Publish Advisories

GHSA-6mqc-jqh6-x8fc
GHSA-cg6c-q2hx-69h7
GHSA-wq58-2pvg-5h4f
GHSA-3pm9-5j7m-59vc
GHSA-3xv9-89fm-7h4r
GHSA-f693-58pc-2gfr
GHSA-hhq4-97c2-p447

Author: advisory-database[bot]

advisories/github-reviewed/2026/03/GHSA-6mqc-jqh6-x8fc/GHSA-6mqc-jqh6-x8fc.json

@@ -1,11 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-6mqc-jqh6-x8fc",
-  "modified": "2026-03-26T18:59:00Z",
+  "modified": "2026-04-09T13:43:42Z",
   "published": "2026-03-26T18:59:00Z",
   "aliases": [],
   "summary": "OpenClaw: Gateway Canvas local-direct requests bypass Canvas HTTP and WebSocket authentication",
-  "details": "## Summary\nBefore `v2026.3.23`, Canvas and A2UI loopback requests could bypass Canvas bearer-or-capability authentication because `authorizeCanvasRequest(...)` treated `isLocalDirectRequest(...)` as an unconditional allow path.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: `< 2026.3.23`\n- Fixed: `>= 2026.3.23`\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Root Cause\nThe vulnerable logic lived in `src/gateway/server/http-auth.ts`. `authorizeCanvasRequest(...)` returned `{ ok: true }` for local-direct requests before checking bearer authentication or an active node canvas capability, which meant unauthenticated loopback Canvas HTTP and WebSocket requests could succeed.\n\n## Fix Commit(s)\n- `d5dc6b6573ae489bc7e5651090f4767b93537c9e` — `fix(gateway): require auth for canvas routes`\n\n## Release Status\nThe fix commit is contained in released tags `v2026.3.23` and `v2026.3.23-2`. The latest shipped tag and npm release both include the fix.\n\n## Code-Level Confirmation\n- `src/gateway/server/http-auth.ts` no longer contains the local-direct early return in `authorizeCanvasRequest(...)`.\n- `src/gateway/server.canvas-auth.test.ts` adds the regression test `denies canvas HTTP/WS on loopback without bearer or capability by default`.\n\nOpenClaw thanks @smaeljaish771 for reporting.",
+  "details": "## Summary\nBefore `v2026.3.23`, Canvas and A2UI loopback requests could bypass Canvas bearer-or-capability authentication because `authorizeCanvasRequest(...)` treated `isLocalDirectRequest(...)` as an unconditional allow path.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: `< 2026.3.23`\n- Fixed: `>= 2026.3.23`\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Root Cause\nThe vulnerable logic lived in `src/gateway/server/http-auth.ts`. `authorizeCanvasRequest(...)` returned `{ ok: true }` for local-direct requests before checking bearer authentication or an active node canvas capability, which meant unauthenticated loopback Canvas HTTP and WebSocket requests could succeed.\n\n## Fix Commit(s)\n- `d5dc6b6573ae489bc7e5651090f4767b93537c9e` — `fix(gateway): require auth for canvas routes`\n\n## Release Status\nThe fix commit is contained in released tags `v2026.3.23` and `v2026.3.23-2`. The latest shipped tag and npm release both include the fix.\n\n## Code-Level Confirmation\n- `src/gateway/server/http-auth.ts` no longer contains the local-direct early return in `authorizeCanvasRequest(...)`.\n- `src/gateway/server.canvas-auth.test.ts` adds the regression test `denies canvas HTTP/WS on loopback without bearer or capability by default`.\n\nThanks @smaeljaish771 for reporting.",
   "severity": [
     {
       "type": "CVSS_V4",

advisories/github-reviewed/2026/03/GHSA-cg6c-q2hx-69h7/GHSA-cg6c-q2hx-69h7.json

@@ -1,11 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-cg6c-q2hx-69h7",
-  "modified": "2026-03-26T18:56:32Z",
+  "modified": "2026-04-09T13:43:38Z",
   "published": "2026-03-26T18:56:32Z",
   "aliases": [],
   "summary": "OpenClaw: Plivo V2 verified replay identity drifts on query-only variants",
-  "details": "## Summary\nBefore `v2026.3.23`, the Plivo V2 verification path treated query-only variants of the same signed request as fresh verified work. Plivo V2 signatures authenticate `baseUrl + nonce`, but the replay key was derived from the full verification URL including the query string, so unsigned query-only changes minted a new `verifiedRequestKey`.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: `< 2026.3.23`\n- Fixed: `>= 2026.3.23`\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Root Cause\nThe vulnerable logic lived in `extensions/voice-call/src/webhook-security.ts`. V2 signature validation already canonicalized to the base URL without query parameters, but the replay key used the full `verificationUrl`, letting query-only variants bypass replay identity stability.\n\n## Fix Commit(s)\n- `b0ce53a79cf63834660270513e26d921899b4e5b` — `fix(voice-call): stabilize plivo v2 replay keys`\n\n## Release Status\nThe fix commit is contained in released tags `v2026.3.23` and `v2026.3.23-2`. The latest shipped tag and npm release both include the fix.\n\n## Code-Level Confirmation\n- `extensions/voice-call/src/webhook-security.ts` now derives the V2 replay key with `createPlivoV2ReplayKey(...)`, which hashes `getBaseUrlNoQuery(url)` plus the nonce.\n- `extensions/voice-call/src/webhook-security.test.ts` contains the regression test `treats query-only V2 variants as the same verified request`.\n\nOpenClaw thanks @smaeljaish771 for reporting.",
+  "details": "## Summary\nBefore `v2026.3.23`, the Plivo V2 verification path treated query-only variants of the same signed request as fresh verified work. Plivo V2 signatures authenticate `baseUrl + nonce`, but the replay key was derived from the full verification URL including the query string, so unsigned query-only changes minted a new `verifiedRequestKey`.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: `< 2026.3.23`\n- Fixed: `>= 2026.3.23`\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Root Cause\nThe vulnerable logic lived in `extensions/voice-call/src/webhook-security.ts`. V2 signature validation already canonicalized to the base URL without query parameters, but the replay key used the full `verificationUrl`, letting query-only variants bypass replay identity stability.\n\n## Fix Commit(s)\n- `b0ce53a79cf63834660270513e26d921899b4e5b` — `fix(voice-call): stabilize plivo v2 replay keys`\n\n## Release Status\nThe fix commit is contained in released tags `v2026.3.23` and `v2026.3.23-2`. The latest shipped tag and npm release both include the fix.\n\n## Code-Level Confirmation\n- `extensions/voice-call/src/webhook-security.ts` now derives the V2 replay key with `createPlivoV2ReplayKey(...)`, which hashes `getBaseUrlNoQuery(url)` plus the nonce.\n- `extensions/voice-call/src/webhook-security.test.ts` contains the regression test `treats query-only V2 variants as the same verified request`.\n\nThanks @smaeljaish771 for reporting.",
   "severity": [
     {
       "type": "CVSS_V4",

advisories/github-reviewed/2026/03/GHSA-wq58-2pvg-5h4f/GHSA-wq58-2pvg-5h4f.json

@@ -1,11 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-wq58-2pvg-5h4f",
-  "modified": "2026-03-26T19:00:45Z",
+  "modified": "2026-04-09T13:43:30Z",
   "published": "2026-03-26T19:00:45Z",
   "aliases": [],
   "summary": "OpenClaw: Gateway agent /reset exposes admin session reset to operator.write callers",
-  "details": "## Summary\nBefore `v2026.3.23`, the Gateway `agent` RPC accepted `/reset` and `/new` for callers with only `operator.write`, even though the direct `sessions.reset` RPC correctly requires `operator.admin`.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: `< 2026.3.23`\n- Fixed: `>= 2026.3.23`\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Root Cause\nThe vulnerable path lived in `src/gateway/server-methods/agent.ts`. A `/reset` or `/new` message with an explicit `sessionKey` reached `performGatewaySessionReset(...)` without enforcing the same `operator.admin` guard used by `sessions.reset`.\n\n## Fix Commit(s)\n- `50f6a2f136fed85b58548a38f7a3dbb98d2cd1a0` — `fix(gateway): require admin for agent session reset`\n\n## Release Status\nThe fix commit is contained in released tags `v2026.3.23` and `v2026.3.23-2`. The latest shipped tag and npm release both include the fix.\n\n## Code-Level Confirmation\n- `src/gateway/server-methods/agent.ts` now rejects `/reset` and `/new` for callers that do not have `operator.admin` before calling `performGatewaySessionReset(...)`.\n- `src/gateway/server-methods/agent.test.ts` contains the regression test `rejects /reset for write-scoped gateway callers`.\n\nOpenClaw thanks @smaeljaish771 for reporting.",
+  "details": "## Summary\nBefore `v2026.3.23`, the Gateway `agent` RPC accepted `/reset` and `/new` for callers with only `operator.write`, even though the direct `sessions.reset` RPC correctly requires `operator.admin`.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: `< 2026.3.23`\n- Fixed: `>= 2026.3.23`\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Root Cause\nThe vulnerable path lived in `src/gateway/server-methods/agent.ts`. A `/reset` or `/new` message with an explicit `sessionKey` reached `performGatewaySessionReset(...)` without enforcing the same `operator.admin` guard used by `sessions.reset`.\n\n## Fix Commit(s)\n- `50f6a2f136fed85b58548a38f7a3dbb98d2cd1a0` — `fix(gateway): require admin for agent session reset`\n\n## Release Status\nThe fix commit is contained in released tags `v2026.3.23` and `v2026.3.23-2`. The latest shipped tag and npm release both include the fix.\n\n## Code-Level Confirmation\n- `src/gateway/server-methods/agent.ts` now rejects `/reset` and `/new` for callers that do not have `operator.admin` before calling `performGatewaySessionReset(...)`.\n- `src/gateway/server-methods/agent.test.ts` contains the regression test `rejects /reset for write-scoped gateway callers`.\n\nThanks @smaeljaish771 for reporting.",
   "severity": [
     {
       "type": "CVSS_V4",

advisories/github-reviewed/2026/04/GHSA-3pm9-5j7m-59vc/GHSA-3pm9-5j7m-59vc.json

@@ -1,11 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3pm9-5j7m-59vc",
-  "modified": "2026-04-03T03:20:16Z",
+  "modified": "2026-04-09T13:44:52Z",
   "published": "2026-04-03T03:20:16Z",
   "aliases": [],
   "summary": "OpenClaw: Tlon Startup Migration Rehydrates Empty-Array Revocations From File Config",
-  "details": "## Summary\nTlon Startup Migration Rehydrates Empty-Array Revocations From File Config\n\n## Current Maintainer Triage\n- Normalized severity: low\n- Assessment: v2026.3.28 startup migration still treats empty-array settings as missing and can rehydrate revoked Tlon config from file state after restart.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `a4d72a83f01fedd35964c352e3473c7712a3511b` — 2026-03-31T14:57:03+01:00\n\nOpenClaw thanks @smaeljaish771 for reporting.",
+  "details": "## Summary\nTlon Startup Migration Rehydrates Empty-Array Revocations From File Config\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: low\n- Assessment: v2026.3.28 startup migration still treats empty-array settings as missing and can rehydrate revoked Tlon config from file state after restart.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `a4d72a83f01fedd35964c352e3473c7712a3511b` — 2026-03-31T14:57:03+01:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.31`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nThanks @smaeljaish771 for reporting.",
   "severity": [
     {
       "type": "CVSS_V4",

advisories/github-reviewed/2026/04/GHSA-3xv9-89fm-7h4r/GHSA-3xv9-89fm-7h4r.json

@@ -1,11 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3xv9-89fm-7h4r",
-  "modified": "2026-04-03T03:24:25Z",
+  "modified": "2026-04-09T13:44:18Z",
   "published": "2026-04-03T03:24:25Z",
   "aliases": [],
   "summary": "OpenClaw: diffs viewer misclassifies proxied remote requests as loopback when `allowRemoteViewer` is disabled",
-  "details": "## Summary\ndiffs viewer misclassifies proxied remote requests as loopback when `allowRemoteViewer` is disabled\n\n## Current Maintainer Triage\n- Assessment: Shipped v2026.3.28 misclassified proxied diff-viewer requests as local loopback in some cases, a real but low-severity access-control flaw.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `30a1690323088fd291abd11643a264a6828a002c` — 2026-03-30T14:17:27-06:00\n\nOpenClaw thanks @smaeljaish771 for reporting.",
+  "details": "## Summary\ndiffs viewer misclassifies proxied remote requests as loopback when `allowRemoteViewer` is disabled\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: low\n- Assessment: Shipped v2026.3.28 misclassified proxied diff-viewer requests as local loopback in some cases, a real but low-severity access-control flaw.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `30a1690323088fd291abd11643a264a6828a002c` — 2026-03-30T14:17:27-06:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.31`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nThanks @smaeljaish771 for reporting.",
   "severity": [
     {
       "type": "CVSS_V4",

advisories/github-reviewed/2026/04/GHSA-f693-58pc-2gfr/GHSA-f693-58pc-2gfr.json

@@ -1,11 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-f693-58pc-2gfr",
-  "modified": "2026-04-03T03:20:58Z",
+  "modified": "2026-04-09T13:44:02Z",
   "published": "2026-04-03T03:20:58Z",
   "aliases": [],
   "summary": "OpenClaw: Telegram legacy allowFrom migration fans default-account trust into all named accounts",
-  "details": "## Summary\nTelegram legacy allowFrom migration fans default-account trust into all named accounts\n\n## Current Maintainer Triage\n- Normalized severity: low\n- Assessment: Shipped v2026.3.28 Telegram migration fans legacy default-account allowFrom trust into named accounts, which is an in-scope auth-boundary bug and low fits.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `d8c68c8d4265ea6fa5e8c5e056534c351bddef37` — 2026-03-31T12:51:38+01:00\n\nOpenClaw thanks @smaeljaish771 for reporting.",
+  "details": "## Summary\nTelegram legacy allowFrom migration fans default-account trust into all named accounts\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: low\n- Assessment: Shipped v2026.3.28 Telegram migration fans legacy default-account allowFrom trust into named accounts, which is an in-scope auth-boundary bug and low fits.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `d8c68c8d4265ea6fa5e8c5e056534c351bddef37` — 2026-03-31T12:51:38+01:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.31`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nThanks @smaeljaish771 for reporting.",
   "severity": [
     {
       "type": "CVSS_V4",

advisories/github-reviewed/2026/04/GHSA-hhq4-97c2-p447/GHSA-hhq4-97c2-p447.json

@@ -1,11 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-hhq4-97c2-p447",
-  "modified": "2026-04-02T20:59:11Z",
+  "modified": "2026-04-09T13:44:39Z",
   "published": "2026-04-02T20:59:11Z",
   "aliases": [],
   "summary": "OpenClaw: Zalo webhook replay cache cross-target messageId scope bypass",
-  "details": "## Summary\nZalo webhook replay cache cross-target messageId scope bypass\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: low\n- Assessment: v2026.3.28 replay dedupe is still keyed too broadly, but the issue should stay scoped to authenticated sibling-target delivery paths rather than arbitrary unauthenticated attackers.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `4d038bb242c11f39e45f6a4bde400e5fd42e4ebf` — 2026-03-31T19:33:57+09:00\n\nOpenClaw thanks @smaeljaish771 for reporting.",
+  "details": "## Summary\nZalo webhook replay cache cross-target messageId scope bypass\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: low\n- Assessment: v2026.3.28 replay dedupe is still keyed too broadly, but the issue should stay scoped to authenticated sibling-target delivery paths rather than arbitrary unauthenticated attackers.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `4d038bb242c11f39e45f6a4bde400e5fd42e4ebf` — 2026-03-31T19:33:57+09:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.31`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nThanks @smaeljaish771 for reporting.",
   "severity": [
     {
       "type": "CVSS_V4",