openclaw@2026.3.1-beta.1 vulnerabilities

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Symlink Attack via the stageSandboxMedia process. An attacker can overwrite arbitrary files outside the intended workspace by staging media files to a destination path containing a symlink that points outside the sandbox boundary.

Upgrade openclaw to version 2026.3.2-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) in the skills-install-download process when handling .tar.bz2 archives due to bypassed archive safety parity checks. An attacker can cause local resource exhaustion and impact system availability by submitting specially crafted .tar.bz2 archives during skill installation.

Upgrade openclaw to version 2026.3.2-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the writeUrlToFile function. An attacker can access internal network resources or perform unauthorized network requests by supplying crafted URLs in the payload fields processed by paired nodes.

Upgrade openclaw to version 2026.3.2-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization in the agentCommand process when the senderIsOwner parameter is omitted, causing it to default to true. An attacker can gain unauthorized access to owner-only tools by participating as a non-owner in the same Discord voice channel and triggering the voice transcript flow.

Upgrade openclaw to version 2026.3.2 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the web_fetch process when environment proxy variables are configured. An attacker can access internal or private network resources by supplying attacker-controlled URLs that are routed through proxy behavior instead of strict DNS-pinned routing. This is only exploitable if environment proxy variables such as HTTP_PROXY, HTTPS_PROXY, or ALL_PROXY are set for the runtime process.

A fix was pushed into the master branch but not yet published.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via improper validation of file paths in browser output handling. An attacker can write files outside of intended directory boundaries by exploiting insufficient path confinement checks.

Upgrade openclaw to version 2026.3.2-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the route classification process. An attacker can gain unauthorized access to protected API endpoints by submitting requests with deeply encoded alternate path representations that bypass authentication checks.

Upgrade openclaw to version 2026.3.2-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via the ZIP extraction process. An attacker can cause files to be written outside the intended extraction directory by exploiting a race condition involving a parent-directory symlink rebind between path validation and file write.

Upgrade openclaw to version 2026.3.2-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Privilege Assignment via the sessions_spawn process when using runtime="acp" in a sandboxed environment. An attacker can gain unauthorized access to host-side ACP initialization by bypassing sandbox inheritance checks.

Upgrade openclaw to version 2026.3.2-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the web_search citation redirect. An attacker can access internal network resources by supplying a crafted citation redirect target that points to loopback, private, or internal destinations, causing the host to initiate unauthorized requests.

Upgrade openclaw to version 2026.3.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Untrusted Search Path via the system.run execution. An attacker can execute an unintended or malicious executable by altering the PATH resolution after approval, causing a different binary to be run than the one originally approved.

Upgrade openclaw to version 2026.3.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Access Control Bypass in the sessions_spawn sandboxed session. An attacker can bypass intended sandbox restrictions by spawning a child process under an agent with sandboxing disabled, resulting in reduced runtime confinement.

Upgrade openclaw to version 2026.3.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization in the stop triggers and /models command. An attacker can disrupt active sessions and access sensitive model or authentication metadata by sending unauthorized requests to these command paths.

Upgrade openclaw to version 2026.3.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the Zalo webhook. An attacker can exhaust system memory and cause process instability or termination by sending unauthenticated requests with varying query-string keys to the webhook endpoint.

Upgrade openclaw to version 2026.3.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Missing Authorization through an authorization mismatch in the agent. An attacker can perform privileged control-plane actions beyond their intended write scope by invoking owner-only tool surfaces such as gateway and cron with write-scope agent runs.

Upgrade openclaw to version 2026.3.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Command Injection in the wrapper resolution. An attacker can execute arbitrary commands by influencing the current working directory during wrapper resolution for .cmd or .bat files on Windows ACPX paths.

Upgrade openclaw to version 2026.3.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via the media attachment handling. An attacker can access files outside the intended sandbox boundary by exploiting a race condition between path validation and file read operations, such as by retargeting a symlink between the check and use steps.

Upgrade openclaw to version 2026.3.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Interpretation Conflict via the platform or deviceFamily metadata fields. An attacker can expand node command availability beyond intended defaults by supplying Unicode-confusable values that pass metadata pinning but are classified differently during policy resolution.

Upgrade openclaw to version 2026.3.1 or higher.