Publish Advisories

GHSA-3cvx-236h-m9fj
GHSA-f8mp-vj46-cq8v

Author: advisory-database[bot]

advisories/github-reviewed/2026/03/GHSA-3cvx-236h-m9fj/GHSA-3cvx-236h-m9fj.json

@@ -1,14 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3cvx-236h-m9fj",
-  "modified": "2026-03-19T22:28:21Z",
+  "modified": "2026-03-25T18:45:34Z",
   "published": "2026-03-03T21:49:18Z",
   "aliases": [
     "CVE-2026-32034"
   ],
   "summary": "OpenClaw has an opt-in insecure Control UI auth over plaintext HTTP could allow privileged access",
   "details": "## Description\n\nIn affected releases, when an operator explicitly enabled `gateway.controlUi.allowInsecureAuth: true` and exposed the gateway over plaintext HTTP, Control UI authentication could permit privileged operator access without the intended device identity + pairing guarantees.\n\nThis required an insecure deployment choice and credential exposure risk (for example, plaintext transit or prior token leak). It was fixed on `main` in commit `40a292619e1f2be3a3b1db663d7494c9c2dc0abf` ([PR #20684](https://github.com/openclaw/openclaw/pull/20684)).\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected published versions: `<= 2026.2.19-2`\n- Planned patched version: `2026.2.21`\n\n## Impact\n\nIn these explicitly insecure deployments, an attacker with leaked/intercepted credentials could obtain high-privilege Control UI access.\n\n## Fix Commit(s)\n\n- `40a292619e1f2be3a3b1db663d7494c9c2dc0abf` (merged 2026-02-20)\n\nOpenClaw thanks @Vasco0x4 for reporting.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
@@ -43,6 +47,10 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3cvx-236h-m9fj"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32034"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/pull/20684"
@@ -54,16 +62,21 @@
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-insecure-control-ui-authentication-over-plaintext-http"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-285",
-      "CWE-319"
+      "CWE-319",
+      "CWE-78"
     ],
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-03T21:49:18Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-19T22:16:39Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-f8mp-vj46-cq8v/GHSA-f8mp-vj46-cq8v.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-f8mp-vj46-cq8v",
-  "modified": "2026-03-19T22:27:42Z",
+  "modified": "2026-03-25T18:44:27Z",
   "published": "2026-03-03T19:52:45Z",
   "aliases": [
     "CVE-2026-32032"
@@ -11,7 +11,11 @@
   "severity": [
     {
       "type": "CVSS_V3",
-      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
@@ -40,23 +44,31 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f8mp-vj46-cq8v"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32032"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/25e89cc86338ef475d26be043aa541dfdb95e52a"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-shell-execution-via-unvalidated-shell-environment-variable"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-426",
       "CWE-78"
     ],
-    "severity": "MODERATE",
+    "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-03T19:52:45Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-19T22:16:38Z"
   }
 }