Openclaw
Monthly
Remote code execution in OpenClaw npm package versions before 2026.4.20 allows local authenticated users to inject malicious code through MCP stdio server environment variables. Attackers craft workspace configurations containing dangerous environment variables (NODE_OPTIONS, LD_PRELOAD, BASH_ENV) that execute arbitrary code when operators start sessions using those MCP servers. Vendor-released patch available (version 2026.4.20). No public exploit code or active exploitation confirmed at time of analysis, though VulnCheck published detailed technical advisory. CVSS 7.3 reflects local attack vector requiring user interaction, limiting widespread exploitation risk despite high technical impact.
Authentication bypass in OpenClaw before version 2026.4.22 allows unauthenticated attackers to read sensitive bootstrap and configuration metadata from the Control UI config endpoint when Gateway authentication is enabled. The vulnerability exposes internal bootstrap information and configuration fields intended only for authenticated Control UI sessions via an unprotected HTTP GET request to the `/__openclaw/control-ui-config.json` endpoint, with no user interaction required.
OpenClaw before version 2026.4.20 misclassifies direct messages as group conversations in Feishu card-action callbacks, allowing authenticated attackers to bypass dmPolicy restrictions and trigger card-action flows that should have been blocked. The vulnerability affects direct message handling in the Feishu integration and requires authenticated access (PR:L per CVSS vector) but achieves both confidentiality and integrity impact with moderate CVSS score of 5.4.
OpenClaw versions 2026.4.5 through 2026.4.19 allow local attackers with user privileges to redirect credentialed MiniMax API requests to attacker-controlled servers via environment variable injection in workspace dotenv files, exposing MiniMax API keys in Authorization headers. The vulnerability requires user interaction (opening a malicious workspace) and local access but achieves high confidentiality impact by exfiltrating sensitive API credentials.
Authorization bypass in OpenClaw before 2026.4.21 allows non-owner senders to execute owner-enforced slash commands when channels are configured with wildcard inbound senders (allowFrom: ["*"]) without explicit owner allowFrom settings. Attackers with legitimate channel access can exploit this to bypass owner-only command authorization checks and execute commands such as /send, /config, or /debug. The vulnerability requires authenticated access to affected channels but is limited to command-owner authorization and does not grant tool access or gateway administrator scope.
Authentication bypass in OpenClaw's BlueBubbles webhook handler allows remote attackers to send crafted webhook requests without credentials. The handleBlueBubblesWebhookRequest function in extensions/bluebubbles/src/monitor.ts incorrectly exempts localhost requests from authentication, enabling IP spoofing attacks to bypass security controls. Exploit code is publicly available on GitHub. Patch released in version 2026.2.12 (commit a6653be). CVSS 7.3 reflects network-accessible unauthenticated attack with low complexity affecting confidentiality, integrity, and availability.
Authentication bypass in OpenClaw's MCP loopback interface allows local low-privilege attackers to escalate to owner-level access. Non-owner MCP client processes can spoof the 'x-openclaw-sender-is-owner' HTTP header to impersonate the owner and access owner-gated operations. Publicly available exploit code exists via GitHub commit 3cb1a56, and VulnCheck has published a detailed advisory. The vulnerability affects OpenClaw npm package versions <= 2026.4.21, with patch 2026.4.22 available since April 2026.
Server-side request forgery in OpenClaw before 2026.4.20 allows unauthenticated remote attackers to relay unintended requests through QQBot direct media upload endpoints (uploadC2CMedia and uploadGroupMedia) by sending crafted image URLs that bypass SSRF protections. The vulnerability affects QQBot outbound media handling and does not expose arbitrary local files, but could allow attackers to make configured QQBot media delivery requests to unintended destinations.
Server-side request forgery in OpenClaw before version 2026.4.22 allows remote attackers to bypass SSRF protection in the Zalo plugin's sendPhoto function by providing malicious photo URLs, enabling unauthorized access to internal resources. The vulnerability affects the Zalo Bot API integration and requires network access but involves time-based attack complexity; no public exploit code or active exploitation has been confirmed.
Shell expansion injection in OpenClaw's exec allowlist validation allows authenticated attackers to bypass command approval controls and execute arbitrary system commands. The vulnerability affects OpenClaw versions prior to 2026.4.22 through improper parsing of unquoted heredoc bodies, where shell expansion tokens ($VAR, $(), etc.) are treated as literal text during allowlist analysis but expanded at runtime. This enables attackers to embed unapproved commands within ostensibly safe allowlisted commands. VulnCheck disclosed this vulnerability, and a proof-of-concept fix commit is publicly available. CVSS 8.7 reflects high impact across confidentiality, integrity, and availability with low attack complexity.
Environment variable namespace collision in OpenClaw npm package before version 2026.4.20 enables malicious workspace dotenv files to override critical runtime control variables including OPENCLAW_GIT_DIR, potentially redirecting trusted operations like source updates and installer flows to attacker-controlled paths. Exploitation requires user interaction (opening a malicious workspace) but no authentication, achieving high confidentiality and integrity impact within the local scope. CVSS 8.5 severity reflects the local attack vector with low complexity. No active exploitation confirmed (not in CISA KEV), but public exploit code exists via the GitHub security advisory demonstrating the attack surface. Fixed in version 2026.4.20 per vendor commit 018494fa.
OpenClaw before 2026.4.22 contains a time-of-check/time-of-use (TOCTOU) race condition in the OpenShell filesystem bridge that allows authenticated attackers with local access to read files outside the intended mount root by performing symlink swaps during filesystem operations. The vulnerability affects sandbox security guarantees by enabling bypass of containment restrictions through coordinated symlink manipulation, and has been confirmed patched in version 2026.4.22.
OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in OpenShell sandbox filesystem writes that allows authenticated attackers to redirect file writes outside the intended mount root via symlink swaps. By exploiting the window between sandbox validation and actual file write operations, an attacker with local access can manipulate symlinks to bypass sandbox filesystem restrictions and write arbitrary files to locations outside the workspace.
Authorization bypass in OpenClaw Matrix bot integration allows DM-paired attackers to execute privileged room control commands without configured permissions. Attackers who have previously established direct message pairing can exploit misaligned allowlist logic to run room control commands in bot rooms, bypassing room membership and allowlist requirements. Fixed in version 2026.4.15 after responsible disclosure by Keen Security Lab. No evidence of active exploitation; publicly available vendor advisory and fix commits reduce exploitation probability.
OpenClaw's Feishu webhook integration fails open when encryptKey is missing or callback tokens are blank, allowing remote unauthenticated attackers to bypass signature verification and replay protection mechanisms. Attackers can submit crafted webhook requests or malformed card-action callbacks directly to command dispatch without authentication, enabling arbitrary command execution. Vendor-confirmed authentication bypass; patch released in version 2026.4.15. No public exploit code or CISA KEV listing identified at time of analysis, but the fail-open behavior and network attack vector (CVSS AV:N/AC:L/PR:N) make this highly exploitable against misconfigured deployments.
Bearer token revocation bypass in OpenClaw gateway allows attackers to authenticate using rotated-out tokens until process restart. OpenClaw gateway HTTP and WebSocket handlers captured bearer authentication configuration at startup, failing to re-resolve credentials after SecretRef rotation. Attackers possessing a previously valid token can maintain unauthorized gateway access to /v1/* endpoints, /tools/invoke, plugin routes, and canvas upgrade paths even after operators rotate secrets, believing the old token is revoked. Fixed in version 2026.4.15. CVSS 9.2 reflects network-accessible attack with high complexity; no public exploit identified at time of analysis.
Environment variable injection in OpenClaw before 2026.4.10 allows authenticated remote attackers to hijack interpreter execution behavior through insufficient filtering of high-risk startup variables (VIMINIT, EXINIT, LUA_INIT, HOSTALIASES). The vulnerability enables code execution by manipulating how downstream interpreters (Vim, ex, Lua) initialize and resolve hostnames. Patched in version 2026.4.10 following coordinated disclosure by Tencent zhuque Lab. No public exploit identified at time of analysis, though CVSS 8.7 reflects network-exploitable attack surface with low complexity requiring only low-privilege authentication.
OpenClaw versions 2026.4.10 through 2026.4.13 fail to persist session context when recovering queued outbound media after service restart, allowing authenticated attackers to bypass group tool policy enforcement and weaken channel media restrictions. The vulnerability affects the delivery queue recovery mechanism, which replays queued messages without the original requester's session context needed for policy validation. Exploitation requires authenticated access and prior knowledge of queued delivery entries, with CVSS 6.0 and confirmed patch available in version 2026.4.14.
Server-side request forgery in OpenClaw browser navigation policy before version 2026.4.10 allows authenticated attackers to bypass hostname validation through DNS rebinding attacks, enabling pivots to internal network resources via unallowlisted hostnames. The vulnerability exploits inconsistent hostname resolution between validation checks and actual network requests made by the Chromium engine, with fix confirmed in upstream commit 121c452d and released in version 2026.4.10.
OpenClaw before version 2026.4.10 allows authenticated attackers to bypass Server-Side Request Forgery (SSRF) policy enforcement through incomplete navigation guard coverage in browser press and type interactions. Attackers can trigger unauthorized navigation actions, including pressKey and type-submit flows, that skip post-action security checks, potentially enabling SSRF attacks against restricted endpoints.
OpenClaw before version 2026.4.10 allows operators with write permissions to persist Nostr profile configuration without requiring admin authority through unprotected HTTP mutation endpoints. Attackers holding the operator.write scope can modify profile settings via PUT and POST routes that should require operator.admin scope, enabling unauthorized configuration changes. This is a privilege escalation vulnerability affecting the Nostr plugin HTTP API layer.
Privilege escalation in OpenClaw 2026.3.31 through 2026.4.9 allows remote unauthenticated attackers to maintain elevated execution context by injecting malicious async completion events that bypass heartbeat owner-downgrade detection. The flaw stems from incomplete pattern matching in local background exec completion filtering, enabling attackers to submit untrusted completion content that prevents proper privilege de-escalation after operations complete. Vendor-released patch available in version 2026.4.10 and later. No evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis, but CVSS 9.1 critical rating reflects network-accessible attack surface with no authentication required.
Arbitrary file read in OpenClaw before 2026.4.9 allows authenticated remote attackers to bypass navigation guards and access local files via browser interaction routes. Attackers exploit the ability to trigger navigation into the local Chrome DevTools Protocol (CDP) origin through act/evaluate commands, then create or read disallowed file:// URLs despite direct navigation policy restrictions. Patch available in version 2026.4.9 and confirmed included in npm release 2026.4.14. No public exploit code identified at time of analysis, CVSS 7.1 (High) with network attack vector and low complexity.
Authentication bypass in OpenClaw 2026.2.21 through 2026.4.9 allows remote unauthenticated attackers to access the sandbox noVNC helper route and gain unauthorized control of interactive browser sessions. The vulnerability exposes session credentials by failing to enforce bridge authentication on the /sandbox/novnc endpoint. OpenClaw is an open-source AI agent framework. Patch available in version 2026.4.10 and later. No evidence of active exploitation (not in CISA KEV) and EPSS data not available at time of analysis.
OpenClaw before version 2026.4.12 contains an improper authorization flaw in helper-backed channels where empty resolved approver lists are incorrectly interpreted as explicit approval authorization. Authenticated attackers who know an approval ID can resolve pending approvals without proper authorization by exploiting this logic error, bypassing intended sender authorization checks. This vulnerability has a CVSS score of 6.5 (medium) with network attack vector and requires only low privileges, though no public exploit code or active exploitation has been identified.
Server-side request forgery policy bypass in OpenClaw npm package (versions < 2026.4.10) allows authenticated remote attackers to interact with or navigate to unauthorized targets through existing-session browser interaction routes. The vulnerability bypasses SSRF navigation guards in routes handling click, type, press, and evaluate actions, enabling cross-scope information disclosure. Vendor-released patch available in version 2026.4.10. No public exploit identified at time of analysis, though EPSS data not available. Reported by security researchers from KeenSecurityLab with detailed technical disclosure.
OpenClaw's channel setup catalog lookup mechanism allowed workspace plugins to shadow bundled channel plugins and bypass trust gates during setup-time plugin loading. Low-privileged authenticated attackers on the network can craft malicious workspace plugins that execute without the intended trust verification, enabling arbitrary code execution in the OpenClaw runtime. The vulnerability was responsibly disclosed by security researchers from Keen Security Lab and patched in version 2026.4.10. No public exploit identified at time of analysis, though the fix commit reveals the exact vulnerable lookup logic attackers would target.
Symlink traversal in OpenClaw versions 2026.3.22 before 2026.4.5 allows unauthenticated remote attackers with user interaction to read arbitrary files outside the remote marketplace repository root. The vulnerability exploits improper path canonicalization in the marketplace plugin's remote repository handler, exposing sensitive information with a CVSS score of 6.5. Vendor-released patch available in version 2026.4.5.
Authentication bypass in OpenClaw before 2026.4.9 enables untrusted workspace plugins to intercept provider authentication credentials during non-interactive onboarding. Malicious plugins can shadow legitimate provider authentication choices, causing the system to auto-enable attacker-controlled code and route sensitive API keys or credentials through untrusted handlers without user consent. Vendor-released patch available (v2026.4.9+). EPSS and KEV data not provided; exploitation requires user interaction (UI:P) and specific attack timing (AT:P), suggesting moderate real-world deployment complexity despite network attack vector.
OpenClaw npm package versions 2026.4.5 through 2026.4.9 allow privilege escalation from write-scoped operators to administrator-level configuration access. Authenticated attackers with 'operator.write' gateway credentials can modify persistent memory dreaming settings via the /dreaming endpoint, bypassing intended admin-only restrictions. Vendor-released patch available (v2026.4.10); no active exploitation confirmed at time of analysis.
Path traversal in OpenClaw's screen_record tool allows authenticated users to write files outside workspace boundaries via crafted outPath parameters, bypassing filesystem security controls. OpenClaw versions before 2026.4.10 are affected. Vendor-released patch available (version 2026.4.10 and later, including current release 2026.4.14). No active exploitation confirmed (CISA KEV negative), but publicly documented vulnerability with working proof-of-concept code in GitHub commit diff. CVSS 7.1 with high integrity impact reflects potential for unauthorized file system modifications outside intended workspace scope.
Privilege escalation in OpenClaw npm package versions 2026.4.7 through 2026.4.13 allows remote unauthenticated attackers to preserve elevated execution context by sending malicious webhook wake events. The heartbeat owner downgrade logic incorrectly skips validation of untrusted webhook payloads, enabling attackers to maintain owner-like privileges during runs that should operate with reduced permissions. Vendor-released patch available in version 2026.4.14. EPSS data not available; no public exploit identified at time of analysis, though VulnCheck and security researchers from KeenSecurityLab have confirmed the vulnerability through coordinated disclosure.
Authorization context reuse in OpenClaw's collect-mode queue batching allows attackers with low-privilege accounts to execute messages with elevated permissions inherited from subsequent higher-privileged senders. The vulnerability occurs when messages from multiple senders are batched together, causing earlier queued messages to execute under the authorization context of the final sender in the batch rather than their own. Vendor-released patch (version 2026.4.14) confirmed available via GitHub advisory GHSA-jwrq-8g5x-5fhm and commit 43d4be9. No public exploit identified at time of analysis.
Remote unauthenticated trust boundary violation in OpenClaw npm package before 2026.4.10 allows attackers to escalate untrusted external hook input into trusted system events. By supplying malicious hook metadata, adversaries can inject arbitrary content into the agent context with elevated privileges, bypassing security boundaries intended to isolate external input from system-level operations. Vendor-released patch available (version 2026.4.10+), with no evidence of active exploitation or public exploit code at time of analysis.
Arbitrary file read in OpenClaw QQBot extension allows remote unauthenticated attackers to disclose sensitive local files by crafting malicious media tags in reply text. The vulnerability exists in OpenClaw npm package versions before 2026.4.10, where QQBot outbound media handling fails to enforce storage boundaries, enabling path traversal to read files outside the intended media directory. Publicly available patch confirmed (GitHub commit 604777e4414cc3b2ff8861f18f4fb04374c702c6). EPSS data unavailable; no CISA KEV listing indicates targeted disclosure rather than widespread exploitation. CVSS 8.9 with network vector and no authentication required, but exploitation requires the QQBot extension to be enabled and processing attacker-controlled reply text.
Path traversal in OpenClaw npm package allows authenticated attackers to expose confidential host-local files via Discord event cover image parameters. Versions 2026.4.7 through 2026.4.9 fail to normalize Discord event cover image paths through sandbox media processing, enabling attackers with low-privilege Discord bot credentials to bypass media sandboxing and inject host-local file references (e.g., file:///workspace/assets/event-cover.png) into channel actions expecting normalized media. This results in high confidentiality impact with scope change, as local filesystem paths outside the intended sandbox can be accessed. Vendor-released patch available (2026.4.10+). No active exploitation confirmed (not in CISA KEV), but public exploit code exists via GitHub commit and advisory.
Environment variable injection in OpenClaw npm package versions before 2026.4.9 allows local attackers with low privileges to compromise application behavior through malicious workspace .env files. Attackers can redirect update sources to serve backdoored packages, modify gateway URLs and ClawHub resolution endpoints to intercept traffic, and override browser executable paths to launch attacker-controlled binaries. Vendor-released patch: version 2026.4.9, with fix also present in latest npm release 2026.4.14. No public exploit identified at time of analysis, but exploitation requires only an untrusted repository with a crafted .env file opened by a victim user.
{system("id")}' or 'toybox ash -c'. CVSS 8.7 (CVSS:4.0/AV:N/AC:L/PR:L) indicates network-accessible exploitation by low-privileged authenticated users. Vendor-released patch available in version 2026.4.12. EPSS and KEV data not provided; no public exploit identified at time of analysis beyond vendor-disclosed commit.
OpenClaw before 2026.4.10 allows local attackers with workspace write access to bypass boundary checks via a time-of-check-time-of-use race condition in the validateScriptFileForShellBleed function. An attacker can swap the target script file between validation and preflight read, causing the validator to inspect a different file than the one that passed the initial workspace boundary check, potentially leaking preflight metadata such as matched tokens or line numbers. No public exploit code identified at time of analysis; patch available in version 2026.4.10.
Authenticated configuration readers in OpenClaw gateway deployments can extract unredacted sensitive credentials through alias field bypass in versions prior to 2026.4.14. Attackers with legitimate config read permissions exploit sourceConfig and runtimeConfig alias fields to obtain provider API keys, gateway authentication tokens, and channel credentials that the redaction mechanism fails to sanitize. The vulnerability affects npm package 'openclaw' in gateway configurations where authenticated clients have config read access, confirmed fixed by vendor in version 2026.4.14 with patch commit 86734ef. CVSS 7.1 reflects network-accessible attack requiring low privileges with high confidentiality impact; no public exploit identified at time of analysis, though technical details published in GHSA-8372-7vhw-cm6q enable reproduction.
Server-side request forgery in OpenClaw npm package before 2026.4.14 allows authenticated remote attackers to access internal services and cloud metadata endpoints through browser-driven requests. The vulnerability stems from a misconfigured browser SSRF policy that permits private-network navigation by default, enabling cross-scope information disclosure without user interaction. Patch available in version 2026.4.14 with vendor advisory and multiple fix commits confirmed. No public exploit or CISA KEV listing identified at time of analysis, though CVSS 7.7 reflects high confidentiality impact with changed scope.
Server-side request forgery in OpenClaw's QQBot media URL handler allows remote unauthenticated attackers to fetch arbitrary internal or external resources and exfiltrate them through the bot's messaging channel. Attackers provide malicious media URLs in QQBot replies, triggering the server to fetch content from attacker-specified locations, which is then re-uploaded through legitimate channels. Vendor patch available as of version 2026.4.12, with fix commits published on GitHub. CVSS 8.3 reflects high confidentiality impact with low integrity impact; CVSS v4.0 vector indicates network-accessible, low complexity attack requiring no privileges or user interaction but specific attack conditions (AT:P).
Server-side request forgery (SSRF) policy bypass in OpenClaw npm package allows authenticated remote attackers to perform unauthorized browser tab navigation operations, circumventing configured SSRF protections through the /tabs/action endpoint. OpenClaw versions before 2026.4.10 are affected. Vendor-released patch version 2026.4.10 is available (confirmed by GitHub advisory GHSA-rj2p-j66c-mgqh and commit 48c0347). No public exploit identified at time of analysis, though EPSS data not available. The CVSS score of 8.5 with scope change (S:C) indicates potential for significant cross-boundary impact despite requiring low-privilege authentication.
Unauthorized local file disclosure in OpenClaw 2026.4.9 allows authenticated attackers with restricted sender/group permissions to bypass policy controls and read arbitrary host files through the media attachment path. Despite sender-scoped 'toolsBySender' or group policy denying read access, the outbound host-media attachment helper failed to honor these restrictions, enabling privilege escalation within multi-tenant deployments. Vendor-released patch available in version 2026.4.10 (commit c949af9) threads sender context through media access resolution to enforce policy boundaries correctly.
Remote attackers can crash OpenClaw 2026.4.9 by sending oversized WebSocket frames to the voice-call realtime webhook path, causing complete service unavailability. The vulnerability requires no authentication and affects deployments that expose the WebSocket endpoint externally. Vendor patch released in version 2026.4.10 with commit afadb7dae6738819ad9c7d2597ace0516957d20e. No active exploitation confirmed (not in CISA KEV), but public advisory with commit details provides exploitation blueprint.
Authenticated users of OpenClaw (npm package) can bypass server-side request forgery (SSRF) protections to access internal or restricted web pages via browser snapshot, screenshot, and tab routes. The vulnerability exploits incomplete validation after route-driven navigation - while initial requests pass SSRF policy checks, the final browser target after navigation is not re-validated before content is captured and returned. This allows lateral movement to internal endpoints (e.g., cloud metadata services at 169.254.169.254) in environments with restrictive browser SSRF configurations. Vendor-released patch available in OpenClaw 2026.4.14. No active exploitation confirmed (not in CISA KEV), though public exploit code has not been independently verified.
Remote attackers with low-privilege authentication can inject environment variable assignments into OpenClaw 2026.2.22 through 2026.4.11 to bypass shell wrapper detection mechanisms. By manipulating critical shell variables like SHELLOPTS and PS4 at the argv level, attackers achieve high-impact code execution that circumvents security controls. Vendor-released patch available in version 2026.4.12. No active exploitation confirmed (not in CISA KEV), but VulnCheck disclosed this vulnerability with specific technical details and a GitHub commit fix.
Sandbox escape in OpenClaw 2026.4.5 through 2026.4.9 allows low-privileged remote attackers to bypass sandbox boundaries and route code execution to arbitrary remote nodes by overriding exec routing parameters with host=node. This breaks sandboxed agent isolation, enabling privilege escalation and unauthorized access to production infrastructure. VulnCheck publicly disclosed this vulnerability with vendor patch available (commit dffad08). No active exploitation (CISA KEV) confirmed, but public disclosure increases exploitation risk for organizations running vulnerable OpenClaw agent deployments.
Authorization bypass in OpenClaw before 2026.4.10 allows low-privileged authenticated users with operator.write permissions to mutate persistent Matrix profile configurations that should require admin-level authority. Exploitation enables unauthorized modification of system-wide profile settings through message-tool paths, bypassing role-based access controls (CVSS:4.0 7.1 High, VI:H). Vendor patch available via GitHub commit fe0f686c. No confirmed active exploitation or public POC identified at time of analysis, with EPSS data not yet available for this 2026 CVE.
OpenClaw before 2026.4.8 contains a privilege escalation vulnerability allowing previously paired nodes to reconnect with exec-capable commands without operator.admin scope requirement. Attackers can bypass re-pairing authentication to execute privileged commands on the local assistant system.
OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invoke(browser.proxy) that allows mutation of persistent browser profiles. Attackers can exploit this path to circumvent the browser.request persistent profile-mutation guard and modify browser configurations.
OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in Playwright redirect handling that allows attackers to bypass strict SSRF checks. Attackers can exploit request-time navigation to reach private targets that should be restricted by browser SSRF protections.
OpenClaw before 2026.4.8 contains a privilege escalation vulnerability in the gateway plugin HTTP authentication mechanism that widens identity-bearing operator.read requests into runtime operator.write permissions. Attackers can exploit this by sending read-scoped requests through the gateway auth route to gain unauthorized write access to runtime operations.
OpenClaw versions before 2026.4.8 fail to enforce integrity verification on downloaded plugin archives. Attackers can install malicious or tampered plugin packages without detection, compromising the local assistant environment.
OpenClaw before 2026.4.8 contains a remote code execution vulnerability caused by missing environment variable denylist entries for HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS. Attackers can inject malicious build tool environment variables to influence host exec commands and achieve arbitrary code execution.
OpenClaw before 2026.4.8 contains an improper authorization vulnerability where the node.pair.approve method accepts operator.write scope instead of the narrower operator.pairing scope, allowing unprivileged users to approve node pairing. Attackers with operator.write permissions can bypass pairing approval restrictions to gain unauthorized access to exec-capable nodes.
OpenClaw before 2026.4.8 treats shared reply MEDIA paths as trusted, allowing crafted references to trigger cross-channel local file exfiltration. Attackers can exploit this by crafting malicious shared reply MEDIA references to cause another channel to read local file paths as trusted generated media.
OpenClaw before 2026.4.8 contains an approval-timeout fallback mechanism that bypasses strictInlineEval explicit-approval requirements on gateway and node exec hosts. Attackers can exploit this timeout fallback to execute inline eval commands that should require explicit user approval, circumventing the intended security boundary.
OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function that allows minting tokens for unapproved roles. Attackers can bypass device role-upgrade pairing to preserve or mint roles and scopes that had not undergone intended approval.
OpenClaw before 2026.4.8 contains a session management vulnerability where existing WebSocket sessions survive shared gateway token rotation. Attackers can maintain unauthorized access to WebSocket connections after token rotation by exploiting the failure to disconnect existing shared-token sessions.
OpenClaw before 2026.4.8 contains improper input validation in base64 decode paths that allocate memory before enforcing decoded-size limits. Attackers can exploit multiple code paths to cause memory exhaustion or denial of service through crafted base64-encoded input.
OpenClaw before 2026.4.8 contains an authentication state management vulnerability where the resolvedAuth closure becomes stale after configuration reload. Newly accepted gateway connections continue using outdated resolved auth state, allowing attackers to bypass authentication controls through config reload operations.
OpenClaw before 2026.4.8 fails to remove git plumbing environment variables from the execution environment before host exec operations. Attackers can exploit this by setting GIT_DIR and related variables to redirect git operations and compromise repository integrity.
OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in QQ Bot media download paths that bypass SSRF protection. Attackers can exploit unprotected media fetch endpoints to access internal resources and bypass allowlist policies.
OpenClaw before 2026.4.4 contains a race condition vulnerability in shared-secret authentication that allows concurrent asynchronous requests to bypass the per-key rate-limit budget. Attackers can exploit this by sending multiple simultaneous authentication attempts to circumvent intended rate-limiting protections on Tailscale-capable paths.
OpenClaw before 2026.4.8 contains a server-side request forgery policy bypass vulnerability allowing attackers to trigger navigations bypassing normal SSRF checks. Attackers can exploit browser interactions to bypass SSRF protections and access restricted resources.
OpenClaw before 2026.4.8 contains a filesystem policy bypass vulnerability in docx upload processing that allows local file reads outside workspace boundaries. Attackers can exploit upload_file and upload_image endpoints to access files beyond the intended workspace-only filesystem policy.
OpenClaw before 2026.4.8 omits owner-only enforcement for cross-channel allowlist writes in the /allowlist endpoint. An authorized non-owner sender can bypass access controls to perform allowlist modifications against different channels, violating the intended trust model.
OpenClaw before 2026.3.31 contains a resource exhaustion vulnerability in media downloads that bypasses core safety limits for file size, count, and cleanup operations. Attackers can exhaust disk space by downloading media files without triggering intended safety restrictions, causing availability impact.
OpenClaw before version 2026.4.2 leaks shared-secret length information through timing side-channel attacks in cryptographic comparison operations. The vulnerability stems from early length-mismatch checks in shared-secret comparison routines that violate constant-time security requirements, allowing remote attackers to measure timing differences and infer secret lengths without authentication. This weakens the cryptographic guarantees of the library's shared-secret handling.
OpenClaw before version 2026.3.31 contains a sender allowlist bypass vulnerability allowing remote attackers to access restricted messages by exploiting quoted, root, and thread context message retrieval mechanisms. The vulnerability affects default configurations and requires user interaction (CVSS UI:P), making it a moderate-risk authentication bypass that undermines message access controls.
Resource exhaustion in OpenClaw before 2026.3.31 allows remote unauthenticated attackers to crash servers by sending malicious Microsoft Teams webhook payloads. The application parses request bodies before performing JWT validation, enabling attackers to bypass authentication and trigger denial-of-service conditions. A vendor patch is available via GitHub commit 3834d47, with no evidence of active exploitation (not in CISA KEV) and no public POC identified at time of analysis.
Privilege escalation in OpenClaw's trusted-proxy authentication mode allows low-privileged authenticated users to gain operator.admin privileges by declaring operator scopes on non-Control-UI clients. The incomplete scope-clearing mechanism fails to sanitize self-declared scopes when identity-bearing authentication paths process requests, enabling attackers to bypass authorization checks and achieve full administrative access. Vendor patch available via commit 8b88b927 in version 2026.3.31; no confirmed active exploitation (not in CISA KEV) but publicly disclosed with detailed GitHub security advisory increasing attack feasibility.
OpenClaw before version 2026.3.31 misclassifies proxied remote requests as loopback connections in the diffs viewer, allowing attackers to bypass the allowRemoteViewer access control restriction. Unauthenticated remote attackers can exploit this authentication bypass by sending specially crafted proxied requests that are incorrectly identified as local traffic, gaining unauthorized access to the diffs viewer functionality. The vulnerability requires network access and specific timing/proximity conditions (per CVSS AT:P vector), but once exploited results in confidentiality impact through unauthorized information disclosure.
OpenClaw before version 2026.3.31 allows authenticated attackers to bypass webhook replay protection through overly broad cache keying, enabling delivery of duplicate webhook messages to unintended sibling targets when the same messageId is reused. The vulnerability exploits insufficient scope isolation in the webhook replay cache deduplication mechanism, allowing message replay across organizational boundaries within a single authentication context.
OpenClaw before version 2026.3.31 fails to properly validate WebSocket frame sizes in its voice-call component before processing, allowing remote unauthenticated attackers to send oversized frames that trigger excessive resource consumption and denial of service. This vulnerability represents an incomplete remediation of CVE-2026-32062, demonstrating that the original fix did not address the root validation sequencing issue.
Denial of service in OpenClaw (pre-2026.3.28) allows remote unauthenticated attackers to exhaust server resources by flooding the application with concurrent WebSocket upgrade requests. The vulnerability stems from lack of rate-limiting and resource budgeting before authentication, enabling attackers to monopolize socket and worker thread capacity and block legitimate WebSocket clients. No active exploitation confirmed (not in CISA KEV), but the technical barrier is low given unauthenticated network access (CVSS:4.0 AV:N/AC:L/PR:N). VulnCheck reported this vulnerability with vendor advisory available on GitHub.
Sandbox escape in OpenClaw file synchronization before version 2026.3.31 enables remote authenticated attackers to read and write arbitrary files outside intended boundaries via crafted symlinks during mirror sync operations. The vulnerability exploits CWE-59 (Improper Link Resolution Before File Access) with attack complexity rated High and requires low privileges, indicating targeted exploitation scenarios. Vendor patches available via GitHub commits c02ee8a and 3b9dab0, with CVSS 7.6 reflecting high confidentiality and integrity impact but no availability impact. No active exploitation or public POC identified at time of analysis beyond vendor disclosure.
Local attackers can execute malicious code in OpenClaw versions before 2026.3.31 by placing crafted .env files in workspaces to override the OPENCLAW_BUNDLED_PLUGINS_DIR variable, bypassing plugin trust verification. The vulnerability enables code injection through untrusted plugins masquerading as verified components when users open compromised workspace configurations. EPSS data not available; CVSS v4.0 rates this 8.5 HIGH with local attack vector requiring user interaction. Vendor patch available via GitHub commit 330a9f98cb and release 2026.3.31.
Webhook replay attacks in OpenClaw before 2026.3.28 allow remote attackers to trigger duplicate voice-call processing by reordering query parameters in captured Plivo V3 signed webhooks. The vulnerability stems from inconsistent canonicalization: signature verification sorts query parameters before validation, but replay detection hashes the raw URL with original parameter ordering. Attackers possessing a single valid signed webhook can bypass replay cache indefinitely by permuting query string order, causing repeated execution of voice-call workflows without requiring authentication or cryptographic breaks. No public exploit identified at time of analysis, though attack complexity is low (CVSS AC:L) with network vector (AV:N) requiring no privileges (PR:N).
Authentication bypass in OpenClaw allows remote unauthenticated attackers to execute privileged runtime operations intended for authorized operators. The vulnerability exists in plugin-auth HTTP routes that incorrectly grant operator-level write scopes without authentication checks. Attackers can remotely exploit this flaw with low complexity (CVSS:4.0 AV:N/AC:L/PR:N) to modify runtime configurations and perform administrative actions. Vendor-released patch available as of commit 2a1db0c (March 31, 2026). No active exploitation confirmed in CISA KEV, though EPSS data unavailable for risk calibration.
OpenClaw before version 2026.3.31 accepts arbitrary tailnet peers as DNS authorities due to improper validation in its wide-area discovery mechanism, enabling attackers positioned within the same tailnet with CA-trusted endpoint access to manipulate DNS resolution and exfiltrate operator credentials. The vulnerability requires adjacent network access, high attack complexity, and user interaction, but results in high confidentiality impact through credential theft. No active exploitation has been publicly confirmed at the time of analysis.
OpenClaw before version 2026.3.31 allows local authenticated users with user interaction to bypass exec allowlist restrictions via shell initialization file options (--rcfile, --init-file, --startup-file), enabling them to load attacker-controlled initialization files and achieve high-impact unauthorized access to confined resources. Exploitation requires local access, low privileges, user interaction, and specific timing conditions, but bypasses a critical security control intended to restrict executable trust.
Privilege escalation in OpenClaw before 2026.3.28 allows local authenticated attackers to bypass execution allowlist controls via wrapper binary persistence. When users grant trust to wrapped commands (e.g., via /usr/bin/script), OpenClaw fails to distinguish the wrapper from the underlying executable, allowing attackers to reuse the wrapper's persistent trust to execute arbitrary unauthorized programs. No active exploitation confirmed (CISA KEV: not listed), but VulnCheck has published technical advisory details. EPSS data not available.
OpenClaw before version 2026.3.31 allows remote attackers to bypass configuration revocation controls by restarting the application, which rehydrates revoked Tlon configuration settings from disk state due to improper handling of empty-array settings during startup migration. An attacker with network access and the ability to trigger application restarts can restore previously revoked authentication or authorization configurations without explicit re-enablement, potentially compromising intended security controls.
OpenClaw package manager allows supply chain attacks through incomplete environment variable sanitization before version 2026.3.22. Attackers can hijack approved package installation or execution requests by injecting environment variables that redirect package resolution to malicious infrastructure, enabling trojanized code execution with high impact to confidentiality, integrity, and availability. This requires local access and user interaction to trigger package manager operations, limiting remote exploitation but creating significant insider threat and social engineering risk vectors.
Privilege escalation in OpenClaw allows remote unauthenticated attackers to elevate privileges beyond intended device roles during first-use pairing. The vulnerability stems from bootstrap setup codes lacking proper binding to device roles and scopes, enabling attackers to exploit the pairing process with low complexity and no user interaction. VulnCheck reported this issue, and a vendor patch is available as of 2026.3.22. While no active exploitation has been confirmed (not in CISA KEV), the network attack vector (AV:N) and absence of authentication requirements (PR:N) create significant exposure for organizations deploying new OpenClaw instances.
Plaintext private key storage in OpenClaw versions before 2026.3.31 exposes Nostr protocol signing keys through configuration retrieval methods. Authenticated attackers with network access can exploit redaction bypass in config.get methods to extract unencrypted private keys, enabling full impersonation of the compromised Nostr identity for signing and authentication operations. Vendor patch available via GitHub commit 57700d716f660591fb6e09727f3ca8041fa48b9d. EPSS and KEV data not available, but the authentication bypass tag and network attack vector indicate elevated risk for multi-tenant or shared OpenClaw deployments.
Environment variable injection in OpenClaw's CLI backend runner enables local attackers to achieve arbitrary code execution or exfiltrate sensitive data by manipulating workspace configuration files. Attackers with the ability to supply malicious workspace configs can inject environment variables into backend processes during spawning, exploiting CWE-15 (external control of system or configuration setting). Vendor patch available via GitHub commit c2fb7f1. CVSS 8.5 reflects high impact across confidentiality, integrity, and availability, though exploitation requires local access and user interaction to load the malicious workspace config. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept at time of analysis.
OpenClaw before version 2026.4.2 allows authenticated attackers to delete arbitrary remote directories during mirror mode synchronization operations by manipulating remoteWorkspaceDir and remoteAgentWorkspaceDir configuration values. An attacker with login credentials can craft malicious OpenShell config paths that cause the mirror sync function to delete unintended remote directory contents before replacing them with uploaded workspace data, resulting in data loss and potential service disruption.
Remote code execution in OpenClaw npm package versions before 2026.4.20 allows local authenticated users to inject malicious code through MCP stdio server environment variables. Attackers craft workspace configurations containing dangerous environment variables (NODE_OPTIONS, LD_PRELOAD, BASH_ENV) that execute arbitrary code when operators start sessions using those MCP servers. Vendor-released patch available (version 2026.4.20). No public exploit code or active exploitation confirmed at time of analysis, though VulnCheck published detailed technical advisory. CVSS 7.3 reflects local attack vector requiring user interaction, limiting widespread exploitation risk despite high technical impact.
Authentication bypass in OpenClaw before version 2026.4.22 allows unauthenticated attackers to read sensitive bootstrap and configuration metadata from the Control UI config endpoint when Gateway authentication is enabled. The vulnerability exposes internal bootstrap information and configuration fields intended only for authenticated Control UI sessions via an unprotected HTTP GET request to the `/__openclaw/control-ui-config.json` endpoint, with no user interaction required.
OpenClaw before version 2026.4.20 misclassifies direct messages as group conversations in Feishu card-action callbacks, allowing authenticated attackers to bypass dmPolicy restrictions and trigger card-action flows that should have been blocked. The vulnerability affects direct message handling in the Feishu integration and requires authenticated access (PR:L per CVSS vector) but achieves both confidentiality and integrity impact with moderate CVSS score of 5.4.
OpenClaw versions 2026.4.5 through 2026.4.19 allow local attackers with user privileges to redirect credentialed MiniMax API requests to attacker-controlled servers via environment variable injection in workspace dotenv files, exposing MiniMax API keys in Authorization headers. The vulnerability requires user interaction (opening a malicious workspace) and local access but achieves high confidentiality impact by exfiltrating sensitive API credentials.
Authorization bypass in OpenClaw before 2026.4.21 allows non-owner senders to execute owner-enforced slash commands when channels are configured with wildcard inbound senders (allowFrom: ["*"]) without explicit owner allowFrom settings. Attackers with legitimate channel access can exploit this to bypass owner-only command authorization checks and execute commands such as /send, /config, or /debug. The vulnerability requires authenticated access to affected channels but is limited to command-owner authorization and does not grant tool access or gateway administrator scope.
Authentication bypass in OpenClaw's BlueBubbles webhook handler allows remote attackers to send crafted webhook requests without credentials. The handleBlueBubblesWebhookRequest function in extensions/bluebubbles/src/monitor.ts incorrectly exempts localhost requests from authentication, enabling IP spoofing attacks to bypass security controls. Exploit code is publicly available on GitHub. Patch released in version 2026.2.12 (commit a6653be). CVSS 7.3 reflects network-accessible unauthenticated attack with low complexity affecting confidentiality, integrity, and availability.
Authentication bypass in OpenClaw's MCP loopback interface allows local low-privilege attackers to escalate to owner-level access. Non-owner MCP client processes can spoof the 'x-openclaw-sender-is-owner' HTTP header to impersonate the owner and access owner-gated operations. Publicly available exploit code exists via GitHub commit 3cb1a56, and VulnCheck has published a detailed advisory. The vulnerability affects OpenClaw npm package versions <= 2026.4.21, with patch 2026.4.22 available since April 2026.
Server-side request forgery in OpenClaw before 2026.4.20 allows unauthenticated remote attackers to relay unintended requests through QQBot direct media upload endpoints (uploadC2CMedia and uploadGroupMedia) by sending crafted image URLs that bypass SSRF protections. The vulnerability affects QQBot outbound media handling and does not expose arbitrary local files, but could allow attackers to make configured QQBot media delivery requests to unintended destinations.
Server-side request forgery in OpenClaw before version 2026.4.22 allows remote attackers to bypass SSRF protection in the Zalo plugin's sendPhoto function by providing malicious photo URLs, enabling unauthorized access to internal resources. The vulnerability affects the Zalo Bot API integration and requires network access but involves time-based attack complexity; no public exploit code or active exploitation has been confirmed.
Shell expansion injection in OpenClaw's exec allowlist validation allows authenticated attackers to bypass command approval controls and execute arbitrary system commands. The vulnerability affects OpenClaw versions prior to 2026.4.22 through improper parsing of unquoted heredoc bodies, where shell expansion tokens ($VAR, $(), etc.) are treated as literal text during allowlist analysis but expanded at runtime. This enables attackers to embed unapproved commands within ostensibly safe allowlisted commands. VulnCheck disclosed this vulnerability, and a proof-of-concept fix commit is publicly available. CVSS 8.7 reflects high impact across confidentiality, integrity, and availability with low attack complexity.
Environment variable namespace collision in OpenClaw npm package before version 2026.4.20 enables malicious workspace dotenv files to override critical runtime control variables including OPENCLAW_GIT_DIR, potentially redirecting trusted operations like source updates and installer flows to attacker-controlled paths. Exploitation requires user interaction (opening a malicious workspace) but no authentication, achieving high confidentiality and integrity impact within the local scope. CVSS 8.5 severity reflects the local attack vector with low complexity. No active exploitation confirmed (not in CISA KEV), but public exploit code exists via the GitHub security advisory demonstrating the attack surface. Fixed in version 2026.4.20 per vendor commit 018494fa.
OpenClaw before 2026.4.22 contains a time-of-check/time-of-use (TOCTOU) race condition in the OpenShell filesystem bridge that allows authenticated attackers with local access to read files outside the intended mount root by performing symlink swaps during filesystem operations. The vulnerability affects sandbox security guarantees by enabling bypass of containment restrictions through coordinated symlink manipulation, and has been confirmed patched in version 2026.4.22.
OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in OpenShell sandbox filesystem writes that allows authenticated attackers to redirect file writes outside the intended mount root via symlink swaps. By exploiting the window between sandbox validation and actual file write operations, an attacker with local access can manipulate symlinks to bypass sandbox filesystem restrictions and write arbitrary files to locations outside the workspace.
Authorization bypass in OpenClaw Matrix bot integration allows DM-paired attackers to execute privileged room control commands without configured permissions. Attackers who have previously established direct message pairing can exploit misaligned allowlist logic to run room control commands in bot rooms, bypassing room membership and allowlist requirements. Fixed in version 2026.4.15 after responsible disclosure by Keen Security Lab. No evidence of active exploitation; publicly available vendor advisory and fix commits reduce exploitation probability.
OpenClaw's Feishu webhook integration fails open when encryptKey is missing or callback tokens are blank, allowing remote unauthenticated attackers to bypass signature verification and replay protection mechanisms. Attackers can submit crafted webhook requests or malformed card-action callbacks directly to command dispatch without authentication, enabling arbitrary command execution. Vendor-confirmed authentication bypass; patch released in version 2026.4.15. No public exploit code or CISA KEV listing identified at time of analysis, but the fail-open behavior and network attack vector (CVSS AV:N/AC:L/PR:N) make this highly exploitable against misconfigured deployments.
Bearer token revocation bypass in OpenClaw gateway allows attackers to authenticate using rotated-out tokens until process restart. OpenClaw gateway HTTP and WebSocket handlers captured bearer authentication configuration at startup, failing to re-resolve credentials after SecretRef rotation. Attackers possessing a previously valid token can maintain unauthorized gateway access to /v1/* endpoints, /tools/invoke, plugin routes, and canvas upgrade paths even after operators rotate secrets, believing the old token is revoked. Fixed in version 2026.4.15. CVSS 9.2 reflects network-accessible attack with high complexity; no public exploit identified at time of analysis.
Environment variable injection in OpenClaw before 2026.4.10 allows authenticated remote attackers to hijack interpreter execution behavior through insufficient filtering of high-risk startup variables (VIMINIT, EXINIT, LUA_INIT, HOSTALIASES). The vulnerability enables code execution by manipulating how downstream interpreters (Vim, ex, Lua) initialize and resolve hostnames. Patched in version 2026.4.10 following coordinated disclosure by Tencent zhuque Lab. No public exploit identified at time of analysis, though CVSS 8.7 reflects network-exploitable attack surface with low complexity requiring only low-privilege authentication.
OpenClaw versions 2026.4.10 through 2026.4.13 fail to persist session context when recovering queued outbound media after service restart, allowing authenticated attackers to bypass group tool policy enforcement and weaken channel media restrictions. The vulnerability affects the delivery queue recovery mechanism, which replays queued messages without the original requester's session context needed for policy validation. Exploitation requires authenticated access and prior knowledge of queued delivery entries, with CVSS 6.0 and confirmed patch available in version 2026.4.14.
Server-side request forgery in OpenClaw browser navigation policy before version 2026.4.10 allows authenticated attackers to bypass hostname validation through DNS rebinding attacks, enabling pivots to internal network resources via unallowlisted hostnames. The vulnerability exploits inconsistent hostname resolution between validation checks and actual network requests made by the Chromium engine, with fix confirmed in upstream commit 121c452d and released in version 2026.4.10.
OpenClaw before version 2026.4.10 allows authenticated attackers to bypass Server-Side Request Forgery (SSRF) policy enforcement through incomplete navigation guard coverage in browser press and type interactions. Attackers can trigger unauthorized navigation actions, including pressKey and type-submit flows, that skip post-action security checks, potentially enabling SSRF attacks against restricted endpoints.
OpenClaw before version 2026.4.10 allows operators with write permissions to persist Nostr profile configuration without requiring admin authority through unprotected HTTP mutation endpoints. Attackers holding the operator.write scope can modify profile settings via PUT and POST routes that should require operator.admin scope, enabling unauthorized configuration changes. This is a privilege escalation vulnerability affecting the Nostr plugin HTTP API layer.
Privilege escalation in OpenClaw 2026.3.31 through 2026.4.9 allows remote unauthenticated attackers to maintain elevated execution context by injecting malicious async completion events that bypass heartbeat owner-downgrade detection. The flaw stems from incomplete pattern matching in local background exec completion filtering, enabling attackers to submit untrusted completion content that prevents proper privilege de-escalation after operations complete. Vendor-released patch available in version 2026.4.10 and later. No evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis, but CVSS 9.1 critical rating reflects network-accessible attack surface with no authentication required.
Arbitrary file read in OpenClaw before 2026.4.9 allows authenticated remote attackers to bypass navigation guards and access local files via browser interaction routes. Attackers exploit the ability to trigger navigation into the local Chrome DevTools Protocol (CDP) origin through act/evaluate commands, then create or read disallowed file:// URLs despite direct navigation policy restrictions. Patch available in version 2026.4.9 and confirmed included in npm release 2026.4.14. No public exploit code identified at time of analysis, CVSS 7.1 (High) with network attack vector and low complexity.
Authentication bypass in OpenClaw 2026.2.21 through 2026.4.9 allows remote unauthenticated attackers to access the sandbox noVNC helper route and gain unauthorized control of interactive browser sessions. The vulnerability exposes session credentials by failing to enforce bridge authentication on the /sandbox/novnc endpoint. OpenClaw is an open-source AI agent framework. Patch available in version 2026.4.10 and later. No evidence of active exploitation (not in CISA KEV) and EPSS data not available at time of analysis.
OpenClaw before version 2026.4.12 contains an improper authorization flaw in helper-backed channels where empty resolved approver lists are incorrectly interpreted as explicit approval authorization. Authenticated attackers who know an approval ID can resolve pending approvals without proper authorization by exploiting this logic error, bypassing intended sender authorization checks. This vulnerability has a CVSS score of 6.5 (medium) with network attack vector and requires only low privileges, though no public exploit code or active exploitation has been identified.
Server-side request forgery policy bypass in OpenClaw npm package (versions < 2026.4.10) allows authenticated remote attackers to interact with or navigate to unauthorized targets through existing-session browser interaction routes. The vulnerability bypasses SSRF navigation guards in routes handling click, type, press, and evaluate actions, enabling cross-scope information disclosure. Vendor-released patch available in version 2026.4.10. No public exploit identified at time of analysis, though EPSS data not available. Reported by security researchers from KeenSecurityLab with detailed technical disclosure.
OpenClaw's channel setup catalog lookup mechanism allowed workspace plugins to shadow bundled channel plugins and bypass trust gates during setup-time plugin loading. Low-privileged authenticated attackers on the network can craft malicious workspace plugins that execute without the intended trust verification, enabling arbitrary code execution in the OpenClaw runtime. The vulnerability was responsibly disclosed by security researchers from Keen Security Lab and patched in version 2026.4.10. No public exploit identified at time of analysis, though the fix commit reveals the exact vulnerable lookup logic attackers would target.
Symlink traversal in OpenClaw versions 2026.3.22 before 2026.4.5 allows unauthenticated remote attackers with user interaction to read arbitrary files outside the remote marketplace repository root. The vulnerability exploits improper path canonicalization in the marketplace plugin's remote repository handler, exposing sensitive information with a CVSS score of 6.5. Vendor-released patch available in version 2026.4.5.
Authentication bypass in OpenClaw before 2026.4.9 enables untrusted workspace plugins to intercept provider authentication credentials during non-interactive onboarding. Malicious plugins can shadow legitimate provider authentication choices, causing the system to auto-enable attacker-controlled code and route sensitive API keys or credentials through untrusted handlers without user consent. Vendor-released patch available (v2026.4.9+). EPSS and KEV data not provided; exploitation requires user interaction (UI:P) and specific attack timing (AT:P), suggesting moderate real-world deployment complexity despite network attack vector.
OpenClaw npm package versions 2026.4.5 through 2026.4.9 allow privilege escalation from write-scoped operators to administrator-level configuration access. Authenticated attackers with 'operator.write' gateway credentials can modify persistent memory dreaming settings via the /dreaming endpoint, bypassing intended admin-only restrictions. Vendor-released patch available (v2026.4.10); no active exploitation confirmed at time of analysis.
Path traversal in OpenClaw's screen_record tool allows authenticated users to write files outside workspace boundaries via crafted outPath parameters, bypassing filesystem security controls. OpenClaw versions before 2026.4.10 are affected. Vendor-released patch available (version 2026.4.10 and later, including current release 2026.4.14). No active exploitation confirmed (CISA KEV negative), but publicly documented vulnerability with working proof-of-concept code in GitHub commit diff. CVSS 7.1 with high integrity impact reflects potential for unauthorized file system modifications outside intended workspace scope.
Privilege escalation in OpenClaw npm package versions 2026.4.7 through 2026.4.13 allows remote unauthenticated attackers to preserve elevated execution context by sending malicious webhook wake events. The heartbeat owner downgrade logic incorrectly skips validation of untrusted webhook payloads, enabling attackers to maintain owner-like privileges during runs that should operate with reduced permissions. Vendor-released patch available in version 2026.4.14. EPSS data not available; no public exploit identified at time of analysis, though VulnCheck and security researchers from KeenSecurityLab have confirmed the vulnerability through coordinated disclosure.
Authorization context reuse in OpenClaw's collect-mode queue batching allows attackers with low-privilege accounts to execute messages with elevated permissions inherited from subsequent higher-privileged senders. The vulnerability occurs when messages from multiple senders are batched together, causing earlier queued messages to execute under the authorization context of the final sender in the batch rather than their own. Vendor-released patch (version 2026.4.14) confirmed available via GitHub advisory GHSA-jwrq-8g5x-5fhm and commit 43d4be9. No public exploit identified at time of analysis.
Remote unauthenticated trust boundary violation in OpenClaw npm package before 2026.4.10 allows attackers to escalate untrusted external hook input into trusted system events. By supplying malicious hook metadata, adversaries can inject arbitrary content into the agent context with elevated privileges, bypassing security boundaries intended to isolate external input from system-level operations. Vendor-released patch available (version 2026.4.10+), with no evidence of active exploitation or public exploit code at time of analysis.
Arbitrary file read in OpenClaw QQBot extension allows remote unauthenticated attackers to disclose sensitive local files by crafting malicious media tags in reply text. The vulnerability exists in OpenClaw npm package versions before 2026.4.10, where QQBot outbound media handling fails to enforce storage boundaries, enabling path traversal to read files outside the intended media directory. Publicly available patch confirmed (GitHub commit 604777e4414cc3b2ff8861f18f4fb04374c702c6). EPSS data unavailable; no CISA KEV listing indicates targeted disclosure rather than widespread exploitation. CVSS 8.9 with network vector and no authentication required, but exploitation requires the QQBot extension to be enabled and processing attacker-controlled reply text.
Path traversal in OpenClaw npm package allows authenticated attackers to expose confidential host-local files via Discord event cover image parameters. Versions 2026.4.7 through 2026.4.9 fail to normalize Discord event cover image paths through sandbox media processing, enabling attackers with low-privilege Discord bot credentials to bypass media sandboxing and inject host-local file references (e.g., file:///workspace/assets/event-cover.png) into channel actions expecting normalized media. This results in high confidentiality impact with scope change, as local filesystem paths outside the intended sandbox can be accessed. Vendor-released patch available (2026.4.10+). No active exploitation confirmed (not in CISA KEV), but public exploit code exists via GitHub commit and advisory.
Environment variable injection in OpenClaw npm package versions before 2026.4.9 allows local attackers with low privileges to compromise application behavior through malicious workspace .env files. Attackers can redirect update sources to serve backdoored packages, modify gateway URLs and ClawHub resolution endpoints to intercept traffic, and override browser executable paths to launch attacker-controlled binaries. Vendor-released patch: version 2026.4.9, with fix also present in latest npm release 2026.4.14. No public exploit identified at time of analysis, but exploitation requires only an untrusted repository with a crafted .env file opened by a victim user.
{system("id")}' or 'toybox ash -c'. CVSS 8.7 (CVSS:4.0/AV:N/AC:L/PR:L) indicates network-accessible exploitation by low-privileged authenticated users. Vendor-released patch available in version 2026.4.12. EPSS and KEV data not provided; no public exploit identified at time of analysis beyond vendor-disclosed commit.
OpenClaw before 2026.4.10 allows local attackers with workspace write access to bypass boundary checks via a time-of-check-time-of-use race condition in the validateScriptFileForShellBleed function. An attacker can swap the target script file between validation and preflight read, causing the validator to inspect a different file than the one that passed the initial workspace boundary check, potentially leaking preflight metadata such as matched tokens or line numbers. No public exploit code identified at time of analysis; patch available in version 2026.4.10.
Authenticated configuration readers in OpenClaw gateway deployments can extract unredacted sensitive credentials through alias field bypass in versions prior to 2026.4.14. Attackers with legitimate config read permissions exploit sourceConfig and runtimeConfig alias fields to obtain provider API keys, gateway authentication tokens, and channel credentials that the redaction mechanism fails to sanitize. The vulnerability affects npm package 'openclaw' in gateway configurations where authenticated clients have config read access, confirmed fixed by vendor in version 2026.4.14 with patch commit 86734ef. CVSS 7.1 reflects network-accessible attack requiring low privileges with high confidentiality impact; no public exploit identified at time of analysis, though technical details published in GHSA-8372-7vhw-cm6q enable reproduction.
Server-side request forgery in OpenClaw npm package before 2026.4.14 allows authenticated remote attackers to access internal services and cloud metadata endpoints through browser-driven requests. The vulnerability stems from a misconfigured browser SSRF policy that permits private-network navigation by default, enabling cross-scope information disclosure without user interaction. Patch available in version 2026.4.14 with vendor advisory and multiple fix commits confirmed. No public exploit or CISA KEV listing identified at time of analysis, though CVSS 7.7 reflects high confidentiality impact with changed scope.
Server-side request forgery in OpenClaw's QQBot media URL handler allows remote unauthenticated attackers to fetch arbitrary internal or external resources and exfiltrate them through the bot's messaging channel. Attackers provide malicious media URLs in QQBot replies, triggering the server to fetch content from attacker-specified locations, which is then re-uploaded through legitimate channels. Vendor patch available as of version 2026.4.12, with fix commits published on GitHub. CVSS 8.3 reflects high confidentiality impact with low integrity impact; CVSS v4.0 vector indicates network-accessible, low complexity attack requiring no privileges or user interaction but specific attack conditions (AT:P).
Server-side request forgery (SSRF) policy bypass in OpenClaw npm package allows authenticated remote attackers to perform unauthorized browser tab navigation operations, circumventing configured SSRF protections through the /tabs/action endpoint. OpenClaw versions before 2026.4.10 are affected. Vendor-released patch version 2026.4.10 is available (confirmed by GitHub advisory GHSA-rj2p-j66c-mgqh and commit 48c0347). No public exploit identified at time of analysis, though EPSS data not available. The CVSS score of 8.5 with scope change (S:C) indicates potential for significant cross-boundary impact despite requiring low-privilege authentication.
Unauthorized local file disclosure in OpenClaw 2026.4.9 allows authenticated attackers with restricted sender/group permissions to bypass policy controls and read arbitrary host files through the media attachment path. Despite sender-scoped 'toolsBySender' or group policy denying read access, the outbound host-media attachment helper failed to honor these restrictions, enabling privilege escalation within multi-tenant deployments. Vendor-released patch available in version 2026.4.10 (commit c949af9) threads sender context through media access resolution to enforce policy boundaries correctly.
Remote attackers can crash OpenClaw 2026.4.9 by sending oversized WebSocket frames to the voice-call realtime webhook path, causing complete service unavailability. The vulnerability requires no authentication and affects deployments that expose the WebSocket endpoint externally. Vendor patch released in version 2026.4.10 with commit afadb7dae6738819ad9c7d2597ace0516957d20e. No active exploitation confirmed (not in CISA KEV), but public advisory with commit details provides exploitation blueprint.
Authenticated users of OpenClaw (npm package) can bypass server-side request forgery (SSRF) protections to access internal or restricted web pages via browser snapshot, screenshot, and tab routes. The vulnerability exploits incomplete validation after route-driven navigation - while initial requests pass SSRF policy checks, the final browser target after navigation is not re-validated before content is captured and returned. This allows lateral movement to internal endpoints (e.g., cloud metadata services at 169.254.169.254) in environments with restrictive browser SSRF configurations. Vendor-released patch available in OpenClaw 2026.4.14. No active exploitation confirmed (not in CISA KEV), though public exploit code has not been independently verified.
Remote attackers with low-privilege authentication can inject environment variable assignments into OpenClaw 2026.2.22 through 2026.4.11 to bypass shell wrapper detection mechanisms. By manipulating critical shell variables like SHELLOPTS and PS4 at the argv level, attackers achieve high-impact code execution that circumvents security controls. Vendor-released patch available in version 2026.4.12. No active exploitation confirmed (not in CISA KEV), but VulnCheck disclosed this vulnerability with specific technical details and a GitHub commit fix.
Sandbox escape in OpenClaw 2026.4.5 through 2026.4.9 allows low-privileged remote attackers to bypass sandbox boundaries and route code execution to arbitrary remote nodes by overriding exec routing parameters with host=node. This breaks sandboxed agent isolation, enabling privilege escalation and unauthorized access to production infrastructure. VulnCheck publicly disclosed this vulnerability with vendor patch available (commit dffad08). No active exploitation (CISA KEV) confirmed, but public disclosure increases exploitation risk for organizations running vulnerable OpenClaw agent deployments.
Authorization bypass in OpenClaw before 2026.4.10 allows low-privileged authenticated users with operator.write permissions to mutate persistent Matrix profile configurations that should require admin-level authority. Exploitation enables unauthorized modification of system-wide profile settings through message-tool paths, bypassing role-based access controls (CVSS:4.0 7.1 High, VI:H). Vendor patch available via GitHub commit fe0f686c. No confirmed active exploitation or public POC identified at time of analysis, with EPSS data not yet available for this 2026 CVE.
OpenClaw before 2026.4.8 contains a privilege escalation vulnerability allowing previously paired nodes to reconnect with exec-capable commands without operator.admin scope requirement. Attackers can bypass re-pairing authentication to execute privileged commands on the local assistant system.
OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invoke(browser.proxy) that allows mutation of persistent browser profiles. Attackers can exploit this path to circumvent the browser.request persistent profile-mutation guard and modify browser configurations.
OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in Playwright redirect handling that allows attackers to bypass strict SSRF checks. Attackers can exploit request-time navigation to reach private targets that should be restricted by browser SSRF protections.
OpenClaw before 2026.4.8 contains a privilege escalation vulnerability in the gateway plugin HTTP authentication mechanism that widens identity-bearing operator.read requests into runtime operator.write permissions. Attackers can exploit this by sending read-scoped requests through the gateway auth route to gain unauthorized write access to runtime operations.
OpenClaw versions before 2026.4.8 fail to enforce integrity verification on downloaded plugin archives. Attackers can install malicious or tampered plugin packages without detection, compromising the local assistant environment.
OpenClaw before 2026.4.8 contains a remote code execution vulnerability caused by missing environment variable denylist entries for HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS. Attackers can inject malicious build tool environment variables to influence host exec commands and achieve arbitrary code execution.
OpenClaw before 2026.4.8 contains an improper authorization vulnerability where the node.pair.approve method accepts operator.write scope instead of the narrower operator.pairing scope, allowing unprivileged users to approve node pairing. Attackers with operator.write permissions can bypass pairing approval restrictions to gain unauthorized access to exec-capable nodes.
OpenClaw before 2026.4.8 treats shared reply MEDIA paths as trusted, allowing crafted references to trigger cross-channel local file exfiltration. Attackers can exploit this by crafting malicious shared reply MEDIA references to cause another channel to read local file paths as trusted generated media.
OpenClaw before 2026.4.8 contains an approval-timeout fallback mechanism that bypasses strictInlineEval explicit-approval requirements on gateway and node exec hosts. Attackers can exploit this timeout fallback to execute inline eval commands that should require explicit user approval, circumventing the intended security boundary.
OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function that allows minting tokens for unapproved roles. Attackers can bypass device role-upgrade pairing to preserve or mint roles and scopes that had not undergone intended approval.
OpenClaw before 2026.4.8 contains a session management vulnerability where existing WebSocket sessions survive shared gateway token rotation. Attackers can maintain unauthorized access to WebSocket connections after token rotation by exploiting the failure to disconnect existing shared-token sessions.
OpenClaw before 2026.4.8 contains improper input validation in base64 decode paths that allocate memory before enforcing decoded-size limits. Attackers can exploit multiple code paths to cause memory exhaustion or denial of service through crafted base64-encoded input.
OpenClaw before 2026.4.8 contains an authentication state management vulnerability where the resolvedAuth closure becomes stale after configuration reload. Newly accepted gateway connections continue using outdated resolved auth state, allowing attackers to bypass authentication controls through config reload operations.
OpenClaw before 2026.4.8 fails to remove git plumbing environment variables from the execution environment before host exec operations. Attackers can exploit this by setting GIT_DIR and related variables to redirect git operations and compromise repository integrity.
OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in QQ Bot media download paths that bypass SSRF protection. Attackers can exploit unprotected media fetch endpoints to access internal resources and bypass allowlist policies.
OpenClaw before 2026.4.4 contains a race condition vulnerability in shared-secret authentication that allows concurrent asynchronous requests to bypass the per-key rate-limit budget. Attackers can exploit this by sending multiple simultaneous authentication attempts to circumvent intended rate-limiting protections on Tailscale-capable paths.
OpenClaw before 2026.4.8 contains a server-side request forgery policy bypass vulnerability allowing attackers to trigger navigations bypassing normal SSRF checks. Attackers can exploit browser interactions to bypass SSRF protections and access restricted resources.
OpenClaw before 2026.4.8 contains a filesystem policy bypass vulnerability in docx upload processing that allows local file reads outside workspace boundaries. Attackers can exploit upload_file and upload_image endpoints to access files beyond the intended workspace-only filesystem policy.
OpenClaw before 2026.4.8 omits owner-only enforcement for cross-channel allowlist writes in the /allowlist endpoint. An authorized non-owner sender can bypass access controls to perform allowlist modifications against different channels, violating the intended trust model.
OpenClaw before 2026.3.31 contains a resource exhaustion vulnerability in media downloads that bypasses core safety limits for file size, count, and cleanup operations. Attackers can exhaust disk space by downloading media files without triggering intended safety restrictions, causing availability impact.
OpenClaw before version 2026.4.2 leaks shared-secret length information through timing side-channel attacks in cryptographic comparison operations. The vulnerability stems from early length-mismatch checks in shared-secret comparison routines that violate constant-time security requirements, allowing remote attackers to measure timing differences and infer secret lengths without authentication. This weakens the cryptographic guarantees of the library's shared-secret handling.
OpenClaw before version 2026.3.31 contains a sender allowlist bypass vulnerability allowing remote attackers to access restricted messages by exploiting quoted, root, and thread context message retrieval mechanisms. The vulnerability affects default configurations and requires user interaction (CVSS UI:P), making it a moderate-risk authentication bypass that undermines message access controls.
Resource exhaustion in OpenClaw before 2026.3.31 allows remote unauthenticated attackers to crash servers by sending malicious Microsoft Teams webhook payloads. The application parses request bodies before performing JWT validation, enabling attackers to bypass authentication and trigger denial-of-service conditions. A vendor patch is available via GitHub commit 3834d47, with no evidence of active exploitation (not in CISA KEV) and no public POC identified at time of analysis.
Privilege escalation in OpenClaw's trusted-proxy authentication mode allows low-privileged authenticated users to gain operator.admin privileges by declaring operator scopes on non-Control-UI clients. The incomplete scope-clearing mechanism fails to sanitize self-declared scopes when identity-bearing authentication paths process requests, enabling attackers to bypass authorization checks and achieve full administrative access. Vendor patch available via commit 8b88b927 in version 2026.3.31; no confirmed active exploitation (not in CISA KEV) but publicly disclosed with detailed GitHub security advisory increasing attack feasibility.
OpenClaw before version 2026.3.31 misclassifies proxied remote requests as loopback connections in the diffs viewer, allowing attackers to bypass the allowRemoteViewer access control restriction. Unauthenticated remote attackers can exploit this authentication bypass by sending specially crafted proxied requests that are incorrectly identified as local traffic, gaining unauthorized access to the diffs viewer functionality. The vulnerability requires network access and specific timing/proximity conditions (per CVSS AT:P vector), but once exploited results in confidentiality impact through unauthorized information disclosure.
OpenClaw before version 2026.3.31 allows authenticated attackers to bypass webhook replay protection through overly broad cache keying, enabling delivery of duplicate webhook messages to unintended sibling targets when the same messageId is reused. The vulnerability exploits insufficient scope isolation in the webhook replay cache deduplication mechanism, allowing message replay across organizational boundaries within a single authentication context.
OpenClaw before version 2026.3.31 fails to properly validate WebSocket frame sizes in its voice-call component before processing, allowing remote unauthenticated attackers to send oversized frames that trigger excessive resource consumption and denial of service. This vulnerability represents an incomplete remediation of CVE-2026-32062, demonstrating that the original fix did not address the root validation sequencing issue.
Denial of service in OpenClaw (pre-2026.3.28) allows remote unauthenticated attackers to exhaust server resources by flooding the application with concurrent WebSocket upgrade requests. The vulnerability stems from lack of rate-limiting and resource budgeting before authentication, enabling attackers to monopolize socket and worker thread capacity and block legitimate WebSocket clients. No active exploitation confirmed (not in CISA KEV), but the technical barrier is low given unauthenticated network access (CVSS:4.0 AV:N/AC:L/PR:N). VulnCheck reported this vulnerability with vendor advisory available on GitHub.
Sandbox escape in OpenClaw file synchronization before version 2026.3.31 enables remote authenticated attackers to read and write arbitrary files outside intended boundaries via crafted symlinks during mirror sync operations. The vulnerability exploits CWE-59 (Improper Link Resolution Before File Access) with attack complexity rated High and requires low privileges, indicating targeted exploitation scenarios. Vendor patches available via GitHub commits c02ee8a and 3b9dab0, with CVSS 7.6 reflecting high confidentiality and integrity impact but no availability impact. No active exploitation or public POC identified at time of analysis beyond vendor disclosure.
Local attackers can execute malicious code in OpenClaw versions before 2026.3.31 by placing crafted .env files in workspaces to override the OPENCLAW_BUNDLED_PLUGINS_DIR variable, bypassing plugin trust verification. The vulnerability enables code injection through untrusted plugins masquerading as verified components when users open compromised workspace configurations. EPSS data not available; CVSS v4.0 rates this 8.5 HIGH with local attack vector requiring user interaction. Vendor patch available via GitHub commit 330a9f98cb and release 2026.3.31.
Webhook replay attacks in OpenClaw before 2026.3.28 allow remote attackers to trigger duplicate voice-call processing by reordering query parameters in captured Plivo V3 signed webhooks. The vulnerability stems from inconsistent canonicalization: signature verification sorts query parameters before validation, but replay detection hashes the raw URL with original parameter ordering. Attackers possessing a single valid signed webhook can bypass replay cache indefinitely by permuting query string order, causing repeated execution of voice-call workflows without requiring authentication or cryptographic breaks. No public exploit identified at time of analysis, though attack complexity is low (CVSS AC:L) with network vector (AV:N) requiring no privileges (PR:N).
Authentication bypass in OpenClaw allows remote unauthenticated attackers to execute privileged runtime operations intended for authorized operators. The vulnerability exists in plugin-auth HTTP routes that incorrectly grant operator-level write scopes without authentication checks. Attackers can remotely exploit this flaw with low complexity (CVSS:4.0 AV:N/AC:L/PR:N) to modify runtime configurations and perform administrative actions. Vendor-released patch available as of commit 2a1db0c (March 31, 2026). No active exploitation confirmed in CISA KEV, though EPSS data unavailable for risk calibration.
OpenClaw before version 2026.3.31 accepts arbitrary tailnet peers as DNS authorities due to improper validation in its wide-area discovery mechanism, enabling attackers positioned within the same tailnet with CA-trusted endpoint access to manipulate DNS resolution and exfiltrate operator credentials. The vulnerability requires adjacent network access, high attack complexity, and user interaction, but results in high confidentiality impact through credential theft. No active exploitation has been publicly confirmed at the time of analysis.
OpenClaw before version 2026.3.31 allows local authenticated users with user interaction to bypass exec allowlist restrictions via shell initialization file options (--rcfile, --init-file, --startup-file), enabling them to load attacker-controlled initialization files and achieve high-impact unauthorized access to confined resources. Exploitation requires local access, low privileges, user interaction, and specific timing conditions, but bypasses a critical security control intended to restrict executable trust.
Privilege escalation in OpenClaw before 2026.3.28 allows local authenticated attackers to bypass execution allowlist controls via wrapper binary persistence. When users grant trust to wrapped commands (e.g., via /usr/bin/script), OpenClaw fails to distinguish the wrapper from the underlying executable, allowing attackers to reuse the wrapper's persistent trust to execute arbitrary unauthorized programs. No active exploitation confirmed (CISA KEV: not listed), but VulnCheck has published technical advisory details. EPSS data not available.
OpenClaw before version 2026.3.31 allows remote attackers to bypass configuration revocation controls by restarting the application, which rehydrates revoked Tlon configuration settings from disk state due to improper handling of empty-array settings during startup migration. An attacker with network access and the ability to trigger application restarts can restore previously revoked authentication or authorization configurations without explicit re-enablement, potentially compromising intended security controls.
OpenClaw package manager allows supply chain attacks through incomplete environment variable sanitization before version 2026.3.22. Attackers can hijack approved package installation or execution requests by injecting environment variables that redirect package resolution to malicious infrastructure, enabling trojanized code execution with high impact to confidentiality, integrity, and availability. This requires local access and user interaction to trigger package manager operations, limiting remote exploitation but creating significant insider threat and social engineering risk vectors.
Privilege escalation in OpenClaw allows remote unauthenticated attackers to elevate privileges beyond intended device roles during first-use pairing. The vulnerability stems from bootstrap setup codes lacking proper binding to device roles and scopes, enabling attackers to exploit the pairing process with low complexity and no user interaction. VulnCheck reported this issue, and a vendor patch is available as of 2026.3.22. While no active exploitation has been confirmed (not in CISA KEV), the network attack vector (AV:N) and absence of authentication requirements (PR:N) create significant exposure for organizations deploying new OpenClaw instances.
Plaintext private key storage in OpenClaw versions before 2026.3.31 exposes Nostr protocol signing keys through configuration retrieval methods. Authenticated attackers with network access can exploit redaction bypass in config.get methods to extract unencrypted private keys, enabling full impersonation of the compromised Nostr identity for signing and authentication operations. Vendor patch available via GitHub commit 57700d716f660591fb6e09727f3ca8041fa48b9d. EPSS and KEV data not available, but the authentication bypass tag and network attack vector indicate elevated risk for multi-tenant or shared OpenClaw deployments.
Environment variable injection in OpenClaw's CLI backend runner enables local attackers to achieve arbitrary code execution or exfiltrate sensitive data by manipulating workspace configuration files. Attackers with the ability to supply malicious workspace configs can inject environment variables into backend processes during spawning, exploiting CWE-15 (external control of system or configuration setting). Vendor patch available via GitHub commit c2fb7f1. CVSS 8.5 reflects high impact across confidentiality, integrity, and availability, though exploitation requires local access and user interaction to load the malicious workspace config. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept at time of analysis.
OpenClaw before version 2026.4.2 allows authenticated attackers to delete arbitrary remote directories during mirror mode synchronization operations by manipulating remoteWorkspaceDir and remoteAgentWorkspaceDir configuration values. An attacker with login credentials can craft malicious OpenShell config paths that cause the mirror sync function to delete unintended remote directory contents before replacing them with uploaded workspace data, resulting in data loss and potential service disruption.