Tdjackey

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.4.9 **Description** A file read issue allows attackers to bypass navigation guards through browser act/evaluate interactions. This enables attackers to pivot into the local Chrome DevTools Protocol (CDP) origin and create or read disallowed `file://` pages, bypassing direct navigation policy restrictions. **Recommendations** Update to version 2026.4.9.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.31 **Description** A local roots self-whitelisting issue exists in the `appendLocalMediaParentRoots()` function. This flaw allows for model-initiated arbitrary host file read due to improper validation of the media parent directory, which could enable attackers to exfiltrate credentials and access sensitive files. **Recommendations** Update to version 2026.3.31 or later. As a temporary workaround, restrict access to the `appendLocalMediaParentRoots()` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.31 **Description** A session visibility bypass exists where the `session status()` function fails to enforce configured `tools.sessions.visibility` restrictions during unsandboxed invocations. This allows attackers to invoke `session status()` without sandbox constraints, bypassing session-policy controls to access restricted session information. **Recommendations** Update to version 2026.3.31 or later. As a temporary workaround, restrict access to the `session status()` function to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.22 Description OpenClaw versions prior to 2026.3.22 do not properly enforce operator.admin scope on mutating internal ACP chat commands, which allows unauthorized modifications. Attackers without admin privileges can bypass authorization gates by directly invoking affected ACP commands to execute mutating control-plane actions. Recommendations Update to version 2026.3.22 or later.

**Name of the Vulnerable Software and Affected Versions** OpenShell versions prior to 2026.3.28 **Description** An arbitrary code execution issue exists in mirror mode, which allows untrusted sandbox files to be converted into workspace hooks. Attackers with mirror mode access can execute arbitrary code on the host system during gateway startup by exploiting enabled workspace hooks. **Recommendations** Update to version 2026.3.28.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.22 **Description** An issue exists where bootstrap setup codes are not bound to intended device roles and scopes during pairing. This allows attackers to escalate privileges beyond their intended role and scope during first-use device pairing. **Recommendations** Update to version 2026.3.22.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.31 **Description** An incomplete `host-env-security-policy.json` fails to restrict compiler binary environment variables. This allows untrusted models to substitute `CC`, `CXX`, `CARGO BUILD RUSTC`, and `CMAKE C COMPILER` through environment overrides. Attackers with approved host-exec requests can override these compiler binaries to execute arbitrary code during build processes. **Recommendations** Update to version 2026.3.31.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.31 **Description** Insufficient environment variable sanitization in host exec operations allows for the injection of malicious environment variables. The system fails to filter variables related to packages, registries, Docker, compilers, and TLS overrides, which can be used to override critical system configurations and compromise host execution integrity. **Recommendations** Update to version 2026.3.31.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.31 **Description** A server-side request forgery (SSRF) issue exists in the marketplace plugin download functionality. This occurs due to unguarded `fetch()` calls, which allow remote attackers to make arbitrary network requests to access internal resources or interact with external services on behalf of the affected system. **Recommendations** Update to version 2026.3.31 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.28 **Description** An environment variable injection issue occurs because the software loads the .env file from the current working directory before the trusted state-dir configuration. This allows untrusted workspace state to inject host environment values. An attacker can place a malicious .env file in a repository or workspace to override runtime configuration and security-sensitive environment settings during startup, potentially leading to configuration takeover and bypassing host-env policy. The issue is located in the `src/infra/dotenv.ts` and `src/cli/dotenv.ts` components. **Recommendations** Update to version 2026.3.28.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.28 **Description** An authorization bypass exists in Discord text approval commands, specifically affecting the '/approve' command. This issue allows users who are permitted to send commands but are not included in the `channels.discord.execApprovals.approvers` allowlist to resolve pending host execution requests. The flaw is located within the `extensions/discord/src/exec-approvals.ts` and `src/auto-reply/reply/commands-approve.ts` components. **Recommendations** Update to version 2026.3.28.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.11 **Description** The software contains a sandbox boundary bypass issue in fs-bridge staged writes. Temporary file creation and population are not restricted to a verified parent directory, allowing attackers to exploit a race condition in parent-path alias changes. This enables writing attacker-controlled data outside the intended validated path before the final replacement step. The issue involves a bypass of the sandbox security measures. **Recommendations** Update to version 2026.3.11 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.22 **Description** Incomplete host environment variable sanitization in `host-env-security-policy.json` and `host-env-security.ts` allows package-manager environment overrides. This enables attackers to use approved exec requests to redirect package resolution or runtime bootstrap to infrastructure under their control, leading to the execution of trojanized content. **Recommendations** Update to version 2026.3.22.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.11 **Description** A flaw exists in OpenClaw that allows authorized users on one account to bypass authorization restrictions and modify configuration settings on other accounts, even when those accounts have configWrites set to false. This occurs through the execution of channel commands, such as `/config set channels.<provider>.accounts.<id>`, which are intended to modify configuration. The issue allows mutation of protected sibling-account configuration despite configWrites restrictions. **Recommendations** Update to version 2026.3.11 or later.

Name of the Vulnerable Software and Affected Versions OpenClaw versions 2026.3.22 and earlier Description OpenClaw versions 2026.3.22 and earlier contain an incorrect authorization issue in the ''POST /reset-profile'' endpoint. Authenticated callers with `operator.write` access to `browser.request` can bypass profile mutation restrictions. Attackers can invoke ''POST /reset-profile'' through the `browser.request` surface to stop the running browser, close Playwright connections, and move profile directories to Trash. The vulnerability is due to the `isPersistentBrowserProfileMutation()` function not classifying ''POST /reset-profile'' as a protected mutation, allowing access through the `browser.request` surface. The vulnerable paths include `src/gateway/method-scopes.ts:114`, `src/gateway/server-methods/browser.ts:155-165`, `src/browser/request-policy.ts:19-25`, `src/browser/routes/basic.ts:161-170`, `src/browser/server-context.reset.ts:37-63`, and `src/node-host/invoke-browser.ts:240-243`. Recommendations Extend the persistent-profile mutation classifier to include ''POST /reset-profile''. Reuse the same centralized route classification everywhere the release currently relies on `isPersistentBrowserProfileMutation(...)`, including `src/gateway/server-methods/browser.ts` and `src/node-host/invoke-browser.ts`. Add regression coverage with a deny control for ''POST /reset-profile'' on the lower-privilege `browser.request` surface and an allow control for non-mutating browser profile reads. Review nearby profile-management routes for any other state-changing endpoints that are still omitted from the mutation classifier.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.24 **Description** OpenClaw versions before 2026.3.24 contain missing authorization checks in the `/send` and `/allowlist` chat command handlers. The `/send` command allows non-owner command-authorized senders to modify owner-only session delivery policy settings. The `/allowlist` mutating commands fail to enforce operator.admin scope. Attackers with operator.write scope can use `/send on|off|inherit` to persistently change the current session's `sendPolicy` and use `/allowlist add` to modify allowlist entries without proper authorization. **Recommendations** Update to OpenClaw version 2026.3.24 or later. As a remediation, change the `/send` command to require owner status instead of just command authorization. Reuse the owner-only rejection pattern used by other privileged command surfaces like `/config` and `/debug`. Add regression coverage to ensure `/send` is rejected for non-owner senders, even if they are command-authorized. Verify that owners can still use `/send` normally.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.12 **Description** OpenClaw before version 2026.3.12 has an insufficient access control issue in the `/config` and `/debug` command handlers. Command-authorized non-owners can access owner-only surfaces, allowing them to read or modify privileged configuration settings. The issue stems from missing owner-level permission checks within these handlers. Exploitation requires existing command authorization, and does not require a specific network position. The `/config` and `/debug` API endpoints are affected. The vulnerable parameters are not specified. **Recommendations** Update OpenClaw to version 2026.3.12 or later.

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.25 Description OpenClaw versions prior to 2026.3.25 are susceptible to a denial of service. The software parses JSON request bodies before validating webhook signatures, which allows unauthenticated attackers to trigger resource-intensive parsing operations. Attackers can send malicious webhook requests to exhaust server resources by forcing JSON parsing before signature rejection. Recommendations Update to version 2026.3.25 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.11 **Description** OpenClaw before version 2026.3.11 contains a sandbox boundary bypass issue. This allows leaf subagents to access the subagents control surface and resolve against a parent requester scope instead of their own session tree. A low-privilege sandboxed leaf worker can exploit insufficient authorization checks on subagent control requests to steer or kill sibling runs and cause execution with broader tool policies. **Recommendations** Update OpenClaw to version 2026.3.11 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.11 **Description** The software contains an authorization bypass issue. Attackers possessing write-scoped access can execute admin-only session reset logic. Specifically, individuals with `operator.write` scope can send agent requests, including '/new' or '/reset' commands, to alter conversation state without the necessary `operator.admin` privileges. **Recommendations** Update to version 2026.3.11 or later.