Path traversal in OpenClaw's ACP dispatch mechanism allows authenticated remote attackers to read arbitrary files outside intended directories by manipulating inbound channel attachment paths. Attackers can bypass both attachment-cache and root directory security checks to access sensitive system files. Upstream fix available via GitHub commit 566fb73d9d, with versions prior to 2026.3.31 confirmed vulnerable. No CISA KEV listing at time of analysis, indicating targeted rather than widespread exploitation.
Environment variable injection in OpenClaw (pre-2026.3.31) allows authenticated remote attackers to compromise host execution integrity by injecting malicious variables that override package managers, Docker registries, compiler paths, and TLS configurations during host exec operations. The vulnerability exhibits high confidentiality impact (CVSS:4.0 VC:H) with network attack vector and low complexity (AV:N/AC:L), requiring only low-privilege authentication (PR:L). VulnCheck disclosure indicates this affects Docker-related operations, with fixes available via GitHub commit eb8de67 and tracked under GHSA-cg7q-fg22-4g98. EPSS and KEV data not available at time of analysis.
Environment variable disclosure in OpenClaw jq safe-bin policy allows authenticated remote attackers to extract sensitive credentials and configuration data. The vulnerability stems from incomplete filter blocking in jq program execution - specifically, the $ENV filter can bypass safe-bin restrictions to read process environment variables. Versions prior to 2026.3.28 are affected. No CISA KEV listing or public POC identified at time of analysis, but disclosure by VulnCheck indicates vendor-confirmed issue with available patch.
Plaintext private key storage in OpenClaw versions before 2026.3.31 exposes Nostr protocol signing keys through configuration retrieval methods. Authenticated attackers with network access can exploit redaction bypass in config.get methods to extract unencrypted private keys, enabling full impersonation of the compromised Nostr identity for signing and authentication operations. Vendor patch available via GitHub commit 57700d716f660591fb6e09727f3ca8041fa48b9d. EPSS and KEV data not available, but the authentication bypass tag and network attack vector indicate elevated risk for multi-tenant or shared OpenClaw deployments.
Privilege escalation in OpenClaw versions prior to 2026.3.28 enables authenticated operators with write permissions to modify administrator-only voice configuration settings through the chat.send endpoint. This vulnerability allows low-privileged operator accounts to manipulate sensitive Talk Voice configuration persistence, bypassing intended role-based access controls. A vendor-released patch is available via commit e34694733fc64931ed4a543c73d84ad3435d5df1. EPSS data unavailable; no CISA KEV listing or public exploit code identified at time of analysis, though the targeted nature (authenticated internal operators) suggests lower mass-exploitation risk than the CVSS 7.1 score might imply.
Execution approval bypass in OpenClaw before 2026.3.28 allows local authenticated users with standard privileges to establish overly broad executable allowlist entries through wrapper carrier exploitation. Attackers leverage positional routing in dispatch wrappers to trust carrier executables instead of their invoked targets, escalating from limited execution approval to arbitrary code execution with high confidentiality and integrity impact. Vendor-released patch version 2026.3.28 addresses the flaw (GHSA-p4x4-2r7f-wjxg). No evidence of active exploitation or public POC identified at time of analysis.
Privilege escalation in OpenClaw before 2026.3.28 allows local authenticated attackers to bypass execution allowlist controls via wrapper binary persistence. When users grant trust to wrapped commands (e.g., via /usr/bin/script), OpenClaw fails to distinguish the wrapper from the underlying executable, allowing attackers to reuse the wrapper's persistent trust to execute arbitrary unauthorized programs. No active exploitation confirmed (CISA KEV: not listed), but VulnCheck has published technical advisory details. EPSS data not available.
Local privilege escalation and session hijacking in Spring Boot allows attackers with local access to hijack authenticated sessions or execute arbitrary code by taking control of the ApplicationTemp directory. The vulnerability affects Spring Boot versions 2.7.0 through 4.0.5 when server.servlet.session.persistent is enabled, requiring attack persistence across application restarts. VMware has released patches for all supported branches (4.0.6, 3.5.14, 3.4.16, 3.3.19, 2.7.33), though unsupported versions remain vulnerable. No active exploitation confirmed at time of analysis.