33181 matches found
OpenClaw: Endpoint persists after trust decline, leaking gateway credentials
Summary Remote onboarding preserves attacker-discovered endpoint after trust decline, routing gateway credentials to it Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: Real shipped onboarding trust-decline bug because the declined discovered URL survived int...
OpenClaw: diffs viewer misclassifies proxied remote requests as loopback when `allowRemoteViewer` is disabled
Summary diffs viewer misclassifies proxied remote requests as loopback when allowRemoteViewer is disabled Current Maintainer Triage - Status: open - Normalized severity: low - Assessment: Shipped v2026.3.28 misclassified proxied diff-viewer requests as local loopback in some cases, a real but...
OpenClaw: Discord Slash Commands Bypass Group DM Channel Allowlist
Summary Discord Slash Commands Bypass Group DM Channel Allowlist Current Maintainer Triage - Status: narrow - Normalized severity: moderate - Assessment: v2026.3.28 native Discord slash and autocomplete paths still skip the group-DM allowlist, but impact is limited to already-authorized Discord...
OpenClaw: macOS Tailnet DNS Spoofing & Credential Exfiltration
Summary macOS Wide-Area Discovery Accepts Arbitrary Tailnet Peer as DNS Authority and Exfiltrates Operator Credentials Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: Real shipped macOS discovery steering bug, but exploitation needs same-tailnet position, a...
OpenClaw: Telegram legacy allowFrom migration fans default-account trust into all named accounts
Summary Telegram legacy allowFrom migration fans default-account trust into all named accounts Current Maintainer Triage - Status: open - Normalized severity: low - Assessment: Shipped v2026.3.28 Telegram migration fans legacy default-account allowFrom trust into named accounts, which is an...
OpenClaw: Tlon Startup Migration Rehydrates Empty-Array Revocations From File Config
Summary Tlon Startup Migration Rehydrates Empty-Array Revocations From File Config Current Maintainer Triage - Status: open - Normalized severity: low - Assessment: v2026.3.28 startup migration still treats empty-array settings as missing and can rehydrate revoked Tlon config from file state afte...
OpenClaw: Unbound bootstrap setup codes allow privilege escalation during pairing
Summary Bootstrap setup codes were not bound to the intended device role and scopes, allowing first-use privilege escalation during pairing. Current Maintainer Triage - Status: open - Normalized severity: high - Assessment: Real first-use bootstrap privilege-escalation bug fixed and shipped in...
OpenClaw: Node browser proxy `allowProfiles` bypass through persistent profile mutation and runtime profile selection
Summary Node browser proxy allowProfiles bypass through persistent profile mutation and runtime profile selection Current Maintainer Triage - Status: open - Normalized severity: high - Assessment: Real released allowProfiles bypass through profile mutation and runtime profile selection, fixed and...
OpenClaw: Discord voice manager bypasses channel-level member access allowlist
Summary Discord voice manager bypasses channel-level member access allowlist Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: v2026.3.28 still accepts Discord voice ingress before channel allowlist authorization, and main-only gating means this remains a real...
OpenClaw: Telegram audio preflight transcription enables resource consumption by unauthorized senders
Summary Telegram audio preflight transcription enables resource consumption by unauthorized senders Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: v2026.3.28 still lets unauthorized Telegram group senders trigger audio preflight before allowlist enforcement...
OpenClaw: Paired node escalates to gateway RCE via unrestricted node.event agent dispatch
Summary Paired node escalates to gateway RCE via unrestricted node.event agent dispatch Current Maintainer Triage - Status: narrow - Normalized severity: high - Assessment: v2026.3.28 still lets paired role=node clients drive node.event agent.request into broader gateway-side tool access than nod...
OpenClaw: Sandbox escape via TOCTOU race in remote FS bridge readFile
Summary Sandbox escape via TOCTOU race in remote FS bridge readFile Current Maintainer Triage - Normalized severity: critical - Assessment: v2026.3.28 remote sandbox reads still do path-check then separate file read, so the TOCTOU sandbox escape remains present in the latest shipped tag. Affected...
OpenClaw: Voice-call still parses large WebSocket frames before start validation (Incomplete fix for CVE-2026-32062)
Summary Incomplete fix for CVE-2026-32062: voice-call still parses large WebSocket frames before start validation Current Maintainer Triage - Normalized severity: medium - Assessment: v2026.3.28 still parses oversized pre-start voice-call WebSocket frames before start validation, and the unreleas...
OpenClaw: Gateway `device.token.rotate` does not terminate active WebSocket sessions after credential rotation
Summary Gateway device.token.rotate does not terminate active WebSocket sessions after credential rotation Current Maintainer Triage - Status: open - Normalized severity: low - Assessment: v2026.3.28 rotates device tokens without disconnecting already-authenticated WebSocket sessions, which is a...
OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting
Summary Fake DeviceToken Bypasses Shared Auth Rate Limiting Current Maintainer Triage - Status: narrow - Normalized severity: low - Assessment: Real in shipped mixed WS auth flow, but practical risk is mostly weak shared-password deployments since strong shared tokens remain non-bruteforceable...
OpenClaw: Host exec environment sanitization misses package, registry, Docker, compiler, and TLS override variables
Summary Host exec environment sanitization misses package, registry, Docker, compiler, and TLS override variables Current Maintainer Triage - Normalized severity: medium - Assessment: v2026.3.28 also misses the broader package, registry, compiler, Docker, and TLS env family in the shipped host-en...
OpenClaw: Path traversal via inbound channel attachment path in ACP dispatch allows arbitrary file read
Summary Path traversal via inbound channel attachment path in ACP dispatch allows arbitrary file read Current Maintainer Triage - Normalized severity: medium - Assessment: v2026.3.28 ACP dispatch still reads attachment paths outside the guarded attachment-cache or root checks, and the...
OpenClaw: Incomplete scope-clearing fix allows operator.admin escalation via trusted-proxy auth mode
Summary Incomplete scope-clearing fix allows operator.admin escalation via trusted-proxy auth mode Current Maintainer Triage - Normalized severity: high - Assessment: v2026.3.28 still misses trusted-proxy scope clearing for non-Control-UI clients, so self-declared operator scopes can survive on a...
OpenClaw: Media Parsing Path Traversal Leads to Arbitrary File Read
Summary OpenClaw = 2026.3.28 - First stable tag containing the fix: v2026.3.28 Fix Commits - 4797bbc5b96e2cca5532e43b58915c051746fe37 — 2026-03-25T13:35:16-06:00 Release Process Note - The fix is already present in released version 2026.3.28...
OpenClaw: Agentic Consent Bypass — LLM Agent Can Silently Disable Exec Approval via `config.patch`
Summary Agentic Consent Bypass: LLM Agent Can Silently Disable Exec Approval via config.patch Current Maintainer Triage - Status: open - Normalized severity: high - Assessment: Maintainers accepted this issue, fixed it in 76411b2afc4ae721e36c12e0ea24fd23e2fed61e on 2026-03-27, and that fix shippe...
OpenClaw Has a Gateway Control Interface Information Disclosure Vulnerability
Summary OpenClaw Gateway Control Interface Information Disclosure Vulnerability Current Maintainer Triage - Status: narrow - Normalized severity: low - Assessment: Released Control UI bootstrap JSON did expose version and assistant agent id, but that is low-severity fingerprinting or info...
OpenClaw: Sandbox file operations use check-then-act, bypassing fd-based TOCTOU defenses
Summary Sandbox file operations use check-then-act, bypassing fd-based TOCTOU defenses Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: Released workspace-only applypatch remove and mkdir operations were still check-then-act, but the draft overstates scope by...
OpenClaw: Image pixel-limit guard can fail open on sips and allow decompression-bomb DoS
Summary Image pixel-limit guard can fail open on sips and allow decompression-bomb DoS Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: Shipped v2026.3.28 image processing could fail open on oversized pixel counts and allow decompression-bomb DoS, an availabili...
OpenClaw: Incomplete host-env-security-policy allows untrusted model to substitute compiler binaries via env overrides
Summary Incomplete host-env-security-policy.json allows untrusted model to substitute compiler binaries CC, CXX, CARGOBUILDRUSTC, CMAKECCOMPILER via env overrides on approved host exec requests Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: Shipped v2026.3....
OpenClaw: Device-Paired Node Skips Node Scope Gate → Host RCE.md
Summary Device-Paired Node Skips Node Scope Gate → Host RCE.md Current Maintainer Triage - Status: open - Normalized severity: high - Assessment: Real in shipped v2026.3.28 because a merely device-paired node could expose node commands without node pairing, but high is sufficient given the...
OpenClaw: Telnyx Webhook Replay Detection Bypass via Base64 Signature Re-encoding
Summary Telnyx Webhook Replay Detection Bypass via Base64 Signature Re-encoding Current Maintainer Triage - Status: narrow - Normalized severity: low - Assessment: Shipped v2026.3.28 replay hashing treated equivalent Telnyx Base64/Base64URL signatures as distinct requests, but signature...
OpenClaw: Host exec environment overrides miss proxy, TLS, Docker, and Git TLS controls
Summary Host exec environment overrides miss proxy, TLS, Docker, and Git TLS controls Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: Real in shipped v2026.3.28: host exec env policy still missed proxy, TLS, Docker, and Git TLS variables until 4d912e0451 on...
OpenClaw runs Discord audio preflight transcription before member authorization
Summary Discord audio preflight transcription before member authorization Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: v2026.3.28 still runs Discord audio preflight before member allowlist rejection, but this is the same pre-auth resource-consumption clas...
OpenClaw: HTTP operator endpoints lack browser-origin validation in trusted-proxy mode
Summary HTTP operator endpoints lack browser-origin validation in trusted-proxy mode Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: This is a real trusted-proxy HTTP CSRF or browser-origin gap in released tags, but it is not critical because it depends on...
OpenClaw: MS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion
Summary MS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: v2026.3.28 still parses Teams JSON after only a Bearer-prefix gate and before real JWT validation, and the...
OpenClaw: Self-Whitelisting in appendLocalMediaParentRoots Allows Arbitrary File Read & Credential Exfiltration
Summary Media Local Roots Self-Whitelisting in appendLocalMediaParentRoots Allows Model-Initiated Arbitrary Host File Read and Credential Exfiltration Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: v2026.3.28 still self-whitelists media parent dirs in...
OpenClaw: Media download follows cross-origin redirects with Authorization headers intact
Summary Media download follows cross-origin redirects with Authorization headers intact Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: Shipped v2026.3.28 media downloads forwarded Authorization across cross-origin redirects, a real in-scope credential-leak...
OpenClaw: OpenShell Mirror Sync — Sandbox Escape via Unrestricted File Sync + Symlink Traversal
Summary OpenShell Mirror Sync: Sandbox Escape via Unrestricted File Sync + Symlink Traversal Current Maintainer Triage - Status: narrow - Normalized severity: high - Assessment: v2026.3.28 still has the mirror-boundary bug because shipped c02ee8 only excluded hooks while unreleased 3b9dab is the...
OpenClaw: Workspace `.env` can override the bundled plugin trust root
Summary Workspace .env can override the bundled plugin trust root Current Maintainer Triage - Status: open - Normalized severity: high - Assessment: v2026.3.28 still lets workspace .env override OPENCLAWBUNDLEDPLUGINSDIR, but critical is too high because exploitation still depends on...
Electron: Context Isolation bypass via contextBridge VideoFrame transfer
Impact Apps that pass VideoFrame objects from the WebCodecs API across the contextBridge are vulnerable to a context isolation bypass. An attacker who can execute JavaScript in the main world for example, via XSS can use a bridged VideoFrame to gain access to the isolated world, including any...
Electron: AppleScript injection in app.moveToApplicationsFolder on macOS
Impact On macOS, app.moveToApplicationsFolder used an AppleScript fallback path that did not properly handle certain characters in the application bundle path. Under specific conditions, a crafted launch path could lead to arbitrary AppleScript execution when the user accepted the...
Electron: Service worker can spoof executeJavaScript IPC replies
Impact A service worker running in a session could spoof reply messages on the internal IPC channel used by webContents.executeJavaScript and related methods, causing the main-process promise to resolve with attacker-controlled data. Apps are only affected if they have service workers registered...
Electron: Incorrect origin passed to permission request handler for iframe requests
Impact When an iframe requests fullscreen, pointerLock, keyboardLock, openExternal, or media permissions, the origin passed to session.setPermissionRequestHandler was the top-level page's origin rather than the requesting iframe's origin. Apps that grant permissions based on the origin parameter ...
Electron: Out-of-bounds read in second-instance IPC on macOS and Linux
Impact On macOS and Linux, apps that call app.requestSingleInstanceLock were vulnerable to an out-of-bounds heap read when parsing a crafted second-instance message. Leaked memory could be delivered to the app's second-instance event handler. This issue is limited to processes running as the same...
Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes
Impact The nodeIntegrationInWorker webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with nodeIntegrationInWorker: false could still receive Node.js integration. Apps are only affected if they enable...
Electron: Use-after-free in offscreen child window paint callback
Impact Apps that use offscreen rendering and allow child windows via window.open may be vulnerable to a use-after-free. If the parent offscreen WebContents is destroyed while a child window remains open, subsequent paint frames on the child dereference freed memory, which may lead to a crash or...
Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows
Impact On Windows, app.setAsDefaultProtocolClientprotocol did not validate the protocol name before writing to the registry. Apps that pass untrusted input as the protocol name may allow an attacker to write to arbitrary subkeys under HKCU\Software\Classes, potentially hijacking existing protocol...
Electron: Use-after-free in download save dialog callback
Impact Apps that allow downloads and programmatically destroy sessions may be vulnerable to a use-after-free. If a session is torn down while a native save-file dialog is open for a download, dismissing the dialog dereferences freed memory, which may lead to a crash or memory corruption. Apps tha...
Electron: Use-after-free in WebContents fullscreen, pointer-lock, and keyboard-lock permission callbacks
Impact Apps that register an asynchronous session.setPermissionRequestHandler may be vulnerable to a use-after-free when handling fullscreen, pointer-lock, or keyboard-lock permission requests. If the requesting frame navigates or the window closes while the permission handler is pending, invokin...
Electron: Use-after-free in PowerMonitor on Windows and macOS
Impact Apps that use the powerMonitor module may be vulnerable to a use-after-free. After the native PowerMonitor object is garbage-collected, the associated OS-level resources a message window on Windows, a shutdown handler on macOS retain dangling references. A subsequent session-change event...
Electron: Renderer command-line switch injection via undocumented commandLineSwitches webPreference
Impact An undocumented commandLineSwitches webPreference allowed arbitrary switches to be appended to the renderer process command line. Apps that construct webPreferences by spreading untrusted configuration objects may inadvertently allow an attacker to inject switches that disable renderer...
Electron: Unquoted executable path in app.setLoginItemSettings on Windows
Impact On Windows, app.setLoginItemSettingsopenAtLogin: true wrote the executable path to the Run registry key without quoting. If the app is installed to a path containing spaces, an attacker with write access to an ancestor directory may be able to cause a different executable to run at login...
Electron: HTTP Response Header Injection in custom protocol handlers and webRequest
Impact Apps that register custom protocol handlers via protocol.handle / protocol.registerSchemesAsPrivileged or modify response headers via webRequest.onHeadersReceived may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or...
Electron: USB device selection not validated against filtered device list
Impact The select-usb-device event callback did not validate the chosen device ID against the filtered list that was presented to the handler. An app whose handler could be influenced to select a device ID outside the filtered set would grant access to a device that did not match the renderer's...
TeleJSON: DOM XSS via unsanitised constructor name in `new Function()`
Summary telejson versions prior to 6.0.0 released 2022 are vulnerable to DOM-based Cross-Site Scripting XSS through unsafe deserialisation. Attacker-controlled input from the constructor-name property in parsed JSON is passed directly to new Function without sanitisation, allowing arbitrary...