openclaw 2026.3.11-beta.1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the openclaw package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
C Command Injection openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Command Injection via the remote attachment staging process. An attacker can execute arbitrary commands on the configured remote host by supplying a crafted iMessage attachment filename containing shell metacharacters when remote attachment staging is enabled. How to fix Command Injection? Upgrade `openclaw` to version 2026.3.13-beta.1 or higher.	<2026.3.13-beta.1
H Denial of Service (DoS) openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Denial of Service (DoS) through the Telegram webhook request handling process. An attacker can cause excessive resource consumption by sending unauthenticated requests with large bodies, leading the server to perform unnecessary memory allocation, socket usage, and JSON parsing before authentication is enforced. How to fix Denial of Service (DoS)? Upgrade `openclaw` to version 2026.3.13-beta.1 or higher.	<2026.3.13-beta.1
H Improper Privilege Management openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Improper Privilege Management. An attacker can gain unauthorized privileges by replaying a valid setup code before approval, allowing escalation of pending device pairing scopes. How to fix Improper Privilege Management? Upgrade `openclaw` to version 2026.3.13-beta.1 or higher.	<2026.3.13-beta.1
M Insertion of Sensitive Information into Log File openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the `fetchRemoteMedia` function. An attacker can obtain sensitive bot tokens by triggering Telegram media fetch errors that cause the original file URLs, containing the tokens, to be included in error messages and subsequently logged or displayed. How to fix Insertion of Sensitive Information into Log File? Upgrade `openclaw` to version 2026.3.13-beta.1 or higher.	<2026.3.13-beta.1
M Permissive Regular Expression openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Permissive Regular Expression via the `matchesExecAllowlistPattern` function. An attacker can bypass intended command or executable path restrictions by crafting paths that exploit overly broad pattern matching, including the use of wildcards that cross POSIX path segments. How to fix Permissive Regular Expression? Upgrade `openclaw` to version 2026.3.12 or higher.	<2026.3.12
M Insertion of Sensitive Information into Log File openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the pairing setup. An attacker can gain unauthorized access to long-lived shared gateway credentials by obtaining a leaked setup code from chat history, logs, screenshots, or copied QR payloads. How to fix Insertion of Sensitive Information into Log File? Upgrade `openclaw` to version 2026.3.12 or higher.	<2026.3.12
H Unsafe Dependency Resolution openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the automatic plugin discovery in `.openclaw/extensions/`. An attacker can execute arbitrary code by including a malicious plugin in a cloned repository, which is loaded automatically when the application is run from that directory. How to fix Unsafe Dependency Resolution? Upgrade `openclaw` to version 2026.3.12 or higher.	<2026.3.12
M Incorrect Authorization openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization in the `session_status`. An attacker can access or modify session data belonging to other sandboxes by supplying another session's `sessionKey`. This may allow unauthorized reading or modification of session state outside the intended sandbox boundary. How to fix Incorrect Authorization? Upgrade `openclaw` to version 2026.3.12 or higher.	<2026.3.12
H Incorrect Authorization openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization via insufficient access control in the command handler. An attacker can gain unauthorized access to privileged configuration and debugging interfaces by sending commands as a non-owner user. How to fix Incorrect Authorization? Upgrade `openclaw` to version 2026.3.12 or higher.	<2026.3.12
H Directory Traversal openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Directory Traversal via the `agent` RPC. An attacker can execute arbitrary commands and access files outside the intended workspace boundary by supplying crafted `spawnedBy` and `workspaceDir` values to the gateway RPC. How to fix Directory Traversal? Upgrade `openclaw` to version 2026.3.11 or higher.	<2026.3.11
H Incorrect Authorization openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization via the `browser.request`. An attacker can modify or create browser profiles and persist unauthorized configuration changes by sending crafted requests to profile management routes, even without elevated administrative privileges. How to fix Incorrect Authorization? Upgrade `openclaw` to version 2026.3.12 or higher.	<2026.3.12
H Improper Verification of Cryptographic Signature openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the webhook event validation. An attacker can inject forged events and impersonate legitimate senders by submitting crafted requests to the webhook endpoint. This may result in unauthorized actions being triggered in downstream systems. How to fix Improper Verification of Cryptographic Signature? Upgrade `openclaw` to version 2026.3.12 or higher.	<2026.3.12
M Missing Authorization openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authorization via the WebSocket connection. An attacker can gain unauthorized access to elevated gateway operations by presenting client-declared scopes that are not properly bound to a device identity or trusted path. How to fix Missing Authorization? Upgrade `openclaw` to version 2026.3.12 or higher.	<2026.3.12
M Incorrect Authorization openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization in the Discord reaction ingestion for guild channels. An attacker can gain unauthorized access to restricted session events by sending reaction events from a non-allowlisted guild member. How to fix Incorrect Authorization? Upgrade `openclaw` to version 2026.3.11 or higher.	<2026.3.11
M Time-of-check Time-of-use (TOCTOU) Race Condition openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition through the `writeFile` commit path. An attacker can cause files to be written outside the intended sandbox path by exploiting a race condition between path validation and the final file move operation. How to fix Time-of-check Time-of-use (TOCTOU) Race Condition? Upgrade `openclaw` to version 2026.3.11 or higher.	<2026.3.11
H Authorization Bypass Through User-Controlled Key openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key through improper authorization in the `subagents` control. An attacker can gain unauthorized access to sibling session controls by issuing control requests that are resolved against the parent requester scope, allowing them to steer or terminate sibling runs and potentially escalate privileges or disrupt operations across sandbox boundaries. How to fix Authorization Bypass Through User-Controlled Key? Upgrade `openclaw` to version 2026.3.11 or higher.	<2026.3.11
H Incorrect Authorization openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization via the `system.run`. An attacker can execute unauthorized local code by obtaining approval for a benign script-runner command, then rewriting the referenced script on disk before execution, causing the modified code to run under the approved context. How to fix Incorrect Authorization? Upgrade `openclaw` to version 2026.3.11 or higher.	<2026.3.11
H Missing Authorization openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authorization through the `configWrites` authorization. An attacker can modify protected configuration data of sibling accounts by issuing channel commands that target accounts with restricted write permissions. How to fix Missing Authorization? Upgrade `openclaw` to version 2026.3.11 or higher.	<2026.3.11
M Time-of-check Time-of-use (TOCTOU) Race Condition openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition through the handling of temporary file creation and population in the sandboxed file system bridge. An attacker can write arbitrary data outside the intended validated directory by exploiting a race condition in parent-path aliasing before the final guarded replace step. How to fix Time-of-check Time-of-use (TOCTOU) Race Condition? Upgrade `openclaw` to version 2026.3.11 or higher.	<2026.3.11
H Time-of-check Time-of-use (TOCTOU) Race Condition openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via the `system.run` process. An attacker can execute unintended local code as the runtime user by modifying an approved local script after approval but before execution. How to fix Time-of-check Time-of-use (TOCTOU) Race Condition? Upgrade `openclaw` to version 2026.3.11 or higher.	<2026.3.11
L Not Failing Securely ('Failing Open') openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Not Failing Securely ('Failing Open') in the credential resolution process. An attacker can access unintended remote credentials by configuring local authentication SecretRefs that are unavailable, causing the system to fall back to remote credential sources instead of failing as expected. How to fix Not Failing Securely ('Failing Open')? Upgrade `openclaw` to version 2026.3.11 or higher.	<2026.3.11
H Origin Validation Error openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Origin Validation Error in the WebSocket connections when `gateway.auth.mode` is set to `trusted-proxy` and proxy headers are present. An attacker can gain unauthorized privileged access by establishing a cross-site WebSocket connection from an untrusted origin through a trusted reverse proxy, allowing the execution of privileged Gateway methods and exposure of sensitive configuration. This is only exploitable if the deployment exposes the Gateway behind a trusted reverse proxy and relies on browser origin checks to restrict access. How to fix Origin Validation Error? Upgrade `openclaw` to version 2026.3.11 or higher.	<2026.3.11

Vulnerability

Vulnerable Version

Command Injection