4 matches found
GHSA-RJ39-33V7-9XRQ Duplicate Advisory: OpenClaw's shell startup env injection bypasses system.run allowlist intent (RCE class)
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xgf2-vxv2-rrmg. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and ZDOTDIR in the...
CVE-2026-32021
OpenClaw versions prior to 2026.2.22 contain an authorization bypass in the Feishu allowFrom allowlist implementation. The vulnerability allows an attacker to bypass checks by setting a display name equal to a whitelisted ID string, instead of enforcing strict ID-only matching, potentially gainin...
Duplicate Advisory: OpenClaw's allow-always wrapper persistence could bypass future approvals and enable command execution
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-6j27-pc5c-m8w8. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in allow-always wrapper persistenc...
OpenClaw 操作系统命令注入漏洞
OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.2.22 had a vulnerability related to operating system command injection. This vulnerability stemmed from the persistent existence of the allow-always wrapper, which allowed...