openclaw@2026.2.19 vulnerabilities

Multi-channel AI gateway with extensible messaging integrations

  • latest version

    2026.3.13

  • latest non-vulnerable version

  • first published

    1 month ago

  • latest version published

    1 day ago

  • licenses detected

    • >=2026.1.29-beta.1
  • Direct Vulnerabilities

    Known vulnerabilities in the openclaw package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • M
    Permissive Regular Expression

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Permissive Regular Expression via the matchesExecAllowlistPattern function. An attacker can bypass intended command or executable path restrictions by crafting paths that exploit overly broad pattern matching, including the use of wildcards that cross POSIX path segments.

    How to fix Permissive Regular Expression?

    Upgrade openclaw to version 2026.3.12 or higher.

    <2026.3.12
    • M
    Insertion of Sensitive Information into Log File

    Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the pairing setup. An attacker can gain unauthorized access to long-lived shared gateway credentials by obtaining a leaked setup code from chat history, logs, screenshots, or copied QR payloads.

    How to fix Insertion of Sensitive Information into Log File?

    Upgrade openclaw to version 2026.3.12 or higher.

    <2026.3.12
    • H
    Unsafe Dependency Resolution

    Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the automatic plugin discovery in .openclaw/extensions/. An attacker can execute arbitrary code by including a malicious plugin in a cloned repository, which is loaded automatically when the application is run from that directory.

    How to fix Unsafe Dependency Resolution?

    Upgrade openclaw to version 2026.3.12 or higher.

    <2026.3.12
    • M
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization in the session_status. An attacker can access or modify session data belonging to other sandboxes by supplying another session's sessionKey. This may allow unauthorized reading or modification of session state outside the intended sandbox boundary.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.3.12 or higher.

    <2026.3.12
    • H
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization via insufficient access control in the command handler. An attacker can gain unauthorized access to privileged configuration and debugging interfaces by sending commands as a non-owner user.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.3.12 or higher.

    <2026.3.12
    • H
    Directory Traversal

    Affected versions of this package are vulnerable to Directory Traversal via the agent RPC. An attacker can execute arbitrary commands and access files outside the intended workspace boundary by supplying crafted spawnedBy and workspaceDir values to the gateway RPC.

    How to fix Directory Traversal?

    Upgrade openclaw to version 2026.3.11 or higher.

    <2026.3.11
    • H
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization via the browser.request. An attacker can modify or create browser profiles and persist unauthorized configuration changes by sending crafted requests to profile management routes, even without elevated administrative privileges.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.3.12 or higher.

    <2026.3.12
    • H
    Improper Verification of Cryptographic Signature

    Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the webhook event validation. An attacker can inject forged events and impersonate legitimate senders by submitting crafted requests to the webhook endpoint. This may result in unauthorized actions being triggered in downstream systems.

    How to fix Improper Verification of Cryptographic Signature?

    Upgrade openclaw to version 2026.3.12 or higher.

    <2026.3.12
    • M
    Missing Authorization

    Affected versions of this package are vulnerable to Missing Authorization via the WebSocket connection. An attacker can gain unauthorized access to elevated gateway operations by presenting client-declared scopes that are not properly bound to a device identity or trusted path.

    How to fix Missing Authorization?

    Upgrade openclaw to version 2026.3.12 or higher.

    <2026.3.12
    • M
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization in the Discord reaction ingestion for guild channels. An attacker can gain unauthorized access to restricted session events by sending reaction events from a non-allowlisted guild member.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.3.11 or higher.

    <2026.3.11
    • M
    Time-of-check Time-of-use (TOCTOU) Race Condition

    Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition through the writeFile commit path. An attacker can cause files to be written outside the intended sandbox path by exploiting a race condition between path validation and the final file move operation.

    How to fix Time-of-check Time-of-use (TOCTOU) Race Condition?

    Upgrade openclaw to version 2026.3.11 or higher.

    <2026.3.11
    • H
    Authorization Bypass Through User-Controlled Key

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key through improper authorization in the subagents control. An attacker can gain unauthorized access to sibling session controls by issuing control requests that are resolved against the parent requester scope, allowing them to steer or terminate sibling runs and potentially escalate privileges or disrupt operations across sandbox boundaries.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade openclaw to version 2026.3.11 or higher.

    <2026.3.11
    • H
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization via the system.run. An attacker can execute unauthorized local code by obtaining approval for a benign script-runner command, then rewriting the referenced script on disk before execution, causing the modified code to run under the approved context.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.3.11 or higher.

    <2026.3.11
    • H
    Missing Authorization

    Affected versions of this package are vulnerable to Missing Authorization through the configWrites authorization. An attacker can modify protected configuration data of sibling accounts by issuing channel commands that target accounts with restricted write permissions.

    How to fix Missing Authorization?

    Upgrade openclaw to version 2026.3.11 or higher.

    <2026.3.11
    • M
    Time-of-check Time-of-use (TOCTOU) Race Condition

    Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition through the handling of temporary file creation and population in the sandboxed file system bridge. An attacker can write arbitrary data outside the intended validated directory by exploiting a race condition in parent-path aliasing before the final guarded replace step.

    How to fix Time-of-check Time-of-use (TOCTOU) Race Condition?

    Upgrade openclaw to version 2026.3.11 or higher.

    <2026.3.11
    • H
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization through the device.token.rotate process. An attacker can gain unauthorized administrative access and potentially execute arbitrary code on connected nodes by minting tokens with elevated privileges beyond their current scope.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.3.11-beta.1 or higher.

    <2026.3.11-beta.1
    • H
    Time-of-check Time-of-use (TOCTOU) Race Condition

    Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via the system.run process. An attacker can execute unintended local code as the runtime user by modifying an approved local script after approval but before execution.

    How to fix Time-of-check Time-of-use (TOCTOU) Race Condition?

    Upgrade openclaw to version 2026.3.11 or higher.

    <2026.3.11
    • L
    Not Failing Securely ('Failing Open')

    Affected versions of this package are vulnerable to Not Failing Securely ('Failing Open') in the credential resolution process. An attacker can access unintended remote credentials by configuring local authentication SecretRefs that are unavailable, causing the system to fall back to remote credential sources instead of failing as expected.

    How to fix Not Failing Securely ('Failing Open')?

    Upgrade openclaw to version 2026.3.11 or higher.

    <2026.3.11
    • H
    Origin Validation Error

    Affected versions of this package are vulnerable to Origin Validation Error in the WebSocket connections when gateway.auth.mode is set to trusted-proxy and proxy headers are present. An attacker can gain unauthorized privileged access by establishing a cross-site WebSocket connection from an untrusted origin through a trusted reverse proxy, allowing the execution of privileged Gateway methods and exposure of sensitive configuration. This is only exploitable if the deployment exposes the Gateway behind a trusted reverse proxy and relies on browser origin checks to restrict access.

    How to fix Origin Validation Error?

    Upgrade openclaw to version 2026.3.11 or higher.

    <2026.3.11
    • H
    Symlink Attack

    Affected versions of this package are vulnerable to Symlink Attack through improper handling of symlink alias resolution during workspace boundary checks. An attacker can gain unauthorized write access to files outside the intended workspace or sandbox by exploiting dangling symlinks that resolve beyond the configured boundary.

    How to fix Symlink Attack?

    Upgrade openclaw to version 2026.2.26 or higher.

    <2026.2.26
    • M
    Authentication Bypass by Alternate Name

    Affected versions of this package are vulnerable to Authentication Bypass by Alternate Name in the Microsoft Teams group sender authorization process when a route allowlist is configured and the sender allowlist is empty. An attacker can gain unauthorized access to trigger replies in allowlisted Teams routes by exploiting the wildcard sender authorization logic.

    How to fix Authentication Bypass by Alternate Name?

    Upgrade openclaw to version 2026.3.8 or higher.

    <2026.3.8
    • H
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization in the group allowlist authorization. An attacker can gain unauthorized group sender access by leveraging DM pairing-store entries to satisfy group allowlist checks.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.2.26 or higher.

    <2026.2.26
    • M
    Time-of-check Time-of-use (TOCTOU) Race Condition

    Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition through the system.run approval flow. An attacker can execute unauthorized or modified scripts by obtaining approval for a script execution and then altering the script content before execution, allowing different code to run under the guise of a previously approved command.

    How to fix Time-of-check Time-of-use (TOCTOU) Race Condition?

    Upgrade openclaw to version 2026.3.8 or higher.

    <2026.3.8
    • M
    Time-of-check Time-of-use (TOCTOU) Race Condition

    Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition through the skills download installer. An attacker can cause files to be written outside the intended directory by rebinding the validated base path between its validation and use.

    How to fix Time-of-check Time-of-use (TOCTOU) Race Condition?

    Upgrade openclaw to version 2026.3.8 or higher.

    <2026.3.8
    • M
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization in the handling of Slack system events in members.ts and messages.ts due to missing sender authorization checks before enqueueing events. An attacker can gain unauthorized access to system-event processing by sending crafted Slack events from non-allowlisted senders. This is only exploitable if Slack DM allowlists (dmPolicy / allowFrom) or per-channel users allowlists are relied upon for access control.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.2.26 or higher.

    <2026.2.26
    • H
    Symlink Attack

    Affected versions of this package are vulnerable to Symlink Attack via the workspace path validation. An attacker can gain unauthorized access to files and potentially modify or create files outside the intended workspace boundary by exploiting symlinks that point to non-existent targets outside the workspace.

    How to fix Symlink Attack?

    Upgrade openclaw to version 2026.2.26 or higher.

    <2026.2.26
    • M
    Authentication Bypass Using an Alternate Path or Channel

    Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the /api/channels gateway-auth. An attacker can gain unauthorized access to protected plugin channel APIs by exploiting a mismatch in path canonicalization between the gateway guard and plugin handler routing.

    How to fix Authentication Bypass Using an Alternate Path or Channel?

    Upgrade openclaw to version 2026.2.26 or higher.

    <2026.2.26
    • M
    Protection Mechanism Failure

    Affected versions of this package are vulnerable to Protection Mechanism Failure via the /acp spawn command handler. An attacker can escalate privileges by initializing host-side ACP sessions from a sandboxed context when ACP is enabled and a backend is available.

    How to fix Protection Mechanism Failure?

    Upgrade openclaw to version 2026.3.7-beta.1 or higher.

    <2026.3.7-beta.1
    • H
    Use of GET Request Method With Sensitive Query Strings

    Affected versions of this package are vulnerable to Use of GET Request Method With Sensitive Query Strings via the process that appends authentication material to the browser URL query string and persists it in browser localStorage. An attacker can recover valid administrative credentials by accessing browser-controlled surfaces or persistent browser storage.

    How to fix Use of GET Request Method With Sensitive Query Strings?

    Upgrade openclaw to version 2026.3.7-beta.1 or higher.

    <2026.3.7-beta.1
    • M
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization in the /allowlist ... --store process. An attacker can gain unintended authorization to the default account by editing allowlist entries as an already-authorized user, causing cross-account authorization expansion.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.3.7-beta.1 or higher.

    <2026.3.7-beta.1
    • M
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization in the system.run process when handling dispatch wrappers with exactly four transparent wrappers such as repeated env invocations before /bin/sh -c. An attacker can bypass shell approval gating by crafting a command sequence that exploits the mismatch between approval classification and execution planning at the dispatch depth boundary. This is only exploitable if the system is configured in security=allowlist mode.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.3.7-beta.1 or higher.

    <2026.3.7-beta.1
    • L
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization in the system.run process when PowerShell encoded-command wrappers such as -EncodedCommand, -enc, or -e are used. An attacker can bypass approval mechanisms and execute arbitrary commands by invoking PowerShell with encoded payloads, which are not properly recognized by the allowlist approval parsing.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.3.7-beta.1 or higher.

    <2026.3.7-beta.1
    • M
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization via the chat.send process. An attacker can perform unauthorized persistent configuration changes by routing /config set or /config unset commands through an authenticated gateway client with operator.write privileges, bypassing intended admin-only restrictions. This is only exploitable if the attacker has an authenticated gateway client with operator.write, chat.send access, and /config command support enabled.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.3.7-beta.1 or higher.

    <2026.3.7-beta.1
    • M
    Authorization Bypass Through User-Controlled Key

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the system.run process. An attacker can bypass intended allowlist or approval mechanisms by supplying crafted environment variable overrides such as GIT_SSH_COMMAND, GIT_CONFIG_*, or NPM_CONFIG_*, which are not properly sanitized and can influence the behavior of spawned subprocesses.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade openclaw to version 2026.3.7-beta.1 or higher.

    <2026.3.7-beta.1
    • M
    Improper Control of Interaction Frequency

    Affected versions of this package are vulnerable to Improper Control of Interaction Frequency via the hooks HTTP handler. An attacker can cause temporary lockout of legitimate webhook delivery by sending repeated non-POST requests with invalid tokens, thereby exhausting the authentication failure budget and triggering a lockout for the affected client key. This can result in a temporary loss of availability for hook-triggered automation or wake events, especially in environments where multiple clients share the same proxy or NAT configuration.

    How to fix Improper Control of Interaction Frequency?

    Upgrade openclaw to version 2026.3.7-beta.1 or higher.

    <2026.3.7-beta.1
    • H
    Insufficiently Protected Credentials

    Affected versions of this package are vulnerable to Insufficiently Protected Credentials via the fetchWithSsrFGuard process. An attacker can obtain sensitive authorization credentials by triggering a cross-origin redirect that causes custom headers, such as API keys or private tokens, to be forwarded to an unintended origin.

    How to fix Insufficiently Protected Credentials?

    Upgrade openclaw to version 2026.3.7-beta.1 or higher.

    <2026.3.7-beta.1
    • L
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization in the system.run process. An attacker can cause unauthorized commands to be persisted as trusted entries by submitting a shell command with an unquoted # character, resulting in the shell executing only the portion before the comment while the persistence mechanism stores the entire command, including the non-executed tail.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.3.7-beta.1 or higher.

    <2026.3.7-beta.1
    • M
    Directory Traversal

    Affected versions of this package are vulnerable to Directory Traversal via the extractToolResultMediaPaths process. An attacker can access and exfiltrate sensitive files from the system's temporary directory or other allowed local roots by injecting specially crafted MEDIA: directives or manipulating the details.path field in tool result content. The file contents are then delivered to external messaging channels such as Discord, Slack, Telegram, or WhatsApp, potentially without user awareness.

    How to fix Directory Traversal?

    Upgrade openclaw to version 2026.2.21 or higher.

    <2026.2.21
    • H
    Symlink Attack

    Affected versions of this package are vulnerable to Symlink Attack in the tools.fs.workspaceOnly process when hardlink aliases inside the workspace reference files outside the workspace boundary. An attacker can access or modify files outside the intended workspace by creating hardlink aliases within the workspace that point to external files. This is only exploitable if workspace-only filesystem restrictions are enabled.

    How to fix Symlink Attack?

    Upgrade openclaw to version 2026.2.25 or higher.

    <2026.2.25
    • M
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization in the isAllowedParsedChatSender process. An attacker can gain unauthorized access to direct messaging or reaction features by sending messages from an untrusted sender when the allowFrom configuration is empty or unset and the DM policy is set to pairing or allowlist.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.2.22 or higher.

    <2026.2.22
    • H
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization in the processing of Slack interactive callbacks, specifically block_action, view_submission, and view_closed. An attacker can inject unauthorized system-event text into an active session by sending crafted interactive callback requests before full sender authorization checks are performed. This is only exploitable if the deployment is in a shared Slack workspace that relies on sender restrictions such as allowFrom, DM policy, or channel user allowlists.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.2.25 or higher.

    <2026.2.25
    • M
    Authorization Bypass Through User-Controlled Key

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the tools.elevated.allowFrom process. An attacker can gain unauthorized elevated access by providing broader identity signals than intended, bypassing sender-scoped authorization checks.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade openclaw to version 2026.2.22 or higher.

    <2026.2.22
    • M
    Files or Directories Accessible to External Parties

    Affected versions of this package are vulnerable to Files or Directories Accessible to External Parties via the image tool when tools.fs.workspaceOnly is set to true but not enforced for mounted paths resolved by the sandbox file system bridge. An attacker can access and exfiltrate files outside the intended workspace by leveraging the ability to load out-of-workspace mounted images and forward their contents to external model providers.

    How to fix Files or Directories Accessible to External Parties?

    Upgrade openclaw to version 2026.2.23-beta.1 or higher.

    <2026.2.23-beta.1
    • M
    Server-side Request Forgery (SSRF)

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to incomplete validation of IPv4 special-use address ranges in the web_fetch process. An attacker can access internal or non-global network resources by supplying crafted URLs that bypass SSRF protections. This is only exploitable if the attacker has network reachability to the relevant special-use ranges and can trigger a request path that reaches web_fetch URL fetching.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade openclaw to version 2026.2.22 or higher.

    <2026.2.22
    • M
    Symlink Attack

    Affected versions of this package are vulnerable to Symlink Attack via the resolveIdentityAvatarUrl function. An attacker can access arbitrary files outside the intended workspace by supplying a crafted local avatar path that follows a symlink, resulting in the exposure of file contents as a base64-encoded data: URL in gateway responses.

    How to fix Symlink Attack?

    Upgrade openclaw to version 2026.2.22 or higher.

    <2026.2.22
    • L
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization through improper access control in the pairing store process. An attacker can gain unauthorized access to another account's direct message pairing by leveraging approval from a different account in multi-account deployments.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.2.26 or higher.

    <2026.2.26
    • M
    Allocation of Resources Without Limits or Throttling

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the webhook request body parsing. An attacker can degrade service availability by sending slow or oversized unauthenticated requests that hold the parser open before authentication and signature checks are performed.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade openclaw to version 2026.3.2 or higher.

    <2026.3.2
    • H
    Unsafe Dependency Resolution

    Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the safeBins process. An attacker can execute arbitrary commands in the application runtime context by placing a malicious binary with the same name as a trusted executable in a writable directory that is included in the default trusted directories.

    How to fix Unsafe Dependency Resolution?

    Upgrade openclaw to version 2026.2.24 or higher.

    <2026.2.24
    • H
    Symlink Attack

    Affected versions of this package are vulnerable to Symlink Attack via the stageSandboxMedia process. An attacker can overwrite arbitrary files outside the intended workspace by staging media files to a destination path containing a symlink that points outside the sandbox boundary.

    How to fix Symlink Attack?

    Upgrade openclaw to version 2026.3.2-beta.1 or higher.

    <2026.3.2-beta.1
    • H
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization via the apply_patch process. An attacker can gain unauthorized access to files or directories outside the intended workspace by exploiting insufficient enforcement of workspace-only restrictions when certain sandbox and configuration options are enabled. This is only exploitable if sandbox mode, the experimental apply_patch tool, workspace-only expectations, and writable mounts outside the workspace are all enabled.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.2.23-beta.1 or higher.

    <2026.2.23-beta.1
    • M
    Command Injection

    Affected versions of this package are vulnerable to Command Injection via the resolveShell function. An attacker can execute arbitrary commands by influencing environment variables such as SHELL, HOME, or ZDOTDIR during shell startup processing.

    How to fix Command Injection?

    Upgrade openclaw to version 2026.2.22 or higher.

    <2026.2.22
    • M
    Missing Authentication for Critical Function

    Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the getHeadersWithAuth function. An attacker can obtain authentication tokens by controlling a local loopback port and intercepting probe traffic.

    Note: This is only exploitable if the deployment is in a shared-user or shared-host environment where an untrusted local user or process can bind to the loopback relay port.

    How to fix Missing Authentication for Critical Function?

    Upgrade openclaw to version 2026.2.22 or higher.

    <2026.2.22
    • L
    Reliance on Untrusted Inputs in a Security Decision

    Affected versions of this package are vulnerable to Reliance on Untrusted Inputs in a Security Decision when trusted-proxy authentication is enabled. An attacker can gain unauthorized access to node event methods by connecting with a node role session and specifying client.id=control-ui to bypass device identity checks.

    How to fix Reliance on Untrusted Inputs in a Security Decision?

    Upgrade openclaw to version 2026.2.25 or higher.

    <2026.2.25
    • L
    Insufficiently Protected Credentials

    Affected versions of this package are vulnerable to Insufficiently Protected Credentials due to the reuse of authentication tokens as a fallback secret in the owner ID prompt hashing process. An attacker can infer sensitive hash outputs by observing prompt metadata, especially if weak gateway tokens are used and the dedicated secret is unset.

    How to fix Insufficiently Protected Credentials?

    Upgrade openclaw to version 2026.2.22 or higher.

    <2026.2.22
    • H
    Files or Directories Accessible to External Parties

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Files or Directories Accessible to External Parties via the assertBrowserNavigationAllowed function. An attacker who has authenticated access to a gateway with browser tooling enabled can access and exfiltrate local files readable by the process user by navigating browser sessions to file:// URLs and extracting page content through browser snapshot or extraction actions.

    How to fix Files or Directories Accessible to External Parties?

    Upgrade openclaw to version 2026.2.21 or higher.

    <2026.2.21
    • L
    Command Injection

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Command Injection in the tools.exec.safeBins process when a binary without an explicit safe-bin profile is added in allowlist mode. An attacker can execute arbitrary code by supplying interpreter-style binaries (such as python3, node, or ruby) with inline payloads via command-line flags like -c. This is only exploitable if an operator explicitly configures such binaries in safeBins, which is not the default configuration.

    How to fix Command Injection?

    Upgrade openclaw to version 2026.2.22 or higher.

    <2026.2.22
    • H
    Authorization Bypass Through User-Controlled Key

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the resolveSenderCandidates process. An attacker can gain unauthorized access to command or directive execution by configuring commands.allowFrom with conversation identifiers, which allows any participant in that conversation to perform actions intended only for specific sender identities.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade openclaw to version 2026.2.23-beta.1 or higher.

    <2026.2.23-beta.1
    • M
    Server-side Request Forgery (SSRF)

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the SSRF IP classification. An attacker can access unintended network resources by supplying IPv6 multicast addresses that bypass address classification checks.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade openclaw to version 2026.2.25 or higher.

    <2026.2.25
    • H
    Incorrect Authorization

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Incorrect Authorization via the allowFrom module. An attacker can gain unauthorized access by exploiting slug collisions in Discord name/tag allowlist entries, allowing them to bypass intended authorization checks.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.2.22 or higher.

    <2026.2.22
    • M
    Cleartext Transmission of Sensitive Information

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Cleartext Transmission of Sensitive Information via the gateway.controlUi.allowInsecureAuth configuration when it is explicitly enabled and the gateway is exposed over plaintext HTTP. An attacker can gain privileged operator access by intercepting or using leaked credentials.

    Note: This is only exploitable if the insecure configuration is enabled and the gateway is accessible over plaintext HTTP.

    How to fix Cleartext Transmission of Sensitive Information?

    Upgrade openclaw to version 2026.2.21 or higher.

    <2026.2.21
    • H
    Allocation of Resources Without Limits or Throttling

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the Telegram DM message handling. An attacker can cause unauthorized media files to be downloaded and written to disk by sending inbound media messages before sender authorization checks are completed.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade openclaw to version 2026.2.24 or higher.

    <2026.2.24
    • M
    Incorrect Authorization

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Incorrect Authorization via the WebSocket connect process. An attacker can inject unauthorized node.event messages by connecting with a shared gateway token and claiming role=node without device identity or pairing, which can trigger agent execution and voice transcript flows.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.2.22 or higher.

    <2026.2.22
    • M
    Incorrect Authorization

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Incorrect Authorization in the enqueueSystemEvent process. An attacker can add unauthorized reaction status lines to agent contexts by sending specially crafted reaction-only inbound events before access checks are enforced. This is only exploitable if reaction notifications are enabled for Signal reaction-only inbound events.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.2.25 or higher.

    <2026.2.25
    • H
    Symlink Attack

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Symlink Attack via the resolveSandboxedMediaSource process. An attacker can access files outside the intended sandbox confinement by submitting crafted media paths that exploit a symlink alias in the fallback temporary directory.

    How to fix Symlink Attack?

    Upgrade openclaw to version 2026.2.25-beta.1 or higher.

    <2026.2.25-beta.1
    • H
    Command Injection

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Command Injection when attacker-controlled environment variables are admitted and inherited by host command execution paths. An attacker can execute arbitrary commands by injecting malicious values into environment variables that are processed during shell command execution. This is only exploitable if the attacker has local or privileged influence over configuration or environment inputs.

    How to fix Command Injection?

    Upgrade openclaw to version 2026.2.21 or higher.

    <2026.2.21
    • H
    Incorrect Authorization

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Incorrect Authorization in the autoAllowSkills process. An attacker can execute unauthorized skills without operator approval by exploiting a skill-name collision when autoAllowSkills is enabled and the allowlist evaluator matches a path-scoped executable to a skill bin name. This is only exploitable if autoAllowSkills=true, system.run is configured with security=allowlist, and ask=on-miss is set.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.2.23-beta.1 or higher.

    <2026.2.23-beta.1
    • H
    Incorrect Authorization

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Incorrect Authorization via system.run. An attacker can execute hidden commands under misleading approval or display text by supplying additional positional argv payloads that are not reflected in the visible command context.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.2.24 or higher.

    <2026.2.24
    • H
    Directory Traversal

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Directory Traversal in detectAndLoadPromptImages or loadImageFromRef. An attacker can access and load image data from out-of-workspace paths by referencing mounted paths in prompt text.

    Note: This is only exploitable if sandbox mode is enabled, tools.fs.workspaceOnly=true is configured, an out-of-workspace mount path is reachable from the sandbox, and a vision-capable model path is active for native prompt image loading.

    How to fix Directory Traversal?

    Upgrade openclaw to version 2026.2.24 or higher.

    <2026.2.24
    • M
    Incorrect Authorization

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Incorrect Authorization through a mismatch in wrapper-depth parsing in system.run. An attacker can bypass approval gating by crafting nested transparent dispatch wrappers, allowing execution of shell commands without triggering the expected approval prompt in allowlist mode with ask-on-miss enabled.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.2.24 or higher.

    <2026.2.24
    • M
    Incomplete List of Disallowed Inputs

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via tools.exec.safeBins. An attacker can access sensitive files from the working directory by supplying a pattern input through the -e or --regexp flag and providing a filename as a positional argument.

    Note: This is only exploitable if grep is explicitly included in the tools.exec.safeBins configuration and the attacker can invoke exec tooling under that profile.

    How to fix Incomplete List of Disallowed Inputs?

    Upgrade openclaw to version 2026.2.21 or higher.

    <2026.2.21
    • L
    Untrusted Search Path

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Untrusted Search Path through the SHELL environment variable fallback. An attacker can execute arbitrary commands by supplying a malicious path in the SHELL environment variable, which is then invoked without validation.

    How to fix Untrusted Search Path?

    Upgrade openclaw to version 2026.2.22 or higher.

    <2026.2.22
    • M
    Untrusted Search Path

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Untrusted Search Path via tools.exec.safeBins. An attacker can execute arbitrary commands by placing a malicious binary with the same name as a trusted binary in a PATH-derived directory that is trusted by the allowlist mode.

    How to fix Untrusted Search Path?

    Upgrade openclaw to version 2026.2.22 or higher.

    <2026.2.22
    • H
    Time-of-check Time-of-use (TOCTOU) Race Condition

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via system.run when a mutable symlink is used as the cwd target between approval and execution. An attacker can execute commands in an unintended directory by altering the symlink after approval but before execution.

    How to fix Time-of-check Time-of-use (TOCTOU) Race Condition?

    Upgrade openclaw to version 2026.2.25 or higher.

    <2026.2.25
    • H
    External Control of System or Configuration Setting

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to External Control of System or Configuration Setting via the collectConfigEnvVars function. An attacker can execute arbitrary code in the service runtime environment by injecting malicious environment variables during startup.

    How to fix External Control of System or Configuration Setting?

    Upgrade openclaw to version 2026.2.21 or higher.

    <2026.2.21
    • H
    Incorrect Authorization

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Incorrect Authorization via system.run when shell line-continuation and command substitution are used to bypass allowlist analysis. An attacker can execute unauthorized commands by crafting input that splits command substitution across lines, causing the analysis to misinterpret the payload and allowing execution of non-allowlisted subcommands.

    Note: This is only exploitable if the deployment is configured with tools.exec.security=allowlist (with ask=on-miss or off).

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.2.22 or higher.

    <2026.2.22
    • M
    Missing Authorization

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Missing Authorization via sandbox-browser-entrypoint.sh. An attacker can gain unauthorized access to VNC observer sessions by connecting to the noVNC service, which is exposed without authentication on the host loopback interface.

    How to fix Missing Authorization?

    Upgrade openclaw to version 2026.2.21 or higher.

    <2026.2.21
    • L
    Cross-site Scripting (XSS)

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via template.js. An attacker can execute arbitrary JavaScript in the context of the exported HTML by injecting a crafted value into the mimeType field of an image content block, which is then interpolated into the <img src="data:..."> attribute without proper validation or escaping.

    Note: This is only exploitable if an attacker can control image entries in session data, such as through crafted tool results or session manipulation.

    How to fix Cross-site Scripting (XSS)?

    Upgrade openclaw to version 2026.2.23 or higher.

    <2026.2.23
    • C
    Directory Traversal

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Directory Traversal via the gateway plugin authentication. An attacker can gain unauthorized access to protected API channel routes by sending requests with encoded dot-segment traversal in the path, which are normalized by plugin handlers.

    How to fix Directory Traversal?

    Upgrade openclaw to version 2026.2.26 or higher.

    <2026.2.26
    • H
    Incorrect Authorization

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Incorrect Authorization via the message_reaction function. An attacker can inject unauthorized system events by sending crafted Telegram reactions, bypassing configured DM or group authorization controls.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.2.25 or higher.

    <2026.2.25
    • M
    Reliance on Untrusted Inputs in a Security Decision

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Reliance on Untrusted Inputs in a Security Decision via improper parsing of the X-Forwarded-For header behind trusted proxies. An attacker can influence security decisions tied to client IP, such as authentication rate-limiting or local/private network classification, by supplying crafted header values. This is only exploitable if the deployment is configured with trusted proxies that append or preserve forwarding headers instead of overwriting them.

    How to fix Reliance on Untrusted Inputs in a Security Decision?

    Upgrade openclaw to version 2026.2.21 or higher.

    <2026.2.21
    • H
    Command Injection

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Command Injection via the system.run process. An attacker can execute arbitrary code by supplying environment variable overrides such as HOME or ZDOTDIR that trigger malicious shell startup files before the intended command is evaluated.

    How to fix Command Injection?

    Upgrade openclaw to version 2026.2.22 or higher.

    <2026.2.22
    • M
    Incorrect Permission Assignment for Critical Resource

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource due to the browser container launching Chromium with the --no-sandbox flag enabled by default, which disables OS-level sandbox protections. An attacker can increase the impact of renderer-side bugs and weaken browser isolation by exploiting this configuration.

    How to fix Incorrect Permission Assignment for Critical Resource?

    Upgrade openclaw to version 2026.2.21 or higher.

    <2026.2.21
    • H
    Symlink Attack

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Symlink Attack via the validateBindMounts process. An attacker can access files or directories outside of intended boundaries by exploiting symlinked parent directories combined with non-existent leaf paths, thereby bypassing allowed-root and blocked-path checks.

    How to fix Symlink Attack?

    Upgrade openclaw to version 2026.2.24 or higher.

    <2026.2.24
    • M
    Incorrect Authorization

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Incorrect Authorization in the toolsBySender process when untyped sender keys are used. An attacker can gain unauthorized access to privileged group tool permissions by causing an identifier collision between mutable sender identity values.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.2.22 or higher.

    <2026.2.22
    • H
    Symlink Attack

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Symlink Attack via the ZIP extraction process when a pre-existing symlink exists in the destination path. An attacker can write files outside the intended extraction directory by crafting a ZIP archive and leveraging symlink traversal.

    How to fix Symlink Attack?

    Upgrade openclaw to version 2026.2.22 or higher.

    <2026.2.22
    • M
    Origin Validation Error

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Origin Validation Error via the WebSocket authentication process. An attacker can gain unauthorized access to operator-level WebSocket sessions and invoke privileged control-plane methods by tricking a user into opening a malicious web page and successfully brute-forcing the gateway password. This is only exploitable if the gateway is reachable on loopback, password authentication mode is enabled, the victim opens attacker-controlled web content, and the password is guessable within feasible brute-force or dictionary attempts.

    How to fix Origin Validation Error?

    Upgrade openclaw to version 2026.2.25-beta.1 or higher.

    <2026.2.25-beta.1
    • H
    Execution with Unnecessary Privileges

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Execution with Unnecessary Privileges due to the absence of a USER directive in the Dockerfiles, causing all processes to run as root. An attacker can gain root privileges within the container by compromising any process running inside these containers, which may enable kernel exploit attempts, abuse of mounted volumes, and access to privileged syscalls.

    How to fix Execution with Unnecessary Privileges?

    Upgrade openclaw to version 2026.2.21 or higher.

    <2026.2.21
    • M
    Missing Authentication for Critical Function

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the webhook process of the optional BlueBubbles plugin when password authentication is not configured for incoming webhook events. An attacker can trigger unauthorized webhook actions by sending crafted requests to the webhook endpoint in deployments where password authentication is omitted. This is only exploitable if the BlueBubbles plugin is enabled and webhook password authentication is not set.

    How to fix Missing Authentication for Critical Function?

    Upgrade openclaw to version 2026.2.21 or higher.

    <2026.2.21
    • M
    Incorrect Behavior Order: Validate Before Canonicalize

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Incorrect Behavior Order: Validate Before Canonicalize via the boundary validation process for @-prefixed absolute paths when tools.fs.workspaceOnly is set to true. An attacker can access files outside the intended workspace boundary by supplying specially crafted absolute paths that bypass validation checks. This is only exploitable if the non-default configuration tools.fs.workspaceOnly=true is enabled and the sandbox/tooling configuration allows such path handling.

    How to fix Incorrect Behavior Order: Validate Before Canonicalize?

    Upgrade openclaw to version 2026.2.24 or higher.

    <2026.2.24
    • L
    Server-side Request Forgery (SSRF)

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via inconsistent enforcement of host and DNS policies in the media fetch process. An attacker can access internal network resources or unintended hosts by exploiting fetch paths that bypass shared guard logic.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade openclaw to version 2026.2.26 or higher.

    <2026.2.26
    • H
    Incomplete List of Disallowed Inputs

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the --compress-program flag in the sort process when sort is manually added to the tools.exec.safeBins configuration. An attacker can execute arbitrary external programs by supplying a crafted value to the --compress-program flag, bypassing expected operator approval. This is only exploitable if sort is explicitly included in tools.exec.safeBins and the deployment uses both security=allowlist and ask=on-miss settings.

    How to fix Incomplete List of Disallowed Inputs?

    Upgrade openclaw to version 2026.2.22 or higher.

    <2026.2.22
    • M
    Directory Traversal

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Directory Traversal via improper validation of media local-paths in the sandbox. An attacker can access and exfiltrate files outside the intended sandbox boundary by supplying absolute paths under the host temporary directory that are not confined to the active sandbox root.

    How to fix Directory Traversal?

    Upgrade openclaw to version 2026.2.24 or higher.

    <2026.2.24
    • M
    Interpretation Conflict

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Interpretation Conflict through a mismatch in policy and runtime interpretation of wrapper commands using GNU env -S semantics. An attacker can execute unintended commands by injecting untrusted content into tool command text, causing policy checks to approve a command while a different payload is executed at runtime.

    How to fix Interpretation Conflict?

    Upgrade openclaw to version 2026.2.23-beta.1 or higher.

    <2026.2.23-beta.1
    • M
    Improper Handling of Highly Compressed Data (Data Amplification)

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) in the skills-install-download process when handling .tar.bz2 archives due to bypassed archive safety parity checks. An attacker can cause local resource exhaustion and impact system availability by submitting specially crafted .tar.bz2 archives during skill installation.

    How to fix Improper Handling of Highly Compressed Data (Data Amplification)?

    Upgrade openclaw to version 2026.3.2-beta.1 or higher.

    <2026.3.2-beta.1
    • M
    Server-side Request Forgery (SSRF)

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the writeUrlToFile function. An attacker can access internal network resources or perform unauthorized network requests by supplying crafted URLs in the payload fields processed by paired nodes.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade openclaw to version 2026.3.2-beta.1 or higher.

    >=2026.2.13 <2026.3.2-beta.1
    • M
    Incorrect Authorization

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Incorrect Authorization via the dm reaction notification process. An attacker can bypass authorization checks and enqueue unauthorized reaction-derived system events by reacting to bot-authored direct messages in restrictive DM setups.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.2.25-beta.1 or higher.

    <2026.2.25-beta.1
    • M
    Incorrect Authorization

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Incorrect Authorization in the agentCommand process when the senderIsOwner parameter is omitted, causing it to default to true. An attacker can gain unauthorized access to owner-only tools by participating as a non-owner in the same Discord voice channel and triggering the voice transcript flow.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.3.2 or higher.

    <2026.3.2
    • H
    Server-side Request Forgery (SSRF)

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the web_fetch process when environment proxy variables are configured. An attacker can access internal or private network resources by supplying attacker-controlled URLs that are routed through proxy behavior instead of strict DNS-pinned routing. This is only exploitable if environment proxy variables such as HTTP_PROXY, HTTPS_PROXY, or ALL_PROXY are set for the runtime process.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade openclaw to version 2026.3.2 or higher.

    <2026.3.2
    • M
    Time-of-check Time-of-use (TOCTOU) Race Condition

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via improper validation of file paths in browser output handling. An attacker can write files outside of intended directory boundaries by exploiting insufficient path confinement checks.

    How to fix Time-of-check Time-of-use (TOCTOU) Race Condition?

    Upgrade openclaw to version 2026.3.2-beta.1 or higher.

    <2026.3.2-beta.1
    • M
    Authentication Bypass Using an Alternate Path or Channel

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the route classification process. An attacker can gain unauthorized access to protected API endpoints by submitting requests with deeply encoded alternate path representations that bypass authentication checks.

    How to fix Authentication Bypass Using an Alternate Path or Channel?

    Upgrade openclaw to version 2026.3.2-beta.1 or higher.

    <2026.3.2-beta.1
    • M
    Replay Attack

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Replay Attack via the voice-call webhook process. An attacker can cause replayed webhook events to be accepted as new by modifying the i-twilio-idempotency-token header in a signed request. This is only exploitable if the optional voice-call Twilio webhook path is enabled.

    How to fix Replay Attack?

    Upgrade openclaw to version 2026.2.26 or higher.

    <2026.2.26
    • H
    Time-of-check Time-of-use (TOCTOU) Race Condition

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via the ZIP extraction process. An attacker can cause files to be written outside the intended extraction directory by exploiting a race condition involving a parent-directory symlink rebind between path validation and file write.

    How to fix Time-of-check Time-of-use (TOCTOU) Race Condition?

    Upgrade openclaw to version 2026.3.2-beta.1 or higher.

    <2026.3.2-beta.1
    • L
    Prototype Pollution

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Prototype Pollution via the /debug set process. An attacker can modify in-memory runtime overrides by supplying prototype-reserved keys such as __proto__, constructor, or prototype if they are already authorized to access the /debug set endpoint. This is only exploitable if the /debug feature is enabled and the attacker has prior authorization to use /debug set.

    How to fix Prototype Pollution?

    Upgrade openclaw to version 2026.2.21 or higher.

    <2026.2.21
    • H
    Arbitrary Command Injection

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Arbitrary Command Injection via the renderEnvLines process. An attacker can execute arbitrary commands with the privileges of the gateway service user by injecting newline characters and additional systemd directives into environment variable values, which are then written to the generated unit file and executed upon service restart. This is only exploitable if an attacker can control config.env.vars and trigger the install or reinstall process.

    How to fix Arbitrary Command Injection?

    Upgrade openclaw to version 2026.2.21 or higher.

    <2026.2.21
    • H
    Incorrect Authorization

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Incorrect Authorization via the system.run process. An attacker can execute unauthorized commands by bypassing allowlist restrictions through wrapper binaries such as env or shell-dispatch chains.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.2.22 or higher.

    <2026.2.22
    • H
    Command Injection

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Command Injection via system.run when allowlist parsing fails to reject command substitution tokens inside double-quoted shell text. An attacker can execute unauthorized commands on the node host by crafting payloads that exploit shell substitution within allowlisted commands.

    Note: This is only exploitable if the target uses the macOS node-host execution path, exec approvals are set to allowlist mode, ask mode is set to on-miss or off, and the allowlist contains a benign executable used in a shell wrapper flow.

    How to fix Command Injection?

    Upgrade openclaw to version 2026.2.22 or higher.

    <2026.2.22
    • M
    Replay Attack

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Replay Attack via the webhook replay handling. An attacker can cause duplicate inbound actions to be processed by replaying previously valid signed webhook requests after the replay window expires or following a process restart.

    How to fix Replay Attack?

    Upgrade openclaw to version 2026.2.25-beta.1 or higher.

    <2026.2.25-beta.1
    • M
    User Impersonation

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to User Impersonation during authentication. An attacker can gain unauthorized access to HTTP gateway routes by exploiting the improper application of tokenless Tailscale authentication headers, bypassing token or password requirements in trusted-network deployments.

    Note: This is only exploitable if tokenless Tailscale authentication is enabled and the deployment relies on token/password authentication for HTTP gateway routes.

    How to fix User Impersonation?

    Upgrade openclaw to version 2026.2.21 or higher.

    <2026.2.21
    • M
    Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the innerHTML process. An attacker can execute arbitrary JavaScript in the context of the exported session HTML viewer by including crafted HTML or unescaped metadata fields in session content.

    How to fix Cross-site Scripting (XSS)?

    Upgrade openclaw to version 2026.2.23-beta.1 or higher.

    <2026.2.23-beta.1
    • H
    Arbitrary Code Injection

    Affected versions of this package are vulnerable to Arbitrary Code Injection via the transform module path resolution process. An attacker can execute arbitrary JavaScript code with gateway-process privileges by causing a symlinked entry to resolve outside the trusted directory and be dynamically imported. This is only exploitable if hook transforms are enabled and reachable, the attacker can influence transform path resolution (such as via privileged config access or writable filesystem path in the transform tree), and a symlink escape exists to attacker-controlled code.

    How to fix Arbitrary Code Injection?

    Upgrade openclaw to version 2026.2.22 or higher.

    <2026.2.22
    • H
    Incorrect Privilege Assignment

    Affected versions of this package are vulnerable to Incorrect Privilege Assignment via the sessions_spawn process when using runtime="acp" in a sandboxed environment. An attacker can gain unauthorized access to host-side ACP initialization by bypassing sandbox inheritance checks.

    How to fix Incorrect Privilege Assignment?

    Upgrade openclaw to version 2026.3.2-beta.1 or higher.

    <2026.3.2-beta.1
    • C
    Server-side Request Forgery (SSRF)

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the web_search citation redirect. An attacker can access internal network resources by supplying a crafted citation redirect target that points to loopback, private, or internal destinations, causing the host to initiate unauthorized requests.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade openclaw to version 2026.3.1 or higher.

    <2026.3.1
    • M
    Incomplete List of Disallowed Inputs

    Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via exec approvals when approvals are granted through unrecognized multiplexer shell wrappers. An attacker can execute unauthorized commands by leveraging wrapper binaries such as busybox sh -c or toybox sh -c to bypass intended allowlist restrictions.

    How to fix Incomplete List of Disallowed Inputs?

    Upgrade openclaw to version 2026.2.23-beta.1 or higher.

    <2026.2.23-beta.1
    • H
    Untrusted Search Path

    Affected versions of this package are vulnerable to Untrusted Search Path via the system.run execution. An attacker can execute an unintended or malicious executable by altering the PATH resolution after approval, causing a different binary to be run than the one originally approved.

    How to fix Untrusted Search Path?

    Upgrade openclaw to version 2026.3.1 or higher.

    <2026.3.1
    • C
    Symlink Attack

    Affected versions of this package are vulnerable to Symlink Attack via the agents.files.get and agents.files.set methods. An attacker can access or modify files outside the intended workspace by exploiting symlink traversal, potentially leading to unauthorized file read or write operations within the permissions of the gateway process. This may result in further compromise, including the possibility of executing arbitrary code, depending on which files are targeted.

    How to fix Symlink Attack?

    Upgrade openclaw to version 2026.2.25 or higher.

    <2026.2.25
    • M
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization in exec.approval requests. An attacker can gain unauthorized access to execute actions on unintended nodes by replaying approval requests across different nodes within the same operator-controlled gateway fleet.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.2.23 or higher.

    <2026.2.23
    • M
    Directory Traversal

    Affected versions of this package are vulnerable to Directory Traversal via the static file serving API. An attacker can access files outside the intended directory by placing symbolic links within the root directory and requesting those linked paths.

    How to fix Directory Traversal?

    Upgrade openclaw to version 2026.2.22 or higher.

    <2026.2.22
    • L
    Improper Authorization

    Affected versions of this package are vulnerable to Improper Authorization in system.run due to a parsing mismatch in allowlist checks for shell-chain payloads. An attacker can execute unauthorized shell commands on a paired macOS host by submitting a shell-chain command that bypasses incomplete command views and is approved under specific security settings.

    Note: This is only exploitable if the caller is authenticated with operator.write, the target is a paired macOS beta node host, and exec approvals are set to security=allowlist and ask=on-miss.

    How to fix Improper Authorization?

    Upgrade openclaw to version 2026.2.22 or higher.

    <2026.2.22
    • M
    Symlink Attack

    Affected versions of this package are vulnerable to Symlink Attack in the handling of browser trace and download output paths, specifically when processing temporary output. An attacker can overwrite arbitrary files by exploiting symlink traversal in the output path configuration.

    How to fix Symlink Attack?

    Upgrade openclaw to version 2026.2.25 or higher.

    <2026.2.25
    • H
    Directory Traversal

    Affected versions of this package are vulnerable to Directory Traversal via the jsonlPath parameter in the a2ui_push action, which is passed directly to the file reader without validation. An attacker can access arbitrary files on the server by supplying crafted file paths, potentially exfiltrating sensitive information to a connected node client.

    How to fix Directory Traversal?

    Upgrade openclaw to version 2026.2.21 or higher.

    <2026.2.21
    • H
    Server-side Request Forgery (SSRF)

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the bypass of the mediaAllowHosts configuration. An attacker can access internal or unintended network resources by supplying or influencing attachment URLs that trigger redirect chains to non-allowlisted targets.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade openclaw to version 2026.2.22 or higher.

    <2026.2.22
    • M
    Protection Mechanism Failure

    Affected versions of this package are vulnerable to Protection Mechanism Failure through improper validation of the docker.network configuration parameter. An attacker can gain unauthorized access to internal network resources by specifying network=container:<id> and joining another container's network namespace.

    How to fix Protection Mechanism Failure?

    Upgrade openclaw to version 2026.2.24 or higher.

    <2026.2.24
    • H
    Time-of-check Time-of-use (TOCTOU) Race Condition

    Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition in host=node executions. An attacker can execute commands from an unintended filesystem location by rebinding a writable parent symlink in cwd between approval and execution, thereby bypassing intended approval context.

    How to fix Time-of-check Time-of-use (TOCTOU) Race Condition?

    Upgrade openclaw to version 2026.2.26 or higher.

    <2026.2.26
    • H
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization via the system.run approvals. An attacker can cause execution of an unintended binary by crafting a command with a trailing space in the executable token and obtaining or reusing a matching approval context, leading to execution of a different binary than what was displayed to the approver.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.2.25 or higher.

    <2026.2.25
    • H
    Directory Traversal

    Affected versions of this package are vulnerable to Directory Traversal via the sendAttachment and setGroupIcon message actions when sandboxRoot is unset. An attacker can read arbitrary files accessible to the runtime user by triggering authorized message-action paths that hydrate media from local absolute paths, bypassing intended local media root checks.

    How to fix Directory Traversal?

    Upgrade openclaw to version 2026.2.24 or higher.

    <2026.2.24
    • M
    Allocation of Resources Without Limits or Throttling

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through improper handling of client IP address normalization in the authentication rate-limiting process. An attacker can increase the number of allowed failed authentication attempts by alternating between IPv4 and IPv4-mapped IPv6 address formats, effectively bypassing intended rate limits.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade openclaw to version 2026.2.22 or higher.

    <2026.2.22
    • M
    Symlink Attack

    Affected versions of this package are vulnerable to Symlink Attack via the avatar handling. An attacker can access sensitive local files outside the intended workspace by submitting crafted symlink paths to the avatar interface.

    How to fix Symlink Attack?

    Upgrade openclaw to version 2026.2.22 or higher.

    <2026.2.22
    • M
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization in the exec approval mode on macOS node-hosts when basename-only allowlist entries are configured. An attacker can execute unauthorized local binaries by creating a file with the same name as an allowed command, thereby bypassing intended path-based policy enforcement.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.2.22 or higher.

    <2026.2.22
    • H
    Command Injection

    Affected versions of this package are vulnerable to Command Injection via the system.run shell-wrapper. An attacker can execute arbitrary shell commands outside the intended allowlisted command body by injecting SHELLOPTS and PS4 environment variables, which are evaluated during shell wrapper execution.

    How to fix Command Injection?

    Upgrade openclaw to version 2026.2.22 or higher.

    <2026.2.22
    • M
    Off-by-one Error

    Affected versions of this package are vulnerable to Off-by-one Error in allowlist mode. An attacker can execute unintended commands by bypassing operator safety controls using specially crafted input to env -S when /usr/bin/env is allowlisted. This can result in a mismatch between policy analysis and runtime execution, potentially enabling shell-wrapper payloads to be executed.

    How to fix Off-by-one Error?

    Upgrade openclaw to version 2026.2.23 or higher.

    <2026.2.23
    • H
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization via the paired node device reconnect. An attacker can gain unauthorized access to restricted commands by spoofing the platform or deviceFamily metadata during a reconnect attempt. This is only exploitable if the attacker already possesses a paired node identity on the trusted network and the node command policy differs by platform.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.2.26 or higher.

    <2026.2.26
    • M
    Insertion of Sensitive Information Into Sent Data

    Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the OAuth onboarding process in the macOS beta application, where the PKCE code_verifier was exposed as the OAuth state in the URL. An attacker can obtain sensitive authentication information by intercepting the front-channel URL during the onboarding flow.

    How to fix Insertion of Sensitive Information Into Sent Data?

    Upgrade openclaw to version 2026.2.25 or higher.

    <2026.2.25
    • M
    Access Control Bypass

    Affected versions of this package are vulnerable to Access Control Bypass in the sessions_spawn sandboxed session. An attacker can bypass intended sandbox restrictions by spawning a child process under an agent with sandboxing disabled, resulting in reduced runtime confinement.

    How to fix Access Control Bypass?

    Upgrade openclaw to version 2026.3.1 or higher.

    <2026.3.1
    • M
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization in the stop triggers and /models command. An attacker can disrupt active sessions and access sensitive model or authentication metadata by sending unauthorized requests to these command paths.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.3.1 or higher.

    <2026.3.1
    • M
    Allocation of Resources Without Limits or Throttling

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the Zalo webhook. An attacker can exhaust system memory and cause process instability or termination by sending unauthenticated requests with varying query-string keys to the webhook endpoint.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade openclaw to version 2026.3.1 or higher.

    <2026.3.1
    • H
    Missing Authorization

    Affected versions of this package are vulnerable to Missing Authorization through an authorization mismatch in the agent. An attacker can perform privileged control-plane actions beyond their intended write scope by invoking owner-only tool surfaces such as gateway and cron with write-scope agent runs.

    How to fix Missing Authorization?

    Upgrade openclaw to version 2026.3.1 or higher.

    <2026.3.1
    • H
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization in the allow-always wrapper in security=allowlist mode. An attacker can execute arbitrary commands without further approval by exploiting persistent wrapper-level allowlist entries that bypass intended authorization boundaries on subsequent invocations.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.2.22 or higher.

    <2026.2.22
    • L
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization in the group allowlist authorization. An attacker can gain unauthorized access to group communications by leveraging DM pairing-store approvals to bypass explicit group allowlist checks.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.2.26 or higher.

    <2026.2.26
    • M
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization in approval-enabled host=node workflows. An attacker can bypass intended approval integrity by reusing a previously approved request with altered environment input, potentially leading to unauthorized command execution or manipulation.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.2.26 or higher.

    <2026.2.26
    • H
    Allocation of Resources Without Limits or Throttling

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in media-stream WebSocket upgrades. An attacker can exhaust server resources by establishing multiple unauthenticated pre-start socket connections and keeping them open without validation.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade openclaw to version 2026.2.22 or higher.

    <2026.2.22
    • H
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization in the system.run command resolution. An attacker can execute unauthorized commands on a trusted Windows node by submitting a benign command for approval and then appending malicious trailing arguments to the cmd.exe /c invocation, resulting in a mismatch between the approved/audited command text and the actual executed command.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.2.21 or higher.

    <2026.2.21
    • M
    Allocation of Resources Without Limits or Throttling

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in handling inbound media downloads across multiple channels, where configured byte limits are not consistently enforced before buffering remote media. An attacker can cause elevated memory usage and potential process instability by sending oversized media payloads.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade openclaw to version 2026.2.22 or higher.

    <2026.2.22
    • H
    Time-of-check Time-of-use (TOCTOU) Race Condition

    Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via the media attachment handling. An attacker can access files outside the intended sandbox boundary by exploiting a race condition between path validation and file read operations, such as by retargeting a symlink between the check and use steps.

    How to fix Time-of-check Time-of-use (TOCTOU) Race Condition?

    Upgrade openclaw to version 2026.3.1 or higher.

    <2026.3.1
    • M
    Interpretation Conflict

    Affected versions of this package are vulnerable to Interpretation Conflict via the platform or deviceFamily metadata fields. An attacker can expand node command availability beyond intended defaults by supplying Unicode-confusable values that pass metadata pinning but are classified differently during policy resolution.

    How to fix Interpretation Conflict?

    Upgrade openclaw to version 2026.3.1 or higher.

    <2026.3.1
    • H
    Time-of-check Time-of-use (TOCTOU) Race Condition

    Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via the writeFileWithinRoot function. An attacker can create or truncate files outside the intended root directory by exploiting a race condition between symlink resolution and file write operations.

    How to fix Time-of-check Time-of-use (TOCTOU) Race Condition?

    Upgrade openclaw to version 2026.3.1 or higher.

    <2026.3.1
    • M
    Multiple Releases of Same Resource or Handle

    Affected versions of this package are vulnerable to Multiple Releases of Same Resource or Handle via the applySkillConfigEnvOverrides function. An attacker can inject dangerous environment variables into the host process by modifying local configuration files to set arbitrary skill environment values. This is only exploitable if an attacker has write access to the application's local configuration files.

    How to fix Multiple Releases of Same Resource or Handle?

    Upgrade openclaw to version 2026.2.21 or higher.

    <2026.2.21
    • M
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization via the resolvePermissionRequest, resolveToolNameForPermission, and shouldAutoApproveToolCall functions. An attacker can gain unauthorized access to resources by crafting tool calls with spoofed metadata or non-core read-like names that bypass interactive approval prompts.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.2.23-beta.1 or higher.

    <2026.2.23-beta.1
    • H
    Incomplete List of Disallowed Inputs

    Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the tools.exec.safeBins validation when validating options for sort. An attacker can execute unauthorized commands by supplying GNU long-option abbreviations (such as --compress-prog) that bypass the intended approval mechanism.

    Note: This is exploitable only if all of these conditions are present: tools.exec.security=allowlist, tools.exec.ask=on-miss.

    How to fix Incomplete List of Disallowed Inputs?

    Upgrade openclaw to version 2026.2.23 or higher.

    <2026.2.23