Petr Simecek

**Name of the Vulnerable Software and Affected Versions** PostgreSQL versions prior to 18.4 PostgreSQL versions prior to 17.10 PostgreSQL versions prior to 16.14 PostgreSQL versions prior to 15.18 PostgreSQL versions prior to 14.23 **Description** Integer wraparound in multiple server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds. This can lead to arbitrary code execution as the operating system user running the database. In applications that pass gigabyte-scale user inputs to the relevant database functions, the input provider may cause a segmentation fault, which is an error occurring when a program attempts to access a memory location that it is not allowed to access. **Recommendations** Update to version 18.4 or later. Update to version 17.10 or later. Update to version 16.14 or later. Update to version 15.18 or later. Update to version 14.23 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.2 **Description** An authentication bypass exists in the optional `voice-call` extension when inbound allowlist policy validation is used. The system accepts empty caller IDs and uses suffix-based matching instead of strict equality. This allows remote attackers to bypass inbound access controls by placing calls with missing caller IDs or numbers ending with allowlisted digits, potentially reaching the voice-call agent and executing tools. The issue affects deployments that have the `voice-call` extension installed and enabled. The vulnerability is related to the inbound allowlist check in the `extensions/voice-call/src/manager.ts` file, which used suffix-based matching and accepted empty caller IDs after normalization. Specifically, missing or empty `from` values normalized to an empty string, causing the allowlist predicate to evaluate as allowed. Additionally, suffix-based matching meant any caller number whose digits ended with an allowlisted number would be accepted. The vulnerable component is the `voice-call` extension. **Recommendations** OpenClaw versions prior to 2026.2.2 should be updated to version 2026.2.2 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.12 **Description** The OpenClaw Nostr channel plugin, when installed and enabled, exposes unauthenticated HTTP endpoints at `/api/channels/nostr/:accountId/profile` and `/api/channels/nostr/:accountId/profile/import`. These endpoints allow reading and modifying Nostr profiles without gateway authentication. Attackers can exploit these endpoints to read sensitive profile data, modify Nostr profiles, persist malicious changes to gateway configuration, and publish signed Nostr events using the bot's private key if the gateway HTTP port is accessible beyond localhost. The issue is exploitable when the gateway HTTP port is reachable beyond localhost. **Recommendations** Upgrade to OpenClaw version 2026.2.12 or later. As a temporary mitigation, restrict gateway HTTP exposure (bind loopback-only and/or enforce network-layer access controls) until upgraded.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.2 OpenClaw versions 2026.1.30 and earlier **Description** When Telegram webhook mode is enabled without a configured webhook secret, the software may accept unauthenticated HTTP POST requests at the Telegram webhook endpoint and trust attacker-controlled update JSON. This can allow forged Telegram updates that spoof `message.from.id` and `chat.id`, potentially bypassing sender allowlists and executing privileged bot commands. Attackers can forge Telegram updates by spoofing these fields to bypass sender allowlists and execute privileged bot commands. The vulnerability occurs due to a failure to validate webhook secrets when Telegram webhook mode is enabled. The API endpoint affected is the Telegram webhook endpoint. The vulnerable parameters include `message.from.id` and `chat.id`. **Recommendations** OpenClaw versions prior to 2026.2.1: Configure a strong `channels.telegram.webhookSecret` and ensure your reverse proxy forwards the `X-Telegram-Bot-Api-Secret-Token` header unchanged. OpenClaw version 2026.1.30 and earlier: Configure a strong `channels.telegram.webhookSecret` and ensure your reverse proxy forwards the `X-Telegram-Bot-Api-Secret-Token` header unchanged.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.2 **Description** The software does not properly validate Windows cmd.exe metacharacters in allowlist-gated exec requests, potentially allowing attackers to bypass command approval restrictions. Attackers can craft command strings with shell metacharacters like `&` or `%...%` to execute unapproved commands beyond the allowlisted operations. The software uses `cmd.exe /d /s /c <rawCommand>` for executing requests on Windows nodes. The allowlist analysis does not model Windows `cmd.exe` parsing and metacharacter behavior. The vulnerable code is located in `src/infra/node-shell.ts`. The fix hardens Windows allowlist enforcement by passing the platform into allowlist analysis, rejecting Windows shell metacharacters, treating `cmd.exe` invocation as not allowlist-safe on Windows, and avoiding `cmd.exe` entirely in allowlist mode by executing the parsed argv directly when possible. **Recommendations** Update to version 2026.2.2 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.2 **Description** The software contains a flaw in its exec approvals allowlist, which can be bypassed when command substitution syntax is used. Specifically, attackers can execute arbitrary commands by injecting command substitution syntax, such as `$()` or backticks, within double-quoted strings. This bypasses the intended allowlist protection. The issue only affects installations where the exec approvals allowlist feature is explicitly enabled. **Recommendations** Update to version 2026.2.2 or later. Reject unescaped `$()` and backticks inside double quotes during allowlist analysis.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.2 **Description** The gateway WebSocket `connect` handshake allows skipping device identity checks when `auth.token` is present but not validated. Attackers can connect to the gateway without providing device identity or pairing by exploiting the presence check instead of validation, potentially gaining operator access in vulnerable deployments. The issue resides in `src/gateway/server/ws-connection/message-handler.ts`, where the device-identity requirement could be bypassed based on the presence of a non-empty `connectParams.auth.token` rather than a validated shared-secret authentication result. The gateway should only be reachable from a trusted network and by trusted users. **Recommendations** Versions prior to 2026.2.2 require device-identity skipping to now require validated shared-secret authentication (token/password). Tailscale-authenticated connections without validated shared secret require device identity.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.2 **Description** The software contains a server-side request forgery issue in attachment and media URL handling. This allows remote attackers to retrieve data from arbitrary HTTP(S) URLs. An attacker who can control media URLs through mechanisms like `sendAttachment` or auto-reply features can trigger SSRF to internal resources and potentially exfiltrate the fetched response data as attachments. The issue stems from a raw `fetch(url)` call without SSRF protections in affected versions. Starting with version 2026.2.2, remote media fetching includes SSRF checks, such as blocking private, loopback, and link-local addresses, DNS pinning, and redirect handling. The vulnerable component is the remote media fetching functionality. **Recommendations** Upgrade to OpenClaw version 2026.2.2 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.12 **Description** The BlueBubbles webhook handler in OpenClaw authenticates requests based solely on loopback remoteAddress without validating forwarding headers. This allows bypass of configured webhook passwords when the gateway operates behind a reverse proxy. An unauthenticated remote attacker can inject arbitrary BlueBubbles message and reaction events by reaching the proxy endpoint. The issue occurs because the handler accepts requests as authenticated if the `remoteAddress` is loopback, without validating forwarding headers. This is exploitable when OpenClaw Gateway is behind a reverse proxy such as Tailscale Serve/Funnel, nginx, Cloudflare Tunnel, or ngrok. The vulnerable component is the BlueBubbles webhook handler, which accepts inbound events via an HTTP POST endpoint. The `req.socket.remoteAddress` is used for authentication. **Recommendations** Versions prior to 2026.2.12 should be updated to version 2026.2.12 or later. Ensure a BlueBubbles webhook password is configured. Do not expose the gateway webhook endpoint publicly without authentication.