Commit 0eb1e39

1 parent 9547385 commit 0eb1e39

4 files changed

Lines changed: 16 additions & 8 deletions

advisories/github-reviewed/2026/03/GHSA-8fmp-37rc-p5g7/GHSA-8fmp-37rc-p5g7.json

Lines changed: 4 additions & 2 deletions
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-8fmp-37rc-p5g7",
4-
"modified": "2026-03-03T19:53:02Z",
4+
"modified": "2026-03-18T01:30:34Z",
55
"published": "2026-03-03T19:53:02Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-22177"
8+
],
79
"summary": "OpenClaw's config env vars allowed startup env injection into service runtime",
810
"details": "### Summary\nOpenClaw allowed dangerous process-control environment variables from `env.vars` (for example `NODE_OPTIONS`, `LD_*`, `DYLD_*`) to flow into gateway service runtime environments, enabling startup-time code execution in the OpenClaw process context.\n\n### Details\n`collectConfigEnvVars()` accepted unfiltered keys from config and those values were merged into the daemon install environment in `buildGatewayInstallPlan()`. Before the fix, startup-control variables were not blocked in this path.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published affected version: `2026.2.19-2` (published February 19, 2026)\n- Affected range (structured): `<=2026.2.19-2 || =2026.2.19`\n- Patched version (pre-set for next release): `>= 2026.2.21`\n\n### Fix Commit(s)\n- `2cdbadee1f8fcaa93302d7debbfc529e19868ea4`\n\n### Release Process Note\n`patched_versions` is pre-set to the planned next release (`2026.2.21`). Once that npm release is published, this advisory is ready to publish without further content edits.\n\nOpenClaw thanks @tdjackey for reporting.",
911
"severity": [
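Review bot: the `details` string in this hunk still carries the pre-publication "Release Process Note" ("`patched_versions` is pre-set to the planned next release (`2026.2.21`). Once that npm release is published, this advisory is ready to publish without further content edits."), which is internal workflow text rather than advisory content; since the record is already being rewritten to add the `CVE-2026-22177` alias and bump `modified`, drop that section in the same change. The version bullets also deserve a second look: "Affected range (structured): `<=2026.2.19-2 || =2026.2.19`" together with "Patched version (pre-set for next release): `>= 2026.2.21`" leaves 2026.2.20 covered by neither statement, so either say that no 2026.2.20 release exists or extend the affected range up to the patched bound.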

advisories/github-reviewed/2026/03/GHSA-c6hr-w26q-c636/GHSA-c6hr-w26q-c636.json

Lines changed: 4 additions & 2 deletions
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-c6hr-w26q-c636",
4-
"modified": "2026-03-02T22:17:30Z",
4+
"modified": "2026-03-18T01:30:54Z",
55
"published": "2026-03-02T22:17:30Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-22178"
8+
],
79
"summary": "OpenClaw has ReDoS and regex injection via unescaped Feishu mention metadata in RegExp construction",
810
"details": "## Summary\n\n`extensions/feishu/src/bot.ts` constructed `new RegExp()` directly from Feishu mention metadata (`mention.name`, `mention.key`) in `stripBotMention()` without escaping regex metacharacters.\n\n## Affected Packages / Versions\n\n- Package: npm `openclaw`\n- Affected versions: `<= 2026.2.17`\n- First affected release: `2026.2.6`\n- Patched version: `2026.2.19`\n\n## Impact\n\n- ReDoS: crafted nested-quantifier patterns in mention metadata can trigger catastrophic backtracking and block message processing.\n- Regex injection: metacharacters in mention metadata can remove unintended message content before it is sent to the model.\n\n## Fix Commit(s)\n\n- `7e67ab75cc2f0e93569d12fecd1411c2961fcc8c`\n- `74268489137510b6f6349919d1e197b17290d92c`\n\nThanks @allsmog for reporting.",
911
"severity": [
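Review bot: the `details` text here uses `##` headings while the other three advisories touched by this commit use `###`; as the record is being rewritten anyway to add the `CVE-2026-22178` alias, align the heading level. The affected range is also split across two bullets ("Affected versions: `<= 2026.2.17`" and "First affected release: `2026.2.6`"); collapsing them into one bounded statement (`>= 2026.2.6, <= 2026.2.17`) makes the prose match how the patched bound "Patched version: `2026.2.19`" is already stated and removes any doubt about whether releases before 2026.2.6 are in scope.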

advisories/github-reviewed/2026/03/GHSA-gwqp-86q6-w47g/GHSA-gwqp-86q6-w47g.json

Lines changed: 4 additions & 2 deletions
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-gwqp-86q6-w47g",
4-
"modified": "2026-03-02T22:30:43Z",
4+
"modified": "2026-03-18T01:30:11Z",
55
"published": "2026-03-02T22:30:43Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-22175"
8+
],
79
"summary": "OpenClaw's exec allow-always can be bypassed via unrecognized multiplexer shell wrappers (busybox/toybox sh -c)",
810
"details": "### Summary\nOpenClaw exec approvals could be bypassed in `allowlist` mode when `allow-always` was granted through unrecognized multiplexer shell wrappers (notably `busybox sh -c` and `toybox sh -c`).\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: `<= 2026.2.22-2`\n- Latest published vulnerable version at triage time: `2026.2.22-2` (checked on February 24, 2026)\n- Fixed on `main`: yes\n- Patched release: `2026.2.23`\n\n### Details\nWrapper analysis treated `busybox`/`toybox` invocations as non-wrapper commands in this path, so `allow-always` persisted the wrapper binary path instead of the inner executable. That allowed later arbitrary payloads under the same multiplexer wrapper to satisfy the stored allowlist rule.\n\nThe fix hardens wrapper detection and persistence behavior for these multiplexer shell applets so approvals bind to intended inner executables and fail closed when unwrap safety is uncertain.\n\n### Fix Commit(s)\n- `a67689a7e3ad494b6637c76235a664322d526f9e`\n\n### Release Process Note\n`patched_versions` is pre-set to the released version (`2026.2.23`). This advisory now reflects released fix version `2026.2.23`.\n\nOpenClaw thanks @jiseoung for reporting.",
911
"severity": [
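Review bot: the "Release Process Note" section in this `details` string is redundant with itself and with the bullet above it ("`patched_versions` is pre-set to the released version (`2026.2.23`). This advisory now reflects released fix version `2026.2.23`." repeats "Patched release: `2026.2.23`"); drop the section. The triage-state bullets "Fixed on `main`: yes" and "Latest published vulnerable version at triage time: `2026.2.22-2` (checked on February 24, 2026)" describe the maintainers' workflow rather than the vulnerability and can go with it, leaving "Affected: `<= 2026.2.22-2`" and the patched release as the two version statements. Adding the `CVE-2026-22175` alias, which already bumps `modified`, is the natural place for that cleanup.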

advisories/github-reviewed/2026/03/GHSA-v3j7-34xh-6g3w/GHSA-v3j7-34xh-6g3w.json

Lines changed: 4 additions & 2 deletions
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-v3j7-34xh-6g3w",
4-
"modified": "2026-03-03T21:50:34Z",
4+
"modified": "2026-03-18T01:29:44Z",
55
"published": "2026-03-03T21:50:34Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-22174"
8+
],
79
"summary": "OpenClaw Loopback CDP probe can leak Gateway token to local listener",
810
"details": "### Summary\nA local process can capture the OpenClaw Gateway auth token from Chrome CDP probe traffic on loopback.\n\n### Details\nAffected versions inject `x-openclaw-relay-token` for loopback CDP URLs, and CDP reachability probes send that header to `/json/version`.\nIf an attacker controls the probed loopback port, they can read that token and reuse it as Gateway bearer auth.\n\nRelevant code paths (pre-fix):\n- `src/browser/extension-relay.ts` (`getChromeExtensionRelayAuthHeaders`)\n- `src/browser/cdp.helpers.ts` (`getHeadersWithAuth`)\n- `src/browser/chrome.ts` (`fetchChromeVersion`)\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published (at triage): `2026.2.21-2`\n- Vulnerable: `<= 2026.2.21-2`\n- Patched: >= 2026.2.22\n\n### Deployment Model Applicability\nThis does **not** change OpenClaw’s documented security model for standard single-owner installs (you own the machine/VPS and trust local processes under that OS account boundary).\nRisk is for **non-standard shared-user/shared-host installs** where an untrusted local user/process can race/bind the loopback relay port.\n\n### Impact\n- Local credential disclosure.\n- Follow-on impact depends on local deployment and enabled Gateway capabilities.\n\n### Fix Commit(s)\n- `afa22acc4a09fdf32be8a167ae216bee85c30dad`\n\n### Release Process Note\nPatched version is set to >= 2026.2.22 for the published release.\n\nOpenClaw thanks @tdjackey for reporting.",
911
"severity": [
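Review bot: the "Release Process Note" ("Patched version is set to >= 2026.2.22 for the published release.") restates the "Patched: >= 2026.2.22" bullet and should be removed now that the `CVE-2026-22174` alias is being added and `modified` bumped; while there, put the patched bound in backticks (`>= 2026.2.22`) to match the "Vulnerable: `<= 2026.2.21-2`" bullet and the other advisories in this commit, and drop the triage-only bullet "Latest published (at triage): `2026.2.21-2`". The "Deployment Model Applicability" section should stay as written: it scopes the loopback token disclosure to shared-host installs where an untrusted local process can bind the relay port, which is the caveat a reader deciding whether to act on this advisory needs.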
