OpenClaw: Sandbox escape via TOCTOU race in remote FS bridge readFile

Summary Sandbox escape via TOCTOU race in remote FS bridge readFile Current Maintainer Triage - Normalized severity: critical - Assessment: v2026.3.28 remote sandbox reads still do path-check then separate file read, so the TOCTOU sandbox escape remains present in the latest shipped tag. Affected...

GHSA-G8XP-QX39-9JQ9 OpenClaw: Incomplete host-env-security-policy allows untrusted model to substitute compiler binaries via env overrides

Summary Incomplete host-env-security-policy.json allows untrusted model to substitute compiler binaries CC, CXX, CARGOBUILDRUSTC, CMAKECCOMPILER via env overrides on approved host exec requests Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: Shipped v2026.3....

OpenClaw runs Discord audio preflight transcription before member authorization

Summary Discord audio preflight transcription before member authorization Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: v2026.3.28 still runs Discord audio preflight before member allowlist rejection, but this is the same pre-auth resource-consumption clas...

OpenClaw: MS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion

Summary MS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: v2026.3.28 still parses Teams JSON after only a Bearer-prefix gate and before real JWT validation, and the...

OpenClaw: Workspace `.env` can override the bundled plugin trust root

Summary Workspace .env can override the bundled plugin trust root Current Maintainer Triage - Status: open - Normalized severity: high - Assessment: v2026.3.28 still lets workspace .env override OPENCLAWBUNDLEDPLUGINSDIR, but critical is too high because exploitation still depends on...

OpenClaw: Heartbeat context inheritance bypasses sandbox via senderIsOwner escalation

Summary Heartbeat context inheritance bypasses sandbox via senderIsOwner escalation Current Maintainer Triage - Status: open - Normalized severity: Critical Affected Packages / Versions - Package: openclaw npm - Latest published npm version: 2026.3.31 - Vulnerable version range: = 2026.3.31 - Fir...