21 matches found

Github Security Blog
added 2026/03/21 3:31 a.m. | 3 views

Duplicate Advisory: OpenClaw's inbound media downloads could exceed configured byte limits before rejection across multiple channels

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-rxxp-482v-7mrh. This link is maintained to preserve external references. Original Description: OpenClaw versions prior to 2026.2.22 fail to consistently enforce configured inbound media byte limits before bufferi...

CVSS 8.7 | AI score 5.8 | EPSS 0.00179
Exploits: 0 | References: 5 | Affected software: 1
Vulnrichment
added 2026/03/19 10:06 p.m. | 1 view

CVE-2026-32021 OpenClaw < 2026.2.22 - Authorization Bypass via Display Name Collision in Feishu allowFrom

OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the Feishu allowFrom allowlist implementation that accepts mutable sender display names instead of enforcing ID-only matching. An attacker can set a display name equal to an allowlisted ID string to bypass...

CVSS 6.5 | AI score 5.8 | EPSS 0.00042
Exploits: 0 | References: 3
Vulnrichment
added 2026/03/19 10:06 p.m. | 2 views

CVE-2026-32010 OpenClaw < 2026.2.22 - Allowlist Bypass via sort --compress-program Parameter

OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in the safe-bin configuration when sort is manually added to tools.exec.safeBins. Attackers can invoke sort with the --compress-program flag to execute arbitrary external programs without operator approval in allowlist...

CVSS 6.3 | AI score 6.1 | EPSS 0.00048
Exploits: 0 | References: 3
OSV
added 2026/03/19 3:30 a.m. | 2 views

GHSA-3846-MFVC-XWPF Duplicate Advisory: Exec allowlist wrapper analysis did not unwrap env/shell dispatch chains

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-jj82-76v6-933r. This link is maintained to preserve external references. Original Description: OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run exec analysis that fails...

CVSS 7.1 | AI score 5.9 | EPSS 0.00101
Exploits: 0 | References: 4
CNNVD
added 2026/03/19 12:00 a.m. | 4 views

OpenClaw Security Vulnerability

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions 2026.2.22 and 2026.2.23 of OpenClaw contain security vulnerabilities. These vulnerabilities stem from an authorization bypass issue in the synology-chat plugin. This could allow attackers to circumvent...

CVSS 9.8 | AI score 5.8 | EPSS 0.00071
Exploits: 0 | References: 4
OSV
added 2026/03/04 7:44 p.m. | 2 views

GHSA-JWF4-8WF4-JF2M OpenClaw: BlueBubbles (optional plugin) pairing/allowlist mismatch when allowFrom is empty

Summary: BlueBubbles is an optional OpenClaw channel plugin. A configuration-sensitive access-control mismatch allowed DM senders to be treated as authorized when dmPolicy was pairing or allowlist and allowFrom was empty/unset. Severity Rationale: Medium. Severity is set to medium because: - this...

CVSS 5.3 | AI score 5.9 | EPSS 0.00075
Exploits: 0 | References: 8
Snyk
added 2026/03/04 7:02 p.m. | 2 views

Symlink Attack

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Symlink Attack via the resolveIdentityAvatarUrl function. An attacker can access arbitrary files outside the intended workspace by supplying a crafted local avatar path that follows a...

CVSS 6.9 | AI score 5.9
Exploits: 0 | References: 2
Snyk
added 2026/03/04 6:58 p.m. | 3 views

Authorization Bypass Through User-Controlled Key

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the tools.elevated.allowFrom process. An attacker can gain unauthorized elevated access by providing broader identity signals than...

CVSS 5.3 | AI score 5.8
Exploits: 0 | References: 2
Snyk
added 2026/03/03 11:05 p.m. | 1 view

Command Injection

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Command Injection in the tools.exec.safeBins process when a binary without an explicit safe-bin profile is added in allowlist mode. An attacker can execute arbitrary code by supplying...

CVSS 3.1 | AI score 6.1
Exploits: 0 | References: 2
Github Security Blog
added 2026/03/03 11:03 p.m. | 23 views

OpenClaw's Synology Chat dmPolicy=allowlist failed open on empty allowedUserIds, allowing unauthorized agent dispatch

Summary: In openclaw versions 2026.2.22 and 2026.2.23, the optional synology-chat channel plugin had an authorization fail-open condition: when dmPolicy was allowlist and allowedUserIds was empty/unset, unauthorized senders were still allowed through to agent dispatch. This is assessed as medium...

CVSS 9.8 | AI score 6 | EPSS 0.00071
Exploits: 0 | References: 6 | Affected software: 1
Snyk
added 2026/03/03 11:01 p.m. | 0 views

Insufficiently Protected Credentials

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Insufficiently Protected Credentials due to the reuse of authentication tokens as a fallback secret in the owner ID prompt hashing process. An attacker can infer sensitive hash outputs by...

CVSS 6.3 | AI score 5.8 | EPSS 0.00059
Exploits: 0 | References: 2
Snyk
added 2026/03/03 11:00 p.m. | 0 views

Arbitrary Code Injection

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Arbitrary Code Injection via the transform module path resolution process. An attacker can execute arbitrary JavaScript code with gateway-process privileges by causing a symlinked entry t...

CVSS 7.3 | AI score 6
Exploits: 0 | References: 2
Snyk
added 2026/03/03 10:59 p.m. | 2 views

Incomplete List of Disallowed Inputs

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the --compress-program flag in the sort process when sort is manually added to the tools.exec.safeBins configuration. An attacker can execute...

CVSS 8.8 | AI score 6 | EPSS 0.00048
Exploits: 0 | References: 3
OSV
added 2026/03/03 9:49 p.m. | 2 views

GHSA-4CQV-H74H-93J4 OpenClaw has a Discord `allowFrom` slug-collision authorization bypass

OpenClaw supports Discord allowlists using either user IDs or names/tags. Name/tag matching depends on slug normalization, so different user tags can collide to the same slug and unintentionally satisfy a name-based allowlist entry. Affected Packages / Versions: - Package: openclaw npm - Affected...

CVSS 6.5 | AI score 5.9
Exploits: 0 | References: 4
Snyk
added 2026/03/03 9:39 p.m. | 1 view

Command Injection

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Command Injection via the resolveShell function. An attacker can execute arbitrary commands by influencing environment variables such as SHELL, HOME, or ZDOTDIR during shell startup...

CVSS 5.3 | AI score 6
Exploits: 0 | References: 3
Snyk
added 2026/03/03 7:52 p.m. | 1 view

Untrusted Search Path

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Untrusted Search Path through the SHELL environment variable fallback. An attacker can execute arbitrary commands by supplying a malicious path in the SHELL environment variable, which is...

CVSS 7.8 | AI score 6 | EPSS 0.00021
Exploits: 0 | References: 3
Snyk
added 2026/03/03 7:50 p.m. | 2 views

Untrusted Search Path

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Untrusted Search Path via tools.exec.safeBins. An attacker can execute arbitrary commands by placing a malicious binary with the same name as a trusted binary in a PATH-derived directory...

CVSS 6.9 | AI score 6
Exploits: 0 | References: 2
Positive Technologies
added 2026/03/03 12:00 a.m. | 1 view

PT-2026-26238

Summary: In openclaw versions 2026.2.22 and 2026.2.23, the optional synology-chat channel plugin had an authorization fail-open condition: when dmPolicy was allowlist and allowedUserIds was empty/unset, unauthorized senders were still allowed through to agent dispatch. This is assessed as medium...

CVSS 9.8 | AI score 5.9 | EPSS 0.00071
Exploits: 0 | References: 13
Snyk
added 2026/03/02 10:39 p.m. | 2 views

Allocation of Resources Without Limits or Throttling

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the media-stream WebSocket upgrades. An attacker can exhaust server resources by establishing multiple unauthenticated pre-start...

CVSS 8.7 | AI score 6 | EPSS 0.00142
Exploits: 0 | References: 2
Snyk
added 2026/03/02 10:32 p.m. | 1 view

Allocation of Resources Without Limits or Throttling

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in handling inbound media downloads across multiple channels, where configured byte limits are not consistently enforced before...

CVSS 8.7 | AI score 6 | EPSS 0.00179
Exploits: 0 | References: 2