P80N-Sec

**Name of the Vulnerable Software and Affected Versions** @nocobase/database versions prior to 2.0.39 **Description** An issue exists in the `queryParentSQL()` function within the core database package where a recursive CTE query is constructed by joining `nodeIds` using string concatenation instead of parameterized queries. An attacker with record-creation permissions on a tree collection using string-type primary keys can inject arbitrary SQL. This occurs when a subsequent request triggers recursive eager loading on that collection. The flaw allows for error-based extraction of sensitive database information, such as user emails and password hashes. In certain environments, such as PostgreSQL with superuser privileges, this could potentially lead to OS command execution via the `COPY ... TO PROGRAM` command. **Recommendations** Update @nocobase/database to version 2.0.39 or later. As a temporary workaround, restrict the use of string-type primary keys in tree collections or validate primary key values at record creation to reject strings containing SQL metacharacters.

**Name of the Vulnerable Software and Affected Versions** @nocobase/plugin-collection-sql versions prior to 2.0.39 **Description** An issue exists where the `checkSQL()` validation function, designed to block dangerous SQL keywords such as `pg read file`, `LOAD FILE`, and `dblink`, is not applied to the 'sqlCollection:update' endpoint. While this validation is active for 'collections:create' and 'sqlCollection:execute', its absence in the update process allows an attacker with collection management permissions to bypass security checks. By creating a collection with benign SQL and subsequently updating it with arbitrary SQL, an attacker can execute unauthorized queries to exfiltrate sensitive data, read arbitrary files from the database server filesystem, or perform lateral movement to other databases. **Recommendations** Update @nocobase/plugin-collection-sql to version 2.0.39 or later. As a temporary workaround, restrict access to the 'sqlCollection:update' endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Koa versions prior to 3.1.2 Koa versions prior to 2.16.4 **Description** Koa middleware for Node.js, using ES2017 async functions, has an issue where the `ctx.hostname` API improperly parses the HTTP Host header. The parsing does not validate input against RFC 3986 hostname syntax, specifically failing to properly handle colons. A malformed Host header containing an `@` symbol can result in `ctx.hostname` returning an attacker-controlled value, such as `evil[.]com`. Applications utilizing `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are susceptible to Host header injection attacks. The `ctx.hostname` API endpoint is vulnerable. The `Host` header is a vulnerable parameter. **Recommendations** Update to Koa version 3.1.2 or later. Update to Koa version 2.16.4 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.14 **Description** Authenticated attackers can read arbitrary files from the Gateway host by supplying absolute paths or path traversal sequences to the browser tool's `upload` action. The server passes these paths to Playwright's `setInputFiles()` APIs without restricting them to a safe root. An attacker must reach the Gateway HTTP surface, present valid Gateway authentication (bearer token or password), and have the `browser` tool permitted by tool policy. If the Gateway is exposed beyond loopback, the impact increases. The `upload` action is accessed via the `POST /tools/invoke` API endpoint with the `{"tool":"browser","action":"upload",...}` payload, or through the `POST /hooks/file-chooser` browser control hook. The vulnerability allows reading files from the local filesystem and potentially exfiltrating their contents using page JavaScript or agent/browser snapshots. The vulnerable parameter is the file path provided to the `upload` action. **Recommendations** Update OpenClaw to version 2026.2.14 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.14 **Description** The OpenClaw software, when using the `@openclaw/voice-call` plugin, is susceptible to an authentication bypass. Specifically, the Telnyx webhook handler could accept unsigned inbound webhook requests if the `telnyx.publicKey` configuration was not set. This allows unauthenticated callers to potentially forge Telnyx events. The issue occurs because the `TelnyxProvider.verifyWebhook()` function could fail open when no Telnyx public key was configured, treating arbitrary HTTP POST requests as legitimate Telnyx events. The vulnerability is present only when the Voice Call plugin is installed, enabled, and the webhook endpoint is reachable from an attacker. A signature verification bypass exists only for local development via `skipSignatureVerification: true`, which is off by default and emits a warning. **Recommendations** Configure `plugins.entries.voice-call.config.telnyx.publicKey` (or `TELNYX PUBLIC KEY`) to enable signature verification.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.14 **Description** The Gateway tool in OpenClaw accepted a tool-supplied `gatewayUrl` without sufficient restrictions, potentially causing the OpenClaw host to attempt outbound WebSocket connections to user-specified targets. This requires the ability to invoke tools that accept `gatewayUrl` overrides. The issue stemmed from tool call paths allowing `gatewayUrl` overrides to flow into the Gateway WebSocket client without validation, enabling connections to non-gateway endpoints like localhost services, private network addresses, or cloud metadata IPs. In most cases, this results in outbound connection attempts and errors. However, if the target speaks WebSocket and is reachable, further interaction may be possible. **Recommendations** Versions prior to 2026.2.14 should be updated to version 2026.2.14 or later.