Peng Zhou

**Name of the Vulnerable Software and Affected Versions** Django versions prior to 6.0.6 Django versions prior to 5.2.15 **Description** An issue exists in the `get signed cookie()` function within `django.http.HttpRequest`. The function employs a non-injective salt derivation by concatenating the cookie name and the salt argument. This allows a remote attacker to use a cookie in a context different from its original signing context by utilizing distinct `name` and `salt` pairs that result in the same concatenated string. **Recommendations** Update to version 6.0.6 or later. Update to version 5.2.15 or later.

**Name of the Vulnerable Software and Affected Versions** Logtivity Activity Logs, User Activity Tracking, Multisite Activity Log versions prior to 3.3.7 **Description** An issue involving the insertion of sensitive information into sent data allows for the retrieval of embedded sensitive data. **Recommendations** Update to a version newer than 3.3.6.

**Name of the Vulnerable Software and Affected Versions** miniorange otp verification versions prior to 5.4.10 **Description** An incorrect privilege assignment issue allows for privilege escalation within the software. **Recommendations** Update to a version later than 5.4.9.

**Name of the Vulnerable Software and Affected Versions** Advanced IP Blocker versions prior to 8.10.8 **Description** Improper neutralization of input during web page generation allows DOM-Based Cross-site Scripting (XSS), a flaw where the application contains client-side JavaScript that processes data from an untrusted source in an unsafe way, typically by writing the data to a Document Object Model (DOM) element. **Recommendations** Update to a version later than 8.10.7.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.4.10 **Description** Insufficient access control in the Nostr plugin HTTP profile routes allows operators with write permissions to persist profile configuration without requiring admin authority. Attackers with `operator.write` scope can modify Nostr profile settings through unprotected mutation endpoints to gain unauthorized configuration persistence. **Recommendations** Update to version 2026.4.10.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.28 **Description** Improper authorization checks in the 'chat.send' path allow write-scoped gateway callers to perform admin-only session reset operations. This enables attackers to rotate target sessions, archive previous transcript states, and force the generation of new session IDs without possessing the required admin scope. **Recommendations** Update to version 2026.3.28 or later. As a temporary workaround, restrict access to the 'chat.send' function to minimize the risk of unauthorized session resets.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.4.9 **Description** An authentication bypass allows untrusted workspace plugins to be automatically enabled during non-interactive onboarding when provider authentication choices are shadowed. This occurs because the system could select a provider authentication choice shadowed by an untrusted workspace plugin, enabling the plugin during authentication setup without explicit user consent. **Recommendations** Update to version 2026.4.9 or newer.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.4.10 **Description** An authorization bypass exists where gateway 'operator.write' message-tool paths can access Matrix profile persistence, which should require admin-level authority. This occurs due to insufficient access controls, allowing attackers to mutate persistent profile configuration through non-owner message-tool runs. **Recommendations** Update to version 2026.4.10 or newer.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions 2026.4.5 through 2026.4.9 **Description** An issue allows write-scoped operators to modify persistent memory dreaming settings. Attackers with write-scoped gateway access can toggle admin-class configuration mutations through the '/dreaming' endpoint to escalate privileges. **Recommendations** Update to version 2026.4.10 or newer.

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.25 Description OpenClaw contains an improper access control issue in the `/sessions/:sessionKey/kill` route. Any bearer-authenticated user can invoke admin-level session termination functions without proper scope validation. An attacker can exploit this by sending authenticated requests to terminate arbitrary subagent sessions via the `killSubagentRunAdmin` function, bypassing ownership and operator scope restrictions. Recommendations Update to version 2026.3.25 or later.

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.25 Description OpenClaw contains a privilege escalation issue where silent local shared-auth reconnects automatically approve scope-upgrade requests, increasing paired device permissions from operator.read to operator.admin. An attacker can trigger a local reconnection to escalate privileges and potentially achieve remote code execution on the node. Recommendations Update to version 2026.3.25 or later.

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.25 Description OpenClaw contains an authorization bypass issue where group reaction events circumvent the `requireMention` access control. This allows attackers to trigger reactions in groups that require a mention, leading to the enqueueing of system events that should be restricted to agent visibility. Recommendations Update to version 2026.3.25 or later.

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.22 Description OpenClaw before version 2026.3.22 contains an information disclosure issue. Attackers with operator.read scope can expose credentials embedded in the channel baseUrl and httpUrl fields. Sensitive authentication information can be retrieved from URL userinfo components via the `config.get` and `channels.status` API endpoints. Recommendations Update to version 2026.3.22 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.28 **Description** Authenticated operators with write permissions can escalate privileges to access admin-class Talk Voice configuration persistence. This is possible by exploiting the 'chat.send' endpoint to reach and modify sensitive voice configuration settings intended exclusively for administrators. **Recommendations** Update to version 2026.3.28 or later. Restrict access to the 'chat.send' endpoint for users with operator.write privileges to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.28 **Description** Insufficient access controls allow authenticated operators with write permissions to perform privilege escalation. By utilizing the 'send' endpoint, attackers with `operator.write` credentials can access administrative Telegram configuration and cron persistence settings, enabling the modification of persistence mechanisms. **Recommendations** Update to version 2026.3.28 or later. Restrict access to the 'send' endpoint for users with operator permissions until the update is applied.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.4.2 **Description** An improper trust boundary issue exists where untrusted workspace channel shadows can execute during built-in channel setup and login. A malicious workspace plugin claiming a bundled channel id can achieve unintended in-process code execution before the plugin is explicitly trusted, bypassing the intended security boundary during the setup and login process. **Recommendations** Update to version 2026.4.2 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.12 **Description** The software applies rate limiting only after successful webhook authentication. This allows attackers to bypass rate limits and attempt to brute-force webhook secrets without triggering 429 responses. An attacker can repeatedly guess invalid secrets to discover valid credentials and subsequently submit forged Zalo webhook traffic. The vulnerable component involves the authentication process for webhooks. The `webhook` authentication is affected. **Recommendations** Update to version 2026.3.12 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.8 **Description** The software contains a sender allowlist bypass in its Microsoft Teams plugin. This allows unauthorized senders to bypass intended authorization checks. Specifically, when a team/channel route allowlist is configured with an empty `groupAllowFrom` parameter, the message handler creates wildcard sender authorization, permitting any sender in the matched team/channel to trigger replies in allowlisted Teams routes. **Recommendations** Update to version 2026.3.8 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.28 **Description** An authorization bypass exists in the 'chat.send' gateway method. The issue occurs because ACP-only provenance fields are gated by self-declared client metadata from the WebSocket handshake instead of a verified authorization state. This allows authenticated operator clients to spoof ACP identity labels and inject reserved provenance fields intended exclusively for the ACP bridge by manipulating client metadata during the connection process. **Recommendations** Update to version 2026.3.28.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.28 **Description** A privilege escalation issue exists in the "chat.send" endpoint. Write-scoped gateway callers can persist admin-only `verboseLevel` session overrides by exploiting the `/verbose` parameter. This allows attackers to bypass access controls and expose sensitive reasoning or tool output that should be restricted to administrators. **Recommendations** Update to version 2026.3.28 or later. As a temporary workaround, restrict access to the `/verbose` parameter in the "chat.send" endpoint.