Antaisecuritylab

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.31 **Description** An issue in image processing fails to properly enforce pixel-limit guards on sips, leading to a decompression bomb. This allows attackers to cause a denial of service through excessive memory consumption by uploading oversized images. **Recommendations** Update to version 2026.3.31.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.4.2 **Description** OpenClaw fails to filter Slack thread context by sender allowlist, which allows messages from non-allowlisted senders to enter the agent context. This enables attackers to inject unauthorized thread messages via replies from allowlisted users, bypassing sender access controls to manipulate the model context. **Recommendations** Update to version 2026.4.2.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.31 **Description** SSH-based sandbox backends pass unsanitized `process.env` to child processes, leading to environment variable leakage. Attackers can leverage non-default SSH environment forwarding configurations to leak sensitive environment variables from parent processes to SSH child processes. **Recommendations** Update to version 2026.3.31 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.31 **Description** A credential exposure issue exists in the media download functionality. The software forwards Authorization headers across cross-origin redirects, allowing attackers to intercept sensitive authorization credentials by crafting malicious cross-origin redirect chains. **Recommendations** Update to version 2026.3.31.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.31 **Description** A time-of-check-time-of-use (TOCTOU) issue exists in sandbox file operations, which is a race condition where a system checks a condition and then acts on it, but the condition changes between the check and the action. This allows attackers to bypass fd-based defenses by exploiting check-then-act patterns in the `apply patch()`, `remove()`, and `mkdir()` functions to manipulate files between validation and execution. **Recommendations** Update to version 2026.3.31. As a temporary workaround, restrict access to the `apply patch()`, `remove()`, and `mkdir()` functions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.31 **Description** A resource exhaustion issue exists in media downloads that bypasses core safety limits regarding file size, count, and cleanup operations. This allows attackers to exhaust disk space by downloading media files without triggering safety restrictions, resulting in an availability impact. **Recommendations** Update to version 2026.3.31.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.31 **Description** A server-side request forgery (SSRF) issue exists in the marketplace plugin download functionality. The `marketplace.ts` module fails to restrict redirect destinations during archive downloads, allowing remote attackers to access internal resources or redirect requests to arbitrary internal or external servers by following unvalidated redirects. **Recommendations** Update to version 2026.3.31 or later. As a temporary workaround, restrict access to the `marketplace.ts` module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.28 **Description** An authorization bypass exists in the "/phone arm" and "/phone disarm" endpoints. The system fails to properly enforce `operator.admin` scope checks for external channels, allowing attackers to arm or disarm phone channels without the required administrative privileges. **Recommendations** Update to version 2026.3.28 or later. Restrict access to the "/phone arm" and "/phone disarm" endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.31 **Description** OpenClaw performs Discord audio preflight transcription before validating member authorization. This allows unauthenticated remote attackers to trigger audio preflight processing without member allowlist validation, leading to resource exhaustion. **Recommendations** Update to version 2026.3.31.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.31 **Description** A time-of-check-time-of-use (TOCTOU) race condition exists in the remote filesystem bridge `readFile()` function. This occurs because path validation and file read operations are performed separately, allowing attackers to bypass sandbox restrictions and read arbitrary files, resulting in a sandbox escape. **Recommendations** Update to version 2026.3.31 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.31 **Description** When operating in trusted-proxy mode, the software lacks browser-origin validation in HTTP operator endpoints. This allows cross-site request forgery (CSRF) attacks, where attackers send malicious requests from a browser in trusted-proxy deployments to perform unauthorized actions on HTTP operator endpoints. **Recommendations** Update to version 2026.3.31.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.31 **Description** An issue exists in the webhook signature handling that treats Base64 and Base64URL encoded signatures as distinct requests. This allows attackers to re-encode Telnyx webhook signatures to bypass replay detection, which is a mechanism designed to prevent the same request from being processed multiple times, while still maintaining valid signature verification. **Recommendations** Update to version 2026.3.31.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.31 **Description** A remote code execution issue exists where a device-paired node can bypass the node scope gate authentication mechanism. Attackers possessing device pairing credentials can execute arbitrary node commands on the host system because proper node pairing validation is not performed. **Recommendations** Update to version 2026.3.31.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.31 **Description** An issue in Telegram audio preflight transcription allows unauthorized group senders to trigger transcription processing. This occurs due to insufficient allowlist enforcement, enabling attackers to initiate audio preflight operations before authorization checks are applied, which leads to resource or billing consumption. **Recommendations** Update to version 2026.3.31 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.31 **Description** A privilege escalation issue allows paired nodes with `role=node` to dispatch `node.event` agent requests, granting unrestricted tool access on the gateway side. Attackers possessing trusted paired node credentials can leverage the unrestricted `agent.request` dispatch to achieve remote code execution on the gateway. **Recommendations** Update to version 2026.3.31.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.31 **Description** A sandbox escape allows attackers to traverse directory boundaries through symlink exploitation during file synchronization operations. Remote attackers can bypass sandbox restrictions by crafting malicious symlinks in mirror sync operations to access arbitrary files outside intended boundaries. **Recommendations** Update to version 2026.3.31.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.31 **Description** OpenClaw parses MS Teams webhook request bodies before performing JSON Web Token (JWT) validation—a process used to verify the identity of the sender. This allows unauthenticated remote attackers to send malicious Teams webhook payloads to trigger resource exhaustion, which occurs when a system's available resources are consumed, potentially leading to a denial of service. **Recommendations** Update to version 2026.3.31.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.31 **Description** An environment variable override issue exists in the host exec policy that fails to properly enforce proxy, TLS, Docker, and Git TLS controls. This allows attackers to bypass security controls by overriding environment variables to circumvent proxy settings, TLS verification, Docker restrictions, and Git TLS enforcement. **Recommendations** Update to version 2026.3.31 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.31 **Description** An issue allows attackers to escape sandbox restrictions and achieve unauthorized privilege escalation. This is possible through heartbeat context inheritance and the manipulation of the `senderIsOwner` parameter, where improper context validation enables the bypass. **Recommendations** Update to version 2026.3.31.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.31 **Description** An allowlist bypass exists in Matrix thread root and reply context handling due to improper validation of message senders. This allows attackers to fetch thread-root and reply context messages that should be filtered by sender allowlists, effectively bypassing access controls. **Recommendations** Update to version 2026.3.31.