11 matches found

NVD (added 2026/03/19 10:16 p.m.)

CVE-2026-32028

OpenClaw versions prior to 2026.2.25 fail to enforce dmPolicy and allowFrom authorization checks on Discord direct-message reaction notifications, allowing non-allowlisted users to enqueue reaction-derived system events. Attackers can exploit this inconsistency by reacting to bot-authored DM...

CVSS 6.3 | EPSS 0.00041
Exploits: 0 | References: 3
Snyk (added 2026/03/04 7:21 p.m.)

Symlink Attack

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Symlink Attack in the tools.fs.workspaceOnly process when hardlink aliases inside the workspace reference files outside the workspace boundary. An attacker can access or modify files...

CVSS 7.6 | AI score 5.8
Exploits: 0 | References: 2
OSV (added 2026/03/03 11:11 p.m.)

GHSA-792Q-QW95-F446 OpenClaw's Signal reaction-only status events could, in limited cases, be enqueued before access checks

Summary: In a narrow Signal reaction-notification path, reaction-only inbound events could enqueue a status event before sender access checks were applied.
Affected Packages / Versions: Package: openclaw (npm); Affected: <= 2026.2.24 (latest published at patch time); Fixed: 2026.2.25.
Details: In the...

CVSS 6.3 | AI score 5.9 | EPSS 0.00042
Exploits: 0 | References: 5
Github Security Blog (added 2026/03/03 11:11 p.m.)

OpenClaw's Signal reaction-only status events could, in limited cases, be enqueued before access checks

Summary: In a narrow Signal reaction-notification path, reaction-only inbound events could enqueue a status event before sender access checks were applied.
Affected Packages / Versions: Package: openclaw (npm); Affected: <= 2026.2.24 (latest published at patch time); Fixed: 2026.2.25.
Details: In the...

CVSS 6.3 | AI score 5.9 | EPSS 0.00042
Exploits: 0 | References: 5 | Affected Software: 1
Snyk (added 2026/03/03 10:08 p.m.)

Symlink Attack

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Symlink Attack via the resolveSandboxedMediaSource process. An attacker can access files outside the intended sandbox confinement by submitting crafted media paths that exploit a symlink...

CVSS 8.7 | AI score 5.8
Exploits: 0 | References: 3
Snyk (added 2026/03/03 9:39 p.m.)

Incorrect Authorization

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Incorrect Authorization via the shared gateway authentication. An attacker can gain unauthorized operator privileges by presenting a self-signed, unpaired device identity. Remediation...

CVSS 8.8 | AI score 5.8 | EPSS 0.00147
Exploits: 0 | References: 2
Snyk (added 2026/03/03 9:36 p.m.)

Missing Authorization

Overview: @openclaw/msteams is an OpenClaw Microsoft Teams channel plugin. Affected versions of this package are vulnerable to Missing Authorization via fileConsent/invoke. An attacker can access or manipulate pending file uploads belonging to other conversations by providing a valid uploadId withi...

CVSS 5.3 | AI score 5.8
Exploits: 0 | References: 3
Github Security Blog (added 2026/03/03 7:50 p.m.)

OpenClaw's Slack reaction/pin sender-policy consistency issue in non-message ingress

Summary: OpenClaw Slack monitor handled reaction and pin non-message events before applying sender-policy checks consistently. In affected versions, these events could be added to system-event context even when sender policy would not normally allow them.
Affected Packages / Versions: Package: np...

CVSS 5.3 | AI score 5.9 | EPSS 0.00042
Exploits: 0 | References: 6 | Affected Software: 1
OSV (added 2026/03/03 6:09 p.m.)

GHSA-QJ22-XQJR-V83V OpenClaw's Telegram message_reaction authorization bypass allows unauthorized system-event injection

A missing sender-authorization check in Telegram message_reaction handling allowed unauthorized users to trigger reaction-derived system events.
Affected Packages / Versions: Package: openclaw (npm); Introduced: 2026.2.17; Affected: >= 2026.2.17 and <= 2026.2.24; Latest published at patch time:...

CVSS 7.1 | AI score 5.8
Exploits: 0 | References: 3
Github Security Blog (added 2026/03/02 10:40 p.m.)

OpenClaw gateway agents.files symlink escape allowed out-of-workspace file read/write

Impact: The gateway agents.files.get and agents.files.set methods allowed symlink traversal for allowlisted workspace files. A symlinked allowlisted file (for example AGENTS.md) could resolve outside the agent workspace and be read/written by the gateway process. This could enable arbitrary host fil...

CVSS 8.8 | AI score 6.4 | EPSS 0.00049
Exploits: 0 | References: 5 | Affected Software: 1
Snyk (added 2026/03/02 10:18 p.m.)

Symlink Attack

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Symlink Attack in the handling of browser trace and download output paths, specifically when processing temporary output. An attacker can overwrite arbitrary files by exploiting symlink...

CVSS 7.8 | AI score 6 | EPSS 0.00016
Exploits: 0 | References: 3