OpenClaw has multiple E2E/test Dockerfiles that run all processes as root

Three Dockerfiles in scripts/docker/ and scripts/e2e/ lack a USER directive, meaning all processes run as uid 0 root. If any process is compromised, the attacker has root inside the container, making container breakout significantly easier. Partial fix 2026-02-08: Commit 28e1a65e added USER sandb...

GHSA-XGF2-VXV2-RRMG OpenClaw's shell startup env injection bypasses system.run allowlist intent (RCE class)

Summary system.run environment sanitization allowed shell-startup env overrides HOME, ZDOTDIR that can execute attacker-controlled startup files before allowlist-evaluated command bodies. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.2.22 Technical Details In affected...

GHSA-3CVX-236H-M9FJ OpenClaw has an opt-in insecure Control UI auth over plaintext HTTP could allow privileged access

Description In affected releases, when an operator explicitly enabled gateway.controlUi.allowInsecureAuth: true and exposed the gateway over plaintext HTTP, Control UI authentication could permit privileged operator access without the intended device identity + pairing guarantees. This required a...

OpenClaw has an opt-in insecure Control UI auth over plaintext HTTP could allow privileged access

Description In affected releases, when an operator explicitly enabled gateway.controlUi.allowInsecureAuth: true and exposed the gateway over plaintext HTTP, Control UI authentication could permit privileged operator access without the intended device identity + pairing guarantees. This required a...

GHSA-P4WH-CR8M-GM6C OpenClaw: shell-env trusted-prefix fallback allowed attacker-controlled binary execution via $SHELL

Summary shell-env fallback trusted prefix-based executable paths for $SHELL, allowing execution of attacker-controlled binaries in local/runtime-env influence scenarios. Details In affected versions, shell selection accepted either: 1. a shell listed in /etc/shells, or 2. any executable under...

GHSA-X9CF-3W63-RPQ9 OpenClaw vulnerable to sensitive file disclosure via stageSandboxMedia

Summary When iMessage remote attachment fetching is enabled channels.imessage.remoteHost, stageSandboxMedia accepted arbitrary absolute paths and used SCP to copy them into local staging. If a non-attachment path reaches this flow, files outside expected iMessage attachment directories on the...

GHSA-56PC-6HVP-4GV4 OpenClaw vulnerable to arbitrary file read via $include directive

Vulnerability Path traversal in config $include resolution allowed arbitrary local file reads outside the config directory boundary CWE-22. Attack Vectors 1. If an attacker can modify OpenClaw config, they can set $include to absolute paths for example /etc/passwd and read files accessible to the...

EUVD-2026-9315

drlibs version 0.14.4 and earlier fixed in commit 8a7258c contain a heap buffer overflow vulnerability in the drwavreadsmpltometadataobj function of drwav.h that allows memory corruption via crafted WAV files. Attackers can exploit a mismatch between sampleLoopCount validation in pass 1 and...

CVE-2026-29022 mackron / dr_libs dr_wav.h Heap Buffer Overflow via WAV File

drlibs drwav.h version 0.14.4 and earlier fixed in commit 8a7258c contain a heap buffer overflow vulnerability in the drwavreadsmpltometadataobj function of drwav.h that allows memory corruption via crafted WAV files. Attackers can exploit a mismatch between sampleLoopCount validation in pass 1 a...

CVE-2026-29022

CVE-2026-29022 affects dr_libs/dr_wav.h up to version 0.14.4. The vulnerability is a heap buffer overflow in the function drwav__read_smpl_to_metadata_obj() , caused by a mismatch between sampleLoopCount validation in pass 1 and unconditional processing in pass 2, allowing memory corruption via c...

UBUNTU-CVE-2026-0540

DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements noscript, xmp, noembed, noframes, iframe in the SAFEFORXML regex. Attacke...

GHSA-RPQR-J937-6QR9 OpenViking contains a Path Traversal vulnerability

OpenViking versions 0.2.1 and prior, fixed in commit 46b3e76, contain a path traversal vulnerability in the .ovpack import handling that allows attackers to write files outside the intended import directory. Attackers can craft malicious ZIP archives with traversal sequences, absolute paths, or...

CVE-2026-28518

OpenViking versions 0.2.1 and prior, fixed in commit 46b3e76, contain a path traversal vulnerability in the .ovpack import handling that allows attackers to write files outside the intended import directory. Attackers can craft malicious ZIP archives with traversal sequences, absolute paths, or...

CVE-2026-20777

A heap-based buffer overflow vulnerability exists in the Nicolet WFT parsing functionality of The Biosig Project libbiosig 3.9.2 and Master Branch db9a9a63. A specially crafted .wft file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability...

EUVD-2026-9296

OpenViking versions 0.2.1 and prior, fixed in commit 46b3e76, contain a path traversal vulnerability in the .ovpack import handling that allows attackers to write files outside the intended import directory. Attackers can craft malicious ZIP archives with traversal sequences, absolute paths, or...

PT-2026-22744

OpenViking versions 0.2.1 and prior, fixed in commit 46b3e76, contain a path traversal vulnerability in the .ovpack import handling that allows attackers to write files outside the intended import directory. Attackers can craft malicious ZIP archives with traversal sequences, absolute paths, or...

PT-2026-26007

Summary OpenClaw exec approvals could be bypassed in allowlist mode when allow-always was granted through unrecognized multiplexer shell wrappers notably busybox sh -c and toybox sh -c. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.2.22-2 - Latest published vulnerable...

Path Traversal

mcp-server-git is vulnerable to Path Traversal. The vulnerability is due to the gitadd tool not validating file paths, where relative paths containing ../ sequences that resolve outside the repository were accepted and staged into the Git index, and attackers can exploit this to potentially...

CVE-2026-27838

wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling self.getobject. In versions up to and including 2.4, ache keys are scoped only by pk — no user ID is included. When a victim has previously accessed their routine via the API...

CVE-2026-28515

openDCIM version 23.04, through commit 4467e9c4, contains a missing authorization vulnerability in install.php and container-install.php. The installer and upgrade handler expose LDAP configuration functionality without enforcing application role checks. Any authenticated user can access this...