openclaw@2026.3.28

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Directory Traversal via the mirror mode process. An attacker can delete arbitrary remote directories by manipulating the remoteWorkspaceDir and remoteAgentWorkspaceDir configuration values during mirror sync operations.

Upgrade openclaw to version 2026.4.2 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Directory Traversal via the webchat audio embedding process. An attacker can access and exfiltrate arbitrary local audio-like files readable by the gateway process by influencing the ReplyPayload.mediaUrl to reference absolute local paths or file: URLs, which are then base64-encoded and returned in the webchat media response. This is only exploitable if the targeted file is readable by the gateway process, has an audio-like extension, and fits within the webchat audio size cap.

Upgrade openclaw to version 2026.4.15-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the uploadC2CMedia or uploadGroupMedia process. An attacker can cause the application to make unintended outbound requests to attacker-controlled URLs by supplying crafted image URLs during direct media upload.

Upgrade openclaw to version 2026.4.20-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Missing Authorization via the policy enforcement process. An attacker can gain unauthorized access to restricted tools by leveraging bundled MCP or LSP tools that bypass configured tool policies. This is only exploitable if a bundled MCP or LSP tool source is configured and an operator policy is set to restrict that tool.

Upgrade openclaw to version 2026.4.19-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity via the cron process. An attacker can cause untrusted events to be labeled as trusted system events by triggering isolated cron agent runs through webhooks, which may lead to misleading trust attribution in the awareness stream.

Upgrade openclaw to version 2026.4.19-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the process that loads environment variables from workspace configuration. An attacker can execute arbitrary code with the privileges of the operator by supplying malicious environment variables such as NODE_OPTIONS, LD_PRELOAD, or BASH_ENV in the workspace configuration. This is only exploitable if the operator runs the application in a workspace containing a malicious MCP configuration.

Upgrade openclaw to version 2026.4.20-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the sessionKey process. An attacker can gain unauthorized access to webhook routing by supplying externally influenced session keys through templated hook mappings, even when request-supplied session keys are disabled.

Upgrade openclaw to version 2026.4.20-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization through the Feishu card-action callback process. An attacker can bypass intended policy restrictions by crafting a card-action event that misclassifies direct messages as group conversations, thereby avoiding enforcement of dmPolicy.

Upgrade openclaw to version 2026.4.19-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the browser profile creation process. An attacker can cause unauthorized requests to internal network resources by storing a profile with a cdpUrl pointing to a private-network or metadata endpoint, which may later be accessed during normal profile status checks. This is only exploitable if strict-mode SSRF protections are enabled and private-network CDP targets are explicitly disabled.

Upgrade openclaw to version 2026.4.19-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the environment variable loading process. An attacker can influence trusted runtime behavior by setting specially crafted OPENCLAW_ variables in a workspace, which are then loaded and override runtime-control environment variables when the application is executed. This is only exploitable if the application is run from an attacker-controlled workspace.

Upgrade openclaw to version 2026.4.20-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Insufficient Granularity of Access Control via insufficient access control in the gateway config.patch and config.apply processes. An attacker can modify protected operator settings by leveraging a prompt-injected model with access to the owner-only gateway tool. This is only exploitable if a model with prompt injection capability is granted access to the owner-only gateway configuration tool.

Upgrade openclaw to version 2026.4.20-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Origin Validation Error via the Slack thread context. An attacker can inject unauthorized messages into the agent context by replying to allowlisted users in Slack threads, thereby bypassing sender access controls and manipulating the model's context.

Upgrade openclaw to version 2026.4.2 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization in the paired-device pairing management process. An attacker can gain unauthorized access to approve or operate on unrelated pending device requests by leveraging paired-device access within the same gateway scope.

Upgrade openclaw to version 2026.4.20 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization via the assistant-media route. An attacker can access protected media files and metadata by bypassing HTTP authentication path scope validation.

Upgrade openclaw to version 2026.4.20 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the Nostr DM ingress path. An attacker can cause unauthorized pairing challenges to be issued and consume shared pairing capacity by sending forged direct messages before event signature validation.

Upgrade openclaw to version 2026.3.31 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Cleartext Transmission of Sensitive Information via the ws:// gateway endpoint. An attacker can intercept sensitive information by redirecting clients to malicious endpoints or forging discovery results, causing credentials to be transmitted in cleartext over unencrypted connections.

Upgrade openclaw to version 2026.4.2 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Unsafe Dependency Resolution in the authentication setup. An attacker can cause untrusted workspace plugins to be auto-enabled by leveraging non-interactive onboarding that selects a provider authentication choice shadowed by an untrusted plugin.

Upgrade openclaw to version 2026.4.9-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization via the operator.write message-tool. An attacker can modify persistent Matrix profile configuration without proper authorization by sending crafted requests through message-tool paths that bypass intended admin-level restrictions.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization via the exec approval binding. An attacker can bypass intended approval mechanisms and execute unauthorized applets or scripts by leveraging opaque multi-call binaries such as busybox and toybox, which obscure the actual operation being performed.

Upgrade openclaw to version 2026.4.12 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the webSocketDebuggerUrl field in the /json/version response. An attacker can cause the application to initiate connections to arbitrary, potentially malicious hosts by manipulating this field, potentially leading to unauthorized network access or data exposure.

Upgrade openclaw to version 2026.4.5 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer in the sourceConfig and runtimeConfig alias fields, which were not properly redacted. An attacker can obtain sensitive secrets, such as provider API keys, gateway authentication material, and channel credentials, by accessing these unredacted alias fields.

Note: This is only exploitable if the attacker is an authenticated gateway client with configuration read access.

Upgrade openclaw to version 2026.4.14-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Command Injection via improper handling of environment variable assignments in argv forms during shell-wrapper detection. An attacker can execute arbitrary commands by injecting specially crafted environment variable assignments into the argument vector.

Upgrade openclaw to version 2026.4.12 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs due to insufficient filtering of high-risk interpreter startup environment variables in the execution environment policy. An attacker can influence downstream execution or network behavior by supplying crafted environment variables.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to DNS Rebinding via improper hostname validation in the browser navigation policy. An attacker can access internal network resources or sensitive endpoints by exploiting DNS rebinding techniques to bypass hostname restrictions.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Missing Authorization in the channel setup. An attacker can gain unauthorized access to privileged plugin functionality by introducing untrusted workspace plugin shadows that are resolved before trusted bundled plugins.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization via improper validation of the outPath parameter in the screen recording. An attacker can write files outside the intended workspace boundary by specifying a path that bypasses the workspace-only filesystem guard.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization when handling collect-mode queue batches, where messages from different senders could be processed together using the authorization context of the final sender. An attacker can gain unauthorized access to actions or data by sending messages that are subsequently processed with elevated privileges inherited from another sender.

Upgrade openclaw to version 2026.4.14-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to External Control of System or Configuration Setting via the loading of workspace .env files. An attacker can manipulate runtime-control variables by crafting a malicious .env file that sets environment variables affecting update sources, gateway URLs, ClawHub resolution, browser executable paths, and related behaviors.

Upgrade openclaw to version 2026.4.9-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Missing Authorization in the approval authorization. An attacker can gain unauthorized approval rights by exploiting empty approver lists, allowing them to resolve pending approvals if they know an approval id.

Upgrade openclaw to version 2026.4.12 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in the agent hook event processing. An attacker can escalate privileges by supplying crafted external input that is treated as trusted system events.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Binding to an Unrestricted IP Address via the CDP relay. An attacker can gain unauthorized access to the Chrome DevTools Protocol by connecting from outside the intended local or sandboxed network range.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the sandbox noVNC helper route. An attacker can gain unauthorized access to interactive browser session credentials by bypassing bridge authentication.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization through the operator.write configuration. An attacker can modify and persist unauthorized profile configurations by sending crafted HTTP requests to affected endpoints without requiring administrative privileges.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Directory Traversal via the outbound media handling. An attacker can access arbitrary local files by referencing host-local paths outside the intended media storage boundary in reply text.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Use of a Key Past its Expiration Date due to the reuse of a previously resolved bearer authentication configuration in the gateway after a SecretRef rotation. An attacker can maintain unauthorized access by continuing to use an old bearer token that should have been invalidated.

Upgrade openclaw to version 2026.4.15-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via the validateScriptFileForShellBleed() function. An attacker can cause the preflight analysis to inspect a different file than the one that passed the initial workspace boundary check by racing a replacement of the target file after validation but before it is read.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the environment variable handling process. An attacker can influence Git operations by setting specific environment variables before execution.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization via the device.token.rotate function. An attacker can obtain unauthorized access to roles or scopes by rotating device tokens without the required pairing approval.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Access Control Bypass due to missing owner-only enforcement in the /allowlist process for cross-channel allowlist writes. An attacker can perform unauthorized modifications to allowlists in other channels by sending crafted requests as an authorized non-owner user.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity via the fetchWithSsrFGuard function. An attacker can cause unsafe request bodies or headers to be resent across cross-origin redirects by manipulating redirect responses.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource via the upload_file or upload_image process. An attacker can access files outside the intended workspace directory by uploading specially crafted docx blocks.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization via the node.invoke process. An attacker can alter persistent browser profiles by invoking browser.proxy to bypass the intended profile-mutation guard.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Insufficient Session Expiration due to the resolvedAuth process becoming outdated after a configuration reload. An attacker can maintain unauthorized access by leveraging stale authentication state in newly accepted gateway connections.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Missing Support for Integrity Check through the download process. An attacker can cause unauthorized or malicious plugin archives to be installed by providing tampered or unverified files during the download process.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Command Injection via the host-exec process. An attacker can execute arbitrary commands by injecting environment variables that influence interpreters, shells, or build tools.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Insufficient Session Expiration due to the failure to terminate existing WebSocket sessions upon shared gateway token rotation. An attacker can maintain unauthorized access to an active session by continuing to use a previously valid shared token after it has been rotated.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Exposure of Resource to Wrong Sphere in the handling of shared reply MEDIA references, where paths are treated as trusted. An attacker can cause unauthorized access to local files by crafting a shared reply MEDIA reference that triggers another channel to read a local file path as trusted generated media.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to missing pre-allocation size checks in the base64 decoding process. An attacker can cause excessive memory allocation by providing specially crafted input data.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Trust Boundary Violation via the wake process. An attacker can inject unauthorized payloads into the trusted System: prompt channel by sending authenticated /hooks/wake or mapped wake payloads.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Trust Boundary Violation via the process handling background runtime output injection into trusted System: events. An attacker can escalate privileges or inject unauthorized commands by promoting lower-trust output into trusted event streams, potentially leading to prompt-injection in subsequent agent operations.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the media download process. An attacker can access internal network resources by sending crafted requests to the affected media fetch endpoints.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Improper Privilege Management in the Gateway plugin HTTP. An attacker can gain unauthorized write access by sending requests that are only intended to have read privileges, resulting in privilege escalation.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the handling of environment variables in the exec env denylist. An attacker can execute arbitrary commands by injecting malicious values into environment variables such as HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, or MAKEFLAGS that are not properly denied.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Improper Input Validation in to the strictInlineEval() function. An attacker can execute unauthorized inline evaluation commands by exploiting the approval-timeout fallback mechanism, which bypasses explicit approval requirements.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through concurrent asynchronous authentication attempts. An attacker can exhaust system resources by racing the per-key rate-limit budget, potentially leading to degraded service availability.

Upgrade openclaw to version 2026.4.5 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via improper handling of redirects in the Playwright navigation. An attacker can access internal or private network resources by crafting requests that exploit insufficient validation of redirect targets.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the Pairing Reconnect Command. An attacker can gain unauthorized access to privileged commands by reconnecting a previously paired node, thereby bypassing the intended operator or admin re-pairing requirement.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the Interaction-Triggered Navigation. An attacker can access internal resources by triggering browser interactions that bypass normal navigation checks.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Improper Privilege Management via the node.pair.approve() function being assigned to the broader operator.write scope instead of the intended operator.pairing scope. An attacker can gain unauthorized approval capabilities by exploiting insufficient privilege assignment.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Open Redirect via the fetchWithSsrFGuard function. An attacker can access sensitive request data or headers by triggering cross-origin redirects.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Arbitrary File Upload through the Tlon media downloads process. An attacker can exhaust disk resources by bypassing core size, count, and cleanup limits.

Upgrade openclaw to version 2026.3.31 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the enforcement of pending pairing-request caps per channel rather than per account. An attacker can prevent new pairing or onboarding actions for other accounts by filling the shared pending window with requests from different accounts.

Upgrade openclaw to version 2026.3.31 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the fetch process in the marketplace plugin. An attacker can access internal network resources or sensitive information by supplying crafted URLs that trigger server-side requests to arbitrary locations.

Upgrade openclaw to version 2026.3.31 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Timing Attack through the secret comparison process. An attacker can infer secret length information by measuring timing differences during comparison operations.

Upgrade openclaw to version 2026.4.2 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Improper Privilege Management in the POST /sessions/:sessionKey/kill process. An attacker can terminate active subagent sessions by sending requests with only read-scoped identity-bearing HTTP clients.

Upgrade openclaw to version 2026.4.2 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Unsafe Dependency Resolution through the channel setup process. An attacker can execute arbitrary code by introducing a malicious workspace plugin that claims a bundled channel id, allowing code execution during channel setup even if the plugin remains disabled and untrusted.

Upgrade openclaw to version 2026.4.2 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization via the session_status process. An attacker can bypass configured session visibility restrictions by invoking unsandboxed sessions, potentially accessing session information that should be hidden according to policy.

Upgrade openclaw to version 2026.3.31 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Directory Traversal via the QQ Bot media-send path. An attacker can access arbitrary files on the host filesystem by crafting structured payloads that specify file paths outside of intended media roots.

Upgrade openclaw to version 2026.4.2 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to inconsistent normalization of environment override keys between approval binding and execution time. An attacker can inject unauthorized environment variables into approved commands by exploiting this discrepancy.

Upgrade openclaw to version 2026.4.2 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Information Exposure via the connect process. An attacker can obtain sensitive host filesystem paths and deployment metadata by making authenticated requests as a non-admin client.

Upgrade openclaw to version 2026.4.2 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization through the approval process for local scripts in pnpm dlx. An attacker can execute unauthorized or modified scripts by replacing an approved local script after approval but before execution.

Upgrade openclaw to version 2026.4.2 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Improper Input Validation via the CDP discovery process. An attacker can redirect authenticated browser control to a localhost-resolving endpoint by crafting a discovery response with a trailing-dot localhost host, thereby bypassing loopback-host normalization and potentially exposing sensitive browser state.

Upgrade openclaw to version 2026.4.2 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the exec allowlist component. An attacker can execute unauthorized scripts by leveraging shell init-file options such as --rcfile, --init-file, or --startup-file to load attacker-controlled initialization files before the approved script is executed.

Note:

This is only exploitable if exec allowlist or allow-always behavior is enabled and the attacker can influence the shell-wrapper command to use init-file options.

Upgrade openclaw to version 2026.3.31 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs through the validateScriptFileForShellBleed process. An attacker can execute unauthorized script content by crafting piped, substituted, or subshell commands that bypass validation checks.

Upgrade openclaw to version 2026.4.2 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the LINE webhook handler process. An attacker can cause transient availability loss by sending a high volume of unauthenticated requests before signature verification, overwhelming the handler due to the absence of a shared pre-auth concurrency budget.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization in the Graph API process. An attacker can access message thread history that should be restricted by sender allowlists by querying the API directly, potentially exposing information to unauthorized users.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to UNIX Symbolic Link (Symlink) Following in the tar upload process. An attacker can overwrite arbitrary files on the remote host by uploading a tar archive containing symlinks that are followed during extraction.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer via the process.env variable being passed unsanitized to child processes. An attacker can influence the environment of spawned child processes by injecting malicious environment variables, potentially leading to unintended behavior or information disclosure. This is only exploitable if SSH environment variable forwarding is enabled in the SSH configuration.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the fetch function in the Marketplace Plugin Download process. An attacker can access internal network resources or sensitive endpoints by supplying crafted URLs to the affected process.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions due to the plugin installation process. An attacker can bypass intended security restrictions by exploiting a failure in the security scan, allowing installation of potentially untrusted plugins when the scan does not block the process as expected. This is only exploitable if an operator chooses to proceed with the installation despite a visible scan failure.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization in the heartbeat process. An attacker can gain unauthorized access to restricted resources by exploiting context inheritance to bypass sandbox restrictions through sender privilege escalation.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization in the process that fetches quoted, root, or thread context messages, which bypasses the sender allowlist. An attacker can access message content from unauthorized senders by exploiting the lack of proper sender validation in this process.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Replay Attack in the callback process. An attacker can alter the origin of a Plivo callback before it is rejected by replaying a captured valid callback for a live call.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the PIP_INDEX_URL and UV_INDEX_URL environment variables, which bypass host execution environment sanitization and redirect Python package-index traffic. An attacker can manipulate package index sources by setting these environment variables during package management operations.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to External Control of System or Configuration Setting via the handling of the .env configuration file, which allows the override of the OPENCLAW_BUNDLED_HOOKS_DIR environment variable. An attacker can execute arbitrary code by placing a malicious .env file in the workspace that points to attacker-controlled hook code.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization in the process that fetches thread root and reply context, which bypasses the sender allowlist. An attacker can gain unauthorized access to message threads by exploiting this bypass.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Information Exposure in the config.get process. An attacker can obtain sensitive plaintext signing keys by accessing configuration views that expose the secret value.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Replay Attack in the replay deduplication process. An attacker can bypass intended access restrictions by reusing messageId values across authenticated sibling-target delivery paths.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Missing Authorization via unauthenticated plugin-auth HTTP routes receiving operator runtime scopes. An attacker can gain unauthorized access to privileged runtime actions by sending requests to these routes before plugin authentication is completed.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Interpretation Conflict in the startup migration process. An attacker can restore previously revoked configuration settings by leveraging the improper handling of empty-array values in the file configuration after a restart.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs due to insufficient sanitization of environment variables related to package management, registries, Docker, compilers, and TLS overrides in the host-env policy. An attacker can influence the execution environment and potentially alter build or deployment processes by injecting malicious values into these environment variables.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Use of Less Trusted Source in the diffs viewer process when proxied remote requests are incorrectly classified as loopback addresses if allowRemoteViewer is disabled. An attacker can gain unauthorized access to restricted resources by sending specially crafted proxied requests that are misidentified as originating from a trusted local source.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to External Control of System or Configuration Setting via the handling of the .env file, which can override the trusted root directory for bundled plugins. An attacker can influence the loading of untrusted plugins by providing a malicious workspace containing a crafted .env file. This is only exploitable if the attacker is able to control the workspace that is loaded.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Arbitrary File Upload via the Mirror Sync process. An attacker can escape the intended sandbox and gain unauthorized access to files outside the designated directory by exploiting unrestricted file synchronization and symlink traversal.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Insufficiently Protected Credentials via the media download process. An attacker can obtain sensitive credentials by triggering cross-origin redirects that cause Authorization headers to be forwarded to unintended destinations.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Improper Privilege Management in the handling of environment variable overrides for proxy, TLS, Docker, and Git TLS controls. An attacker can bypass intended security restrictions by executing processes in a host environment where these variables are not properly enforced.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the Discord audio preflight transcription process occurring before member authorization. An attacker can cause excessive resource consumption by sending unauthorized requests that trigger this process.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) in the HTTP operator endpoints when running in trusted-proxy mode, as browser-origin validation is not enforced. An attacker can perform unauthorized actions on behalf of authenticated users by tricking them into visiting a malicious website that issues crafted requests to the affected endpoints. This is only exploitable if the deployment uses identity-bearing trusted-proxy browser configurations rather than the shared-secret HTTP operator model.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Replay Attack via the webhook signature verification process. An attacker can bypass replay detection by submitting requests with equivalent Base64 and Base64URL-encoded signatures, causing the system to treat them as distinct and allowing replayed requests to be accepted.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Files or Directories Accessible to External Parties via the appendLocalMediaParentRoots function. An attacker can access arbitrary files and exfiltrate credentials by leveraging self-whitelisting of media parent directories, which allows unauthorized file reads on the host system.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Denial of Service (DoS) via the MS Teams webhook process. An attacker can cause resource exhaustion by sending unauthenticated requests that are parsed before proper JWT validation.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization in the node pairing process. An attacker can execute arbitrary commands on the host system by exploiting insufficient enforcement of node scope restrictions. This is only exploitable if a device-paired node is present without proper node pairing.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Uncontrolled Search Path Element via environment variable overrides of compiler binaries during approved host execution requests. An attacker can execute arbitrary code by substituting trusted compiler binaries with malicious ones. This is only exploitable if the attacker has access to submit an approved host-exec request within the existing exec trust domain.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Directory Traversal via the ACP dispatch process. An attacker can access arbitrary files on the system by supplying crafted inbound channel attachment paths that traverse outside the intended directories.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the voice-call process. An attacker can cause excessive resource consumption by sending oversized WebSocket frames before validation occurs.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization in the authentication process when using trusted-proxy authentication mode. An attacker can gain elevated privileges by exploiting incomplete scope-clearing, allowing self-declared operator scopes to persist on a real identity-bearing authentication path.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization in the Discord voice ingress process. An attacker can gain unauthorized access to voice channels by bypassing the channel-level member access allowlist.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization in the node.event process. An attacker can gain unauthorized access to gateway-side tools and execute arbitrary code by dispatching unrestricted agent requests from a paired node client.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource due to improper migration of allowFrom trust settings from the default account to all named accounts during the Telegram legacy migration process. An attacker can gain unauthorized access to named accounts by exploiting the inherited trust relationships.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization in the Discord slash and autocomplete command handling process. An attacker can gain unauthorized access to group DM channels by bypassing the allowlist restriction using native Discord slash or autocomplete commands. This is only exploitable if the attacker is an already-authorized Discord user.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the preflight process for Telegram audio transcription. An attacker can cause excessive resource or billing consumption by triggering audio transcription operations as an unauthorized sender before allowlist enforcement.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Brute Force in the authentication process. An attacker can bypass rate limiting by supplying a fake DeviceToken, allowing repeated authentication attempts without triggering shared rate limits.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Insufficient Session Expiration due to the device.token.rotate process not terminating active WebSocket sessions after credential rotation. An attacker can maintain unauthorized access to an active session by continuing to use a previously authenticated WebSocket connection even after credentials have been rotated.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation via the onboarding process. An attacker can obtain gateway credentials by leveraging a scenario where a previously discovered endpoint persists after trust is declined, and the operator accepts the prefilled endpoint during manual onboarding.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization via the Control UI bootstrap JSON process. An attacker can obtain sensitive information, such as version and assistant agent ID, by accessing the exposed payload.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the image pixel-limit guard failing to properly restrict oversized pixel counts during image processing. An attacker can exhaust system resources by submitting specially crafted image files that trigger excessive decompression.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition in the readFile process of the remote file system bridge due to a time-of-check to time-of-use (TOCTOU) race condition. An attacker can gain unauthorized access to files outside the intended sandbox by exploiting the window between the path validation and the actual file read operation.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to DNS Rebinding in the macOS wide-area discovery process. An attacker can intercept or manipulate DNS responses and exfiltrate operator credentials by presenting themselves as a trusted Tailnet peer within the same Tailnet and leveraging a CA-trusted endpoint. This is only exploitable if the attacker is on the same Tailnet, has a CA-trusted endpoint, and the user selects the malicious peer.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition in the apply_patch, remove, and mkdir operations within the sandbox workspace process. An attacker can manipulate file system state by exploiting a race condition between the time a file is checked and the time it is acted upon.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization in the process that handles Discord component interactions, which incorrectly classifies Group Direct Messages as standard Direct Messages. An attacker can cause policy or session misclassification by sending crafted component interactions in a Group DM context.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Missing Authorization in the Discord voice ingress authorization process. An attacker can gain unauthorized access to restricted voice channels by exploiting gaps in channel, name, and stale-role validation.

Upgrade openclaw to version 2026.3.31-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity via the OAuth flow, where the PKCE verifier is reused as the OAuth state value and reflected back in the redirect URL. An attacker can obtain sensitive authentication credentials by capturing the redirect URL during the authorization process.

Upgrade openclaw to version 2026.4.2 or higher.