21 matches found

NVD
added 2026/03/21 1:17 a.m., 1 view

CVE-2026-32898

OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerability in the ACP client that auto-approves tool calls based on untrusted toolCall.kind metadata and permissive name heuristics. Attackers can bypass interactive approval prompts for read-class operations by spoofing tool...

CVSS 5.4, EPSS 0.00023
Exploits: 0, References: 4
CVE
added 2026/03/19 1:00 a.m., 9 views

CVE-2026-31998

OpenClaw 2026.2.22 and 2026.2.23 contain an authorization bypass in the synology-chat channel plugin when dmPolicy is set to allowlist with empty allowedUserIds, allowing attackers with Synology sender access to bypass checks and trigger unauthorized agent dispatch and downstream tool actions. Af...

CVSS 9.8, AI score 5.8, EPSS 0.00071
Exploits: 0, References: 4, Affected Software: 1
Vulnrichment
added 2026/03/19 1:00 a.m., 0 views

CVE-2026-31998 OpenClaw 2026.2.22 < 2026.2.24 - Authorization Bypass in Synology Chat Plugin via Empty allowedUserIds

OpenClaw versions 2026.2.22 and 2026.2.23 contain an authorization bypass vulnerability in the synology-chat channel plugin where dmPolicy set to allowlist with empty allowedUserIds fails open. Attackers with Synology sender access can bypass authorization checks and trigger unauthorized agent...

CVSS 8.6, AI score 5.8, EPSS 0.00071
Exploits: 0, References: 4
CNNVD
added 2026/03/19 12:00 a.m., 3 views

OpenClaw security vulnerability

OpenClaw is an open-source AI assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.2.23 contain a security vulnerability caused by a bypass of the allowlists in the system's runtime protection mechanism, which could allow...

CVSS 8.8, AI score 5.9, EPSS 0.00095
Exploits: 0, References: 4
CNNVD
added 2026/03/19 12:00 a.m., 4 views

OpenClaw security vulnerability

OpenClaw is an open-source AI assistant developed by OpenClaw. Versions 2026.2.22 and 2026.2.23 of OpenClaw contain a security vulnerability stemming from an authorization bypass in the synology-chat plugin. This could allow attackers to circumvent...

CVSS 9.8, AI score 5.8, EPSS 0.00071
Exploits: 0, References: 4
CNNVD
added 2026/03/19 12:00 a.m., 4 views

OpenClaw cross-site scripting vulnerability

OpenClaw is an open-source AI assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.2.23 have a cross-site scripting vulnerability stemming from an HTML injection issue, which could allow attackers to execute arbitrary JavaScript code...

CVSS 6.1, AI score 5.9, EPSS 0.00031
Exploits: 1, References: 3
Github Security Blog
added 2026/03/03 11:03 p.m., 23 views

OpenClaw's Synology Chat dmPolicy=allowlist failed open on empty allowedUserIds, allowing unauthorized agent dispatch

Summary: In openclaw versions 2026.2.22 and 2026.2.23, the optional synology-chat channel plugin had an authorization fail-open condition: when dmPolicy was allowlist and allowedUserIds was empty/unset, unauthorized senders were still allowed through to agent dispatch. This is assessed as medium...

CVSS 9.8, AI score 6, EPSS 0.00071
Exploits: 0, References: 6, Affected Software: 1
Snyk
added 2026/03/03 10:23 p.m., 2 views

Interpretation Conflict

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Interpretation Conflict through a mismatch in policy and runtime interpretation of wrapper commands using GNU env -S semantics. An attacker can execute unintended commands by injecting...

CVSS 5.7, AI score 5.9
Exploits: 0, References: 2
Github Security Blog
added 2026/03/03 10:23 p.m., 4 views

OpenClaw has exec allowlist/safeBins policy-runtime mismatch via env -S wrapper interpretation

Summary: tools.exec allowlist/safe-bins evaluation could diverge from runtime execution for wrapper commands using GNU env -S/--split-string semantics. This allowed policy checks to treat a command as a benign safe-bin invocation while runtime executed a different payload. Affected Packages /...

AI score 6.2
Exploits: 0, References: 3, Affected Software: 1
OSV
added 2026/03/03 10:13 p.m., 2 views

GHSA-7FF8-XJH3-MGH6 OpenClaw's non-default autoAllowSkills setting could bypass on-miss exec prompt

Summary: In openclaw versions up to and including 2026.2.22-2, a non-default exec-approval configuration could allow a skill-name collision to bypass an ask=on-miss prompt. When autoAllowSkills=true, a path-scoped executable such as ./skill-bin could resolve to basename skill-bin, satisfy the skil...

CVSS 7.3, AI score 6
Exploits: 0, References: 3
Github Security Blog
added 2026/03/03 10:09 p.m., 5 views

OpenClaw has stored XSS in exported session HTML viewer via markdown/raw-HTML rendering

Summary: The exported session HTML viewer allowed stored XSS when untrusted session content included raw HTML markdown tokens or unescaped metadata fields. Impact: Opening a crafted exported HTML session could execute attacker-controlled JavaScript in the viewer context. This can expose session...

AI score 6.1
Exploits: 0, References: 3, Affected Software: 1
OSV
added 2026/03/03 10:09 p.m., 2 views

GHSA-R294-2894-92J3 OpenClaw has stored XSS in exported session HTML viewer via markdown/raw-HTML rendering

Summary: The exported session HTML viewer allowed stored XSS when untrusted session content included raw HTML markdown tokens or unescaped metadata fields. Impact: Opening a crafted exported HTML session could execute attacker-controlled JavaScript in the viewer context. This can expose session...

CVSS 5.3, AI score 6.1
Exploits: 0, References: 3
OSV
added 2026/03/03 9:41 p.m., 0 views

GHSA-3C6H-G97W-FG78 OpenClaw's tools.exec.safeBins sort long-option abbreviation bypass can skip exec approval in allowlist mode

Summary: In OpenClaw, tools.exec.safeBins validation for sort could be bypassed via GNU long-option abbreviations in allowlist mode, allowing approval-free execution paths that should require approval. Affected Packages / Versions: Ecosystem: npm; Package: openclaw; Latest published version...

CVSS 8.8, AI score 6.1, EPSS 0.00085
Exploits: 0, References: 5
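The abbreviation bypass in the entry above, as an added illustration that is not OpenClaw's code: GNU getopt_long accepts any unambiguous prefix of a long option name, so a safeBins rule that blocks --output by exact comparison lets --out=/tmp/x or --o /tmp/x through while sort itself treats both as --output. The fix is to canonicalize each long option against the binary's option table before consulting the deny list, and to treat unknown or ambiguous spellings as needing approval. The option table below is taken from sort --help of GNU coreutils and the deny lists are illustrative assumptions; a real policy should derive the table from the installed binary.

```javascript
// Added example, not OpenClaw's code. Long-option table from GNU coreutils `sort --help`
// (assumption: matches the installed version); deny lists are illustrative.
const SORT_LONG_OPTS = [
  'ignore-leading-blanks', 'dictionary-order', 'ignore-case', 'general-numeric-sort',
  'ignore-nonprinting', 'month-sort', 'human-numeric-sort', 'numeric-sort', 'random-sort',
  'random-source', 'reverse', 'sort', 'version-sort', 'batch-size', 'check',
  'compress-program', 'debug', 'files0-from', 'key', 'merge', 'output', 'stable',
  'buffer-size', 'field-separator', 'temporary-directory', 'parallel', 'unique',
  'zero-terminated', 'help', 'version',
];
// Options that turn a read-only sort into a file write or a program execution.
const DENIED_LONG = new Set(['output', 'compress-program']);
const DENIED_SHORT = new Set(['o']);
// Short options that consume an argument; in a cluster like -k2 the rest is that argument.
const SHORT_WITH_ARG = new Set(['k', 'o', 'S', 't', 'T']);

// Resolve a long option the way getopt_long does: exact name, else a unique prefix.
// Returns null for unknown or ambiguous names; sort rejects those, so the policy must not guess.
function canonicalizeLongOpt(name) {
  if (SORT_LONG_OPTS.includes(name)) return name;
  const matches = SORT_LONG_OPTS.filter((o) => o.startsWith(name));
  return matches.length === 1 ? matches[0] : null;
}

// Vulnerable shape: exact string comparison against the denied spellings.
function naiveVerdict(argv) {
  for (const a of argv.slice(1)) {
    const name = a.split('=')[0];
    if (name === '--output' || name === '--compress-program' || name === '-o') return 'approval-required';
  }
  return 'allow';
}

// Hardened shape: canonicalize every long option before the deny-list check, require
// approval for unknown/ambiguous options, and walk short-option clusters character by character.
function canonicalVerdict(argv) {
  if (argv[0] !== 'sort') return 'approval-required';
  for (let i = 1; i < argv.length; i++) {
    const a = argv[i];
    if (a === '--') break;                      // end of options; the rest are operands
    if (a.startsWith('--')) {
      const eq = a.indexOf('=');
      const canon = canonicalizeLongOpt(eq === -1 ? a.slice(2) : a.slice(2, eq));
      if (canon === null || DENIED_LONG.has(canon)) return 'approval-required';
    } else if (a.startsWith('-') && a.length > 1) {
      for (const ch of a.slice(1)) {
        if (DENIED_SHORT.has(ch)) return 'approval-required';
        if (SHORT_WITH_ARG.has(ch)) break;      // remaining characters are this option's value
      }
    }
  }
  return 'allow';
}
```

Operands that happen to look like option values (a file literally named -o, or --key -o) are judged conservatively here and sent to approval, which is the right side to err on for an allowlist gate.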
Snyk
added 2026/03/03 9:37 p.m., 1 view

Incorrect Authorization

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Incorrect Authorization via the applypatch process. An attacker can gain unauthorized access to files or directories outside the intended workspace by exploiting insufficient enforcement ...

CVSS 8.1, AI score 5.8, EPSS 0.00083
Exploits: 0, References: 2
Snyk
added 2026/03/03 7:16 p.m., 1 view

Incorrect Authorization

Overview: @openclaw/voice-call is an OpenClaw voice-call plugin. Affected versions of this package are vulnerable to Incorrect Authorization via the webhook event deduplication. An attacker can trigger duplicate or stale call-state transitions by replaying Twilio webhook events with randomized even...

CVSS 6.9, AI score 5.8, EPSS 0.00021
Exploits: 0, References: 3
Snyk
added 2026/03/03 6:00 p.m., 4 views

Off-by-one Error

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Off-by-one Error in the allowlist mode. An attacker can execute unintended commands by bypassing operator safety controls using specially crafted input to env -S when /usr/bin/env is...

CVSS 8.8, AI score 6, EPSS 0.00095
Exploits: 0, References: 3
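The policy/runtime mismatch behind the env -S entries above (the Snyk Interpretation Conflict and Off-by-one entries and the GitHub safeBins advisory), as an added illustration that is not OpenClaw's code. The model is deliberately simple: the policy layer unwraps the env wrapper and judges the inner command, but if it splits the -S string with plain whitespace rules while GNU env splits it with quote and escape rules, the policy judges a different argv than the one that executes. splitEnvS() implements a subset of GNU env --split-string semantics (whitespace separation, single and double quotes, backslash escapes) and is an assumption for this example; it omits $VAR expansion, comments and \c. The safe-bin set and deny list are illustrative as well.

```javascript
// Added example, not OpenClaw's code. Subset of GNU env -S semantics (assumption);
// safe-bin and deny lists are illustrative.
const SAFE_BINS = new Set(['sort', 'cat', 'head']);
// sort options that turn a read-only invocation into a file write or program execution.
const DENIED_SORT_OPTS = ['-o', '--output', '--compress-program'];

// Quote- and escape-aware split, as GNU env -S does it (subset, see lead-in).
function splitEnvS(s) {
  const out = [];
  let cur = '';
  let inArg = false;
  let quote = null; // null, "'" or '"'
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    if (quote !== null) {
      if (ch === quote) { quote = null; continue; }
      if (ch === '\\' && i + 1 < s.length && (s[i + 1] === quote || s[i + 1] === '\\')) { cur += s[++i]; continue; }
      cur += ch;
      continue;
    }
    if (ch === "'" || ch === '"') { quote = ch; inArg = true; continue; }
    if (ch === '\\' && i + 1 < s.length) { cur += s[++i]; inArg = true; continue; }
    if (ch === ' ' || ch === '\t') {
      if (inArg) { out.push(cur); cur = ''; inArg = false; }
      continue;
    }
    cur += ch;
    inArg = true;
  }
  if (inArg) out.push(cur);
  return out;
}

// What a policy layer that does not know env -S rules might do instead.
function splitWhitespace(s) {
  return s.split(/\s+/).filter(Boolean);
}

// Unwrap `env [-S STRING] PROGRAM ARGS...` into the argv that will actually run.
// Returns null when env carries options this model does not understand.
function unwrapEnv(argv, splitter) {
  if (argv[0] !== 'env' && argv[0] !== '/usr/bin/env') return argv;
  let i = 1;
  let inner = [];
  for (; i < argv.length; i++) {
    const a = argv[i];
    if (a === '-S' || a === '--split-string') { inner = inner.concat(splitter(argv[i + 1] ?? '')); i++; continue; }
    if (a.startsWith('--split-string=')) { inner = inner.concat(splitter(a.slice('--split-string='.length))); continue; }
    if (a.startsWith('-')) return null; // -i, -u NAME, -C DIR ...: not modelled, do not guess
    break;
  }
  return inner.concat(argv.slice(i));
}

// Safe-bin rule: the program must be a safe bin and, for sort, carry no write/exec option.
// (Illustrative: a real rule must also parse short-option clusters and long-option abbreviations.)
function evaluateSafeBin(argv) {
  if (!argv || argv.length === 0 || !SAFE_BINS.has(argv[0])) return 'approval-required';
  if (argv[0] === 'sort') {
    for (const a of argv.slice(1)) {
      if (DENIED_SORT_OPTS.some((o) => a === o || a.startsWith(o + '=') || (o === '-o' && a.startsWith('-o')))) {
        return 'approval-required';
      }
    }
  }
  return 'allow';
}

// Verdict the policy reaches when it unwraps env with the given splitter.
function policyVerdict(argv, splitter) {
  return evaluateSafeBin(unwrapEnv(argv, splitter));
}

// Constructed request: the quotes are harmless to env -S but hide -o from a whitespace-only split.
const REQUEST = ['env', '-S', 'sort "-o" /home/agent/.profile data.txt'];
```

The same request is allowed by the policy when it uses splitWhitespace and sent to approval when it uses splitEnvS; the runtime, which is GNU env, always behaves like the latter. The general fix is to evaluate exactly the argv the runtime will execute, which means either sharing the tokenizer with the runtime or refusing to auto-allow wrapper forms the policy cannot model.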
Positive Technologies
added 2026/03/03 12:00 a.m., 1 view

PT-2026-26238

Summary: In openclaw versions 2026.2.22 and 2026.2.23, the optional synology-chat channel plugin had an authorization fail-open condition: when dmPolicy was allowlist and allowedUserIds was empty/unset, unauthorized senders were still allowed through to agent dispatch. This is assessed as medium...

CVSS 9.8, AI score 5.9, EPSS 0.00071
Exploits: 0, References: 13
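The fail-open condition described in the synology-chat entries (CVE-2026-31998, the GitHub advisory and PT-2026-26238 above), as an added illustration that is not OpenClaw's code: a direct-message gate in its fail-open and fail-closed shapes, plus a startup lint that flags allowlist mode with no entries before a sender ever reaches the check. The config shape, function names and sender IDs are constructed for this example.

```javascript
// Added example, not OpenClaw's code. Config shape, names and IDs are constructed.

// Fail-open shape: an empty allowlist is treated as "nothing to check".
function isSenderAllowedFailOpen(policy, senderId) {
  if (policy.dmPolicy === 'open') return true;
  if (policy.dmPolicy === 'allowlist') {
    const ids = policy.allowedUserIds || [];
    if (ids.length === 0) return true;   // the bug: no entries means everyone passes
    return ids.includes(senderId);
  }
  return false;
}

// Fail-closed shape: allowlist mode admits only explicitly listed senders, so an empty or
// missing list admits nobody; unknown policy values also deny.
function isSenderAllowedFailClosed(policy, senderId) {
  switch (policy.dmPolicy) {
    case 'open':
      return true;
    case 'allowlist': {
      const ids = Array.isArray(policy.allowedUserIds) ? policy.allowedUserIds.map(String) : [];
      return ids.length > 0 && ids.includes(String(senderId));
    }
    default:
      return false;
  }
}

// Gate an inbound DM before it reaches agent dispatch; returns the decision record.
function gateInboundDm(policy, message, allowFn) {
  const allowed = allowFn(policy, message.senderId);
  return { senderId: message.senderId, dispatched: allowed };
}

// Startup lint: an allowlist with no entries is almost always a misconfiguration. Under the
// fail-closed check it locks everyone out silently; under the fail-open check it admits everyone.
// Returns a list of findings (empty when the config is sound).
function lintDmPolicy(policy) {
  const findings = [];
  if (policy.dmPolicy === 'allowlist') {
    const ids = Array.isArray(policy.allowedUserIds) ? policy.allowedUserIds : [];
    if (ids.length === 0) {
      findings.push('dmPolicy=allowlist with empty or unset allowedUserIds: list the intended user IDs or choose another dmPolicy explicitly');
    }
  } else if (policy.dmPolicy !== 'open') {
    findings.push(`unknown dmPolicy "${policy.dmPolicy}"`);
  }
  return findings;
}

// Constructed configs and messages (not from any real deployment).
const EMPTY_ALLOWLIST = { dmPolicy: 'allowlist', allowedUserIds: [] };
const UNSET_ALLOWLIST = { dmPolicy: 'allowlist' };
const POPULATED = { dmPolicy: 'allowlist', allowedUserIds: ['u-1001'] };
const STRANGER = { senderId: 'u-9999', text: 'run the backup script' };
const KNOWN = { senderId: 'u-1001', text: 'status?' };
```

The design point is that "allowlist" must mean deny-by-default at the point of use; an empty list is a deployment error to surface, never a reason to skip the check.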
Positive Technologies
added 2026/03/03 12:00 a.m., 2 views

PT-2026-26389

Summary: In some opt-in sandbox configurations, the experimental apply-patch tool did not consistently apply workspace-only checks to mounted paths (for example /agent/...). Impact: This does not affect default installs. Default posture: agents.defaults.sandbox.mode=off (sandbox disabled by default) ...

CVSS 7.6, AI score 5.9, EPSS 0.00083
Exploits: 0, References: 7
OSV
added 2026/03/02 10:30 p.m., 2 views

GHSA-GWQP-86Q6-W47G OpenClaw's exec allow-always can be bypassed via unrecognized multiplexer shell wrappers (busybox/toybox sh -c)

Summary: OpenClaw exec approvals could be bypassed in allowlist mode when allow-always was granted through unrecognized multiplexer shell wrappers, notably busybox sh -c and toybox sh -c. Affected Packages / Versions: Package: openclaw (npm); Affected: <= 2026.2.22-2; Latest published vulnerable...

CVSS 6.9, AI score 6, EPSS 0.00036
Exploits: 0, References: 3
Github Security Blog
added 2026/03/02 10:29 p.m., 7 views

OpenClaw: Node exec approvals could be replayed across nodes

Summary: exec.approval requests for host=node were not explicitly bound to the target nodeId, so an approval intended for one node could be replayed for a different node under the same operator-controlled gateway fleet. Impact: An operator approval for a system.run request could be reused across...

AI score 6.1
Exploits: 0, References: 3, Affected Software: 1