
Github Security Blog
added 2026/04/09 5:37 p.m.

OpenClaw B-M3: ClawHub package downloads are not enforced with integrity verification

Impact B-M3: ClawHub package downloads are not enforced with integrity verification. ClawHub downloads could install plugin archives without enforcing archive or per-file integrity metadata. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and doe...

CVSS 7.5, AI score 5.9, EPSS 0.00139
Exploits 0, References 5, Affected software 1
OSV
added 2026/04/09 5:37 p.m.

GHSA-QX8J-G322-QJ6M OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects

Impact fetchWithSsrFGuard replays unsafe request bodies across cross-origin redirects. A guarded fetch could resend unsafe request bodies or headers when following cross-origin redirects. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does n...

CVSS 7.4, AI score 5.8, EPSS 0.00239
Exploits 0, References 5
OSV
added 2026/04/09 5:36 p.m.

GHSA-VR5G-MMX7-H897 OpenClaw has Browser SSRF Policy Bypass via Interaction-Triggered Navigation

Impact Browser SSRF Policy Bypass via Interaction-Triggered Navigation. Browser interactions could trigger navigations that bypassed the normal SSRF navigation checks. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a...

CVSS 6.9, AI score 5.8, EPSS 0.0021
Exploits 0, References 2
Snyk
added 2026/04/09 5:36 p.m.

Improper Privilege Management

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Improper Privilege Management via the node.pair.approve function being assigned to the broader operator.write scope instead of the intended operator.pairing scope. An attacker can gain...

CVSS 8.8, AI score 5.8, EPSS 0.00282
Exploits 0, References 2
OSV
added 2026/04/09 5:36 p.m.

GHSA-67MF-F936-PPXF OpenClaw `node.pair.approve` placed in `operator.write` scope instead of `operator.pairing` allows unprivileged pairing approval

Impact OpenClaw node.pair.approve placed in operator.write scope instead of operator.pairing allows unprivileged pairing approval. The pairing approval method accepted operator.write instead of the narrower pairing scope and admin requirement for exec-capable nodes. OpenClaw is a user-controlled...

CVSS 8.8, AI score 5.8, EPSS 0.00282
Exploits 0, References 5
OSV
added 2026/04/09 5:36 p.m.

GHSA-3FV3-6P2V-GXWJ OpenClaw QQ Bot Extension missing SSRF Protection on All Media Fetch Paths

Impact QQ Bot Extension: Missing SSRF Protection on All Media Fetch Paths. QQ Bot media download paths were not consistently routed through the SSRF guard and allowlist policy. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a...

CVSS 5.9, AI score 5.8, EPSS 0.00218
Exploits 0, References 2
vulnersOsv
added 2026/04/09 5:36 p.m.

@0xwork/connect (>=0.1.0 <=0.1.7), @agentholdings/agent-passport (>=0.1.0 <=0.1.5) +22 more potentially affected by unknown CVE via openclaw (>=2026.3.22 <=2026.4.5)

openclaw NPM version =2026.3.22, =0.1.0, =0.1.0, =0.8.3, =0.1.0, =2026.3.25, =0.0.0, =27.2.5, =1.1.0, =2.1.3, =2026.3.24-3, =0.14.39, =0.1.0, =0.1.1, =0.2.18 and more Source cves: unknown CVE Source advisory: SNYK:JS-OPENCLAW-15989071...

AI score 5.5
Exploits 0
OSV
added 2026/04/09 5:35 p.m.

GHSA-25WV-8PHJ-8P7R OpenClaw: Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths

Impact Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths. Concurrent asynchronous shared-secret auth attempts could race the per-key rate-limit budget. OpenClaw is a user-controlled local assistant. This advisory is scoped to the...

CVSS 3.7, AI score 5.8, EPSS 0.00211
Exploits 0, References 5
OSV
added 2026/04/09 5:35 p.m.

GHSA-5WJ5-87VQ-39XM OpenClaw: Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement

Impact Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement. A previously paired node could reconnect with a broader command set, including exec-capable commands, without forcing the operator/admin re-pairing path. OpenClaw is a user-controlled local assistant. This...

CVSS 7.8, AI score 5.8, EPSS 0.00131
Exploits 0, References 5
Github Security Blog
added 2026/04/09 5:35 p.m.

OpenClaw: Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement

Impact Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement. A previously paired node could reconnect with a broader command set, including exec-capable commands, without forcing the operator/admin re-pairing path. OpenClaw is a user-controlled local assistant. This...

CVSS 7.8, AI score 5.9, EPSS 0.00131
Exploits 0, References 5, Affected software 1
OSV
added 2026/04/09 5:34 p.m.

GHSA-VC32-H5MQ-453V OpenClaw: /allowlist omits owner-only enforcement for cross-channel allowlist writes

Impact /allowlist omits owner-only enforcement for cross-channel allowlist writes. An authorized non-owner sender could attempt allowlist writes against a different channel. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a...

CVSS 4.8, AI score 5.8, EPSS 0.00237
Exploits 0, References 5
Snyk
added 2026/04/09 5:34 p.m.

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization via the node.invoke process. An attacker can alter persistent browser profiles by invoking browser.proxy to bypass the intended profile-mutation guard. Remediation...

CVSS 8.1, AI score 5.8, EPSS 0.00258
Exploits 0, References 2
vulnersOsv
added 2026/04/09 5:34 p.m.

@0xwork/connect (>=0.1.0 <=0.1.7), @agentholdings/agent-passport (>=0.1.0 <=0.1.5) +22 more potentially affected by CVE-2026-42431 via openclaw (>=2026.3.22 <=2026.4.5)

openclaw NPM version =2026.3.22, =0.1.0, =0.1.0, =0.8.3, =0.1.0, =2026.3.25, =0.0.0, =27.2.5, =1.1.0, =2.1.3, =2026.3.24-3, =0.14.39, =0.1.0, =0.1.1, =0.2.18 and more Source cves: CVE-2026-42431 Source advisory: SNYK:JS-OPENCLAW-15989075...

CVSS 8.1, AI score 5.4, EPSS 0.00258
Exploits 0
OSV
added 2026/04/09 5:34 p.m.

GHSA-CMFR-9M2R-XWHQ OpenClaw `node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard

Impact OpenClaw `node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard. `node.invoke(browser.proxy)` could mutate persistent browser profiles through a path that bypassed the `browser.request` guard. OpenClaw is a user-controlled local assistant. This advisory is scoped to...

CVSS 8.1, AI score 5.8, EPSS 0.00258
Exploits 0, References 5
vulnersOsv
added 2026/04/09 5:32 p.m.

@0xwork/connect (>=0.1.0 <=0.1.7), @agentholdings/agent-passport (>=0.1.0 <=0.1.5) +22 more potentially affected by CVE-2026-42423 via openclaw (>=2026.3.22 <=2026.4.5)

openclaw NPM version =2026.3.22, =0.1.0, =0.1.0, =0.8.3, =0.1.0, =2026.3.25, =0.0.0, =27.2.5, =1.1.0, =2.1.3, =2026.3.24-3, =0.14.39, =0.1.0, =0.1.1, =0.2.18 and more Source cves: CVE-2026-42423 Source advisory: SNYK:JS-OPENCLAW-15967229...

CVSS 7.7, AI score 5.4, EPSS 0.00316
Exploits 0
OSV
added 2026/04/09 5:32 p.m.

GHSA-Q2GC-XJQW-QP89 OpenClaw: strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts

Impact strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts. The approval-timeout fallback could allow inline eval commands that strictInlineEval was meant to require explicit approval for. OpenClaw is a user-controlled local assistant...

CVSS 7.5, AI score 5.8, EPSS 0.00316
Exploits 0, References 5
Github Security Blog
added 2026/04/09 5:32 p.m.

OpenClaw: strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts

Impact strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts. The approval-timeout fallback could allow inline eval commands that strictInlineEval was meant to require explicit approval for. OpenClaw is a user-controlled local assistant...

CVSS 7.7, AI score 5.9, EPSS 0.00316
Exploits 0, References 5, Affected software 1
OSV
added 2026/04/09 2:5 p.m.

MAL-2026-2527 Malicious code in sjs-biginteger (npm)

sjs-biginteger typosquats big.js on npm. Published April 7, 2026 by throwaway account vanes.s.p.orit.a, the package ships legitimate big.js source and hides its payload in a dependency: sjs-lint-build1. On install, the dependency’s postinstall hook fetches the attacker’s SSH public key from a C2...

AI score 5.8
Exploits 0, References 1
Wolfi
added 2026/04/09 1:48 p.m.

GHSA-HFVC-G4FC-PQHX vulnerabilities

Vulnerabilities for packages: kwok, cloud-provider-azure, mcp-grafana, gogatekeeper, policy-controller, wolfictl, fulcio, trivy-operator, ko, falcosidekick, kubernetes-csi-external-attacher, tekton-pipelines, grafana-mimir, grafana-pyroscope, cluster-api, k8sgateway, bento, cosign, ferretdb,...

AI score 5.8
Exploits 0
Wolfi
added 2026/04/09 1:48 p.m.

CVE-2026-39883 vulnerabilities

Vulnerabilities for packages: kwok, cloud-provider-azure, mcp-grafana, gogatekeeper, policy-controller, wolfictl, fulcio, trivy-operator, ko, falcosidekick, kubernetes-csi-external-attacher, tekton-pipelines, grafana-mimir, grafana-pyroscope, cluster-api, k8sgateway, bento, cosign, ferretdb,...

CVSS 8.8, AI score 7.1, EPSS 0.00196
Exploits 1