•16 minutes ago•CVE-2026-3351
2.1CVE-2026-3351: Authorization Bypass in Canonical LXD Certificates API
A Missing Authorization vulnerability in Canonical LXD allows authenticated, restricted users to enumerate the fingerprints of all trusted certificates via the API. The flaw exists in the non-recursive handling of the GET /1.0/certificates endpoint, bypassing per-object visibility controls.
2 views•5 min read
•about 1 hour ago•GHSA-JWF4-8WF4-JF2M
9.8GHSA-JWF4-8WF4-JF2M: Critical Authorization Bypass in OpenClaw BlueBubbles Plugin
A critical access control vulnerability exists in the OpenClaw BlueBubbles plugin due to a logic error in the shared authorization utility. The flaw causes the system to fail-open when the allowlist configuration is empty, permitting unauthorized remote users to bypass Direct Message (DM) gating policies. This allows arbitrary unauthenticated users to interact with the AI assistant, potentially triggering sensitive actions or accessing private data.
1 views•5 min read
•about 2 hours ago•GHSA-F6H3-846H-2R8W
9.8GHSA-f6h3-846h-2r8w: Authorization Bypass in OpenClaw via Improper Recipient Validation
OpenClaw (formerly Clawdbot) contains a critical authorization bypass vulnerability in its elevated permissions module. The vulnerability arises from an overly permissive validation logic in the `isApprovedElevatedSender` function, which incorrectly includes the message recipient's identifier (the bot itself) in the authorization check. If an administrator includes the bot's own identity in the `tools.elevated.allowFrom` configuration—a common configuration pattern for self-testing—any unauthenticated remote user can execute commands with elevated privileges by simply sending a message to the bot.
3 views•5 min read
•about 9 hours ago•GHSA-W7J5-J98M-W679
8.5 (Estimated)GHSA-W7J5-J98M-W679: Excessive Privileges (Root Execution) in OpenClaw Containers
OpenClaw, a popular open-source AI assistant, was found to execute critical containerized processes with full root privileges. This configuration violates the principle of least privilege and significantly lowers the barrier for attackers to achieve persistence or container escape following a compromise. The vulnerability affects multiple Dockerfiles used for end-to-end testing and sandboxing.
5 views•6 min read
•about 10 hours ago•GHSA-25PW-4H6W-QWVM
5.4OpenClaw BlueBubbles Group Allowlist Bypass via DM Pairing Fallback
A logical vulnerability exists in the authorization middleware of the OpenClaw BlueBubbles extension, enabling unauthorized users to bypass group chat access controls. The flaw allows the trusted identity of a user established in a Direct Message (DM) context—stored in a local pairing store—to incorrectly satisfy authorization requirements in Group Chat contexts, even when strict allowlists are configured. This effectively renders the `groupPolicy` allowlist ineffective against any user who has previously paired with the assistant via a private channel.
5 views•6 min read
•about 13 hours ago•GHSA-4GC7-QCVF-38WG
9.9CVE-2026-28363: Remote Code Execution in OpenClaw via Argument Injection
A critical remote code execution vulnerability exists in the OpenClaw automation platform (versions prior to 2026.2.23). The flaw resides in the 'safe-bin' allowlist validation logic, which fails to account for GNU long-option abbreviations when sanitizing command-line arguments. Low-privileged authenticated users can exploit this by supplying abbreviated flags (e.g., '--compress-p' instead of '--compress-program') to the 'sort' utility. This bypasses the security filter while still being interpreted by the underlying binary as a dangerous directive, allowing the execution of arbitrary system commands.
5 views•4 min read
•about 13 hours ago•GHSA-659F-22XC-98F2
8.1GHSA-659F-22XC-98F2: Path Traversal via Symbolic Links in OpenClaw Webhook Transforms
A critical path traversal vulnerability exists in the OpenClaw infrastructure, specifically within the webhook transform module loader. The vulnerability arises from improper resolution of symbolic links when validating module paths against a restricted directory allowlist. By creating a symbolic link within the allowed directory that points to a file outside of it, an attacker can bypass the containment check and force the application to load and execute arbitrary JavaScript or TypeScript files from the filesystem. This flaw allows for Remote Code Execution (RCE) if an attacker can introduce a symbolic link into the configured transforms directory.
6 views•6 min read
•about 14 hours ago•GHSA-V6X2-2QVM-6GV8
9.8GHSA-V6X2-2QVM-6GV8: Critical Token Leak via Insecure Hashing Fallback in OpenClaw
A critical vulnerability in OpenClaw allows for the recovery of high-privilege gateway authentication tokens due to an insecure fallback mechanism in the privacy-preservation logic. When anonymizing owner identifiers for external LLM prompts, the system defaults to using the sensitive `gateway.auth.token` as a cryptographic salt if no dedicated display secret is configured. This results in the transmission of hashes derived from the authentication token to third-party providers, enabling offline brute-force attacks to recover the administrative credentials.
2 views•5 min read
•about 14 hours ago•GHSA-GW85-XP4Q-5GP9
9.8GHSA-GW85-XP4Q-5GP9: Authorization Bypass in OpenClaw Synology Chat Extension
A critical authorization bypass vulnerability exists in the Synology Chat extension of the OpenClaw AI assistant infrastructure. The vulnerability arises from a 'fail-open' logic error in the user allowlist enforcement mechanism. When the `dmPolicy` is configured to `allowlist` but the list of allowed user IDs is left empty, the system defaults to permitting all traffic rather than denying it. This flaw allows unauthenticated remote attackers to interact with the AI agent, potentially triggering sensitive tools or workflows intended only for authorized administrators.
3 views•4 min read
•about 15 hours ago•GHSA-8MF7-VV8W-HJR2
9.8GHSA-8MF7-VV8W-HJR2: Remote Code Execution via Insecure SafeBins Fallback in OpenClaw
A critical Remote Code Execution (RCE) vulnerability exists in OpenClaw's `safeBins` execution allowlist mechanism. The flaw resides in the `tools.exec.safeBins` configuration logic, where a permissive generic fallback profile was applied to binaries lacking specific security definitions. This oversight allows attackers to bypass command approval policies by leveraging interpreter binaries (e.g., Python, Node.js) to execute arbitrary inline payloads, effectively neutralizing the intended security controls of the agent framework.
4 views•6 min read
•about 16 hours ago•GHSA-R9Q5-C7QC-P26W
UnknownGHSA-R9Q5-C7QC-P26W: Webhook Replay Vulnerability in OpenClaw Nextcloud Talk Integration
A capture-replay vulnerability exists in the Nextcloud Talk integration of the OpenClaw AI platform. The webhook handler properly verifies cryptographic signatures but fails to track processed message identifiers, allowing attackers to re-submit captured valid requests. This results in duplicate processing of AI commands and potential redundant side effects.
4 views•4 min read
•about 16 hours ago•GHSA-JXRQ-8FM4-9P58
8.8OpenClaw Archive Extraction Path Traversal via Symlinks
A critical path traversal vulnerability exists in the OpenClaw AI assistant platform's archive extraction logic. The flaw allows attackers to bypass directory confinement by leveraging pre-existing symbolic links within the destination directory. This facilitates arbitrary file writes outside the intended extraction root, potentially leading to Remote Code Execution (RCE) by overwriting sensitive system files or application code.
3 views•5 min read