openclaw@2026.3.8-beta.1 vulnerabilities

Multi-channel AI gateway with extensible messaging integrations

  • latest version: 2026.3.13
  • latest non vulnerable version:
  • first published: 1 month ago
  • latest version published: 1 day ago
  • licenses detected:
    • >=2026.1.29-beta.1
  • Direct Vulnerabilities

    Known vulnerabilities in the openclaw package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable versions (severity: H = high, M = medium, L = low)

    • [M] Permissive Regular Expression (vulnerable versions: <2026.3.12)

      openclaw is a 🦞 OpenClaw — Personal AI Assistant

      Affected versions of this package are vulnerable to Permissive Regular Expression via the matchesExecAllowlistPattern function. An attacker can bypass intended command or executable path restrictions by crafting paths that exploit overly broad pattern matching, including the use of wildcards that cross POSIX path segments.

      How to fix Permissive Regular Expression? Upgrade openclaw to version 2026.3.12 or higher.

    • [M] Insertion of Sensitive Information into Log File (vulnerable versions: <2026.3.12)

      Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the pairing setup. An attacker can gain unauthorized access to long-lived shared gateway credentials by obtaining a leaked setup code from chat history, logs, screenshots, or copied QR payloads.

      How to fix Insertion of Sensitive Information into Log File? Upgrade openclaw to version 2026.3.12 or higher.

    • [H] Unsafe Dependency Resolution (vulnerable versions: <2026.3.12)

      Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the automatic plugin discovery in .openclaw/extensions/. An attacker can execute arbitrary code by including a malicious plugin in a cloned repository, which is loaded automatically when the application is run from that directory.

      How to fix Unsafe Dependency Resolution? Upgrade openclaw to version 2026.3.12 or higher.

    • [M] Incorrect Authorization (vulnerable versions: <2026.3.12)

      Affected versions of this package are vulnerable to Incorrect Authorization in session_status. An attacker can access or modify session data belonging to other sandboxes by supplying another session's sessionKey. This may allow unauthorized reading or modification of session state outside the intended sandbox boundary.

      How to fix Incorrect Authorization? Upgrade openclaw to version 2026.3.12 or higher.

    • [H] Incorrect Authorization (vulnerable versions: <2026.3.12)

      Affected versions of this package are vulnerable to Incorrect Authorization via insufficient access control in the command handler. An attacker can gain unauthorized access to privileged configuration and debugging interfaces by sending commands as a non-owner user.

      How to fix Incorrect Authorization? Upgrade openclaw to version 2026.3.12 or higher.

    • [H] Directory Traversal (vulnerable versions: <2026.3.11)

      Affected versions of this package are vulnerable to Directory Traversal via the agent RPC. An attacker can execute arbitrary commands and access files outside the intended workspace boundary by supplying crafted spawnedBy and workspaceDir values to the gateway RPC.

      How to fix Directory Traversal? Upgrade openclaw to version 2026.3.11 or higher.

    • [H] Incorrect Authorization (vulnerable versions: <2026.3.12)

      Affected versions of this package are vulnerable to Incorrect Authorization via browser.request. An attacker can modify or create browser profiles and persist unauthorized configuration changes by sending crafted requests to profile management routes, even without elevated administrative privileges.

      How to fix Incorrect Authorization? Upgrade openclaw to version 2026.3.12 or higher.

    • [H] Improper Verification of Cryptographic Signature (vulnerable versions: <2026.3.12)

      Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the webhook event validation. An attacker can inject forged events and impersonate legitimate senders by submitting crafted requests to the webhook endpoint. This may result in unauthorized actions being triggered in downstream systems.

      How to fix Improper Verification of Cryptographic Signature? Upgrade openclaw to version 2026.3.12 or higher.

    • [M] Missing Authorization (vulnerable versions: <2026.3.12)

      Affected versions of this package are vulnerable to Missing Authorization via the WebSocket connection. An attacker can gain unauthorized access to elevated gateway operations by presenting client-declared scopes that are not properly bound to a device identity or trusted path.

      How to fix Missing Authorization? Upgrade openclaw to version 2026.3.12 or higher.

    • [M] Incorrect Authorization (vulnerable versions: <2026.3.11)

      Affected versions of this package are vulnerable to Incorrect Authorization in the Discord reaction ingestion for guild channels. An attacker can gain unauthorized access to restricted session events by sending reaction events from a non-allowlisted guild member.

      How to fix Incorrect Authorization? Upgrade openclaw to version 2026.3.11 or higher.

    • [M] Time-of-check Time-of-use (TOCTOU) Race Condition (vulnerable versions: <2026.3.11)

      Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition through the writeFile commit path. An attacker can cause files to be written outside the intended sandbox path by exploiting a race condition between path validation and the final file move operation.

      How to fix Time-of-check Time-of-use (TOCTOU) Race Condition? Upgrade openclaw to version 2026.3.11 or higher.

    • [H] Authorization Bypass Through User-Controlled Key (vulnerable versions: <2026.3.11)

      Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key through improper authorization in the subagents control. An attacker can gain unauthorized access to sibling session controls by issuing control requests that are resolved against the parent requester scope, allowing them to steer or terminate sibling runs and potentially escalate privileges or disrupt operations across sandbox boundaries.

      How to fix Authorization Bypass Through User-Controlled Key? Upgrade openclaw to version 2026.3.11 or higher.

    • [H] Incorrect Authorization (vulnerable versions: <2026.3.11)

      Affected versions of this package are vulnerable to Incorrect Authorization via system.run. An attacker can execute unauthorized local code by obtaining approval for a benign script-runner command, then rewriting the referenced script on disk before execution, causing the modified code to run under the approved context.

      How to fix Incorrect Authorization? Upgrade openclaw to version 2026.3.11 or higher.

    • [H] Missing Authorization (vulnerable versions: <2026.3.11)

      Affected versions of this package are vulnerable to Missing Authorization through the configWrites authorization. An attacker can modify protected configuration data of sibling accounts by issuing channel commands that target accounts with restricted write permissions.

      How to fix Missing Authorization? Upgrade openclaw to version 2026.3.11 or higher.

    • [M] Time-of-check Time-of-use (TOCTOU) Race Condition (vulnerable versions: <2026.3.11)

      Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition through the handling of temporary file creation and population in the sandboxed file system bridge. An attacker can write arbitrary data outside the intended validated directory by exploiting a race condition in parent-path aliasing before the final guarded replace step.

      How to fix Time-of-check Time-of-use (TOCTOU) Race Condition? Upgrade openclaw to version 2026.3.11 or higher.

    • [H] Missing Authentication for Critical Function (vulnerable versions: >=2026.3.7 <2026.3.11-beta.1)

      Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the plugin subagent runtime dispatch gateway methods. An attacker can gain unauthorized administrative access by sending unauthenticated requests to plugin-owned HTTP routes, allowing execution of privileged gateway actions such as deleting sessions, reading session data, or triggering agent execution.

      How to fix Missing Authentication for Critical Function? Upgrade openclaw to version 2026.3.11-beta.1 or higher.

    • [H] Incorrect Authorization (vulnerable versions: <2026.3.11-beta.1)

      Affected versions of this package are vulnerable to Incorrect Authorization through the device.token.rotate process. An attacker can gain unauthorized administrative access and potentially execute arbitrary code on connected nodes by minting tokens with elevated privileges beyond their current scope.

      How to fix Incorrect Authorization? Upgrade openclaw to version 2026.3.11-beta.1 or higher.

    • [H] Time-of-check Time-of-use (TOCTOU) Race Condition (vulnerable versions: <2026.3.11)

      Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via the system.run process. An attacker can execute unintended local code as the runtime user by modifying an approved local script after approval but before execution.

      How to fix Time-of-check Time-of-use (TOCTOU) Race Condition? Upgrade openclaw to version 2026.3.11 or higher.

    • [L] Not Failing Securely ('Failing Open') (vulnerable versions: <2026.3.11)

      Affected versions of this package are vulnerable to Not Failing Securely ('Failing Open') in the credential resolution process. An attacker can access unintended remote credentials by configuring local authentication SecretRefs that are unavailable, causing the system to fall back to remote credential sources instead of failing as expected.

      How to fix Not Failing Securely ('Failing Open')? Upgrade openclaw to version 2026.3.11 or higher.

    • [H] Origin Validation Error (vulnerable versions: <2026.3.11)

      Affected versions of this package are vulnerable to Origin Validation Error in the WebSocket connections when gateway.auth.mode is set to trusted-proxy and proxy headers are present. An attacker can gain unauthorized privileged access by establishing a cross-site WebSocket connection from an untrusted origin through a trusted reverse proxy, allowing the execution of privileged Gateway methods and exposure of sensitive configuration. This is only exploitable if the deployment exposes the Gateway behind a trusted reverse proxy and relies on browser origin checks to restrict access.

      How to fix Origin Validation Error? Upgrade openclaw to version 2026.3.11 or higher.

    • [M] Authentication Bypass by Alternate Name (vulnerable versions: <2026.3.8)

      Affected versions of this package are vulnerable to Authentication Bypass by Alternate Name in the Microsoft Teams group sender authorization process when a route allowlist is configured and the sender allowlist is empty. An attacker can gain unauthorized access to trigger replies in allowlisted Teams routes by exploiting the wildcard sender authorization logic.

      How to fix Authentication Bypass by Alternate Name? Upgrade openclaw to version 2026.3.8 or higher.

    • [M] Time-of-check Time-of-use (TOCTOU) Race Condition (vulnerable versions: <2026.3.8)

      Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition through the system.run approval flow. An attacker can execute unauthorized or modified scripts by obtaining approval for a script execution and then altering the script content before execution, allowing different code to run under the guise of a previously approved command.

      How to fix Time-of-check Time-of-use (TOCTOU) Race Condition? Upgrade openclaw to version 2026.3.8 or higher.

    • [M] Time-of-check Time-of-use (TOCTOU) Race Condition (vulnerable versions: <2026.3.8)

      Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition through the skills download installer. An attacker can cause files to be written outside the intended directory by rebinding the validated base path between its validation and use.

      How to fix Time-of-check Time-of-use (TOCTOU) Race Condition? Upgrade openclaw to version 2026.3.8 or higher.