•27 minutes ago•GHSA-V865-P3GQ-HW6M
6.5GHSA-V865-P3GQ-HW6M: Path Canonicalization Bypass in OpenClaw Gateway
A path-based authentication bypass vulnerability exists in the OpenClaw AI Gateway due to insufficient URL decoding depth. Attackers can bypass the Policy Enforcement Point (PEP) by using multi-encoded path separators (e.g., %252f), allowing unauthorized access to sensitive plugin routes.
1 views•5 min read
•about 1 hour ago•CVE-2026-28401
5.4CVE-2026-28401: Stored Cross-Site Scripting (XSS) in NocoDB Rich Text Components
NocoDB, an open-source airtable alternative, contains a stored Cross-Site Scripting (XSS) vulnerability in versions prior to 0.301.3. The vulnerability exists within the rendering logic for Rich Text cells, where user-supplied Markdown is converted to HTML and rendered without sufficient sanitization. Authenticated attackers with Editor permissions can inject malicious JavaScript payloads into database cells. These payloads execute in the context of other users' sessions—including Administrators—when the affected cell is viewed in the grid, form, or expanded view interfaces.
0 views•5 min read
•about 2 hours ago•GHSA-X9CF-3W63-RPQ9
6.6GHSA-x9cf-3w63-rpq9: Path Traversal in OpenClaw stageSandboxMedia Leading to Arbitrary File Read
OpenClaw, an AI automation tool for iMessage and other channels, contains a critical path traversal vulnerability in its media staging mechanism. The vulnerability exists within the `stageSandboxMedia` function, which prepares message attachments for AI processing. When configured to fetch attachments from a remote relay host via SSH/SCP, the system fails to validate the source file path provided in the message metadata. This allows an attacker to manipulate attachment metadata to point to arbitrary files on the host system (such as SSH keys or configuration files), which OpenClaw then copies into the AI's sandbox workspace. This effectively grants the AI agent—and potentially the attacker—read access to sensitive files outside the intended attachment directories.
5 views•5 min read
•about 3 hours ago•GHSA-VMQR-RC7X-3446
9.9CVE-2026-28363: Remote Code Execution in OpenClaw via safeBins Validation Bypass
A critical security bypass in OpenClaw's `safeBins` mechanism allows authenticated users to execute arbitrary commands. The vulnerability exploits a discrepancy between OpenClaw's strict string matching validator and the GNU `getopt_long` argument parser used by underlying system binaries. By using unique abbreviations of restricted flags (e.g., `--compress-prog` instead of `--compress-program`), attackers can evade security controls.
3 views•4 min read
•about 3 hours ago•GHSA-2WW6-868G-2C56
6.1CVE-2026-27009: Stored XSS via HTML Injection in OpenClaw Image Generation
OpenClaw contains a critical Stored Cross-Site Scripting (XSS) vulnerability within its image generation skill. The application fails to sanitize user-supplied prompts and filenames before interpolating them into HTML gallery files. This allows attackers to inject malicious JavaScript execution vectors that trigger when the gallery is viewed, potentially leading to session hijacking or arbitrary code execution in the context of the application dashboard.
3 views•5 min read
•about 4 hours ago•GHSA-48WF-G7CP-GR3M
8.8GHSA-48WF-G7CP-GR3M: OpenClaw Allowlist Bypass via 'env -S'
A critical security bypass exists in OpenClaw's execution guard mechanism, allowing attackers to circumvent binary allowlists using the `env` utility's split-string feature. By leveraging `env -S`, an attacker can execute arbitrary commands even when the system is configured to restrict execution to specific safe binaries. This vulnerability stems from a semantic mismatch between the policy engine's validation logic and the runtime behavior of command-line wrappers.
2 views•6 min read
•about 5 hours ago•CVE-2021-25320
9.9CVE-2021-25320: Privilege Escalation via Improper Access Control in Rancher Proxy
A critical improper access control vulnerability exists in Rancher's `/meta/proxy` endpoint, allowing authenticated users to bypass authorization checks. By manipulating the proxy request, attackers can utilize cloud credentials they do not own and inject impersonation headers to escalate privileges. This flaw enables unauthorized modification of cloud infrastructure and potential cluster takeover.
2 views•6 min read
•about 11 hours ago•GHSA-RXXP-482V-7MRH
6.5GHSA-RXXP-482V-7MRH: Memory Exhaustion via Unbounded Media Buffering in OpenClaw
OpenClaw, an open-source personal AI assistant framework, contains a Denial of Service (DoS) vulnerability in multiple messaging channel extensions (including Discord, Telegram, and Microsoft Teams). The vulnerability arises from improper handling of inbound media attachments, where the application buffers the entire content of a remote file into memory before verifying its size against configured limits. This 'sink-then-check' behavior allows remote attackers to trigger an Out-of-Memory (OOM) exception and crash the Node.js process by sending a sufficiently large file or a continuous data stream.
6 views•5 min read
•about 11 hours ago•GHSA-MFG5-7Q5G-F37J
6.6GHSA-MFG5-7Q5G-F37J: Denial of Service via Uncontrolled WebSocket Resource Allocation in OpenClaw
A resource exhaustion vulnerability exists in the `@openclaw/voice-call` package, a core component of the OpenClaw telephony platform. The vulnerability arises from an improper implementation of the WebSocket protocol upgrade mechanism, specifically an "Upgrade-First, Validate-Later" design pattern. By allowing an unlimited number of unauthenticated WebSocket connections to remain in an idle "pre-start" state indefinitely, remote attackers can consume available file descriptors and memory, leading to a Denial of Service (DoS) for legitimate voice services.
2 views•5 min read
•about 12 hours ago•GHSA-HJVP-QHM6-WRH2
6.5OpenClaw Node system.run Approval Context Bypass
A critical context-binding weakness in the OpenClaw AI assistant platform allows attackers to bypass human-in-the-loop approval controls. Specifically, the `system.run` workflow in the Node host environment fails to cryptographically bind user approvals to the exact execution context, including environment variables and command arguments. This flaw permits an attacker to hijack a legitimate approval ID and reuse it to execute arbitrary code by injecting malicious environment variables (e.g., `GIT_EXTERNAL_DIFF`) or modifying arguments, effectively nullifying the security guarantees of the approval system.
3 views•6 min read
•about 12 hours ago•GHSA-FGVX-58P6-GJWC
9.8GHSA-FGVX-58P6-GJWC: Critical Symlink Traversal in OpenClaw Gateway
A critical symbolic link traversal vulnerability exists in the OpenClaw gateway component, specifically within the `agents.files` API methods. The vulnerability permits attackers to bypass workspace isolation mechanisms by creating symbolic links with allowlisted filenames (e.g., `AGENTS.md`) that point to arbitrary locations on the host filesystem. Successful exploitation allows unauthorized read and write access to sensitive system files, potentially leading to full system compromise.
12 views•5 min read
•about 13 hours ago•GHSA-P25H-9Q54-FFVW
8.8OpenClaw Zip Slip Path Traversal in Archive Extraction
OpenClaw versions prior to 2026.2.14 contain a critical path traversal vulnerability, commonly known as 'Zip Slip', within the archive extraction and browser tool file handling components. This flaw allows remote attackers to write arbitrary files to the host filesystem by providing malicious archives or filenames containing directory traversal sequences. Successful exploitation can lead to Remote Code Execution (RCE) by overwriting sensitive configuration files or executables.
4 views•5 min read