Nathan

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.4.15 **Description** An authorization bypass exists in Matrix room control-command authorization due to improper trust in DM pairing-store entries. Attackers possessing DM-paired sender IDs can execute room control commands by posting in bot rooms, bypassing configured allowlists and potentially triggering privileged behavior. **Recommendations** Update to version 2026.4.15.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions 2026.2.19 through 2026.3.30 **Description** An improper cache isolation issue exists in the Zalo webhook replay-dedupe mechanism, which is shared across authenticated webhook targets. In multi-account deployments, an attacker controlling one authenticated Zalo webhook path can suppress legitimate events on other accounts by matching the `event name` and `message id` parameters. **Recommendations** Update to version 2026.3.31.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions 2026.2.14 through 2026.3.24 **Description** OpenClaw fails to consistently apply guild and channel policy gates to Discord button and component interactions. This allows attackers to bypass channel policy enforcement and trigger privileged component actions from blocked contexts. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions 2026.4.5 through 2026.4.19 **Description** An environment variable injection allows the workspace dotenv to override the `MINIMAX API HOST` variable. This enables attackers to redirect credentialed MiniMax API requests to origins under their control, which exposes the MiniMax API key contained in the Authorization headers. **Recommendations** Update to version 2026.4.20.

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.22 Description OpenClaw contains a privilege escalation issue in the Control UI. Unauthenticated sessions can retain self-declared privileged scopes without device identity verification. Attackers can exploit the trusted-proxy mechanism's device-less allow path to maintain elevated permissions by declaring arbitrary scopes, bypassing device identity requirements. Recommendations Update to version 2026.3.22 or later.

Name of the Vulnerable Software and Affected Versions OpenClaw versions 2026.3.11 through 2026.3.24 Description OpenClaw versions 2026.3.11 through 2026.3.24 contain a session isolation bypass. The `session status` function resolves `sessionId` to canonical session keys before enforcing visibility checks. This allows sandboxed child sessions to access parent or sibling sessions that should be blocked by explicit sessionKey restrictions. Recommendations Update to a version later than 2026.3.24.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.4.2 **Description** An improper access control issue exists in the iOS A2UI bridge, which incorrectly treats generic local-network pages as trusted origins. This allows attackers to inject unauthorized `agent.request` runs by loading attacker-controlled pages from tailnet hosts or the local network, leading to session state pollution and budget consumption. **Recommendations** Update to version 2026.4.2.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.31 **Description** An authorization bypass exists in Discord slash command and autocomplete paths that fail to enforce group DM channel allowlist restrictions. This allows authorized Discord users to bypass channel restrictions by invoking slash commands, granting access to restricted group DM channels. **Recommendations** Update to version 2026.3.31.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.31 **Description** Workspace .env files can override the `OPENCLAW BUNDLED PLUGINS DIR` environment variable, which compromises the verification of plugin trust. This allows attackers who have control over the workspace configuration to inject malicious plugins by overriding the bundled plugin trust root directory. **Recommendations** Update to version 2026.3.31.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.31 **Description** A wide-area discovery issue allows arbitrary tailnet peers to be accepted as DNS authorities. Attackers with same-tailnet position and CA-trusted endpoint access can exfiltrate operator credentials by manipulating DNS steering. **Recommendations** Update to version 2026.3.31.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.31 **Description** A logic error exists in the Discord component interaction routing within the file extensions/discord/src/monitor/agent-components-helpers.ts. This issue causes group direct messages to be misclassified as direct messages, which allows attackers to bypass group DM policy enforcement or trigger incorrect session handling. **Recommendations** Update to version 2026.3.31.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.31 **Description** The public LINE webhook path lacks a shared pre-authentication concurrency budget. This allows remote attackers to flood the webhook endpoint with concurrent requests before signature verification occurs, leading to resource exhaustion and transient loss of service availability. **Recommendations** Update to version 2026.3.31.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.31 **Description** Workspace .env files can override the `OPENCLAW BUNDLED HOOKS DIR` environment variable, which allows the loading of attacker-controlled hook code. This enables attackers to replace trusted default-on bundled hooks from untrusted workspaces to execute arbitrary code. **Recommendations** Update to version 2026.3.31.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.31 **Description** Insufficient sanitization of the `PIP INDEX URL` and `UV INDEX URL` environment variables in host execution contexts allows attackers to redirect Python package-index traffic. This can lead to the interception or manipulation of package management operations by injecting malicious index URLs. **Recommendations** Update to version 2026.3.31 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.28 **Description** An execution approval issue exists in `exec-approvals-allowlist.ts` where allow-always persistence trusts wrapper carrier executables instead of the actual invoked targets. This allows attackers to use positional carrier executable routing through dispatch wrappers to create broader allowlist entries than intended, which weakens execution approval boundaries. **Recommendations** Update to version 2026.3.28.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.28 **Description** An authentication bypass exists in the remote onboarding component. The system persists unauthenticated discovery endpoints without requiring explicit trust confirmation. This allows attackers to spoof discovery endpoints to redirect onboarding processes toward malicious gateways, potentially capturing gateway credentials or traffic. **Recommendations** Update to version 2026.3.28.

Name of the Vulnerable Software and Affected Versions OpenClaw versions 2026.2.13 through 2026.3.24 Description OpenClaw contains an ANSI escape sequence injection vulnerability in approval prompts. Attackers can spoof terminal output through malicious tool titles, as untrusted tool metadata can carry ANSI control sequences into approval prompts and permission logs. This allows manipulation of displayed information. Recommendations Update to version 2026.3.25 or later.

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.22 Description The software contains a service discovery issue where TXT metadata from Bonjour and DNS-SD could influence command-line interface (CLI) routing even when service resolution failed. Attackers can exploit unresolved hints to redirect routing decisions to unintended targets by providing malicious discovery metadata. Recommendations Update to version 2026.3.22 or later.

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.22 Description OpenClaw contains a webhook reply delivery issue that allows attackers to redirect chat replies to unintended users. This is possible because the system uses mutable username matching instead of stable numeric user identifiers. By manipulating username changes, attackers can redirect webhook-triggered replies, bypassing the intended recipient binding recorded in webhook events. Recommendations Update to version 2026.3.22 or later.

**Name of the Vulnerable Software and Affected Versions** Car Demon plugin for WordPress versions up to, and including, 1.8.1 **Description** The Car Demon plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `search condition` parameter due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. **Recommendations** For Car Demon plugin for WordPress versions up to, and including, 1.8.1, update to a version later than 1.8.1 to resolve the issue. As a temporary workaround, consider restricting access to the `search condition` parameter to minimize the risk of exploitation.