openclaw@2026.2.22 vulnerabilities

Multi-channel AI gateway with extensible messaging integrations

  • latest version

    2026.3.2

  • latest non vulnerable version

  • first published

    1 month ago

  • latest version published

    16 hours ago

  • licenses detected

    • >=2026.1.29-beta.1
  • Direct Vulnerabilities

    Known vulnerabilities in the openclaw package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable Version
    • C (Critical): Symlink Attack

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Symlink Attack via the agents.files.get and agents.files.set methods. An attacker can access or modify files outside the intended workspace by exploiting symlink traversal, potentially leading to unauthorized file read or write operations within the permissions of the gateway process. This may result in further compromise, including the possibility of executing arbitrary code, depending on which files are targeted.

    How to fix Symlink Attack?

    Upgrade openclaw to version 2026.2.25 or higher.

    Vulnerable versions: <2026.2.25
    • M (Medium): Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization in the exec.approval requests. An attacker can gain unauthorized access to execute actions on unintended nodes by replaying approval requests across different nodes within the same operator-controlled gateway fleet.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.2.23 or higher.

    Vulnerable versions: <2026.2.23
    • M (Medium): Symlink Attack

    Affected versions of this package are vulnerable to Symlink Attack in the handling of browser trace and download output paths, specifically when processing temporary output. An attacker can overwrite arbitrary files by exploiting symlink traversal in the output path configuration.

    How to fix Symlink Attack?

    Upgrade openclaw to version 2026.2.25 or higher.

    Vulnerable versions: <2026.2.25
    • M (Medium): Protection Mechanism Failure

    Affected versions of this package are vulnerable to Protection Mechanism Failure through improper validation of the docker.network configuration parameter. An attacker can gain unauthorized access to internal network resources by specifying network=container:<id> and joining another container's network namespace.

    How to fix Protection Mechanism Failure?

    Upgrade openclaw to version 2026.2.24 or higher.

    Vulnerable versions: <2026.2.24
    • H (High): Time-of-check Time-of-use (TOCTOU) Race Condition

    Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition in the host=node executions. An attacker can execute commands from an unintended filesystem location by rebinding a writable parent symlink in cwd between approval and execution, thereby bypassing intended approval context.

    How to fix Time-of-check Time-of-use (TOCTOU) Race Condition?

    Upgrade openclaw to version 2026.2.26 or higher.

    Vulnerable versions: <2026.2.26
    • H (High): Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization via the system.run approvals. An attacker can cause execution of an unintended binary by crafting a command with a trailing space in the executable token and obtaining or reusing a matching approval context, leading to execution of a different binary than what was displayed to the approver.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.2.25 or higher.

    Vulnerable versions: <2026.2.25
    • H (High): Directory Traversal

    Affected versions of this package are vulnerable to Directory Traversal via the sendAttachment and setGroupIcon message actions when sandboxRoot is unset. An attacker can read arbitrary files accessible to the runtime user by triggering authorized message-action paths that hydrate media from local absolute paths, bypassing intended local media root checks.

    How to fix Directory Traversal?

    Upgrade openclaw to version 2026.2.24 or higher.

    Vulnerable versions: <2026.2.24
    • M (Medium): Off-by-one Error

    Affected versions of this package are vulnerable to Off-by-one Error in the allowlist mode. An attacker can execute unintended commands by bypassing operator safety controls using specially crafted input to env -S when /usr/bin/env is allowlisted. This can result in a mismatch between policy analysis and runtime execution, potentially enabling shell-wrapper payloads to be executed.

    How to fix Off-by-one Error?

    Upgrade openclaw to version 2026.2.23 or higher.

    Vulnerable versions: <2026.2.23
    • H (High): Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization via the paired node device reconnect. An attacker can gain unauthorized access to restricted commands by spoofing the platform or deviceFamily metadata during a reconnect attempt. This is only exploitable if the attacker already possesses a paired node identity on the trusted network and the node command policy differs by platform.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.2.26 or higher.

    Vulnerable versions: <2026.2.26
    • M (Medium): Insertion of Sensitive Information Into Sent Data

    Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the OAuth onboarding process in the macOS beta application, where the PKCE code_verifier was exposed as the OAuth state in the URL. An attacker can obtain sensitive authentication information by intercepting the front-channel URL during the onboarding flow.

    How to fix Insertion of Sensitive Information Into Sent Data?

    Upgrade openclaw to version 2026.2.25 or higher.

    Vulnerable versions: <2026.2.25
    • M (Medium): Access Control Bypass

    Affected versions of this package are vulnerable to Access Control Bypass in the sessions_spawn sandboxed session. An attacker can bypass intended sandbox restrictions by spawning a child process under an agent with sandboxing disabled, resulting in reduced runtime confinement.

    How to fix Access Control Bypass?

    Upgrade openclaw to version 2026.3.1 or higher.

    Vulnerable versions: <2026.3.1
    • M (Medium): Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization in the stop triggers and /models command. An attacker can disrupt active sessions and access sensitive model or authentication metadata by sending unauthorized requests to these command paths.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.3.1 or higher.

    Vulnerable versions: <2026.3.1
    • M (Medium): Allocation of Resources Without Limits or Throttling

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the Zalo webhook. An attacker can exhaust system memory and cause process instability or termination by sending unauthenticated requests with varying query-string keys to the webhook endpoint.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade openclaw to version 2026.3.1 or higher.

    Vulnerable versions: <2026.3.1
    • H (High): Missing Authorization

    Affected versions of this package are vulnerable to Missing Authorization through an authorization mismatch in the agent. An attacker can perform privileged control-plane actions beyond their intended write scope by invoking owner-only tool surfaces such as gateway and cron with write-scope agent runs.

    How to fix Missing Authorization?

    Upgrade openclaw to version 2026.3.1 or higher.

    Vulnerable versions: <2026.3.1
    • L (Low): Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization in the group allowlist authorization. An attacker can gain unauthorized access to group communications by leveraging DM pairing-store approvals to bypass explicit group allowlist checks.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.2.26 or higher.

    Vulnerable versions: <2026.2.26
    • M (Medium): Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization in the approval-enabled host=node workflows. An attacker can bypass intended approval integrity by reusing a previously approved request with altered environment input, potentially leading to unauthorized command execution or manipulation.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.2.26 or higher.

    Vulnerable versions: <2026.2.26
    • H (High): Time-of-check Time-of-use (TOCTOU) Race Condition

    Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via the media attachment handling. An attacker can access files outside the intended sandbox boundary by exploiting a race condition between path validation and file read operations, such as by retargeting a symlink between the check and use steps.

    How to fix Time-of-check Time-of-use (TOCTOU) Race Condition?

    Upgrade openclaw to version 2026.3.1 or higher.

    Vulnerable versions: <2026.3.1
    • M (Medium): Interpretation Conflict

    Affected versions of this package are vulnerable to Interpretation Conflict via the platform or deviceFamily metadata fields. An attacker can expand node command availability beyond intended defaults by supplying Unicode-confusable values that pass metadata pinning but are classified differently during policy resolution.

    How to fix Interpretation Conflict?

    Upgrade openclaw to version 2026.3.1 or higher.

    Vulnerable versions: <2026.3.1
    • H (High): Time-of-check Time-of-use (TOCTOU) Race Condition

    Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via the writeFileWithinRoot function. An attacker can create or truncate files outside the intended root directory by exploiting a race condition between symlink resolution and file write operations.

    How to fix Time-of-check Time-of-use (TOCTOU) Race Condition?

    Upgrade openclaw to version 2026.3.1 or higher.

    Vulnerable versions: <2026.3.1
    • M (Medium): Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization via the resolvePermissionRequest, resolveToolNameForPermission, and shouldAutoApproveToolCall functions. An attacker can gain unauthorized access to resources by crafting tool calls with spoofed metadata or non-core read-like names that bypass interactive approval prompts.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.2.23-beta.1 or higher.

    Vulnerable versions: <2026.2.23-beta.1
    • H (High): Incomplete List of Disallowed Inputs

    Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the tools.exec.safeBins validation when validating options for sort. An attacker can execute unauthorized commands by supplying GNU long-option abbreviations (such as --compress-prog) that bypass the intended approval mechanism.

    Note: This is exploitable only if all of these conditions are present: tools.exec.security=allowlist, tools.exec.ask=on-miss.

    How to fix Incomplete List of Disallowed Inputs?

    Upgrade openclaw to version 2026.2.23 or higher.

    Vulnerable versions: <2026.2.23