openclaw@2026.5.4-beta.1

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Missing Authorization due to insufficient validation in the message read actions process. An attacker can access sensitive messages from unauthorized channels by sending crafted requests that bypass channel allowlist checks.

Upgrade openclaw to version 2026.5.19 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Missing Authorization in the node event handling process. An attacker can gain unauthorized access to restricted exec lifecycle events by sending crafted node.event messages from a paired node to the gateway, which can steer target sessions into privileged exec-event paths and expose unintended capabilities.

Upgrade openclaw to version 2026.5.18 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Untrusted Search Path via the skill installation process when workspace .env files override the Homebrew executable selection. An attacker can execute arbitrary Homebrew-compatible executables by manipulating the .env file during skill setup, potentially compromising the system. This is only exploitable if an attacker has access to a trusted operator workspace.

Upgrade openclaw to version 2026.5.27 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Privilege Assignment due to the incorrect assignment of owner-scoped MCP loopback authority to hook-triggered agent processes. An attacker can perform unauthorized privileged actions by exploiting the /hooks/agent endpoint with a valid hook token, allowing access to or invocation of owner-only MCP tools, such as modifying persistent cron state.

Upgrade openclaw to version 2026.5.20 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to User Impersonation via insufficient validation in the Control UI pairing process. An attacker can obtain persistent administrative device tokens by spoofing locality information over the network, thereby escalating temporary shared access to durable admin-level credentials that persist even after token rotation.

Upgrade openclaw to version 2026.5.22 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization in the commands.allowFrom process. An attacker can gain unauthorized access to restricted command functionality by invoking Telegram interactive callbacks before allowlist checks are enforced.

Upgrade openclaw to version 2026.5.6 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via the exec process. An attacker can execute unauthorized commands by bypassing intended allowlist validation using combined shell options. This is only exploitable if the affected feature is enabled.

Upgrade openclaw to version 2026.5.12 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization in the Skill Workshop apply flow due to improper enforcement of approval policies. An attacker can modify configurations without proper authorization by sending requests to the apply path before the required approval step.

Upgrade openclaw to version 2026.5.6 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to User Impersonation via the allowFrom process. An attacker can gain unauthorized permissions by manipulating display name metadata to match policy entries intended for other identities. This is only exploitable if operator configuration allows policy matching based on mutable display names.

Upgrade openclaw to version 2026.5.7 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the browser control process. An attacker can access internal network resources and read restricted page content by leveraging action-triggered redirects and browser evaluation capabilities.

Upgrade openclaw to version 2026.5.18 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Unsafe Dependency Resolution via manipulation of the extension metadata process. An attacker can execute arbitrary code by redirecting the loading process toward unscanned package payloads, allowing plugin code to be loaded outside of reviewed package entry points and bypassing security scanning. This is only exploitable if the attacker has trusted operator access.

Upgrade openclaw to version 2026.5.18 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incomplete Comparison with Missing Factors via the retry endpoint validation process. An attacker can intercept authentication material by crafting a hostname prefix that resembles a trusted host, causing the system to send sensitive information to an untrusted endpoint.

Upgrade openclaw to version 2026.5.7 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization in the dynamic-agent binding process. An attacker can modify binding states without proper authorization by sending crafted requests as an authenticated user.

Upgrade openclaw to version 2026.5.6 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to User Impersonation via improper validation of identity headers in the trusted-proxy configuration. An attacker can impersonate privileged users by supplying forged identity headers to the proxy-facing Gateway port, potentially escalating privileges.

Upgrade openclaw to version 2026.5.18 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization via the native command handling process. An attacker can gain unauthorized access to privileged operations by sending crafted commands that bypass the configured owner-command access control.

Upgrade openclaw to version 2026.5.6 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the PowerShell encoded-command handling process. An attacker can execute arbitrary commands by leveraging unrecognized encoded-command alias forms to circumvent allowlist checks.

Upgrade openclaw to version 2026.5.12 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Not Failing Securely ('Failing Open') in the event handler process due to missing validation of channel type metadata. An attacker can bypass intended policy decisions by sending crafted events that omit required channel type information.

Upgrade openclaw to version 2026.5.6 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via insufficient sanitization of environment variables in the process. An attacker can influence the behavior of a Node.js child process or alter coverage output paths by supplying malicious environment variables from a lower-trust source.

Upgrade openclaw to version 2026.5.26 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Information Exposure via the MCP Streamable HTTP process when custom headers are configured and the MCP endpoint responds with a cross-origin redirect. An attacker can obtain sensitive information, such as API keys or tenant-routing headers, by leveraging a malicious or compromised MCP endpoint that issues redirects to another origin. This is only exploitable if the MCP server is configured with transportType: "streamable-http", sensitive custom headers under mcp.servers.*.headers, and the MCP endpoint is malicious, compromised, or able to redirect to another origin.

Upgrade openclaw to version 2026.5.12 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the exec process when combined POSIX inline-command flags are used on macOS. An attacker can execute shell content outside the intended allowlist check by crafting command requests that leverage combined inline flags. This is only exploitable if the affected feature is enabled and reachable, and lower-trust input can access the execution path.

Upgrade openclaw to version 2026.5.6 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization in the enforcement of argPattern checks for exec allowlist entries on Linux and macOS gateways. An attacker can execute disallowed arguments for an allowlisted executable by influencing a tool-enabled agent to call exec with arguments that should have required additional approval. This is only exploitable if the gateway is running on Linux or macOS, exec is configured with tools.exec.security: "allowlist", at least one allowlist entry uses argPattern, and the allowlisted executable accepts security-relevant arguments or flags.

Upgrade openclaw to version 2026.5.12 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to User Impersonation via the allowFrom process. An attacker can gain unauthorized access to agent privileges intended for another Discord identity by exploiting mutable display name metadata to match policy entries. This is only exploitable if the affected feature is enabled and reachable, and the operator's configuration allows lower-trust input to reach the relevant path.

Upgrade openclaw to version 2026.5.7 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Privilege Assignment via the Active Memory write process. An attacker can modify global configuration settings by leveraging operator.write access to escalate privileges beyond the intended scope. This is only exploitable if the affected feature is enabled and reachable by a user with operator.write permissions.

Upgrade openclaw to version 2026.5.6 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Missing Authorization via the shell inline-command parsing process. An attacker can execute unauthorized shell commands by crafting command requests that bypass the intended allowlist checks.

Upgrade openclaw to version 2026.5.12 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization in the session management process. An attacker can regain previously revoked node token authority by maintaining a pairing-scoped device session after the token has been revoked. This is only exploitable if a device retains an active pairing-scoped session following the revocation of its node token.

Upgrade openclaw to version 2026.5.26 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via inconsistent handling of hostnames with trailing dots in the request path. An attacker can bypass hostname blocklist policies by submitting URLs with a trailing dot, potentially accessing destinations that should be restricted.

Upgrade openclaw to version 2026.5.26 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Protection Mechanism Failure in the skill-command dispatch process. An attacker can bypass hook-based auditing or policy enforcement by routing a skill command through a dispatch path that skips the runBeforeToolCallHook process. This may allow unauthorized actions or insufficient auditing depending on the operator's configuration and whether lower-trust input can access the affected path.

Upgrade openclaw to version 2026.5.6 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the exported session HTML process. An attacker can execute arbitrary browser-side scripts by crafting malicious markdown links containing javascript: or data: URIs, which are preserved in the generated HTML and triggered when a user opens and interacts with the exported file.

Upgrade openclaw to version 2026.5.12 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Improper Authorization via the reaction notification process. An attacker can trigger unintended agent processing for reaction events by delivering Slack reaction events even when reaction notifications are disabled. This is only exploitable if the Slack reaction event feature is enabled and reachable.

Upgrade openclaw to version 2026.5.12 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization via the BlueBubbles process. An attacker can gain unauthorized access to restricted agent responses by manipulating conversation-level identifiers to match allowlist entries through conversation metadata rather than a stable sender identity. This is only exploitable if the affected feature is enabled and reachable, and the operator's configuration allows lower-trust input to access the relevant path.

Upgrade openclaw to version 2026.5.7 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Improper Privilege Management via the bootstrap token process. An attacker can gain unauthorized access to broader pending pairing scopes by replaying a pending bootstrap token with an expanded set of requested permissions before approval. This is only exploitable if the affected feature is enabled and reachable, and lower-trust input can access the relevant path.

Upgrade openclaw to version 2026.5.12 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the exec process. An attacker can perform unauthorized operations by crafting command requests that leverage transparent command wrappers to bypass allowlist validation.

Upgrade openclaw to version 2026.5.26 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via the system.run safe-bin allowlist validation. An attacker can access arbitrary files and expose sensitive configuration data by injecting shell metacharacters into approved commands.

Upgrade openclaw to version 2026.5.18 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via the shell wrapper argv. An attacker can execute unauthorized commands by modifying command arguments after allowlist approval but before execution.

Upgrade openclaw to version 2026.5.18 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via the node pairing reconnection. An attacker can gain unauthorized node authority by exploiting logic flaws that allow restoration or escalation of node pairing states beyond intended approval scopes.

Upgrade openclaw to version 2026.5.27 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to User Interface (UI) Misrepresentation of Critical Information via the approval display truncation. An attacker can execute unauthorized operations by submitting oversized exec commands with benign prefixes and malicious suffixes that are hidden from approvers.

Upgrade openclaw to version 2026.5.18 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Missing Authorization via the bundle MCP loopback session-spawn path. An attacker can gain unauthorized access to restricted commands by bypassing intended command restrictions through authenticated access to the affected path.

Upgrade openclaw to version 2026.5.12 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization via the chat.send route. An attacker can perform unauthorized privileged actions by leveraging inherited external routes to bypass required scope checks, enabling unauthorized modification of plugins, configuration, MCP, allowlist, and ACP settings.

Upgrade openclaw to version 2026.5.18 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Missing Authorization through the registerPairCommand and resolvePairingCommandAuthState paths in the device-pair command handler. An attacker can generate pairing setup codes, inspect pending pairings, approve requests, or clear/revoke bootstrap tokens by invoking /pair from non-gateway chat surfaces without presenting the operator.pairing scope. This lets an unauthorized user take over device pairing workflows and disrupt or hijack an operator’s pairing state.

Upgrade openclaw to version 2026.5.4-beta.2 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Authorization via the exec approver gate process. An attacker can gain unauthorized approval capabilities by leveraging limited exec approval permissions to bypass intended approval splits and approve plugin actions outside of operator configuration.

Upgrade openclaw to version 2026.5.12-beta.1 or higher.

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Missing Authorization in the QQBot native approval buttons process. An attacker can gain unauthorized access to resolve pending exec or plugin approval requests by interacting with approval buttons without proper authorization.

Upgrade openclaw to version 2026.5.18-beta.1 or higher.