5 matches found
Time-of-check Time-of-use (TOCTOU) Race Condition
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition through a race condition in the write process. An attacker can cause unauthorized file writes outside the intended sandbox mount root by...
GHSA-53VX-PMQW-863C OpenClaw: Browser SSRF policy default allowed private-network navigation
Summary Browser SSRF policy default allowed private-network navigation. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.14 Impact Browser SSRF protection could allow private-network navigation by default in paths where restrictive behavior was...
Insertion of Sensitive Information into Log File
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the fetchRemoteMedia function. An attacker can obtain sensitive bot tokens by triggering Telegram media fetch errors that cause the...
Missing Authorization
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authorization via the WebSocket connection. An attacker can gain unauthorized access to elevated gateway operations by presenting client-declared scopes that are not properly boun...
Missing Authentication for Critical Function
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the webhook process of the BlueBubbles plugin due to trusting the loopback remoteAddress without validating forwarding headers. An attacker...