openclaw@2026.4.5

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Directory Traversal via the webchat audio embedding process. An attacker can access and exfiltrate arbitrary local audio-like files readable by the gateway process by influencing the ReplyPayload.mediaUrl to reference absolute local paths or file: URLs, which are then base64-encoded and returned in the webchat media response. This is only exploitable if the targeted file is readable by the gateway process, has an audio-like extension, and fits within the webchat audio size cap.

Upgrade openclaw to version 2026.4.15-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the uploadC2CMedia or uploadGroupMedia process. An attacker can cause the application to make unintended outbound requests to attacker-controlled URLs by supplying crafted image URLs during direct media upload.

Upgrade openclaw to version 2026.4.20-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Missing Authorization via the policy enforcement process. An attacker can gain unauthorized access to restricted tools by leveraging bundled MCP or LSP tools that bypass configured tool policies. This is only exploitable if a bundled MCP or LSP tool source is configured and an operator policy is set to restrict that tool.

Upgrade openclaw to version 2026.4.19-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity via the cron process. An attacker can cause untrusted events to be labeled as trusted system events by triggering isolated cron agent runs through webhooks, which may lead to misleading trust attribution in the awareness stream.

Upgrade openclaw to version 2026.4.19-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the process that loads environment variables from workspace configuration. An attacker can execute arbitrary code with the privileges of the operator by supplying malicious environment variables such as NODE_OPTIONS, LD_PRELOAD, or BASH_ENV in the workspace configuration. This is only exploitable if the operator runs the application in a workspace containing a malicious MCP configuration.

Upgrade openclaw to version 2026.4.20-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the sessionKey process. An attacker can gain unauthorized access to webhook routing by supplying externally influenced session keys through templated hook mappings, even when request-supplied session keys are disabled.

Upgrade openclaw to version 2026.4.20-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization through the Feishu card-action callback process. An attacker can bypass intended policy restrictions by crafting a card-action event that misclassifies direct messages as group conversations, thereby avoiding enforcement of dmPolicy.

Upgrade openclaw to version 2026.4.19-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the browser profile creation process. An attacker can cause unauthorized requests to internal network resources by storing a profile with a cdpUrl pointing to a private-network or metadata endpoint, which may later be accessed during normal profile status checks. This is only exploitable if strict-mode SSRF protections are enabled and private-network CDP targets are explicitly disabled.

Upgrade openclaw to version 2026.4.19-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Insufficiently Protected Credentials via the MINIMAX_API_HOST environment variable injection in workspace dotenv files. An attacker can intercept sensitive API credentials by redirecting outbound requests to an attacker-controlled origin. This is only exploitable if the application is run from a workspace controlled by the attacker.

Upgrade openclaw to version 2026.4.20-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the environment variable loading process. An attacker can influence trusted runtime behavior by setting specially crafted OPENCLAW_ variables in a workspace, which are then loaded and override runtime-control environment variables when the application is executed. This is only exploitable if the application is run from an attacker-controlled workspace.

Upgrade openclaw to version 2026.4.20-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Insufficient Granularity of Access Control via insufficient access control in the gateway config.patch and config.apply processes. An attacker can modify protected operator settings by leveraging a prompt-injected model with access to the owner-only gateway tool. This is only exploitable if a model with prompt injection capability is granted access to the owner-only gateway configuration tool.

Upgrade openclaw to version 2026.4.20-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization in the paired-device pairing management process. An attacker can gain unauthorized access to approve or operate on unrelated pending device requests by leveraging paired-device access within the same gateway scope.

Upgrade openclaw to version 2026.4.20 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization via the assistant-media route. An attacker can access protected media files and metadata by bypassing HTTP authentication path scope validation.

Upgrade openclaw to version 2026.4.20 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Unsafe Dependency Resolution in the authentication setup. An attacker can cause untrusted workspace plugins to be auto-enabled by leveraging non-interactive onboarding that selects a provider authentication choice shadowed by an untrusted plugin.

Upgrade openclaw to version 2026.4.9-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization via the operator.write message-tool. An attacker can modify persistent Matrix profile configuration without proper authorization by sending crafted requests through message-tool paths that bypass intended admin-level restrictions.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization via the exec approval binding. An attacker can bypass intended approval mechanisms and execute unauthorized applets or scripts by leveraging opaque multi-call binaries such as busybox and toybox, which obscure the actual operation being performed.

Upgrade openclaw to version 2026.4.12 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer in the sourceConfig and runtimeConfig alias fields, which were not properly redacted. An attacker can obtain sensitive secrets, such as provider API keys, gateway authentication material, and channel credentials, by accessing these unredacted alias fields.

Note: This is only exploitable if the attacker is an authenticated gateway client with configuration read access.

Upgrade openclaw to version 2026.4.14-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Command Injection via improper handling of environment variable assignments in argv forms during shell-wrapper detection. An attacker can execute arbitrary commands by injecting specially crafted environment variable assignments into the argument vector.

Upgrade openclaw to version 2026.4.12 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs due to insufficient filtering of high-risk interpreter startup environment variables in the execution environment policy. An attacker can influence downstream execution or network behavior by supplying crafted environment variables.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to DNS Rebinding via improper hostname validation in the browser navigation policy. An attacker can access internal network resources or sensitive endpoints by exploiting DNS rebinding techniques to bypass hostname restrictions.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Missing Authorization in the channel setup. An attacker can gain unauthorized access to privileged plugin functionality by introducing untrusted workspace plugin shadows that are resolved before trusted bundled plugins.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization via improper validation of the outPath parameter in the screen recording. An attacker can write files outside the intended workspace boundary by specifying a path that bypasses the workspace-only filesystem guard.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization when handling collect-mode queue batches, where messages from different senders could be processed together using the authorization context of the final sender. An attacker can gain unauthorized access to actions or data by sending messages that are subsequently processed with elevated privileges inherited from another sender.

Upgrade openclaw to version 2026.4.14-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to External Control of System or Configuration Setting via the loading of workspace .env files. An attacker can manipulate runtime-control variables by crafting a malicious .env file that sets environment variables affecting update sources, gateway URLs, ClawHub resolution, browser executable paths, and related behaviors.

Upgrade openclaw to version 2026.4.9-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Missing Authorization in the approval authorization. An attacker can gain unauthorized approval rights by exploiting empty approver lists, allowing them to resolve pending approvals if they know an approval id.

Upgrade openclaw to version 2026.4.12 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in the agent hook event processing. An attacker can escalate privileges by supplying crafted external input that is treated as trusted system events.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Binding to an Unrestricted IP Address via the CDP relay. An attacker can gain unauthorized access to the Chrome DevTools Protocol by connecting from outside the intended local or sandboxed network range.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the sandbox noVNC helper route. An attacker can gain unauthorized access to interactive browser session credentials by bypassing bridge authentication.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization through the operator.write configuration. An attacker can modify and persist unauthorized profile configurations by sending crafted HTTP requests to affected endpoints without requiring administrative privileges.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Directory Traversal via the outbound media handling. An attacker can access arbitrary local files by referencing host-local paths outside the intended media storage boundary in reply text.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization via the /dreaming path in the operator.write. An attacker can modify persistent memory dreaming settings by sending write-scoped gateway requests, resulting in unauthorized configuration changes that should require higher privileges.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition due to missed detection of local async exec completion events during heartbeat owner downgrade. An attacker can maintain a process in a more privileged context than intended by providing untrusted completion content.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Use of a Key Past its Expiration Date due to the reuse of a previously resolved bearer authentication configuration in the gateway after a SecretRef rotation. An attacker can maintain unauthorized access by continuing to use an old bearer token that should have been invalidated.

Upgrade openclaw to version 2026.4.15-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization via host=node override in the routing execution. An attacker can bypass intended sandbox restrictions and execute code on a remote node by manipulating the routing logic.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via the validateScriptFileForShellBleed() function. An attacker can cause the preflight analysis to inspect a different file than the one that passed the initial workspace boundary check by racing a replacement of the target file after validation but before it is read.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the environment variable handling process. An attacker can influence Git operations by setting specific environment variables before execution.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization via the device.token.rotate function. An attacker can obtain unauthorized access to roles or scopes by rotating device tokens without the required pairing approval.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Access Control Bypass due to missing owner-only enforcement in the /allowlist process for cross-channel allowlist writes. An attacker can perform unauthorized modifications to allowlists in other channels by sending crafted requests as an authorized non-owner user.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity via the fetchWithSsrFGuard function. An attacker can cause unsafe request bodies or headers to be resent across cross-origin redirects by manipulating redirect responses.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource via the upload_file or upload_image process. An attacker can access files outside the intended workspace directory by uploading specially crafted docx blocks.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization via the node.invoke process. An attacker can alter persistent browser profiles by invoking browser.proxy to bypass the intended profile-mutation guard.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Insufficient Session Expiration due to the resolvedAuth process becoming outdated after a configuration reload. An attacker can maintain unauthorized access by leveraging stale authentication state in newly accepted gateway connections.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Missing Support for Integrity Check through the download process. An attacker can cause unauthorized or malicious plugin archives to be installed by providing tampered or unverified files during the download process.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Command Injection via the host-exec process. An attacker can execute arbitrary commands by injecting environment variables that influence interpreters, shells, or build tools.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Insufficient Session Expiration due to the failure to terminate existing WebSocket sessions upon shared gateway token rotation. An attacker can maintain unauthorized access to an active session by continuing to use a previously valid shared token after it has been rotated.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Exposure of Resource to Wrong Sphere in the handling of shared reply MEDIA references, where paths are treated as trusted. An attacker can cause unauthorized access to local files by crafting a shared reply MEDIA reference that triggers another channel to read a local file path as trusted generated media.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to missing pre-allocation size checks in the base64 decoding process. An attacker can cause excessive memory allocation by providing specially crafted input data.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Trust Boundary Violation via the wake process. An attacker can inject unauthorized payloads into the trusted System: prompt channel by sending authenticated /hooks/wake or mapped wake payloads.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Trust Boundary Violation via the process handling background runtime output injection into trusted System: events. An attacker can escalate privileges or inject unauthorized commands by promoting lower-trust output into trusted event streams, potentially leading to prompt-injection in subsequent agent operations.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the media download process. An attacker can access internal network resources by sending crafted requests to the affected media fetch endpoints.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Improper Privilege Management in the Gateway plugin HTTP. An attacker can gain unauthorized write access by sending requests that are only intended to have read privileges, resulting in privilege escalation.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the handling of environment variables in the exec env denylist. An attacker can execute arbitrary commands by injecting malicious values into environment variables such as HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, or MAKEFLAGS that are not properly denied.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Improper Input Validation in to the strictInlineEval() function. An attacker can execute unauthorized inline evaluation commands by exploiting the approval-timeout fallback mechanism, which bypasses explicit approval requirements.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via improper handling of redirects in the Playwright navigation. An attacker can access internal or private network resources by crafting requests that exploit insufficient validation of redirect targets.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the Pairing Reconnect Command. An attacker can gain unauthorized access to privileged commands by reconnecting a previously paired node, thereby bypassing the intended operator or admin re-pairing requirement.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the Interaction-Triggered Navigation. An attacker can access internal resources by triggering browser interactions that bypass normal navigation checks.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Improper Privilege Management via the node.pair.approve() function being assigned to the broader operator.write scope instead of the intended operator.pairing scope. An attacker can gain unauthorized approval capabilities by exploiting insufficient privilege assignment.

Upgrade openclaw to version 2026.4.8 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Open Redirect via the fetchWithSsrFGuard function. An attacker can access sensitive request data or headers by triggering cross-origin redirects.

Upgrade openclaw to version 2026.4.8 or higher.