33268 matches found
OpenClaw exec approvals: safeBins could bypass stdin-only constraints via shell expansion
Summary OpenClaw's exec-approvals allowlist supports a small set of "safe bins" intended to be stdin-only no positional file arguments when running tools.exec.host=gateway|node with security=allowlist. In affected configurations, the allowlist validation checked pre-expansion argv tokens, but...
OpenClaw has a command injection in maintainer clawtributors updater
Summary Command injection in the maintainer/dev script scripts/update-clawtributors.ts. Impact Affects contributors/maintainers or CI who run bun scripts/update-clawtributors.ts in a source checkout that contains a malicious commit author email e.g. crafted @users.noreply.github.com values. Norma...
OpenClaw has a path traversal in browser upload allows local file read
Summary Authenticated attackers can read arbitrary files from the Gateway host by supplying absolute paths or path traversal sequences to the browser tool's upload action. The server passed these paths to Playwright's setInputFiles APIs without restricting them to a safe root. Severity remains Hi...
OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities
Summary Under iMessage groupPolicy=allowlist, group authorization could be satisfied by sender identities coming from the DM pairing store, broadening DM trust into group contexts. Details Affected component: src/imessage/monitor/monitor-provider.ts. Vulnerable logic derived effectiveGroupAllowFr...
OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning
Summary Discovery beacons Bonjour/mDNS and DNS-SD include TXT records such as lanHost, tailnetDns, gatewayPort, and gatewayTlsSha256. TXT records are unauthenticated. Prior to the fix, some clients treated TXT values as authoritative routing/pinning inputs: - iOS and macOS: used TXT-provided host...
OpenClaw Google Chat spoofing access with allowlist authorized mutable email principal despite sender-ID mismatch
Summary Google Chat allowlisting supports matching by sender email in addition to immutable sender resource name users/. This weakens identity binding if a deployment assumes allowlists are strictly keyed by immutable principals. Affected Packages / Versions As of 2026-02-14; based on latest...
OpenClaw skills.status could leak secrets to operator.read clients
Summary skills.status could disclose secrets to operator.read clients by returning raw resolved config values in configChecks for skill requires.config paths. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.2.14...
OpenClaw Node host system.run rawCommand/command mismatch can bypass allowlist/approvals
Summary A mismatch between rawCommand and command in the node host system.run handler could cause allowlist/approval evaluation to be performed on one command while executing a different argv. Affected Configurations This only impacts deployments that: - Use the node host / companion node executi...
OpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reachable)
Summary OpenClaw's SSRF protection could be bypassed using full-form IPv4-mapped IPv6 literals such as 0:0:0:0:0:ffff:7f00:1 which is 127.0.0.1. This could allow requests that should be blocked loopback / private network / link-local metadata to pass the SSRF guard. - Vulnerable component: SSRF...
OpenClaw Gateway tool allowed unrestricted gatewayUrl override
Summary The Gateway tool accepted a tool-supplied gatewayUrl without sufficient restrictions, which could cause the OpenClaw host to attempt outbound WebSocket connections to user-specified targets. Affected Packages / Versions - Package: openclaw npm - Affected versions: = 2026.2.14 planned What...
OpenClaw has a local file disclosure via sendMediaFeishu in Feishu extension
Summary The Feishu extension previously allowed sendMediaFeishu to treat attacker-controlled mediaUrl values as local filesystem paths and read them directly. Affected versions - = 2026.2.14 Impact If an attacker can influence tool calls directly or via prompt injection, they may be able to...
OpenClaw macOS deep link confirmation truncation can conceal executed agent message
Summary OpenClaw macOS desktop client registers the openclaw:// URL scheme. For openclaw://agent deep links without an unattended key, the app shows a confirmation dialog that previously displayed only the first 240 characters of the message, but executed the full message after the user clicked...
OpenClaw is Missing Webhook Authentication in Telnyx Provider Allows Unauthenticated Requests
Summary In affected versions, OpenClaw's optional @openclaw/voice-call plugin Telnyx webhook handler could accept unsigned inbound webhook requests when telnyx.publicKey was not configured, allowing unauthenticated callers to forge Telnyx events. This only impacts deployments where the Voice Call...
OpenClaw has a Path Traversal in Plugin Installation
Summary OpenClaw's plugin installation path derivation could be abused by a malicious plugin package.json name to escape the intended extensions directory and write files to a parent directory. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.1.20, = 2026.2.1 - Latest...
OpenClaw authorization bypass: operator.write can resolve exec approvals via chat.send -> /approve
Summary What this means plain language If you give a client “chat/write” access to the gateway operator.write but you do not intend to let that client approve exec requests operator.approvals, affected versions could still let that client approve/deny a pending exec approval by sending the /appro...
OpenClaw MS Teams inbound attachment downloader leaks bearer tokens to allowlisted suffix domains
Summary NOTE: This only affects deployments that enable the optional MS Teams extension Teams channel. If you do not use MS Teams, you are not impacted. When OpenClaw downloads inbound MS Teams attachments / inline images, it may retry a URL with an Authorization: Bearer header after receiving 40...
OpenClaw Twitch allowFrom is not enforced in optional plugin, unauthorized chat users can trigger agent pipeline
Summary In the optional Twitch channel plugin extensions/twitch, allowFrom is documented as a hard allowlist of Twitch user IDs, but it was not enforced as a hard gate. If allowedRoles is unset or empty, the access control path defaulted to allow, so any Twitch user who could mention the bot coul...
OpenClaw has an inbound allowlist policy bypass in voice-call extension (empty caller ID + suffix matching)
Summary An authentication bypass in the optional voice-call extension/plugin allowed unapproved or anonymous callers to reach the voice-call agent when inbound policy was set to allowlist or pairing. Deployments that do not install/enable the voice-call extension are not affected. Affected Packag...
Nextcloud Talk allowlist bypass via actor.name display name spoofing
Summary In affected versions of the optional Nextcloud Talk plugin installed separately; not bundled with the core OpenClaw install, an untrusted webhook field actor.name, display name could be treated as an allowlist identifier. An attacker could change their Nextcloud display name to match an...
OpenClaw has a potential access-group authorization bypass if channel type lookup fails
Summary When Telegram webhook mode is enabled without a configured webhook secret, OpenClaw may accept unauthenticated HTTP POST requests at the Telegram webhook endpoint and trust attacker-controlled update JSON. This can allow forged Telegram updates that spoof message.from.id / chat.id,...
OpenClaw has a Matrix allowlist bypass via displayName and cross-homeserver localpart matching
Summary OpenClaw Matrix DM allowlist matching could be bypassed in certain configurations. Matrix support ships as an optional plugin not bundled with the core install, so this only affects deployments that have installed and enabled the Matrix plugin. Affected Packages / Versions - Package:...
OpenClaw BlueBubbles webhook auth bypass via loopback proxy trust
Summary In affected versions, the optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopback 127.0.0.1, ::1, ::ffff:127.0.0.1 even when the configured webhook secret was missing or incorrect. This does not affect t...
OpenClaw optional voice-call plugin: webhook verification may be bypassed behind certain proxy configurations
Affected Packages / Versions This issue affects the optional voice-call plugin only. It is not enabled by default; it only applies to installations where the plugin is installed and enabled. - Package: @openclaw/voice-call - Vulnerable versions: = 2026.2.3 Legacy package name if you are still usi...
OpenClaw log poisoning (indirect prompt injection) via WebSocket headers
Summary In openclaw versions prior to 2026.2.13, OpenClaw logged certain WebSocket request headers including Origin and User-Agent without neutralization or length limits on the "closed before connect" path. If an unauthenticated client can reach the gateway and send crafted header values, those...
OpenClaw's unauthenticated Nostr profile HTTP endpoints allow remote profile/config tampering
Summary The OpenClaw Nostr channel plugin optional, disabled by default, installed separately exposes profile management HTTP endpoints under /api/channels/nostr/:accountId/profile GET/PUT and /api/channels/nostr/:accountId/profile/import POST. In affected versions, these routes were dispatched v...
Apache Tomcat - Security constraint bypass with HTTP/0.9
Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests to the GET method. If a security constraint was configured to allow HEAD requests to a URI but deny GET requests, the user could bypass that constraint on GET requests by sending a specification inval...
Apache Tomcat has an Improper Input Validation vulnerability
Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native and Tomcat's FFM port of the Tomcat Native code did not complete verification or freshness checks on the OCSP response which could allow certificate revocation to be bypasse...
Apache Tomcat - Client certificate verification bypass
Improper Input Validation vulnerability. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Older EOL...
OpenClaw affected by SSRF via attachment/media URL hydration
Summary Versions of the openclaw npm package prior to 2026.2.2 could be coerced into fetching arbitrary https URLs during attachment/media hydration. An attacker who can influence the media URL for example via model-controlled sendAttachment or auto-reply media URLs could trigger SSRF to internal...
fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit)
Summary The XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Details There is a check in DocTypeReader.js that trie...
Improper Digest Verification in httpsig-hyper May Allow Message Integrity Bypass
Impact An issue was discovered in httpsig-hyper where Digest header verification could incorrectly succeed due to misuse of Rust's matches! macro. Specifically, the comparison: rust if matches!digest, expecteddigest treated expecteddigest as a pattern binding rather than a value comparison,...
The rs-soroban-sdk #[contractimpl] macro calls inherent function instead of trait function when names collide
Impact The contractimpl macro contains a bug in how it wires up function calls. In Rust, you can define functions on a type in two ways: - Directly on the type as an inherent function: rust impl MyContract fn value ... - Through a trait rust impl Trait for MyContract fn value ... These are two...
emp3r0r Affected by Concurrent Map Access DoS (panic/crash)
Summary Multiple shared maps are accessed without consistent synchronization across goroutines. Under concurrent activity, Go runtime can trigger fatal error: concurrent map read and map write, causing C2 process crash availability loss. Vulnerable Componentwith code examples Operator relay map h...
Skill-scanner Unsecured Network Binding Vulnerability
Description: A vulnerability in the API Server of Skill Scanner could allow a unauthenticated, remote attacker to interact with the server API and either trigger a denial of service DoS condition or upload arbitrary files. This vulnerability is due to an erroneous binding to multiple interfaces. ...
Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization
Summary A missing authorization check in multiple controllers allows any user with access to a node secret token to fetch information about any server on a Pterodactyl instance, even if that server is associated with a different node. This issue stems from missing logic to verify that the node...
Indico Affected by Cross-Site-Scripting via material uploads
Impact There is a Cross-Site-Scripting vulnerability when uploading certain file types as materials. Patches You should to update to Indico 3.3.10 as soon as possible. See the docs for instructions on how to update. Please be aware that to apply the fix itself updating is sufficient, but to benef...
Echo has a Windows path traversal via backslash in middleware.Static default filesystem
Summary On Windows, Echo’s middleware.Static using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. Details In middleware/static.go, the requested path is unescaped and normalized with path.Clean URL semantics...
Indico has Server-Side Request Forgery (SSRF) in multiple places
Impact Indico makes outgoing requests to user-provides URLs in various places. This is mostly intentional and part of Indico's functionality, but of course it is never intended to let you access "special" targets such as localhost or cloud metadata endpoints. Patches You should to update to Indic...
Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href
Summary Rack::Directory generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename begins with the javascript: scheme e.g. javascript:alert1, the generated index includes an anchor whose href attribute is exactly...
OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass
Summary In Telegram webhook mode, if channels.telegram.webhookSecret is not set, OpenClaw may accept webhook HTTP requests without verifying Telegram’s secret token header. In deployments where the webhook endpoint is reachable by an attacker, this can allow forged Telegram updates for example...
Unauthenticated File Upload in Gogs
Security Advisory:Unauthenticated File Upload in Gogs Vulnerability Type: Unauthenticated File Upload Date: Aug 5, 2025 Discoverer: OpenAI Security Research Summary Gogs exposes unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled default, any...
Gogs has a Protected Branch Deletion Bypass in Web Interface
Summary An access control bypass vulnerability in Gogs web interface allows any repository collaborator with Write permissions to delete protected branches including the default branch by sending a direct POST request, completely bypassing the branch protection mechanism. This vulnerability enabl...
Gogs has an Authorization Bypass Allows Cross-Repository Label Modification in Gogs
Summary A broken access control vulnerability in Gogs allows authenticated users with write access to any repository to modify labels belonging to other repositories. The UpdateLabel function in the Web UI internal/route/repo/issue.go fails to verify that the label being modified belongs to the...
Gogs Allows Cross-Repository Comment Deletion via DeleteComment
IDOR: Cross-Repository Comment Deletion via DeleteComment Summary The POST /:owner/:repo/issues/comments/:id/delete endpoint does not verify that the comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by...
OpenClaw Affected by Remote Code Execution via System Prompt Injection in Slack Channel Descriptions
Summary When the Slack integration is enabled, Slack channel metadata topic/description could be incorporated into the model's system prompt. Impact Prompt injection is a documented risk for LLM-driven systems. This issue increased the injection surface by allowing untrusted Slack channel metadat...
Pterodactyl Panel's SFTP sessions remain active after user account deletion or password change
Summary Deleting a user account with SFTP access or changing the user's password does not immediately terminate existing SFTP sessions, allowing continued filesystem access after credentials are revoked. This can result in unintended and unauthorized access to server files even after administrato...
OpenClaw has a webhook auth bypass when gateway is behind a reverse proxy (loopback remoteAddress trust)
Summary The BlueBubbles webhook handler previously treated any request whose socket remoteAddress was loopback 127.0.0.1, ::1, ::ffff:127.0.0.1 as authenticated. When OpenClaw Gateway is behind a reverse proxy Tailscale Serve/Funnel, nginx, Cloudflare Tunnel, ngrok, the proxy typically connects t...
OpenClaw affected by SSRF in Image Tool Remote Fetch
Summary A server-side request forgery SSRF vulnerability in the Image tool allowed attackers to force OpenClaw to make HTTP requests to arbitrary internal or restricted network targets. Affected Versions - npm: openclaw = 2026.2.1 Patched Versions - npm: openclaw 2026.2.2 and later Fix Commits -...
OpenClaw's Chrome extension relay binds publicly due to wildcard treated as loopback
Summary The Chrome extension relay ensureChromeExtensionRelayServer previously treated wildcard hosts 0.0.0.0 / :: as loopback, which could make it bind the relay HTTP/WS server to all interfaces when a wildcard cdpUrl was passed. Impact If configured with a wildcard cdpUrl, relay HTTP endpoints...
OpenClaw has an exec allowlist bypass via command substitution/backticks inside double quotes
Summary Exec approvals allowlist bypass via command substitution/backticks inside double quotes. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.2.2 Impact Only affects setups that explicitly enable the optional exec approvals allowlist feature. Default installs are...