
22 matches found

OSV • added 2026/03/21 1:17 a.m. • 3 views

CVE-2026-32052

OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability in the system.run shell-wrapper that allows attackers to execute hidden commands by injecting positional argv carriers after inline shell payloads. Attackers can craft misleading approval text while executing arbitrary...

CVSS 6.4 | AI score 6.1
Exploits: 0 | References: 4

CVE • added 2026/03/21 12:42 a.m. • 14 views

CVE-2026-32052

OpenClaw is affected in versions prior to 2026.2.24. The vulnerability is a command injection in the system.run shell-wrapper that enables execution of hidden commands by injecting trailing positional argv carriers after inline shell payloads. The attack can be triggered through crafted approval ...

CVSS 9.8 | AI score 6.1 | EPSS 0.00911
Exploits: 0 | References: 4 | Affected Software: 1

Cvelist • added 2026/03/19 10:7 p.m. • 17 views

CVE-2026-32033 OpenClaw < 2026.2.24 - Path Traversal via @-prefixed Absolute Paths in Workspace Boundary Validation

OpenClaw versions prior to 2026.2.24 contain a path traversal vulnerability where @-prefixed absolute paths bypass workspace-only file-system boundary validation due to canonicalization mismatch. Attackers can exploit this by crafting @-prefixed paths like @/etc/passwd to read files outside the...

CVSS 6.5 | EPSS 0.00335
Exploits: 0 | References: 3

Cvelist • added 2026/03/19 10:7 p.m. • 17 views

CVE-2026-32026 OpenClaw < 2026.2.24 - Arbitrary File Read via Improper Temporary Path Validation in Sandbox

OpenClaw versions prior to 2026.2.24 contain an improper path validation vulnerability in sandbox media handling that allows absolute paths under the host temporary directory outside the active sandbox root. Attackers can exploit this by providing malicious media references to read and exfiltrate...

CVSS 7.1 | EPSS 0.00344
Exploits: 0 | References: 5

CVE • added 2026/03/19 10:6 p.m. • 6 views

CVE-2026-32023

OpenClaw: vulnerable up to version 2026.2.23 due to an approval-gating bypass in system.run allowlist mode caused by a dispatch-wrapper depth-cap mismatch. Attackers could chain nested wrappers (e.g., /usr/bin/env) to execute /bin/sh -c commands without triggering the approval prompt. The issue ...

CVSS 8.8 | AI score 5.9 | EPSS 0.00276
Exploits: 0 | References: 3 | Affected Software: 1

OSV • added 2026/03/18 2:16 a.m. • 3 views

CVE-2026-27522

OpenClaw versions prior to 2026.2.24 contain a local media root bypass vulnerability in sendAttachment and setGroupIcon message actions when sandboxRoot is unset. Attackers can hydrate media from local absolute paths to read arbitrary host files accessible by the runtime user...

CVSS 5.5 | AI score 6
Exploits: 0 | References: 3

Snyk • added 2026/03/03 11:18 p.m. • 2 views

Incorrect Authorization

Overview: @openclaw/zalo is an OpenClaw Zalo channel plugin. Affected versions of this package are vulnerable to Incorrect Authorization in the GROUP message dispatch process. An attacker can gain unauthorized access to restricted group message handling by sending GROUP messages from a sender not...

CVSS 5.3 | AI score 5.8
Exploits: 0 | References: 2

OSV • added 2026/03/03 11:18 p.m. • 5 views

GHSA-534W-2VM4-89XR OpenClaw's Zalo group sender allowlist bypass permits unauthorized GROUP dispatch

A missing group-sender authorization check in the Zalo plugin allowed unauthorized GROUP messages to enter agent dispatch paths in configurations intended to restrict group traffic. Impact: When Zalo group handling was configured with allowlist-style controls, a sender not present in the intended...

CVSS 5.3 | AI score 5.9
Exploits: 0 | References: 3

Snyk • added 2026/03/03 11:10 p.m. • 3 views

Symlink Attack

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Symlink Attack via the validateBindMounts process. An attacker can access files or directories outside of intended boundaries by exploiting symlinked parent directories combined with...

CVSS 7.5 | AI score 5.8 | EPSS 0.00254
Exploits: 0 | References: 3

OSV • added 2026/03/03 11:3 p.m. • 5 views

GHSA-GW85-XP4Q-5GP9 OpenClaw's Synology Chat dmPolicy=allowlist failed open on empty allowedUserIds, allowing unauthorized agent dispatch

Summary: In openclaw versions 2026.2.22 and 2026.2.23, the optional synology-chat channel plugin had an authorization fail-open condition: when dmPolicy was allowlist and allowedUserIds was empty/unset, unauthorized senders were still allowed through to agent dispatch. This is assessed as medium...

CVSS 5.3 | AI score 6 | EPSS 0.00321
Exploits: 0 | References: 6

Github Security Blog • added 2026/03/03 11:3 p.m. • 27 views

OpenClaw's Synology Chat dmPolicy=allowlist failed open on empty allowedUserIds, allowing unauthorized agent dispatch

Summary: In openclaw versions 2026.2.22 and 2026.2.23, the optional synology-chat channel plugin had an authorization fail-open condition: when dmPolicy was allowlist and allowedUserIds was empty/unset, unauthorized senders were still allowed through to agent dispatch. This is assessed as medium...

CVSS 9.8 | AI score 6 | EPSS 0.00321
Exploits: 0 | References: 6 | Affected Software: 1

OSV • added 2026/03/03 9:52 p.m. • 3 views

GHSA-VVGP-4C28-M3JM OpenClaw has a Trusted-proxy Control UI pairing bypass which allows unpaired node sessions

Summary: A trusted-proxy Control UI pairing bypass accepted client.id=control-ui without device identity checks. The bypass did not require operator role, so an authenticated node role session could connect unpaired and reach node event methods. Impact: With trusted-proxy authentication enabled, a...

CVSS 7.1 | AI score 6.1 | EPSS 0.00335
Exploits: 0 | References: 5

Snyk • added 2026/03/03 9:34 p.m. • 4 views

Unsafe Dependency Resolution

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the safeBins process. An attacker can execute arbitrary commands in the application runtime context by placing a malicious binary with the same name as a...

CVSS 8.5 | AI score 6 | EPSS 0.00133
Exploits: 0 | References: 3

Snyk • added 2026/03/03 7:46 p.m. • 3 views

Incorrect Authorization

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Incorrect Authorization via system.run. An attacker can execute hidden commands under misleading approval or display text by supplying additional positional argv payloads that are not...

CVSS 9.8 | AI score 6 | EPSS 0.00911
Exploits: 0 | References: 3

Github Security Blog • added 2026/03/03 7:18 p.m. • 7 views

OpenClaw's system.run approval TOCTOU via mutable symlink cwd target on node host

Summary: In [email protected], approval-bound system.run on node hosts could be influenced by mutable symlink cwd targets between approval and execution. Details: Approval matching on the gateway validated command/argv and binding fields, including cwd, as provided text. Node execution later used...

CVSS 7 | AI score 6.1 | EPSS 0.00099
Exploits: 0 | References: 5 | Affected Software: 1

OSV • added 2026/03/03 7:16 p.m. • 6 views

GHSA-CCG8-46R6-9QGJ OpenClaw's dispatch-wrapper depth-cap mismatch can bypass shell-wrapper approval gating in system.run allowlist mode

Summary: A wrapper-depth parsing mismatch in system.run allowed nested transparent dispatch wrappers (for example, repeated /usr/bin/env) to suppress shell-wrapper detection while still matching allowlist resolution. In security=allowlist + ask=on-miss, this could bypass the expected approval prompt...

CVSS 8.8 | AI score 6 | EPSS 0.00276
Exploits: 0 | References: 5

Snyk • added 2026/03/03 7:8 p.m. • 2 views

Allocation of Resources Without Limits or Throttling

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the Telegram DM message handling. An attacker can cause unauthorized media files to be downloaded and written to disk by sending...

CVSS 7.1 | AI score 5.8
Exploits: 0 | References: 5

OSV • added 2026/03/03 7:8 p.m. • 1 views

GHSA-9F72-QCPW-2HXC OpenClaw: Native prompt image auto-load did not honor tools.fs.workspaceOnly in sandboxed runs

Summary: In sandboxed runs, native prompt image auto-load did not honor tools.fs.workspaceOnly=true. This optional hardening setting is not enabled by default. When operators enabled it, prompt text could still reference mounted out-of-workspace image paths (for example, /agent/secret.png) and load...

CVSS 8.9 | AI score 5.9
Exploits: 0 | References: 3

Snyk • added 2026/03/02 11:37 p.m. • 3 views

Protection Mechanism Failure

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Protection Mechanism Failure through improper validation of the docker.network configuration parameter. An attacker can gain unauthorized access to internal network resources by specifyin...

CVSS 9.8 | AI score 5.9 | EPSS 0.00265
Exploits: 0 | References: 3

OSV • added 2026/03/02 11:34 p.m. • 4 views

GHSA-FQCM-97M6-W7RM OpenClaw: Message action attachment hydration bypasses local media root checks when sandboxRoot is unset

Impact: sendAttachment and setGroupIcon message actions could hydrate media from local absolute paths when sandboxRoot was unset, bypassing intended local media root checks. This could allow reads of arbitrary host files reachable by the runtime user when an authorized message-action path was...

CVSS 8.7 | AI score 6 | EPSS 0.00372
Exploits: 0 | References: 5