openclaw@2026.4.19-beta.1

Multi-channel AI gateway with extensible messaging integrations

  • latest version

    2026.5.2

  • first published

    3 months ago

  • latest version published

    1 hour ago

  • licenses detected

    • >=2026.1.29-beta.1
  • Direct Vulnerabilities

    Known vulnerabilities in the openclaw package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable version
    • Medium severity: Missing Authorization

    openclaw is a 🦞 OpenClaw — Personal AI Assistant

    Affected versions of this package are vulnerable to Missing Authorization via the command-auth.ts process. An attacker can gain unauthorized access to owner-enforced commands by sending commands from a non-owner sender when a channel plugin enforces owner-only commands, the channel accepts wildcard inbound senders, and no explicit owner allow list is configured. This is only exploitable if the channel plugin has commands.enforceOwnerForCommands set to true, allowFrom includes a wildcard ("*"), and commands.ownerAllowFrom is not explicitly set.

    How to fix Missing Authorization?

    Upgrade openclaw to version 2026.4.21 or higher.

    Vulnerable version: <2026.4.21
    • Medium severity: Server-side Request Forgery (SSRF)

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the uploadC2CMedia or uploadGroupMedia process. An attacker can cause the application to make unintended outbound requests to attacker-controlled URLs by supplying crafted image URLs during direct media upload.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade openclaw to version 2026.4.20-beta.1 or higher.

    Vulnerable version: <2026.4.20-beta.1
    • Medium severity: Unsafe Dependency Resolution

    Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the process that loads environment variables from workspace configuration. An attacker can execute arbitrary code with the privileges of the operator by supplying malicious environment variables such as NODE_OPTIONS, LD_PRELOAD, or BASH_ENV in the workspace configuration. This is only exploitable if the operator runs the application in a workspace containing a malicious MCP configuration.

    How to fix Unsafe Dependency Resolution?

    Upgrade openclaw to version 2026.4.20-beta.1 or higher.

    Vulnerable version: <2026.4.20-beta.1
    • Medium severity: Authorization Bypass Through User-Controlled Key

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the sessionKey process. An attacker can gain unauthorized access to webhook routing by supplying externally influenced session keys through templated hook mappings, even when request-supplied session keys are disabled.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade openclaw to version 2026.4.20-beta.1 or higher.

    Vulnerable version: <2026.4.20-beta.1
    • Medium severity: Insufficiently Protected Credentials

    Affected versions of this package are vulnerable to Insufficiently Protected Credentials via MINIMAX_API_HOST environment variable injection in workspace dotenv files. An attacker can intercept sensitive API credentials by redirecting outbound requests to an attacker-controlled origin. This is only exploitable if the application is run from a workspace controlled by the attacker.

    How to fix Insufficiently Protected Credentials?

    Upgrade openclaw to version 2026.4.20-beta.1 or higher.

    Vulnerable version: >=2026.4.5 <2026.4.20-beta.1
    • Medium severity: Incomplete List of Disallowed Inputs

    Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the environment variable loading process. An attacker can influence trusted runtime behavior by setting specially crafted OPENCLAW_ variables in a workspace, which are then loaded and override runtime-control environment variables when the application is executed. This is only exploitable if the application is run from an attacker-controlled workspace.

    How to fix Incomplete List of Disallowed Inputs?

    Upgrade openclaw to version 2026.4.20-beta.1 or higher.

    Vulnerable version: <2026.4.20-beta.1
    • Medium severity: Insufficient Granularity of Access Control

    Affected versions of this package are vulnerable to Insufficient Granularity of Access Control in the gateway config.patch and config.apply processes. An attacker can modify protected operator settings by leveraging a prompt-injected model that has access to the owner-only gateway configuration tool. This is only exploitable if a model exposed to prompt injection is granted access to that tool.

    How to fix Insufficient Granularity of Access Control?

    Upgrade openclaw to version 2026.4.20-beta.1 or higher.

    Vulnerable version: <2026.4.20-beta.1
    • Medium severity: Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization in the paired-device pairing management process. An attacker with paired-device access can approve or operate on unrelated pending device requests within the same gateway scope.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.4.20 or higher.

    Vulnerable version: <2026.4.20
    • Low severity: Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization via the assistant-media route. An attacker can access protected media files and metadata by bypassing HTTP authentication path scope validation.

    How to fix Incorrect Authorization?

    Upgrade openclaw to version 2026.4.20 or higher.

    Vulnerable version: <2026.4.20
    • Critical severity: Arbitrary Code Injection

    Affected versions of this package are vulnerable to Arbitrary Code Injection via upstream API requests. An attacker can execute arbitrary code by injecting malicious prompts into requests.

    How to fix Arbitrary Code Injection?

    There is no fixed version for openclaw.

    Vulnerable version: >=0.0.0