3 matches found
OpenClaw: Webchat audio embedding could read local files without local-root containment
Impact OpenClaw deployments before 2026.4.15 could embed host-local audio files into webchat responses without applying the local media root containment check used by other media-serving paths. If an attacker could influence an agent or tool-produced ReplyPayload.mediaUrl, the webchat audio...
Missing Authorization
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authorization via the command-auth.ts process. An attacker can gain unauthorized access to owner-enforced commands by sending commands from a non-owner sender when a channel plugi...
GHSA-C28G-VH7M-FM7V OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners
Impact OpenClaw deployments before 2026.4.21 could treat a non-owner sender as authorized for owner-enforced slash commands when all of the following were true: - a channel plugin declared commands.enforceOwnerForCommands: true; - the channel accepted wildcard inbound senders with allowFrom: ""; ...