
Commit 4a0cfcd

1 parent 0eb1e39 commit 4a0cfcd

7 files changed

Lines changed: 28 additions & 14 deletions


advisories/github-reviewed/2026/03/GHSA-3pxq-f3cp-jmxp/GHSA-3pxq-f3cp-jmxp.json

Lines changed: 4 additions & 2 deletions
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-3pxq-f3cp-jmxp",
4-
"modified": "2026-03-03T21:20:01Z",
4+
"modified": "2026-03-18T01:31:51Z",
55
"published": "2026-03-03T21:20:01Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-22180"
8+
],
79
"summary": "OpenClaw: Unified root-bound write hardening for browser output and related path-boundary flows",
810
"details": "### Summary\nA path-confinement bypass in browser output handling allowed writes outside intended roots in `openclaw` versions up to and including `2026.3.1`.\n\nThe fix unifies root-bound, file-descriptor-verified write semantics and canonical path-boundary validation across browser output and related install/skills write paths.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version at triage time: `2026.3.1`\n- Affected range: `<= 2026.3.1`\n- Patched release: `2026.3.2` (released)\n\n### Fix Commit(s)\n- `104d32bb64cdf19d5e77f70553a511a2ae90ad1c`\n\n### Technical Notes\n- Browser output writes now use root-bound, fd/inode-verified commit flow.\n- Install + skills path checks now share canonical in-base validation to reduce drift and close equivalent escape surfaces.\n- Added regression coverage for symlink-rebind and root-bound source-path write behavior.",
911
"severity": [
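Review bot: the alias `CVE-2026-22180` and the `modified` bump are the only field changes in this hunk and they are consistent with the existing `published` value (`modified` now post-dates `published`, as it must once the record changes); the one follow-up I would ask for while this record is being touched is to drop the now-stale "Latest published npm version at triage time: `2026.3.1`" line in `details`, because the same section says `2026.3.2` is released and a reader skimming for the current version can pick up the wrong number.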

advisories/github-reviewed/2026/03/GHSA-62f6-mrcj-v8h5/GHSA-62f6-mrcj-v8h5.json

Lines changed: 4 additions & 2 deletions
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-62f6-mrcj-v8h5",
4-
"modified": "2026-03-03T22:12:21Z",
4+
"modified": "2026-03-18T01:33:52Z",
55
"published": "2026-03-03T22:12:20Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-27524"
8+
],
79
"summary": "OpenClaw's runtime /debug override path accepted prototype-reserved keys",
810
"details": "### Summary\nOpenClaw accepted prototype-reserved keys in runtime `/debug set` override object values (`__proto__`, `constructor`, `prototype`).\n\n### Impact\n`/debug` is disabled by default, and exploitation requires an already authorized `/debug set` caller. No unauthenticated vector was identified.\n\nThis issue affects runtime in-memory overrides only (non-persistent and cleared on restart/reset). Given the required prior authorization boundary, this is treated as defense-in-depth hardening for command flag evaluation.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published vulnerable version confirmed: `2026.2.19-2`\n- Vulnerable range: `<= 2026.2.19-2`\n- Patched in planned next release: `2026.2.21`\n\n### Technical Details\n- Runtime override merges now block reserved prototype keys during deep merge.\n- Runtime override writes now sanitize nested object values to remove reserved prototype keys before storing overrides.\n- Restricted command gates (`bash`, `config`, `debug`) now require own-property boolean flags, preventing inherited prototype values from enabling commands.\n\n### Fix Commit(s)\n- `fbb79d4013000552d6a2c23b9613d8b3cb92f6b6`\n\n### Release Process Note\n`patched_versions` is pre-set to `2026.2.21` so after the npm release is live, this advisory can be published immediately.\n\nOpenClaw thanks @tdjackey for reporting.",
911
"severity": [
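Review bot: `details` still says "Patched in planned next release: `2026.2.21`" and keeps the "Release Process Note" about pre-setting `patched_versions`, so a CVE alias (`CVE-2026-27524`) is being attached to a record whose own text never confirms that 2026.2.21 shipped. GHSA-p4wh-cr8m-gm6c in this same commit lists `>= 2026.2.22` as an affected range, so releases past 2026.2.21 exist and the wording is stale; add a "Publication Update" paragraph as GHSA-fqcm-97m6-w7rm and GHSA-m8v2-6wwh-r4gc do, rewrite the patched line to a plain `>= 2026.2.21`, and drop the pre-publication process note.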

advisories/github-reviewed/2026/03/GHSA-8mvx-p2r9-r375/GHSA-8mvx-p2r9-r375.json

Lines changed: 4 additions & 2 deletions
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-8mvx-p2r9-r375",
4-
"modified": "2026-03-03T21:19:47Z",
4+
"modified": "2026-03-18T01:32:16Z",
55
"published": "2026-03-03T21:19:47Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-22181"
8+
],
79
"summary": "OpenClaw's web tools strict URL guard could lose DNS pinning when env proxy is configured",
810
"details": "### Summary\n`openclaw` web tools strict URL fetch paths could lose DNS pinning when environment proxy variables are configured (`HTTP_PROXY`/`HTTPS_PROXY`/`ALL_PROXY`, including lowercase variants).\n\nIn affected builds, strict URL checks (for example `web_fetch` and citation redirect resolution) validated one destination during SSRF guard checks, but runtime connection routing could proceed through an env-proxy dispatcher.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Vulnerable version range: `<= 2026.3.1`\n- Latest published npm version at triage time (2026-03-02): `2026.3.1`\n- Patched versions: `>= 2026.3.2` (released)\n\n### Technical Details\nThe SSRF guard performed hostname resolution and policy checks, then selected a request dispatcher.\n\nWhen env proxy settings were present, strict web-tool flows could use `EnvHttpProxyAgent` instead of the DNS-pinned dispatcher. This created a destination-binding gap between check-time resolution and connect-time routing.\n\nThe fix keeps DNS pinning on strict/untrusted web-tool URL paths and limits env-proxy bypass behavior to trusted/operator-controlled endpoints via an explicit dangerous opt-in.\n\n### Impact\nIn deployments with env proxy variables configured, attacker-influenced URLs from web tools could be routed through proxy behavior instead of strict pinned-destination routing, which could allow access to internal/private targets reachable from that proxy environment.\n\n### Mitigations\nBefore upgrading, operators can reduce exposure by clearing proxy env vars for OpenClaw runtime processes or disabling `web_fetch` / `web_search` where untrusted URL input is possible.\n\n### Fix Commit(s)\n- `345abf0b2e0f43b0f229e96f252ebf56f1e5549e`",
911
"severity": [
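Review bot: the alias `CVE-2026-22181` lands cleanly and the `details` text is internally consistent (`<= 2026.3.1` affected, `>= 2026.3.2` released). One wording point in "Mitigations": it advises "clearing proxy env vars" generically, while the Summary explicitly calls out the lowercase variants of `HTTP_PROXY`/`HTTPS_PROXY`/`ALL_PROXY`; the mitigation line should name both cases, since an operator who clears only the uppercase ones leaves the `EnvHttpProxyAgent` path described in "Technical Details" reachable.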

advisories/github-reviewed/2026/03/GHSA-9p38-94jf-hgjj/GHSA-9p38-94jf-hgjj.json

Lines changed: 4 additions & 2 deletions
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-9p38-94jf-hgjj",
4-
"modified": "2026-03-03T21:41:12Z",
4+
"modified": "2026-03-18T01:31:29Z",
55
"published": "2026-03-03T21:41:12Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-22179"
8+
],
79
"summary": "OpenClaw has macOS `system.run` allowlist bypass via quoted command substitution",
810
"details": "### Summary\nIn OpenClaw's macOS node-host path, `system.run` allowlist parsing in `security=allowlist` mode failed to reject command substitution tokens when they appeared inside double-quoted shell text.\n\nBecause of that gap, payloads like `echo \"ok $(id)\"` could be treated as allowlist hits (first executable token `echo`) while still executing non-allowlisted subcommands through shell substitution.\n\n### Affected Packages / Versions\n- Package: npm `openclaw`\n- Latest published affected version: `2026.2.21-2`\n- Affected range: `<= 2026.2.21-2`\n- Patched version (planned next release): `2026.2.22`\n\nNotes:\n- Default installs are not affected (`security=deny` by default).\n- The issue requires opting into `security=allowlist` on the macOS node-host path.\n\n### Impact\nApproval/authorization bypass in allowlist mode that can lead to unintended command execution on the node host.\n\n### Preconditions\n- Target uses macOS node-host / companion-app execution path.\n- Exec approvals set to `security=allowlist`.\n- Ask mode is `on-miss` or `off`.\n- Allowlist contains a benign executable used in a shell wrapper flow (for example `/bin/echo`).\n\n### Reproduction (example)\nUse a shell-wrapper command where the visible executable is allowlisted but the quoted payload contains substitution:\n\n- command argv: `/bin/sh -lc 'echo \"ok $(/usr/bin/id > /tmp/openclaw-poc-rce)\"'`\n- allowlist pattern includes `/bin/echo`\n\nBefore the fix, allowlist analysis could resolve this as allowlisted while shell substitution still executed.\n\n### Remediation\n- Upgrade to `2026.2.22` (or newer) when released.\n- Temporary mitigation: set ask mode to `always` or set security mode to `deny`.\n\n### Fix Commit(s)\n- `90a378ca3a9ecbf1634cd247f17a35f4612c6ca6`\n\n### Release Process Note\n`patched_versions` is pre-set to planned next release `2026.2.22`. After npm release is out, advisory can be published directly.\n\nOpenClaw thanks @tdjackey for reporting.",
911
"severity": [
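Review bot: "Patched version (planned next release): `2026.2.22`", "Upgrade to `2026.2.22` (or newer) when released" and the "Release Process Note" are all stale at the point a CVE alias (`CVE-2026-22179`) is being attached: GHSA-p4wh-cr8m-gm6c in this same commit lists `>= 2026.2.22, <= 2026.2.22-2` as an affected range, so 2026.2.22 has shipped. Replace the three pre-release phrasings with a released `>= 2026.2.22` statement; a "Publication Update" paragraph, as in GHSA-fqcm-97m6-w7rm, would match the convention the other records in this commit use.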

advisories/github-reviewed/2026/03/GHSA-fqcm-97m6-w7rm/GHSA-fqcm-97m6-w7rm.json

Lines changed: 4 additions & 2 deletions
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-fqcm-97m6-w7rm",
4-
"modified": "2026-03-02T23:34:02Z",
4+
"modified": "2026-03-18T01:33:05Z",
55
"published": "2026-03-02T23:34:02Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-27522"
8+
],
79
"summary": "OpenClaw: Message action attachment hydration bypasses local media root checks when sandboxRoot is unset",
810
"details": "## Impact\n`sendAttachment` and `setGroupIcon` message actions could hydrate media from local absolute paths when `sandboxRoot` was unset, bypassing intended local media root checks. This could allow reads of arbitrary host files reachable by the runtime user when an authorized message-action path was triggered.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version at triage: `2026.2.23`\n- Vulnerable: `<= 2026.2.23`\n- Patched in code: `>= 2026.2.24` (planned next release)\n\n## Remediation\nUpgrade to `openclaw` `2026.2.24` or later once published.\n\n## Fix Commit(s)\n- 270ab03e379f9653e15f7033c9830399b66b7e51\n\n## Release Process Note\n`patched_versions` is pre-set to the planned next release (`>= 2026.2.24`). Once that npm release is published, this advisory can be published without further field edits.\n\nOpenClaw thanks @GCXWLP for reporting.\n\n\n### Publication Update (2026-02-25)\n`openclaw@2026.2.24` is published on npm and contains the fix commit(s) listed above. This advisory now marks `>= 2026.2.24` as patched.",
911
"severity": [
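Review bot: the "Publication Update (2026-02-25)" paragraph confirms `2026.2.24` shipped, but "Patched in code: `>= 2026.2.24` (planned next release)", "Upgrade ... once published" and the "Release Process Note" were left in place above it, so the record now states both the pre-release and the released status; fold the update into the Affected and Remediation sections and drop the process note. Style: the fix commit `270ab03e379f9653e15f7033c9830399b66b7e51` is the only one among the seven advisories in this commit not wrapped in backticks; format it like the others.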

advisories/github-reviewed/2026/03/GHSA-m8v2-6wwh-r4gc/GHSA-m8v2-6wwh-r4gc.json

Lines changed: 4 additions & 2 deletions
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-m8v2-6wwh-r4gc",
4-
"modified": "2026-03-03T23:10:01Z",
4+
"modified": "2026-03-18T01:33:29Z",
55
"published": "2026-03-03T23:10:01Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-27523"
8+
],
79
"summary": "OpenClaw's sandbox bind validation could bypass allowed-root and blocked-path checks via symlink-parent missing-leaf paths",
810
"details": "### Summary\nIn `openclaw` up to and including **2026.2.23** (latest npm release as of **February 24, 2026**), sandbox bind-source validation could be bypassed when a bind source used a symlinked parent plus a non-existent leaf path.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: `<= 2026.2.23`\n- Patched: `>= 2026.2.24` (planned next release)\n\n### Root Cause\n`validateBindMounts` previously relied on full-path realpath only when the full source path already existed. For missing-leaf paths, parent symlink traversal was not fully canonicalized before allowed-root and blocked-path checks.\n\n### Security Impact\nA source path that looked inside an allowed root could resolve outside that root (including blocked runtime paths) once the missing leaf was created, weakening sandbox bind-source boundary enforcement.\n\n### Fix\nThe validation path now canonicalizes through the nearest existing ancestor, then always re-checks the canonical path against both:\n- allowed source roots\n- blocked runtime paths\n\n### Verification\n- `pnpm check`\n- `pnpm exec vitest run --config vitest.gateway.config.ts`\n- `pnpm test:fast`\n- Added regression tests for symlink-parent + missing-leaf bypass patterns.\n\n### Fix Commit(s)\n- `b5787e4abba0dcc6baf09051099f6773c1679ec1`\n\n### Release Process Note\n`patched_versions` is pre-set to the planned next release (`2026.2.24`) so after npm publish the advisory can be published without further field edits.\n\nOpenClaw thanks @tdjackey for reporting.\n\n\n### Publication Update (2026-02-25)\n`openclaw@2026.2.24` is published on npm and contains the fix commit(s) listed above. This advisory now marks `>= 2026.2.24` as patched.",
911
"severity": [
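Review bot: same contradiction as GHSA-fqcm-97m6-w7rm: "Patched: `>= 2026.2.24` (planned next release)" and the "Release Process Note" survive next to a "Publication Update" that says 2026.2.24 is published; fold the update in and remove the process note. On the technical text, "Root Cause" says realpath was applied only when the full source path already existed and "Fix" says validation now canonicalizes "through the nearest existing ancestor"; the Fix paragraph should state explicitly what happens when that nearest existing ancestor canonicalizes outside every allowed root, since that is the exact case the bypass exploited and the current wording leaves its outcome implicit.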

advisories/github-reviewed/2026/03/GHSA-p4wh-cr8m-gm6c/GHSA-p4wh-cr8m-gm6c.json

Lines changed: 4 additions & 2 deletions
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-p4wh-cr8m-gm6c",
4-
"modified": "2026-03-03T21:36:16Z",
4+
"modified": "2026-03-18T01:32:40Z",
55
"published": "2026-03-03T21:36:16Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-22217"
8+
],
79
"summary": "OpenClaw: shell-env trusted-prefix fallback allowed attacker-controlled binary execution via $SHELL",
810
"details": "### Summary\n`shell-env` fallback trusted prefix-based executable paths for `$SHELL`, allowing execution of attacker-controlled binaries in local/runtime-env influence scenarios.\n\n### Details\nIn affected versions, shell selection accepted either:\n1. a shell listed in `/etc/shells`, or\n2. any executable under hardcoded trusted prefixes (`/bin`, `/usr/bin`, `/usr/local/bin`, `/opt/homebrew/bin`, `/run/current-system/sw/bin`).\n\nThe selected shell was then executed as a login shell (`-l -c 'env -0'`) for PATH/environment probing.\n\nOn systems where a trusted-prefix directory is writable (for example common Homebrew layouts under `/opt/homebrew/bin`) and runtime `$SHELL` can be influenced, this enabled attacker-controlled binary execution in OpenClaw process context.\n\nThe fix removes the trusted-prefix executable fallback and now trusts only shells explicitly registered in `/etc/shells`; otherwise it falls back to `/bin/sh`.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected versions: `>= 2026.2.22, <= 2026.2.22-2`\n- Latest published vulnerable version: `2026.2.22-2`\n- Patched versions (released): `>= 2026.2.23`\n\n### Fix Commit(s)\n- `ff10fe8b91670044a6bb0cd85deb736a0ec8fb55`\n\n### Release Process Note\nThis advisory sets `patched_versions` to the released version (`2026.2.23`).\nThis advisory now reflects released fix version `2026.2.23`.\n\nOpenClaw thanks @tdjackey for reporting.",
911
"severity": [
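Review bot: the "Release Process Note" carries two sentences saying the same thing ("sets `patched_versions` to the released version (`2026.2.23`)" and "now reflects released fix version `2026.2.23`"); keep one. A caveat worth adding to "Details": the fix "trusts only shells explicitly registered in `/etc/shells`", while the same section notes that `/opt/homebrew/bin` is commonly writable; an `/etc/shells` entry that points into such a directory is still subject to the writable-prefix concern the advisory describes, so the text should say whether registered shells are further checked (ownership or permissions) or whether operators on Homebrew hosts should audit `/etc/shells` themselves.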
