Publish Advisories

GHSA-2fgq-7j6h-9rm4
GHSA-2ww6-868g-2c56
GHSA-vpj2-69hf-rppw
GHSA-wpph-cjgr-7c39

Author: advisory-database[bot]

advisories/github-reviewed/2026/03/GHSA-2fgq-7j6h-9rm4/GHSA-2fgq-7j6h-9rm4.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2fgq-7j6h-9rm4",
-  "modified": "2026-03-19T22:17:15Z",
+  "modified": "2026-03-30T13:19:17Z",
   "published": "2026-03-03T00:40:56Z",
   "aliases": [
     "CVE-2026-32003"
@@ -12,6 +12,10 @@
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
@@ -40,23 +44,31 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2fgq-7j6h-9rm4"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32003"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/e80c803fa887f9699ad87a9e906ab5c1ff85bd9a"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-remote-code-execution-via-shellopts-ps4-environment-injection-in-system-run"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-15",
       "CWE-78"
     ],
-    "severity": "MODERATE",
+    "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-03T00:40:56Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-19T22:16:32Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-2ww6-868g-2c56/GHSA-2ww6-868g-2c56.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2ww6-868g-2c56",
-  "modified": "2026-03-20T21:14:26Z",
+  "modified": "2026-03-30T13:17:36Z",
   "published": "2026-03-03T18:30:39Z",
   "aliases": [
     "CVE-2026-32040"
@@ -15,7 +15,7 @@
     },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
     }
   ],
   "affected": [
@@ -69,7 +69,7 @@
     "cwe_ids": [
       "CWE-79"
     ],
-    "severity": "MODERATE",
+    "severity": "LOW",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-03T18:30:39Z",
     "nvd_published_at": "2026-03-19T22:16:40Z"

advisories/github-reviewed/2026/03/GHSA-vpj2-69hf-rppw/GHSA-vpj2-69hf-rppw.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vpj2-69hf-rppw",
-  "modified": "2026-03-20T21:14:11Z",
+  "modified": "2026-03-30T13:17:04Z",
   "published": "2026-03-02T21:49:14Z",
   "aliases": [
     "CVE-2026-32041"
@@ -15,7 +15,7 @@
     },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
+      "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
@@ -61,7 +61,7 @@
     "cwe_ids": [
       "CWE-306"
     ],
-    "severity": "MODERATE",
+    "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-02T21:49:14Z",
     "nvd_published_at": "2026-03-19T22:16:40Z"

advisories/github-reviewed/2026/03/GHSA-wpph-cjgr-7c39/GHSA-wpph-cjgr-7c39.json

@@ -1,17 +1,21 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-wpph-cjgr-7c39",
-  "modified": "2026-03-19T22:29:51Z",
+  "modified": "2026-03-30T13:18:04Z",
   "published": "2026-03-03T23:12:21Z",
   "aliases": [
     "CVE-2026-32039"
   ],
   "summary": "OpenClaw's typed sender-key matching for toolsBySender prevents identity-collision policy bypass",
   "details": "### Summary\n`channels.*.groups.*.toolsBySender` could match a privileged sender policy using a colliding mutable identity value (for example `senderName` or `senderUsername`) when deployments used untyped keys.\n\nThe fix introduces explicit typed sender keys (`id:`, `e164:`, `username:`, `name:`), keeps legacy untyped keys on a deprecated ID-only path, and adds regression coverage to prevent cross-identifier collisions.\n\n### Affected Packages / Versions\n- Package: npm `openclaw`\n- Affected versions: `<= 2026.2.21-2`\n- Latest published npm version at triage time (February 22, 2026): `2026.2.21-2`\n- Patched version (planned next release): `2026.2.22`\n\n### Impact\nThis is a sender-authorization bypass in group tool policy matching for deployments that use `toolsBySender` with untyped keys. Under those conditions, an attacker could inherit stronger tool permissions intended for another sender if they can force an identifier collision.\n\n### Fix Commit(s)\n- `5547a2275cb69413af3b62c795b93214fe913b57`\n\n### Release Process Note\n`patched_versions` is pre-set to the planned next release (`2026.2.22`). Once that npm release is published, this advisory should only need publishing.\n\nOpenClaw thanks @jiseoung for reporting.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N"
+    },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
@@ -40,22 +44,31 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-wpph-cjgr-7c39"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32039"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/5547a2275cb69413af3b62c795b93214fe913b57"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-sender-authorization-bypass-via-identity-collision-in-toolsbysender"
     }
   ],
   "database_specific": {
     "cwe_ids": [
+      "CWE-639",
       "CWE-863"
     ],
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-03T23:12:21Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-19T22:16:40Z"
   }
 }