6 matches found
EUVD-2026-36322
OpenClaw: Paired nodes could forge exec lifecycle events without system.run provenance...
CVE-2026-53816
OpenClaw before 2026.5.18 contains an insufficient provenance validation vulnerability in node event handling that allows paired nodes to forge exec lifecycle events without system.run authorization. A malicious or compromised paired node can send crafted node.event messages to the gateway,...
Missing Authorization
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authorization in the node event handling process. An attacker can gain unauthorized access to restricted exec lifecycle events by sending crafted node.event messages from a paired...
PT-2026-48746
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.18 Description Insufficient provenance validation in node event handling allows paired nodes to forge exec lifecycle events without system.run authorization. A malicious or compromised paired node can send...
GHSA-GFMX-PPH7-G46X OpenClaw: Lower-trust background runtime output is injected into trusted `System:` events, and local async exec completion misses the intended `exec-event` downgrade
Impact Lower-trust background runtime output is injected into trusted System: events, and local async exec completion misses the intended exec-event downgrade. Lower-trust runtime/background output could be promoted into trusted System events, allowing prompt-injection into later agent turns...
EUVD-2025-34079
tracexec has env command argument injection via environment variables starting with dash in traced exec events...