Vincent Koc

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.21 **Description** OpenClaw improperly parses the left-most X-Forwarded-For header value when requests originate from configured trusted proxies, allowing attackers to spoof client IP addresses. In proxy chains that append or preserve header values, attackers can inject malicious header content to influence security decisions, including authentication rate-limiting and IP-based access controls. The issue affects deployments behind trusted proxies with non-recommended forwarding behavior. The vulnerable component uses the left-most `X-Forwarded-For` value when processing requests from trusted proxies. This can lead to client-IP spoofing in security-sensitive areas such as authentication rate limits and identity classification. The API endpoint is not explicitly mentioned. The vulnerable parameter is the `X-Forwarded-For` header. **Recommendations** Versions prior to 2026.2.21 should be updated to version 2026.2.21 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.15 **Description** The `web fetch` tool within OpenClaw can cause a denial of service by crashing the Gateway process due to memory exhaustion. This occurs when parsing oversized or deeply nested HTML responses fetched from attacker-controlled URLs. An attacker can potentially social-engineer a user or automated system into fetching a malicious URL, leading to server memory exhaustion and service unavailability. **Recommendations** Update to OpenClaw version 2026.2.15 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.14 clawdbot versions prior to 2026.1.24-3 **Description** The software contains a webhook routing issue in the Google Chat monitor component. This allows for cross-account policy context misrouting when multiple webhook targets share the same HTTP path. Attackers can exploit first-match request verification semantics to process inbound webhook events under incorrect account contexts, bypassing intended allowlists and session policies. The affected component is `extensions/googlechat/src/monitor.ts`. The issue arises from allowing multiple webhook targets per path and selecting the first target that passes `verifyGoogleChatRequest(...)`. **Recommendations** OpenClaw versions prior to 2026.2.14: Upgrade to version 2026.2.14 or later. clawdbot versions prior to 2026.1.24-3: Migrate to OpenClaw and upgrade to OpenClaw version 2026.2.14 or later. Ensure each Google Chat webhook target uses a unique webhook path to avoid ambiguous routing.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.14 clawdbot versions prior to 2026.1.24-3 **Description** The software contains a denial of service issue in the `extractArchive` function within `src/infra/archive.ts`. Attackers can provide maliciously crafted ZIP and TAR archives during install or update operations to consume excessive CPU, memory, and disk resources. This can lead to service degradation or system unavailability. The issue stems from a lack of strict resource budgets during archive extraction. **Recommendations** OpenClaw versions prior to 2026.2.14 should be updated to version 2026.2.14 or later. clawdbot versions prior to 2026.1.24-3 should be updated to version 2026.1.24-3 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.14 clawdbot versions prior to 2026.1.24-3 **Description** The Telegram allowlist authorization mechanism incorrectly matched on mutable usernames (`@username`) instead of immutable numeric sender IDs. This allowed attackers to spoof identity by obtaining recycled usernames, bypassing allowlist restrictions and interacting with bots as unauthorized senders. This poses an identity rebinding and spoofing risk for operators who rely on Telegram allowlists as strict identity controls. The issue was addressed by requiring numeric Telegram sender IDs for allowlist authorization and rejecting usernames. A security audit warning was added to flag legacy configurations containing non-numeric Telegram allowlist entries. The `openclaw doctor --fix` command now attempts to resolve username allowFrom entries to numeric IDs. **Recommendations** Versions prior to 2026.2.14: Update to version 2026.2.14 or later. Versions prior to 2026.1.24-3: Update to version 2026.1.24-3 or later. Run `openclaw doctor --fix` to resolve any legacy configurations containing non-numeric Telegram allowlist entries.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.14 clawdbot versions 2026.1.24 and earlier **Description** The software contains a denial of service issue in the `fetchWithGuard` function. This function allocates entire response payloads in memory before enforcing `maxBytes` limits. Remote attackers can trigger memory exhaustion by serving oversized responses without content-length headers, leading to availability loss. The affected component is located in `src/media/input-files.ts`. When the `content-length` is missing or incorrect, the `response.arrayBuffer()` function buffers the full payload before a size check can run. **Recommendations** OpenClaw versions prior to 2026.2.14: Until a patched release is available, disable URL-backed media inputs or restrict them to a tight hostname allowlist and use conservative `maxBytes` limits. clawdbot versions 2026.1.24 and earlier: Until a patched release is available, disable URL-backed media inputs or restrict them to a tight hostname allowlist and use conservative `maxBytes` limits.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.14 clawdbot versions prior to 2026.1.24-3 **Description** The software decodes base64-backed media inputs into buffers before enforcing decoded-size budget limits. Attackers can supply oversized base64 payloads, leading to large memory allocations and potentially causing memory pressure and denial of service. Deployments binding the gateway to loopback with gateway authentication for HTTP endpoints are considered a local/authorized denial of service risk. Exposure to untrusted networks without adequate authentication and rate limits elevates the risk to a network denial of service. **Recommendations** Update OpenClaw to version 2026.2.14 or later. Migrate from clawdbot to OpenClaw.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.13 clawdbot versions prior to 2026.1.24-3 **Description** The software contains a denial of service issue in webhook handlers due to insufficient limits on request body size and processing time. Remote, unauthenticated attackers can exploit this by sending oversized JSON payloads or slow uploads to webhook endpoints, leading to increased memory usage and potential service degradation. The issue stems from a lack of consistent enforcement of `maxBytes` and `timeoutMs` limits on buffered request payloads across various webhook code paths. Specifically, some handlers parse request bodies internally without adequate stream-level protection. Affected webhook endpoints include LINE, Nextcloud Talk, Google Chat, Zalo, BlueBubbles, Nostr profile HTTP, voice-call, and gateway hooks. Additionally, Slack, Telegram, and Feishu handlers are vulnerable due to internal request body parsing. The MS Teams webhook path is also affected due to a lack of explicit Express JSON body limit handling. **Recommendations** OpenClaw versions prior to 2026.2.13 should be upgraded to version 2026.2.13 or later. clawdbot versions prior to 2026.1.24-3 should be upgraded to version 2026.1.24-3 or later.