5 matches found
GHSA-J472-GF56-X589 OpenClaw: PowerShell encoded-command aliases could miss exec allowlist checks
Summary PowerShell encoded-command aliases could miss exec allowlist checks. In affected versions, a command request using abbreviated encoded-command flags could use an alias form not recognized by the allowlist parser. This advisory is scoped to the named feature and configuration. It does not...
GHSA-27PQ-2PH8-8X25 Duplicate Advisory: Shell positional parameters could weaken strict inline-eval checks
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-5cj2-3jr2-5h77. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.2 contains an inline-eval bypass vulnerability allowing authenticated operators to weaken stri...
CVE-2026-6322 fast-uri vulnerable to host confusion via percent-encoded authority delimiters
fast-uri normalize decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator...
GHSA-G75X-8QQM-2VXP OpenClaw's `tools.exec.safeBins` PATH-hijack allowed trojan binaries to bypass allowlist checks
Summary tools.exec.safeBins allowlist checks could be bypassed by PATH-hijacked binaries, allowing execution of attacker-controlled trojan binaries under an allowlisted executable name. Affected Packages / Versions - Package: openclaw npm - Latest published version at triage time: 2026.2.17 -...
Missing allowlist checks on tokens in CrossAnchorBridge could cause loss of funds
Lines of code Vulnerability details Impact The CrossAnchorBridge contract accepts any ERC20 token and transfers them to the wormhole bridge. There were allowlist checks on the tokens before, but they were commented out in this version for the audit. If a user transfers, for example, non-supported...