Publish Advisories

GHSA-6pfc-6m7w-m8fx
GHSA-6xg4-82hv-cp6f
GHSA-9528-x887-j2fp
GHSA-g86v-f9qv-rh6m
GHSA-j7p2-qcwm-94v4
GHSA-jp4j-q5fc-58gv

Author: advisory-database[bot]

advisories/github-reviewed/2026/03/GHSA-6pfc-6m7w-m8fx/GHSA-6pfc-6m7w-m8fx.json

@@ -0,0 +1,66 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6pfc-6m7w-m8fx",
+  "modified": "2026-03-31T23:59:53Z",
+  "published": "2026-03-31T23:59:53Z",
+  "aliases": [],
+  "summary": "OpenClaw has a gateway exec allowlist allow-always bypass via unregistered /usr/bin/script wrapper",
+  "details": "## Summary\n\nAllow-always persistence did not unwrap `/usr/bin/script` and similar wrappers to the actual executed target before storing trust decisions.\n\n## Impact\n\nA user approval for one wrapped command could persist trust for a wrapper binary that later executed a different underlying program.\n\n## Affected Component\n\n`src/infra/dispatch-wrapper-resolution.ts, src/infra/exec-wrapper-resolution.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `83da3cfe31` (`infra: unwrap script wrapper approval targets`).",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.3.28"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2026.3.24"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6pfc-6m7w-m8fx"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/83da3cfe31f016841e1deedda1a604696f4c488d"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.28"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-385"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-31T23:59:53Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/03/GHSA-6xg4-82hv-cp6f/GHSA-6xg4-82hv-cp6f.json

@@ -0,0 +1,58 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6xg4-82hv-cp6f",
+  "modified": "2026-03-31T23:57:51Z",
+  "published": "2026-03-31T23:57:51Z",
+  "aliases": [],
+  "summary": "OpenClaw: Gateway chat.send ACP-only provenance guard could be bypassed by client identity spoofing",
+  "details": "## Summary\n\nACP-only provenance fields in `chat.send` were gated by self-declared client metadata from the WebSocket handshake rather than verified authorization state.\n\n## Impact\n\nA normal authenticated operator client could spoof ACP identity labels and inject reserved provenance fields intended only for the ACP bridge.\n\n## Affected Component\n\n`src/gateway/server-methods/chat.ts, src/gateway/server/ws-connection/message-handler.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `4b9542716c` (`Gateway: require verified scope for chat provenance`).",
+  "severity": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.3.28"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2026.3.24"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6xg4-82hv-cp6f"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/4b9542716c26ac77652bcaa0f562043b298b409f"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-290",
+      "CWE-807"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-31T23:57:51Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/03/GHSA-9528-x887-j2fp/GHSA-9528-x887-j2fp.json

@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9528-x887-j2fp",
+  "modified": "2026-03-31T23:59:17Z",
+  "published": "2026-03-31T23:59:17Z",
+  "aliases": [],
+  "summary": "OpenClaw's Nextcloud Talk webhook missing rate limiting on shared secret authentication",
+  "details": "## Summary\n\nNextcloud Talk webhook signature failures were not throttled even though the integration relies on an operator-configured shared secret that may be weak.\n\n## Impact\n\nAn attacker who could reach the webhook endpoint could brute-force weak secrets online and then forge inbound webhook events.\n\n## Affected Component\n\n`extensions/nextcloud-talk/src/monitor.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `e403decb6e` (`nextcloud-talk: throttle repeated webhook auth failures`).",
+  "severity": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.3.28"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2026.3.24"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9528-x887-j2fp"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/e403decb6e20091b5402780a7ccd2085f98aa3cd"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.28"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-307"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-31T23:59:17Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/03/GHSA-g86v-f9qv-rh6m/GHSA-g86v-f9qv-rh6m.json

@@ -0,0 +1,62 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-g86v-f9qv-rh6m",
+  "modified": "2026-03-31T23:58:43Z",
+  "published": "2026-03-31T23:58:43Z",
+  "aliases": [],
+  "summary": "OpenClaw SSRF guard misses four IPv6 special-use ranges",
+  "details": "## Summary\n\nThe SSRF/IP classifier treated several IPv6 special-use ranges as public and allowed fetches to proceed.\n\n## Impact\n\nAn attacker who controlled a fetched URL could target internal or non-routable IPv6 addresses that should have been blocked by the SSRF guard.\n\n## Affected Component\n\n`src/shared/net/ip.ts, src/infra/net/ssrf.*`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `d61f8e5672` (`Net: block missing IPv6 special-use ranges`).\n\nOpenClaw thanks @nicky-cc  of Tencent zhuque Lab [https://github.com/Tencent/AI-Infra-Guard](https://github.com/Tencent/AI-Infra-Guard) for reporting.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.3.28"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2026.3.24"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g86v-f9qv-rh6m"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/d61f8e56723e03573b847422468d99c44c26e34f"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-31T23:58:43Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/03/GHSA-j7p2-qcwm-94v4/GHSA-j7p2-qcwm-94v4.json

@@ -0,0 +1,63 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-j7p2-qcwm-94v4",
+  "modified": "2026-03-31T23:59:36Z",
+  "published": "2026-03-31T23:59:36Z",
+  "aliases": [],
+  "summary": "OpenClaw's incomplete host env sanitization blocklist allows supply-chain redirection via package-manager env overrides",
+  "details": "## Summary\n\nHost exec env override sanitization did not fail closed for several package-manager and related redirect variables that can steer dependency fetches or startup behavior.\n\n## Impact\n\nAn approved exec request could silently redirect package resolution or runtime bootstrap to attacker-controlled infrastructure and execute trojanized content.\n\n## Affected Component\n\n`src/infra/host-env-security-policy.json, src/infra/host-env-security.ts`\n\n## Fixed Versions\n\n- Affected: `< 2026.3.22`\n- Patched: `>= 2026.3.22`\n\n## Fix\n\nFixed by commit `7abfff756d` (`Exec: harden host env override handling across gateway and node`).",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.3.22"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-j7p2-qcwm-94v4"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/7abfff756d6c68d17e21d1657bbacbaec86de232"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.22"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-183"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-31T23:59:36Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/03/GHSA-jp4j-q5fc-58gv/GHSA-jp4j-q5fc-58gv.json

@@ -0,0 +1,66 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jp4j-q5fc-58gv",
+  "modified": "2026-03-31T23:58:08Z",
+  "published": "2026-03-31T23:58:08Z",
+  "aliases": [],
+  "summary": "OpenClaw's Discord component interaction ingress skips guild/channel policy enforcement",
+  "details": "## Summary\n\nDiscord button and component interaction ingress did not consistently reapply the same guild and channel policy gates used for normal inbound messages.\n\n## Impact\n\nUsers could trigger privileged component actions from contexts that should have been blocked by Discord channel policy.\n\n## Affected Component\n\n`extensions/discord/src/monitor/agent-components.ts`\n\n## Fixed Versions\n\n- Affected: `>= 2026.2.14, <= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `511093d4b3` (`Discord: apply component interaction policy gates`).",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2026.2.14"
+            },
+            {
+              "fixed": "2026.3.28"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2026.3.24"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jp4j-q5fc-58gv"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/511093d4b37c0831c778fabd25ec3020834983c3"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.28"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-31T23:58:08Z",
+    "nvd_published_at": null
+  }
+}