Cantinagen

OpenClaw before 2026.5.26 contains an authorization bypass vulnerability where a surviving pairing-scoped device session can re-establish node token authority after revocation. Attackers with a paired device can regain WebSocket node-level access without renewed approval, weakening revocation controls and maintaining unauthorized access longer than intended.

OpenClaw before 2026.4.2 contains an inline-eval bypass vulnerability allowing authenticated operators to weaken strict allowlist checks via shell positional parameters. Attackers can combine allowlisted tools with shell positional arguments to place inline-eval content in shell carriers outside intended allowlist rules, enabling execution of unapproved shell-provided content.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.5.12 **Description** An exec denylist bypass exists in the bundle MCP loopback session-spawn path. This allows authenticated callers to bypass intended command restrictions and start sessions with broader command reach than intended. **Recommendations** Update to version 2026.5.12.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.5.18 **Description** An approval display truncation issue allows authenticated users to hide command suffixes from approvers. This enables attackers to submit oversized exec commands that feature benign prefixes and malicious suffixes, leading to the execution of unauthorized operations once the command is approved. **Recommendations** Update to version 2026.5.18.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.5.18 **Description** A policy enforcement issue exists in the `system.run` safe-bin allowlist validation on POSIX nodes. This flaw allows shell expansion to modify how commands are interpreted. Authenticated operators can use shell metacharacters within approved commands to read unintended node-local files and expose sensitive configuration data. **Recommendations** Update to version 2026.5.18.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.5.18 **Description** An identity header validation issue allows local same-host callers to forge trusted-proxy identity headers. Attackers with access to the proxy-facing Gateway port can supply these forged headers to assume operator identity, which may lead to privilege escalation. **Recommendations** Update to version 2026.5.18.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.5.18 **Description** An issue in browser control allows authenticated users to perform server-side request forgery (SSRF), which is a flaw that enables an attacker to induce the server-side application to make requests to an unintended location. This allows the bypass of private-network navigation checks through Playwright act interactions. Attackers can trigger navigation to private-network targets via action-triggered redirects and subsequently read restricted page content using browser evaluation capabilities. **Recommendations** Update to version 2026.5.18.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.5.20 **Description** A privilege escalation issue exists where hook-triggered agent runs incorrectly receive owner-scoped MCP loopback authority instead of the appropriate hook scope. This allows attackers possessing a valid hook token to exploit the '/hooks/agent' endpoint, causing spawned CLI runtimes to access or invoke owner-only MCP tools. This can lead to the execution of privileged actions, such as persistent cron state modifications. **Recommendations** Update to version 2026.5.20 or later. Restrict access to the '/hooks/agent' endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.5.18 **Description** Insufficient provenance validation in node event handling allows paired nodes to forge exec lifecycle events without `system.run` authorization. A malicious or compromised paired node can send crafted `node.event` messages to the gateway, steering target sessions into exec-event paths that expose capabilities the reduced node surface should not provide. **Recommendations** Update to version 2026.5.18.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.5.22 **Description** An issue in the Control UI pairing process involves insufficient locality-derived trust validation. This allows attackers with network access to spoof locality information to convert temporary shared access into persistent administrative credentials. These durable admin-capable device tokens remain valid even after token rotation. **Recommendations** Update to version 2026.5.22.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.5.18 **Description** An issue exists where marketplace runtime extension metadata can redirect loading toward unscanned package payloads. Attackers with trusted operator access can manipulate extension metadata to load plugin code outside reviewed package entry points, which allows them to bypass security scanning and achieve arbitrary code execution. **Recommendations** Update to version 2026.5.18.