openclaw@2026.5.16-beta.7

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Missing Authorization due to insufficient validation in the message read actions process. An attacker can access sensitive messages from unauthorized channels by sending crafted requests that bypass channel allowlist checks.

Upgrade openclaw to version 2026.5.19 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Missing Authorization in the node event handling process. An attacker can gain unauthorized access to restricted exec lifecycle events by sending crafted node.event messages from a paired node to the gateway, which can steer target sessions into privileged exec-event paths and expose unintended capabilities.

Upgrade openclaw to version 2026.5.18 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Untrusted Search Path via the skill installation process when workspace .env files override the Homebrew executable selection. An attacker can execute arbitrary Homebrew-compatible executables by manipulating the .env file during skill setup, potentially compromising the system. This is only exploitable if an attacker has access to a trusted operator workspace.

Upgrade openclaw to version 2026.5.27 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Privilege Assignment due to the incorrect assignment of owner-scoped MCP loopback authority to hook-triggered agent processes. An attacker can perform unauthorized privileged actions by exploiting the /hooks/agent endpoint with a valid hook token, allowing access to or invocation of owner-only MCP tools, such as modifying persistent cron state.

Upgrade openclaw to version 2026.5.20 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to User Impersonation via insufficient validation in the Control UI pairing process. An attacker can obtain persistent administrative device tokens by spoofing locality information over the network, thereby escalating temporary shared access to durable admin-level credentials that persist even after token rotation.

Upgrade openclaw to version 2026.5.22 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the browser control process. An attacker can access internal network resources and read restricted page content by leveraging action-triggered redirects and browser evaluation capabilities.

Upgrade openclaw to version 2026.5.18 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Unsafe Dependency Resolution via manipulation of the extension metadata process. An attacker can execute arbitrary code by redirecting the loading process toward unscanned package payloads, allowing plugin code to be loaded outside of reviewed package entry points and bypassing security scanning. This is only exploitable if the attacker has trusted operator access.

Upgrade openclaw to version 2026.5.18 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to User Impersonation via improper validation of identity headers in the trusted-proxy configuration. An attacker can impersonate privileged users by supplying forged identity headers to the proxy-facing Gateway port, potentially escalating privileges.

Upgrade openclaw to version 2026.5.18 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via insufficient sanitization of environment variables in the process. An attacker can influence the behavior of a Node.js child process or alter coverage output paths by supplying malicious environment variables from a lower-trust source.

Upgrade openclaw to version 2026.5.26 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization in the session management process. An attacker can regain previously revoked node token authority by maintaining a pairing-scoped device session after the token has been revoked. This is only exploitable if a device retains an active pairing-scoped session following the revocation of its node token.

Upgrade openclaw to version 2026.5.26 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via inconsistent handling of hostnames with trailing dots in the request path. An attacker can bypass hostname blocklist policies by submitting URLs with a trailing dot, potentially accessing destinations that should be restricted.

Upgrade openclaw to version 2026.5.26 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the exec process. An attacker can perform unauthorized operations by crafting command requests that leverage transparent command wrappers to bypass allowlist validation.

Upgrade openclaw to version 2026.5.26 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via the system.run safe-bin allowlist validation. An attacker can access arbitrary files and expose sensitive configuration data by injecting shell metacharacters into approved commands.

Upgrade openclaw to version 2026.5.18 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via the shell wrapper argv. An attacker can execute unauthorized commands by modifying command arguments after allowlist approval but before execution.

Upgrade openclaw to version 2026.5.18 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via the node pairing reconnection. An attacker can gain unauthorized node authority by exploiting logic flaws that allow restoration or escalation of node pairing states beyond intended approval scopes.

Upgrade openclaw to version 2026.5.27 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to User Interface (UI) Misrepresentation of Critical Information via the approval display truncation. An attacker can execute unauthorized operations by submitting oversized exec commands with benign prefixes and malicious suffixes that are hidden from approvers.

Upgrade openclaw to version 2026.5.18 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization via the chat.send route. An attacker can perform unauthorized privileged actions by leveraging inherited external routes to bypass required scope checks, enabling unauthorized modification of plugins, configuration, MCP, allowlist, and ACP settings.

Upgrade openclaw to version 2026.5.18 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Missing Authorization in the QQBot native approval buttons process. An attacker can gain unauthorized access to resolve pending exec or plugin approval requests by interacting with approval buttons without proper authorization.

Upgrade openclaw to version 2026.5.18-beta.1 or higher.