openclaw@2026.4.8

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Directory Traversal via the webchat audio embedding process. An attacker can access and exfiltrate arbitrary local audio-like files readable by the gateway process by influencing the ReplyPayload.mediaUrl to reference absolute local paths or file: URLs, which are then base64-encoded and returned in the webchat media response. This is only exploitable if the targeted file is readable by the gateway process, has an audio-like extension, and fits within the webchat audio size cap.

Upgrade openclaw to version 2026.4.15-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the uploadC2CMedia or uploadGroupMedia process. An attacker can cause the application to make unintended outbound requests to attacker-controlled URLs by supplying crafted image URLs during direct media upload.

Upgrade openclaw to version 2026.4.20-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Missing Authorization via the policy enforcement process. An attacker can gain unauthorized access to restricted tools by leveraging bundled MCP or LSP tools that bypass configured tool policies. This is only exploitable if a bundled MCP or LSP tool source is configured and an operator policy is set to restrict that tool.

Upgrade openclaw to version 2026.4.19-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity via the cron process. An attacker can cause untrusted events to be labeled as trusted system events by triggering isolated cron agent runs through webhooks, which may lead to misleading trust attribution in the awareness stream.

Upgrade openclaw to version 2026.4.19-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the process that loads environment variables from workspace configuration. An attacker can execute arbitrary code with the privileges of the operator by supplying malicious environment variables such as NODE_OPTIONS, LD_PRELOAD, or BASH_ENV in the workspace configuration. This is only exploitable if the operator runs the application in a workspace containing a malicious MCP configuration.

Upgrade openclaw to version 2026.4.20-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the sessionKey process. An attacker can gain unauthorized access to webhook routing by supplying externally influenced session keys through templated hook mappings, even when request-supplied session keys are disabled.

Upgrade openclaw to version 2026.4.20-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization through the Feishu card-action callback process. An attacker can bypass intended policy restrictions by crafting a card-action event that misclassifies direct messages as group conversations, thereby avoiding enforcement of dmPolicy.

Upgrade openclaw to version 2026.4.19-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the browser profile creation process. An attacker can cause unauthorized requests to internal network resources by storing a profile with a cdpUrl pointing to a private-network or metadata endpoint, which may later be accessed during normal profile status checks. This is only exploitable if strict-mode SSRF protections are enabled and private-network CDP targets are explicitly disabled.

Upgrade openclaw to version 2026.4.19-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Insufficiently Protected Credentials via the MINIMAX_API_HOST environment variable injection in workspace dotenv files. An attacker can intercept sensitive API credentials by redirecting outbound requests to an attacker-controlled origin. This is only exploitable if the application is run from a workspace controlled by the attacker.

Upgrade openclaw to version 2026.4.20-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the environment variable loading process. An attacker can influence trusted runtime behavior by setting specially crafted OPENCLAW_ variables in a workspace, which are then loaded and override runtime-control environment variables when the application is executed. This is only exploitable if the application is run from an attacker-controlled workspace.

Upgrade openclaw to version 2026.4.20-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Insufficient Granularity of Access Control via insufficient access control in the gateway config.patch and config.apply processes. An attacker can modify protected operator settings by leveraging a prompt-injected model with access to the owner-only gateway tool. This is only exploitable if a model with prompt injection capability is granted access to the owner-only gateway configuration tool.

Upgrade openclaw to version 2026.4.20-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization in the paired-device pairing management process. An attacker can gain unauthorized access to approve or operate on unrelated pending device requests by leveraging paired-device access within the same gateway scope.

Upgrade openclaw to version 2026.4.20 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization via the assistant-media route. An attacker can access protected media files and metadata by bypassing HTTP authentication path scope validation.

Upgrade openclaw to version 2026.4.20 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Unsafe Dependency Resolution in the authentication setup. An attacker can cause untrusted workspace plugins to be auto-enabled by leveraging non-interactive onboarding that selects a provider authentication choice shadowed by an untrusted plugin.

Upgrade openclaw to version 2026.4.9-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization via the operator.write message-tool. An attacker can modify persistent Matrix profile configuration without proper authorization by sending crafted requests through message-tool paths that bypass intended admin-level restrictions.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization via the exec approval binding. An attacker can bypass intended approval mechanisms and execute unauthorized applets or scripts by leveraging opaque multi-call binaries such as busybox and toybox, which obscure the actual operation being performed.

Upgrade openclaw to version 2026.4.12 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer in the sourceConfig and runtimeConfig alias fields, which were not properly redacted. An attacker can obtain sensitive secrets, such as provider API keys, gateway authentication material, and channel credentials, by accessing these unredacted alias fields.

Note: This is only exploitable if the attacker is an authenticated gateway client with configuration read access.

Upgrade openclaw to version 2026.4.14-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Command Injection via improper handling of environment variable assignments in argv forms during shell-wrapper detection. An attacker can execute arbitrary commands by injecting specially crafted environment variable assignments into the argument vector.

Upgrade openclaw to version 2026.4.12 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs due to insufficient filtering of high-risk interpreter startup environment variables in the execution environment policy. An attacker can influence downstream execution or network behavior by supplying crafted environment variables.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to DNS Rebinding via improper hostname validation in the browser navigation policy. An attacker can access internal network resources or sensitive endpoints by exploiting DNS rebinding techniques to bypass hostname restrictions.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Missing Authorization in the channel setup. An attacker can gain unauthorized access to privileged plugin functionality by introducing untrusted workspace plugin shadows that are resolved before trusted bundled plugins.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization via improper validation of the outPath parameter in the screen recording. An attacker can write files outside the intended workspace boundary by specifying a path that bypasses the workspace-only filesystem guard.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization when handling collect-mode queue batches, where messages from different senders could be processed together using the authorization context of the final sender. An attacker can gain unauthorized access to actions or data by sending messages that are subsequently processed with elevated privileges inherited from another sender.

Upgrade openclaw to version 2026.4.14-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to External Control of System or Configuration Setting via the loading of workspace .env files. An attacker can manipulate runtime-control variables by crafting a malicious .env file that sets environment variables affecting update sources, gateway URLs, ClawHub resolution, browser executable paths, and related behaviors.

Upgrade openclaw to version 2026.4.9-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Missing Authorization in the approval authorization. An attacker can gain unauthorized approval rights by exploiting empty approver lists, allowing them to resolve pending approvals if they know an approval id.

Upgrade openclaw to version 2026.4.12 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in the agent hook event processing. An attacker can escalate privileges by supplying crafted external input that is treated as trusted system events.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Binding to an Unrestricted IP Address via the CDP relay. An attacker can gain unauthorized access to the Chrome DevTools Protocol by connecting from outside the intended local or sandboxed network range.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the sandbox noVNC helper route. An attacker can gain unauthorized access to interactive browser session credentials by bypassing bridge authentication.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization through the operator.write configuration. An attacker can modify and persist unauthorized profile configurations by sending crafted HTTP requests to affected endpoints without requiring administrative privileges.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Directory Traversal via the outbound media handling. An attacker can access arbitrary local files by referencing host-local paths outside the intended media storage boundary in reply text.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization via the /dreaming path in the operator.write. An attacker can modify persistent memory dreaming settings by sending write-scoped gateway requests, resulting in unauthorized configuration changes that should require higher privileges.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Directory Traversal in the handling of Discord event cover image parameters, which could bypass the intended media normalization. An attacker can access host-local media references by crafting event cover images that evade the sandbox normalization path, potentially exposing internal resources.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition due to missed detection of local async exec completion events during heartbeat owner downgrade. An attacker can maintain a process in a more privileged context than intended by providing untrusted completion content.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Use of a Key Past its Expiration Date due to the reuse of a previously resolved bearer authentication configuration in the gateway after a SecretRef rotation. An attacker can maintain unauthorized access by continuing to use an old bearer token that should have been invalidated.

Upgrade openclaw to version 2026.4.15-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to External Control of File Name or Path via improper validation of file paths in the media embedding. An attacker can access arbitrary files on the host system or trigger network credential exposure by supplying crafted local or UNC-style file paths.

Upgrade openclaw to version 2026.4.15-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization via host=node override in the routing execution. An attacker can bypass intended sandbox restrictions and execute code on a remote node by manipulating the routing logic.

Upgrade openclaw to version 2026.4.10 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization due to the heartbeat owner downgrade not properly handling untrusted webhook wake events. An attacker can maintain elevated privileges by sending specially crafted webhook events that bypass intended privilege downgrades.

Upgrade openclaw to version 2026.4.14-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via the validateScriptFileForShellBleed() function. An attacker can cause the preflight analysis to inspect a different file than the one that passed the initial workspace boundary check by racing a replacement of the target file after validation but before it is read.

Upgrade openclaw to version 2026.4.10 or higher.