Edward-X

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.5.12 **Description** An information disclosure issue exists in streamable-http MCP servers that forwards operator-configured custom headers during cross-origin redirects. Attackers controlling or compromising an MCP endpoint can redirect requests to exfiltrate sensitive headers, such as API keys or tenant-routing credentials, to attacker-controlled origins. This occurs in deployments where an MCP server is configured with `transportType: "streamable-http"` and sensitive custom headers under `mcp.servers.*.headers`. The issue is limited to configured MCP Streamable HTTP servers using custom headers and does not expose unrelated credentials. **Recommendations** Update to version 2026.5.12. As a temporary mitigation, avoid using custom MCP headers with servers that are not fully trusted. Rotate any MCP-specific credentials that may have been exposed by a redirecting endpoint.

OpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in shell inline-command parsing that allows authenticated operators to execute unapproved commands. A command request using shell inline-command forms could route through a parser case missing the expected allowlist decision, enabling shell content execution without intended approval prompts.

OpenClaw before 2026.5.12 contains a bootstrap token replay vulnerability allowing callers with pending token access to reuse tokens with broader requested scopes. Attackers can replay bootstrap tokens before approval to escalate pairing authority beyond intended scope limits.

OpenClaw before 2026.5.7 contains a sender policy bypass vulnerability in BlueBubbles that allows participants to match allowlist entries through conversation metadata rather than stable sender identity. Attackers can influence conversation-level identifiers to receive agent responses intended for configured senders, potentially bypassing access controls.

OpenClaw before 2026.5.12 contains a notification bypass vulnerability allowing Slack reaction events to enter the agent pipeline despite disabled reaction notifications. Attackers can trigger unintended agent processing by sending reaction events when the feature is enabled, potentially leading to unauthorized processing of lower-trust input.

OpenClaw before 2026.5.12 contains a cross-site scripting vulnerability in exported session HTML that preserves unsafe javascript: and data: links in generated content. Attackers can execute browser-side scripts if a trusted operator opens the exported file and activates a malicious link.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.5.27 **Description** A state mutation issue exists in the node pairing reconnection process. This allows paired nodes to confuse approval scope decisions, enabling attackers to exploit reconnection logic to restore or present broader node authority than intended, which can lead to the bypass of approval restrictions. **Recommendations** Update to version 2026.5.27.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.5.12 **Description** An allowlist bypass exists in the handling of PowerShell encoded commands. Remote authenticated operators can evade security controls by using abbreviated flag aliases that are not recognized by the allowlist parser, enabling the execution of arbitrary PowerShell content. **Recommendations** Update to version 2026.5.12.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.5.12 **Description** A shell option parsing issue allows combined POSIX shell flags to bypass exec revalidation checks. This enables attackers to execute inline shell content without the intended allowlist validation, potentially leading to unauthorized command execution when the affected feature is enabled. **Recommendations** Update to version 2026.5.12. As a temporary mitigation, disable the affected feature.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.28 **Description** An agentic consent bypass allows LLM agents to silently disable execution approval. Remote attackers can exploit this by using the `config.patch` parameter to bypass security controls and execute unauthorized operations without user consent. **Recommendations** Update to version 2026.3.28 or later. Avoid using the `config.patch` parameter until the update is applied.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.24 **Description** An environment variable injection issue exists in the CLI backend runner. Attackers can use malicious workspace configurations to inject arbitrary environment variables into the backend process spawning, which may lead to code execution or the exposure of sensitive data. **Recommendations** Update to version 2026.3.24.

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.3.24 Description: OpenClaw versions before 2026.3.24 contain an incomplete fix for CVE-2026-27486. The `!stop` chat command uses an unpatched `killProcessTree` function from `shell-utils.ts` that sends `SIGKILL` immediately without a graceful `SIGTERM` shutdown. This can lead to data corruption, resource leaks, and skipped security-sensitive cleanup operations. The vulnerable function is located in `src/agents/shell-utils.ts` (lines 170–192) and is called by the `!stop` command handler in `src/auto-reply/reply/bash-command.ts` (lines 300-304). The issue arises because the `!stop` command imports the unpatched function instead of the corrected version in `src/process/kill-tree.ts`. A proof-of-concept demonstrates that the vulnerable function bypasses the graceful shutdown sequence, sending `SIGKILL` directly. This can affect processes writing to files, databases, or performing security-sensitive operations. Recommendations: Update to OpenClaw version 2026.3.24 or later.

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.24 Description OpenClaw versions before 2026.3.24 contain a path traversal vulnerability in its sandbox enforcement mechanism. This allows sandboxed agents to read arbitrary files from other agents' workspaces by exploiting unnormalized `mediaUrl` or `fileUrl` parameter keys. The vulnerability arises from incomplete parameter validation in the `normalizeSandboxMediaParams` function and the omission of `mediaLocalRoots` from the dispatch context in `handlePluginAction`. An attacker can leverage this to access sensitive files, including API keys and configuration data, outside of the designated sandbox roots. The vulnerability allows a sandboxed agent to read files from other agents' workspaces by using the `mediaUrl` or `fileUrl` parameter key in message tool calls. The `normalizeSandboxMediaParams` function only checks `media`, `path`, and `filePath` keys, while `mediaUrl` and `fileUrl` bypass validation. Combined with `handlePluginAction` dropping `mediaLocalRoots` from the dispatch context, this enables a full sandbox escape where any agent can read files outside its designated sandbox root. Recommendations Update to OpenClaw version 2026.3.24 or later.

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.22 Description OpenClaw is susceptible to an unbounded memory allocation issue in its remote media HTTP error handling. Attackers can exploit this by sending specially crafted HTTP error responses with large content to remote media endpoints. This causes the application to allocate an excessive amount of memory before error handling can take place, potentially leading to application failure. Recommendations Update to version 2026.3.22 or later.

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.22 Description A flaw exists in OpenClaw that allows attackers to bypass restrictions on executable bindings. This is achieved by misusing time wrappers within the system.run approvals functionality. Specifically, the vulnerability lies in the failure to properly unwrap `/usr/bin/time` wrappers, enabling an allowlist bypass. Attackers can reuse approval state for inner commands by utilizing an unregistered time wrapper. Recommendations Update to version 2026.3.22 or later.

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.2 Description The `image` tool did not fully enforce the `tools.fs.workspaceOnly` filesystem boundary. This allowed traversal of sandbox bridge mounts outside the workspace, enabling reading of files that other filesystem tools would reject. Recommendations Update to version 2026.3.2 or later.

Name of the Vulnerable Software and Affected Versions OpenClaw versions through 2026.2.22 Description OpenClaw through version 2026.2.22 has a symlink traversal issue in the `agents.create` and `agents.update` handlers. These handlers use `fs.appendFile` on `IDENTITY.md` without proper symlink containment checks. An attacker with workspace access can create symlinks to append content to arbitrary files. This can lead to remote code execution through crontab injection or unauthorized access via SSH key manipulation. Recommendations Update OpenClaw to a version later than 2026.2.22.