Baozongwixd

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.2 **Description** OpenClaw contains a denial of service issue in webhook handlers for BlueBubbles and Google Chat. These handlers parse request bodies before authentication and signature validation. Unauthenticated attackers can exploit this by sending slow or oversized request bodies to exhaust parser resources and degrade service availability. The affected packages are `openclaw` (npm) with vulnerable releases less than or equal to 2026.3.1. **Recommendations** Upgrade to version 2026.3.2 or newer. The fix enforces authentication before body processing for affected webhook paths, adds strict pre-authentication body and time limits, and introduces shared in-flight request guardrails with regression coverage.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.2 **Description** OpenClaw is susceptible to an issue related to archive extraction within the tar.bz2 installer path. This bypasses established safety checks applied to other archive formats. An attacker can create specially crafted malicious tar.bz2 skill archives to circumvent blocking of special entries and size limitations, potentially leading to a local denial of service during skill installation. **Recommendations** Update OpenClaw to version 2026.3.2 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.24 **Description** OpenClaw versions before 2026.2.24 contain a local media root bypass in the `sendAttachment` and `setGroupIcon` message actions when `sandboxRoot` is not configured. This allows attackers to read arbitrary host files accessible by the runtime user by hydrating media from local absolute paths. The vulnerability occurs because of bypassed local media root checks when `sandboxRoot` is unset. **Recommendations** Upgrade to OpenClaw version 2026.2.24 or later.