The OpenClaw personal AI assistant framework contains an incorrect authorization vulnerability within its webhook routing logic. An architectural flaw in the processing of hook mapping templates allows external webhook payloads to resolve to arbitrary session keys. This effectively bypasses the framework's `allowRequestSessionKey` security gate, enabling unauthorized users to hijack sessions, inject messages, and access cross-session data.
OpenClaw versions prior to 2026.4.20 contain a medium-severity authorization bypass vulnerability in the assistant-media gateway route. When configured behind a trusted proxy, the application fails to validate operator scopes, allowing authenticated users with unrelated privileges to access sensitive media files.
OpenClaw versions prior to 2026.4.20 contain a vulnerability in the Feishu integration module where direct messages (DMs) are incorrectly classified as group chats during card interactions. This misclassification leads to a bypass of the dmPolicy enforcement mechanism, allowing unauthorized execution of bot commands within private contexts.
OpenClaw versions prior to 2026.4.20 are vulnerable to arbitrary code execution due to insecure handling of workspace-local `.env` files. The application fails to restrict the entire `OPENCLAW_` namespace, allowing untrusted repositories to override critical internal control variables.
OpenClaw versions prior to 2026.4.17 contain a vulnerability where isolated cron agents fail to explicitly mark external webhook data as untrusted. This allows external inputs to be promoted to the main session stream with authoritative system provenance labels.
OpenClaw versions prior to 2026.4.20 are vulnerable to an environment variable injection flaw within the Model Context Protocol (MCP) server configuration mechanism. By supplying a crafted workspace configuration file, an attacker can define dangerous environment variables that execute arbitrary code upon server initialization.
The OpenClaw platform contains a Server-Side Request Forgery (SSRF) vulnerability within its QQBot extension. The application fails to validate external media URLs before relaying them to the QQ Open Platform API. This flaw allows an attacker to induce the upstream QQ API to initiate HTTP requests to arbitrary destinations, including sensitive internal services and cloud metadata endpoints.
The OpenClaw Agent Platform before version 2026.4.20 contains an incorrect authorization vulnerability (CWE-863) in its gateway pairing management module. A failure to distinguish between administrative operator sessions and device-level sessions allows compromised or malicious devices to view and manipulate pairing requests belonging to other devices within the same gateway scope.
OpenClaw versions prior to 2026.4.18 are vulnerable to a Server-Side Request Forgery (SSRF) flaw due to improper state merging. The application automatically extracted hostnames defined in Chrome DevTools Protocol (CDP) profile configurations and incorrectly appended them to the global SSRF navigation allowlist. This behavior allowed attackers or malicious configurations to authorize automated browser navigation to restricted internal networks and cloud metadata services.
OpenClaw versions prior to 2026.4.20 are vulnerable to an environment variable injection flaw that permits credential exfiltration. The application insecurely loads workspace-local `.env` files, allowing an attacker to override API endpoint routing for the MiniMax model provider. Opening a maliciously crafted workspace redirects authenticated requests to an attacker-controlled server, leaking the user's API keys.
A logic flaw in the OpenClaw agent platform's tool orchestration pipeline allowed bundled Model Context Protocol (MCP) and Language Server Protocol (LSP) tools to bypass all configured security policies. The vulnerability stems from a merge-after-filter implementation defect, resulting in unauthorized tool execution.
The OpenClaw agent gateway contains a medium-severity vulnerability in its configuration mutation guard. This flaw allows an AI agent to bypass validation checks and modify protected operator-level settings, leading to potential sandbox escapes, SSRF policy violations, and unauthorized execution of arbitrary commands.