSocket config.apply
OpenClaw SSRF guard misses four IPv6 special-use ranges
Duplicate Advisory: OpenClaw Telegram webhook request bodies were read before secret validation, enabling unauthenticated resource exhaustion
OpenClaw: MS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion
OpenClaw's sandboxed sessions_spawn now enforces sandbox inheritance for cross-agent spawns
OpenClaw's Zalouser allowlist authorization matched mutable group names by default
OpenClaw: ACP prompt-size checks missing in local stdio bridge could reduce responsiveness with very large inputs
OpenClaw: Telegram legacy allowFrom migration fans default-account trust into all named accounts
Duplicate Advisory: OpenClaw: Symlink Traversal via IDENTITY.md appendFile in agents.create/update (Incomplete Fix for CVE-2026-32013)
OpenClaw plugin runtime command execution is part of trusted plugin boundary
OpenClaw: Image Tool `tools.fs.workspaceOnly` Bypass via Sandbox Bridge Mounts
OpenClaw: Plivo V2 verified replay identity drifts on query-only variants
OpenClaw: Host exec environment sanitization misses package, registry, Docker, compiler, and TLS override variables
Duplicate Advisory: OpenClaw Node system.run approval context-binding weakness in approval-enabled host=node flows
OpenClaw has Canvas route hardening for mixed-trust deployments
OpenClaw: GIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant)
OpenClaw: Nostr profile mutation routes allowed operator.write config persistence
OpenClaw: Unbound bootstrap setup codes allow privilege escalation during pairing
OpenClaw: OpenShell Mirror Sync — Sandbox Escape via Unrestricted File Sync + Symlink Traversal
OpenClaw's tools.exec.safeBins trusted PATH directories allowed binary shadowing in allowlist mode
OpenClaw: Google Chat app-url webhook auth accepted non-deployment add-on principals
OpenClaw: Message action attachment hydration bypasses local media root checks when sandboxRoot is unset
OpenClaw: Browser interaction routes could pivot into local CDP and regain file reads
OpenClaw has a potential access-group authorization bypass if channel type lookup fails
OpenClaw: Shared reply MEDIA - paths are treated as trusted and can trigger cross-channel local file exfiltration
OpenClaw: Unavailable local auth SecretRefs could fall through to remote credentials in local mode
Duplicate Advisory: OpenClaw: Telegram Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Secret
OpenClaw's elevated allowFrom accepted broader identity signals than specified within sender-scoped authorization
OpenClaw: Delivery queue recovery could lose group tool-policy context for media replay
Duplicate Advisory: OpenClaw: BlueBubbles Webhook Missing Rate Limiting Enables Brute-Force Password Guessing
OpenClaw: Browser tabs action select and close routes bypassed SSRF policy
OpenClaw: Media Parsing Path Traversal Leads to Arbitrary File Read
Duplicate Advisory: OpenClaw has an improper sandbox configuration vulnerability
OpenClaw: Zalo channel downloads media before sender authorization
OpenClaw: Node system.run approval bypass via parent-symlink cwd rebind
OpenClaw: Pairing setup codes exposed long-lived shared gateway credentials instead of short-lived bootstrap tokens
OpenClaw Canvas Authentication Bypass Vulnerability
Duplicate Advisory: OpenClaw has browser trace/download path symlink escape in temp output handling
OpenClaw: Voice-call realtime WebSocket accepted oversized frames
Duplicate Advisory: OpenClaw: Node-host approvals could show misleading shell payloads instead of the executed argv
OpenClaw: Heartbeat context inheritance bypasses sandbox via senderIsOwner escalation
OpenClaw's hook transform module path allows traversal and arbitrary JavaScript module loading
Duplicate Advisory: OpenClaw has Bypass in Webhook Rate Limiting via Pre-Authentication Secret Validation
OpenClaw: Skill env override host env injection via applySkillConfigEnvOverrides (defense-in-depth)
Duplicate Advisory: OpenClaw's Slack reaction/pin sender-policy consistency issue in non-message ingress
OpenClaw Node host system.run rawCommand/command mismatch can bypass allowlist/approvals
OpenClaw leaf subagents can bypass controlScope restrictions to send messages to child sessions
Duplicate Advisory: OpenClaw: Windows media loaders accepted remote-host file URLs before local path validation
OpenClaw: /api/channels gateway-auth boundary bypass via path canonicalization mismatch
OpenClaw's web tools strict URL guard could lose DNS pinning when env proxy is configured
OpenClaw: Remote media error responses could trigger unbounded memory allocation before failure
OpenClaw: Incomplete host-env-security-policy allows untrusted model to substitute compiler binaries via env overrides
OpenClaw: Sandbox noVNC helper route exposed interactive browser session credentials
OpenClaw: Lower-trust background runtime output is injected into trusted `System:` events, and local async exec completion misses the intended `exec-event` downgrade
OpenClaw authorization bypass: operator.write can resolve exec approvals via chat.send -> /approve
Duplicate Advisory: safeBins stdin-only bypass via sort output and recursive grep flags
OpenClaw: Paired node escalates to gateway RCE via unrestricted node.event agent dispatch
OpenClaw's Synology Chat dmPolicy=allowlist failed open on empty allowedUserIds, allowing unauthorized agent dispatch
OpenClaw: LINE group allowlist scope mismatch with DM pairing-store entries
OpenClaw has gateway plugin auth bypass via encoded dot-segment traversal in protected /api/channels paths
OpenClaw: Native prompt image auto-load did not honor tools.fs.workspaceOnly in sandboxed runs
OpenClaw's Node system.run approval hardening wrapper semantic drift can execute unintended local scripts
OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter
OpenClaw has a path traversal in browser trace/download output paths may allow arbitrary file writes
OpenClaw: Sandboxed /acp spawn requests could initialize host ACP sessions
OpenClaw: Discord event cover images bypassed sandbox media normalization
OpenClaw affected by denial of service via unbounded URL-backed media fetch
OpenClaw has a path traversal in browser upload allows local file read
Duplicate Advisory: OpenClaw's allow-always wrapper persistence could bypass future approvals and enable command execution
OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin`
OpenClaw: Unauthorized Telegram Senders Trigger Media Download and Disk Write Before Access Check
OpenClaw has Windows Lobster shell fallback command injection in constrained fallback path
OpenClaw DM pairing-store identities could satisfy group allowlist authorization
OpenClaw: /pair approve command path omitted caller scope subsetting and reopened device pairing escalation
OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities
OpenClaw has web_search citation redirect SSRF via private-network-allowing policy
OpenClaw: Microsoft Teams SSO invoke handler missed sender authorization checks
OpenClaw's gateway tokenless Tailscale auth applied to HTTP routes
OpenClaw is vulnerable to Path Traversal through path validation bypass
OpenClaw runs Discord audio preflight transcription before member authorization
OpenClaw Node system.run approval context-binding weakness in approval-enabled host=node flows
OpenClaw has a command injection in maintainer clawtributors updater
OpenClaw's exec allow-always can be bypassed via unrecognized multiplexer shell wrappers (busybox/toybox sh -c)
OpenClaw: Windows media loaders accepted remote-host file URLs before local path validation
OpenClaw: Node browser proxy `allowProfiles` bypass through persistent profile mutation and runtime profile selection
OpenClaw: macOS optional allowlist basename matching could bypass path-based policy
OpenClaw's `system.run` env override filtering allowed dangerous helper-command pivots
OpenClaw: SSH-based sandbox backends pass unsanitized process.env to child processes
OpenClaw: Authenticated `/hooks/wake` and mapped `wake` payloads are promoted into the trusted `System:` prompt channel
OpenClaw: Write-scoped callers could reach admin-only session reset logic through `agent`
OpenClaw: BlueBubbles Group Reactions Bypass requireMention and Still Enqueue Agent-Visible System Events
OpenClaw: Process Safety - Unvalidated PID Kill via SIGKILL in Process Cleanup
OpenClaw Telegram allowlist authorization accepted mutable usernames
OpenClaw: Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName
Duplicate Advisory: OpenClaw: system.run approval identity mismatch could execute a different binary than displayed
OpenClaw: Cross-account sender authorization expansion in `/allowlist ... --store` account scoping
Duplicate Advisory: OpenClaw ACP client has permission auto-approval bypass via untrusted tool metadata
OpenClaw has non-constant-time token comparison in hooks authentication
OpenClaw's browser-origin WebSocket auth hardening gap could enable loopback password brute-force chains
OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning
OpenClaw: Bonjour/DNS-SD TXT metadata steers CLI routing after failed service resolution
OpenClaw: Node-host approvals could show misleading shell payloads instead of the executed argv
OpenClaw has a path traversal in apply_patch could write/delete files outside the workspace
OpenClaw vulnerable to sensitive file disclosure via stageSandboxMedia
OpenClaw Slack: dmPolicy=open allowed any DM sender to run privileged slash commands
OpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reachable)
Duplicate Advisory: OpenClaw's gateway tokenless Tailscale auth applied to HTTP routes
OpenClaw: Agentic Consent Bypass — LLM Agent Can Silently Disable Exec Approval via `config.patch`
OpenClaw: Telegram Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Secret
OpenClaw's image tool bypasses tools.fs.workspaceOnly on sandbox mount paths and exfiltrates out-of-workspace images
OpenClaw: Zip extraction symlink traversal could write outside destination
OpenClaw Improperly Neutralizes Line Breaks in systemd Unit Generation Enables Local Command Execution (Linux)
OpenClaw's message tool media parameter bypasses tool policy filesystem isolation
OpenClaw: macOS Tailnet DNS Spoofing & Credential Exfiltration
OpenClaw's system.run allowlist can be bypassed through an unregistered time dispatch wrapper
OpenClaw Has Incomplete Fix for CVE-2026-4039: CLI Backend Environment Variable Injection via Workspace Config
Duplicate Advisory: OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback)
OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects
OpenClaw has a Trusted-proxy Control UI pairing bypass which allows unpaired node sessions
OpenClaw shell-env fallback trusted startup env and could execute attacker-influenced login-shell paths
OpenClaw's Slack reaction/pin sender-policy consistency issue in non-message ingress
OpenClaw: Sandbox file operations use check-then-act, bypassing fd-based TOCTOU defenses
OpenClaw's ACPX Windows wrapper shell fallback allowed cwd injection in specific paths
OpenClaw: Node exec approvals could be replayed across nodes
OpenClaw: Tlon cite expansion happens before channel and DM authorization is complete
OpenClaw is vulnerable to validation bypass through GNU long-option abbreviations in allowlist mode
OpenClaw: Exec environment denylist missed high-risk interpreter startup variables
OpenClaw voice-call media stream validated streams after upgrade, which could allow pre-start unauthenticated sockets to increase resource pressure
OpenClaw: Android accepted cleartext remote gateway endpoints and sent stored credentials over ws://
OpenClaw has Browser SSRF Policy Bypass via Interaction-Triggered Navigation
OpenClaw `device.token.rotate` mints tokens for unapproved roles, bypassing device role-upgrade pairing
OpenClaw: Discord guild reaction ingress could bypass users and roles allowlists
OpenClaw: Discord voice transcript owner-flag omission could expose owner-only tools in mixed-trust channels
OpenClaw: `session_status` let sandboxed subagents access parent or sibling session state
OpenClaw affected by BASH_ENV / ENV startup-file injection into spawned shell commands
OpenClaw's system.run approval TOCTOU via mutable symlink cwd target on node host
OpenClaw has auth inconsistency on local Browser Extension Relay /extension endpoint
OpenClaw: Sandbox media fallback tmp symlink alias bypass allows host file reads outside sandboxRoot
Duplicate Advisory: OpenClaw: Plugin subagent routes could bypass gateway authorization with synthetic admin scopes
Duplicate Advisory: ACPX Windows wrapper shell fallback allowed cwd injection in specific paths
OpenClaw affected by SSRF in Image Tool Remote Fetch
OpenClaw: Existing WS sessions survive shared gateway token rotation
OpenClaw: Feishu webhook and card-action validation now fail closed
OpenClaw: Nextcloud Talk room allowlist matched colliding room names instead of stable room tokens
OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting
OpenClaw Loopback CDP probe can leak Gateway token to local listener
Duplicate Advisory: OpenClaw: Feishu webhook mode accepted forged events when only `verificationToken` was configured
OpenClaw: Marketplace Plugin Download Follows Redirects Without SSRF Protection
OpenClaw: resolvedAuth closure becomes stale after config reload
OpenClaw: Mutating internal `/allowlist` chat commands missed `operator.admin` scope enforcement
OpenClaw: Feishu Raw Card Send Surface Can Mint Legacy Card Callbacks That Bypass DM Pairing
Duplicate Advisory: OpenClaw's system.run shell-wrapper positional argv carriers could execute hidden commands under misleading approval text
OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation
OpenClaw: Browser SSRF hostname validation could be bypassed by DNS rebinding
OpenClaw Vulnerable to HTML injection via unvalidated image MIME type in data-URL interpolation
OpenClaw `node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard
Duplicate Advisory: OpenClaw's system.run approvals did not bind mutable script operands across approval and execution
OpenClaw: Sandbox browser CDP relay could expose DevTools protocol on 0.0.0.0
OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection
Duplicate Advisory: Exec allowlist wrapper analysis did not unwrap env/shell dispatch chains
OpenClaw has a webhook auth bypass when gateway is behind a reverse proxy (loopback remoteAddress trust)
OpenClaw Telegram media fetch errors exposed bot tokens in logged file URLs
OpenClaw: Exec approval allowlist patterns overmatched on POSIX paths
OpenClaw: Workspace `.env` can override the bundled hooks root and load attacker hook code
OpenClaw: Gateway agent /reset exposes admin session reset to operator.write callers
OpenClaw: Trailing-dot localhost CDP hosts could bypass remote loopback protections
OpenClaw: safeBins static default trusted dirs allow writable-dir binary hijack (`jq`)
OpenClaw: Feishu webhook mode accepted forged events when only `verificationToken` was configured
OpenClaw: Gateway HTTP Session History Route Bypasses Operator Read Scope
OpenClaw Affected by Remote Code Execution via System Prompt Injection in Slack Channel Descriptions
OpenClaw: Zalo webhook rate limiting could be bypassed before secret validation
Duplicate Advisory: OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes
OpenClaw hook transform path containment missed symlink-resolved escapes
Duplicate Advisory: OpenClaw: SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476)
OpenClaw: Channel commands could bypass account-scoped `configWrites` restrictions
Duplicate Advisory: OpenClaw's device removal and token revocation do not terminate active WebSocket sessions
OpenClaw Google Chat spoofing access with allowlist authorized mutable email principal despite sender-ID mismatch
Duplicate Advisory: OpenClaw has Windows Lobster shell fallback command injection in constrained fallback path
OpenClaw's system.run allowlist bypass via shell line-continuation command substitution
OpenClaw Vulnerable to Remote Code Execution via Node Invoke Approval Bypass in Gateway
OpenClaw's authorization mismatch allowed write-scope agent runs to reach owner-only tools
OpenClaw Has a Gateway Control Interface Information Disclosure Vulnerability
OpenClaw's Discord component interaction ingress skips guild/channel policy enforcement
OpenClaw: Gateway WebSocket Denial of Service via unbounded pre-auth upgrades
OpenClaw's voice-call Twilio replay dedupe now bound to authenticated webhook identity
OpenClaw has an Arbitrary Malicious Code Execution Vulnerability
OpenClaw: Experimental apply_patch may bypass workspace-only checks in opt-in sandbox mounts (off by default)
Duplicate Advisory: OpenClaw: `session_status` let sandboxed subagents access parent or sibling session state
Duplicate Advisory: OpenClaw: Remote media error responses could trigger unbounded memory allocation before failure
OpenClaw's incomplete host env sanitization blocklist allows supply-chain redirection via package-manager env overrides
OpenClaw's exec allowlist wrapper analysis did not unwrap env/shell dispatch chains
OpenClaw Telegram webhook request bodies were read before secret validation, enabling unauthenticated resource exhaustion
OpenClaw Canvas Path Traversal Information Disclosure Vulnerability
OpenClaw: system.run approvals did not bind PATH-token executable identity, enabling post-approval executable rebind
OpenClaw: BlueBubbles (optional plugin) pairing/allowlist mismatch when allowFrom is empty
Duplicate Advisory: OpenClaw: system.run approvals did not bind PATH-token executable identity, enabling post-approval executable rebind
OpenClaw: LINE webhook handler lacks shared pre-auth concurrency budget before signature verification
OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access
OpenClaw vulnerable to path traversal in Feishu media temp-file naming allows writes outside os.tmpdir()
OpenClaw: Browser control startup could continue unauthenticated after auth bootstrap failure
OpenClaw has a BlueBubbles group allowlist mismatch via DM pairing-store fallback
OpenClaw has a sandbox network isolation bypass via docker.network=container:<id>
OpenClaw has browser trace/download path symlink escape in temp output handling
OpenClaw: Plugin subagent routes could bypass gateway authorization with synthetic admin scopes
Duplicate Advisory: OpenClaw reuses the gateway auth token in the owner ID prompt hashing fallback
In OpenClaw, manually adding sort to tools.exec.safeBins could bypass allowlist approval via --compress-program
OpenClaw: SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476)
Duplicate Advisory: OpenClaw macOS companion app (beta): allowlist parsing mismatch for system.run shell chains
OpenClaw unpaired device identity can bypass operator pairing and self-assign operator scopes with shared auth
Duplicate Advisory: OpenClaw Windows Scheduled Task script generation allowed local command injection via unsafe cmd argument handling
OpenClaw affected by SSRF in optional Tlon (Urbit) extension authentication
OpenClaw inter-session prompts could be treated as direct user instructions
OpenClaw: Strict browser SSRF bypass in Playwright redirect handling leaves private targets reachable
OpenClaw: strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts
OpenClaw has cross-account DM pairing authorization bypass via unscoped pairing store access
OpenClaw: Discord voice ingress authorization can be bypassed via channel, name, and stale-role validation gaps
OpenClaw's Windows cmd.exe parsing may bypass exec allowlist/approval gating
OpenClaw: Gateway Plugin HTTP Auth Grants Unrestricted operator.admin Runtime Scope to All Callers
Duplicate Advisory: OpenClaw's sandbox browser noVNC observer lacked VNC authentication
OpenClaw's MS Teams sender allowlist bypass when route allowlist is configured and sender allowlist is empty
OpenClaw: pnpm dlx approvals did not bind local script operands
OpenClaw's Nextcloud Talk webhook replay could trigger duplicate inbound processing
OpenClaw: MS Teams Feedback Invocation Bypasses Sender Allowlists and Records Unauthorized Session Feedback
Duplicate Advisory: OpenClaw's shell startup env injection bypasses system.run allowlist intent (RCE class)
OpenClaw is vulnerable to unauthenticated resource exhaustion through its voice call webhook handling
OpenClaw: Feishu reaction events could bypass group authorization and mention gating
OpenClaw's sandbox bind validation could bypass allowed-root and blocked-path checks via symlink-parent missing-leaf paths
OpenClaw: shell-env trusted-prefix fallback allowed attacker-controlled binary execution via $SHELL
OpenClaw gateway exec allow-always over-trusts positional carrier executables
OpenClaw has incomplete Fix for CVE-2026-32011: Feishu Webhook Pre-Auth Body Parsing DoS (Slow-Body / Slowloris Variant)
OpenClaw Host-Exec Environment Variable Injection
Duplicate Advisory: OpenClaw: Skill env override host env injection via applySkillConfigEnvOverrides (defense-in-depth)
OpenClaw has pre-auth webhook body parsing that can enable unauthenticated slow-request DoS
OpenClaw: Unbound interpreter and runtime commands could bypass node-host approval integrity
OpenClaw has stored XSS in exported session HTML viewer via markdown/raw-HTML rendering
OpenClaw's shell startup env injection bypasses system.run allowlist intent (RCE class)
OpenClaw's dashboard leaked gateway auth material via browser URL/query and localStorage
OpenClaw: Discord Slash Commands Bypass Group DM Channel Allowlist
Duplicate Advisory: OpenClaw: Unrecognized script runners could bypass `system.run` approval integrity
OpenClaw: `browser.request` still allows `POST /reset-profile` through the `operator.write` surface
OpenClaw has encoded-path auth bypass in plugin `/api/channels` route classification
OpenClaw: /allowlist omits owner-only enforcement for cross-channel allowlist writes
OpenClaw: `browser.request` let `operator.write` persist admin-only browser profile changes
OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows
OpenClaw: Pairing pending-request caps were enforced per channel instead of per account
Duplicate Advisory: OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes
Duplicate Advisory: OpenClaw safeBins file-existence oracle information disclosure
OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation
OpenClaw: Sandbox `writeFile` commit could race outside the validated path
OpenClaw safeBins grep -e File Read Bypass (stdin-only policy bypass)
OpenClaw: Gateway Canvas local-direct requests bypass Canvas HTTP and WebSocket authentication
OpenClaw exec approvals: safeBins could bypass stdin-only constraints via shell expansion
OpenClaw Exposes Credentials Embedded in baseUrl Fields via config.get and channels.status
OpenClaw's owner-only gateway tool access checks were incomplete in specific authenticated DM flows
Duplicate Advisory: OpenClaw: Nostr inbound DMs could trigger unauthenticated crypto work before sender policy enforcement
OpenClaw's device removal and token revocation do not terminate active WebSocket sessions
OpenClaw: node.pair.approve missing callerScopes validation allows low-privilege operator to approve malicious nodes
OpenClaw Twitch allowFrom is not enforced in optional plugin, unauthorized chat users can trigger agent pipeline
Duplicate Advisory: OpenClaw's message tool media parameter bypasses tool policy filesystem isolation
OpenClaw: Unified root-bound write hardening for browser output and related path-boundary flows
OpenClaw: diffs viewer misclassifies proxied remote requests as loopback when `allowRemoteViewer` is disabled
OpenClaw: Sandboxed sessions_spawn(runtime="acp") bypassed sandbox inheritance and allowed host ACP initialization
OpenClaw has a Gateway HTTP /v1/models Route Bypasses Operator Read Scope
OpenClaw: macOS beta onboarding exposed PKCE verifier via OAuth state
OpenClaw skills-install-download: tar.bz2 extraction bypassed archive safety parity checks (local DoS)
OpenClaw has exec allowlist/safeBins policy-runtime mismatch via env -S wrapper interpretation
OpenClaw Chutes manual OAuth state validation bypass can cause credential substitution
OpenClaw: QQ Bot structured payloads could read arbitrary local files
OpenClaw: `/phone arm`/`/phone disarm` Bypasses `operator.admin` Scope Check for External Channels
OpenClaw: Sandbox dangling-symlink alias handling could bypass workspace-only write boundary
OpenClaw affected by SSRF via unguarded image download in fal provider
OpenClaw: Gateway `device.token.rotate` does not terminate active WebSocket sessions after credential rotation
OpenClaw: Matrix thread root and reply context bypass sender allowlist
OpenClaw: iOS A2UI bridge trusted generic local-network pages for agent.request dispatch
OpenClaw's non-default safeBins sort configuration can bypass intended allowlist approval constraints
OpenClaw may have stale policy enforcement for queued node actions
Duplicate Advisory: allowlist exec-guard bypass via env -S
OpenClaw's TOCTOU symlink race in writeFileWithinRoot could create or truncate files outside root boundaries
OpenClaw: Nostr inbound DMs could trigger unauthenticated crypto work before sender policy enforcement
OpenClaw: Device-Paired Node Skips Node Scope Gate → Host RCE
OpenClaw session transcript files were created without forced user-only permissions
Duplicate Advisory: OpenClaw's MS Teams sender allowlist bypass when route allowlist is configured and sender allowlist is empty
openclaw-claude-bridge: sandbox is not effective - `--allowed-tools ""` does not restrict available tools
OpenClaw optional voice-call plugin: webhook verification may be bypassed behind certain proxy configurations
OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl
Malicious code in openclaw-droid (npm)
OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable
OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand
Malicious code in @openclaw-ai/openclawai (npm)
Duplicate Advisory: OpenClaw: Unavailable local auth SecretRefs could fall through to remote credentials in local mode