8 matches found
Server-side Request Forgery (SSRF)
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via improper handling of redirects in the Playwright navigation. An attacker can access internal or private network resources by crafting requests that...
Server-side Request Forgery (SSRF)
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the Interaction-Triggered Navigation. An attacker can access internal resources by triggering browser interactions that bypass normal navigation check...
Improper Privilege Management
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Improper Privilege Management via the node.pair.approve function being assigned to the broader operator.write scope instead of the intended operator.pairing scope. An attacker can gain...
Incorrect Permission Assignment for Critical Resource
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource via the uploadfile or uploadimage process. An attacker can access files outside the intended workspace directory by uploading special...
Improper Input Validation
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Improper Input Validation in to the strictInlineEval function. An attacker can execute unauthorized inline evaluation commands by exploiting the approval-timeout fallback mechanism, which...
Incomplete List of Disallowed Inputs
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the handling of environment variables in the exec env denylist. An attacker can execute arbitrary commands by injecting malicious values into...
Trust Boundary Violation
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Trust Boundary Violation via the wake process. An attacker can inject unauthorized payloads into the trusted System: prompt channel by sending authenticated /hooks/wake or mapped wake...
Trust Boundary Violation
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Trust Boundary Violation via the process handling background runtime output injection into trusted System: events. An attacker can escalate privileges or inject unauthorized commands by...