Publish Advisories

GHSA-7jx5-9fjg-hp4m
GHSA-25pw-4h6w-qwvm
GHSA-3x3x-h76w-hp98
GHSA-5mx2-2mgw-x8rm
GHSA-7f4q-9rqh-x36p
GHSA-ccg8-46r6-9qgj
GHSA-h9xm-j4qg-fvpg
GHSA-rm2p-j3r7-4x4j

Author: advisory-database[bot]

advisories/github-reviewed/2026/02/GHSA-7jx5-9fjg-hp4m/GHSA-7jx5-9fjg-hp4m.json

@@ -1,15 +1,21 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7jx5-9fjg-hp4m",
-  "modified": "2026-02-27T22:08:36Z",
+  "modified": "2026-03-30T13:44:47Z",
   "published": "2026-02-27T22:08:36Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-32898"
+  ],
   "summary": "OpenClaw ACP client has permission auto-approval bypass via untrusted tool metadata",
   "details": "## Vulnerability Summary\n\nThe OpenClaw ACP client could auto-approve tool calls based on untrusted metadata and permissive name heuristics. A malicious or compromised ACP tool invocation could bypass expected interactive approval prompts for read-class operations.\n\n## Affected Packages / Versions\n\n- Package: npm `openclaw`\n- Affected published versions: `<= 2026.2.22-2` (latest published as of February 24, 2026 is `2026.2.22-2`)\n- Patched in code on `main`: `2026.2.23` (released)\n\n## Technical Details\n\n- Permission classification trusted incoming `toolCall.kind` and heuristic name matching.\n- Non-core read-like names and spoofed kind metadata could reach auto-approve paths.\n- `read` operations were not scoped strongly enough to cwd in all metadata/title forms.\n\n## Fix\n\n- Require trusted core tool IDs for auto-approval and ignore untrusted `toolCall.kind` as an authorization source.\n- Scope `read` auto-approval to cwd-resolved paths.\n- Add stricter tool-name validation and regression coverage for spoofed kind and non-core read-like names.\n\n## Affected Functions\n\n- `resolvePermissionRequest`\n- `resolveToolNameForPermission`\n- `shouldAutoApproveToolCall`\n\n## Fix Commit(s)\n\n- `12cc754332f9a7c92e158ce7644aa22df79c0904`\n- `63dcd28ae0be2de1c75af09cc81841cebeec068f`\n\nFound using [MCPwner](https://github.com/Pigyon/MCPwner)\n\n\nThanks @nedlir for reporting.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"
+    },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
@@ -41,6 +47,10 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7jx5-9fjg-hp4m"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32898"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/12cc754332f9a7c92e158ce7644aa22df79c0904"
@@ -56,6 +66,10 @@
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.23"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-acp-permission-auto-approval-bypass-via-untrusted-tool-metadata"
     }
   ],
   "database_specific": {

advisories/github-reviewed/2026/03/GHSA-25pw-4h6w-qwvm/GHSA-25pw-4h6w-qwvm.json

@@ -1,14 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-25pw-4h6w-qwvm",
-  "modified": "2026-03-19T22:18:38Z",
+  "modified": "2026-03-30T13:47:34Z",
   "published": "2026-03-03T22:54:46Z",
   "aliases": [
     "CVE-2026-32006"
   ],
   "summary": "OpenClaw has a BlueBubbles group allowlist mismatch via DM pairing-store fallback",
   "details": "### Summary\nIn `openclaw@2026.2.25`, BlueBubbles group authorization could incorrectly treat DM pairing-store identities as group allowlist identities when `dmPolicy=pairing` and `groupPolicy=allowlist`.\n\nA sender that was only DM-paired (not explicitly present in `groupAllowFrom`) could pass group sender checks for message and reaction ingress.\n\nPer OpenClaw's `SECURITY.md` trust model, this is a constrained authorization-consistency issue, not a multi-tenant boundary bypass or host-privilege escalation.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version at triage time: `2026.2.25`\n- Affected versions: `<= 2026.2.25`\n- Patched versions: `>= 2026.2.26` (planned next release)\n\n### Technical Details\nRoot cause was DM/group allowlist composition where DM pairing-store identities could flow into group authorization decisions.\n\nFix approach:\n- centralize DM/group authorization composition via shared resolvers\n- remove local DM/group list recomposition at channel callsites\n- add cross-channel regression coverage for message + reaction ingress\n- add CI guard to block future pairing-store leakage into group auth composition\n\n### Impact\n- Affects deployments using BlueBubbles with `groupPolicy=allowlist` and `dmPolicy=pairing` when pairing-store entries are present.\n- Could allow DM-authorized identities to be treated as group-authorized without explicit `groupAllowFrom` membership.\n- Does **not** bypass gateway auth, sandbox boundaries, or create new host-level privilege beyond existing DM authorization.\n\n### Fix Commit(s)\n- `051fdcc428129446e7c084260f837b7284279ce9`\n\n### Release Process Note\n`patched_versions` is pre-set to the planned next release (`2026.2.26`) so once npm `2026.2.26` is published, this advisory can be published without further content edits.\n\nOpenClaw thanks @tdjackey for reporting.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
@@ -43,13 +47,25 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-25pw-4h6w-qwvm"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32006"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/051fdcc428129446e7c084260f837b7284279ce9"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/1aadf26f9acc399affabd859937a09468a9c5cb4"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-dm-pairing-store-fallback-in-group-allowlist"
     }
   ],
   "database_specific": {
@@ -59,6 +75,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-03T22:54:46Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-19T22:16:33Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-3x3x-h76w-hp98/GHSA-3x3x-h76w-hp98.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3x3x-h76w-hp98",
-  "modified": "2026-03-20T21:13:24Z",
+  "modified": "2026-03-30T13:47:25Z",
   "published": "2026-03-03T21:48:29Z",
   "aliases": [
     "CVE-2026-32017"
@@ -11,11 +11,11 @@
   "severity": [
     {
       "type": "CVSS_V3",
-      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L"
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"
     },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [

advisories/github-reviewed/2026/03/GHSA-5mx2-2mgw-x8rm/GHSA-5mx2-2mgw-x8rm.json

@@ -1,22 +1,28 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5mx2-2mgw-x8rm",
-  "modified": "2026-03-03T21:35:56Z",
+  "modified": "2026-03-30T13:45:44Z",
   "published": "2026-03-03T21:35:56Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-32896"
+  ],
   "summary": "OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback)",
   "details": "### Summary\nBlueBubbles webhook auth in the optional beta iMessage plugin allowed a passwordless fallback path. In some reverse-proxy/local routing setups, this could allow unauthenticated webhook events.\n\n### Affected Component and Scope\n- Component: `extensions/bluebubbles` webhook handler\n- Scope: only deployments using the optional BlueBubbles plugin where webhook password auth was not configured for incoming webhook events\n\n### Affected Packages / Versions\n- Package: `openclaw/openclaw` (npm)\n- Latest published npm version at triage time (2026-02-21): `2026.2.19-2`\n- Affected structured range: `<=2026.2.19-2`\n- Fixed on `main`; planned patched release: `2026.2.21` (`>=2026.2.21`)\n\n### Details\nThe vulnerable implementation had multiple auth branches, including a passwordless fallback with loopback/proxy heuristics.\n\nThe fix now uses one authentication codepath:\n- inbound webhook token/guid must match `channels.bluebubbles.password`\n- webhook target matching is consolidated to shared plugin-sdk logic\n- BlueBubbles config validation now requires `password` when `serverUrl` is set\n\n### Impact\nBlueBubbles is an optional beta iMessage plugin, and onboarding/channel-add flows already require a password. Practical exposure is mainly custom/manual configurations that omitted webhook password authentication.\n\n### Remediation\n- Upgrade to a release that includes this patch (`>=2026.2.21`, planned).\n- Ensure BlueBubbles webhook delivery includes a matching password (`?password=<password>` or `x-password`).\n\n### Fix Commit(s)\n- `6b2f2811dc623e5faaf2f76afaa9279637174590`\n- `283029bdea23164ab7482b320cb420d1b90df806`\n\n### Release Process Note\n`patched_versions` is pre-set to the planned next release (`2026.2.21`) so once npm release is out, advisory publish can proceed without additional ticket edits.\n\nOpenClaw thanks @zpbrent for reporting.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
+    },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
     {
       "package": {
         "ecosystem": "npm",
-        "name": "openclaw/openclaw"
+        "name": "openclaw"
       },
       "ranges": [
         {
@@ -38,6 +44,10 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5mx2-2mgw-x8rm"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32896"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/283029bdea23164ab7482b320cb420d1b90df806"
@@ -49,6 +59,10 @@
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-unauthenticated-webhook-access-via-passwordless-fallback-in-bluebubbles-plugin"
     }
   ],
   "database_specific": {

advisories/github-reviewed/2026/03/GHSA-7f4q-9rqh-x36p/GHSA-7f4q-9rqh-x36p.json

@@ -1,14 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7f4q-9rqh-x36p",
-  "modified": "2026-03-19T22:21:47Z",
+  "modified": "2026-03-30T13:46:20Z",
   "published": "2026-03-03T00:41:20Z",
   "aliases": [
     "CVE-2026-32016"
   ],
   "summary": "OpenClaw: macOS optional allowlist basename matching could bypass path-based policy",
   "details": "### Summary\nOn macOS node-host, optional exec-approval allowlist mode previously treated basename-only entries (for example `echo`) as trusted command matches.\nThis could allow a same-name local binary (for example `./echo`) to run without approval under `security=allowlist` + `ask=on-miss`.\n\n### Scope / Preconditions\n- macOS node-host path.\n- Optional exec approvals feature enabled with `security=allowlist`.\n- Basename-only allowlist entries configured.\n\nDefault install posture is not impacted: `security=deny` by default.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version at triage time: `2026.2.21-2`\n- Vulnerable range: `<=2026.2.21-2`\n- Planned patched version (next release): `>= 2026.2.22`\n\n### Remediation\n- Enforced path-only allowlist matching on macOS node-host (basename fallback removed).\n- Added migration for legacy basename allowlist entries to last-resolved paths when available.\n- UI/store validation now rejects non-path allowlist patterns.\n\n### Fix Commit(s)\n- dd41fadcaf58fd9deb963d6e163c56161e7b35dd\n\n### Release Process Note\nPatched version is pre-set for the planned next release (`2026.2.22`). Once that npm release is out, advisory can be published without further field edits.\n\nOpenClaw thanks @tdjackey for reporting.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
@@ -40,22 +44,31 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7f4q-9rqh-x36p"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32016"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/dd41fadcaf58fd9deb963d6e163c56161e7b35dd"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-path-traversal-via-basename-only-allowlist-matching-on-macos"
     }
   ],
   "database_specific": {
     "cwe_ids": [
+      "CWE-426",
       "CWE-863"
     ],
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-03T00:41:20Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-19T22:16:35Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-ccg8-46r6-9qgj/GHSA-ccg8-46r6-9qgj.json

@@ -1,14 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-ccg8-46r6-9qgj",
-  "modified": "2026-03-19T22:24:52Z",
+  "modified": "2026-03-30T13:46:28Z",
   "published": "2026-03-03T19:16:48Z",
   "aliases": [
     "CVE-2026-32023"
   ],
   "summary": "OpenClaw's dispatch-wrapper depth-cap mismatch can bypass shell-wrapper approval gating in system.run allowlist mode",
   "details": "### Summary\nA wrapper-depth parsing mismatch in `system.run` allowed nested transparent dispatch wrappers (for example repeated `/usr/bin/env`) to suppress shell-wrapper detection while still matching allowlist resolution. In `security=allowlist` + `ask=on-miss`, this could bypass the expected approval prompt for shell execution.\n\n### Severity / Trust Model\nOpenClaw’s documented model treats authenticated gateway callers as trusted operators and exec approvals as operator guardrails. This issue is still a real approval-boundary bypass and is triaged as **Medium** in that model.\n\n### Technical Details\n- Dispatch-wrapper unwrapping stopped at `MAX_DISPATCH_WRAPPER_DEPTH`.\n- Shell-wrapper extraction could return non-wrapper once depth was exhausted.\n- Allowlist resolution could still succeed on partially unwrapped argv beginning with `/usr/bin/env`.\n- Result: nested wrapper chains could execute `/bin/sh -c ...` without fresh approval in `allowlist` + `ask=on-miss`.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published version at triage time: `2026.2.23`\n- Vulnerable versions: `<= 2026.2.23`\n- Patched versions (planned next release): `>= 2026.2.24`\n\n### Fix Commit(s)\n- `57c9a18180c8b14885bbd95474cbb17ff2d03f0b`\n\n### Verification\n- Added regression coverage for depth-overflow wrapper chains at resolution and `system.run` invocation layers.\n- Reproduced previous PoC behavior before fix, then confirmed denial after fix with `SYSTEM_RUN_DENIED: approval required`.\n\n### Release Process Note\n`patched_versions` is pre-set to the planned next release (`2026.2.24`) so once npm publish is complete, advisory publication can proceed without additional version edits.\n\nOpenClaw thanks @tdjackey for reporting.\n\n\n### Publication Update (2026-02-25)\n`openclaw@2026.2.24` is published on npm and contains the fix commit(s) listed above. This advisory now marks `>= 2026.2.24` as patched.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
@@ -43,13 +47,21 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-ccg8-46r6-9qgj"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32023"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/57c9a18180c8b14885bbd95474cbb17ff2d03f0b"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-approval-gating-bypass-via-dispatch-wrapper-depth-cap-mismatch-in-system-run"
     }
   ],
   "database_specific": {
@@ -60,6 +72,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-03T19:16:48Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-19T22:16:36Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-h9xm-j4qg-fvpg/GHSA-h9xm-j4qg-fvpg.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-h9xm-j4qg-fvpg",
-  "modified": "2026-03-19T22:18:59Z",
+  "modified": "2026-03-30T13:46:57Z",
   "published": "2026-03-03T21:37:11Z",
   "aliases": [
     "CVE-2026-32007"
@@ -12,6 +12,10 @@
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
@@ -40,23 +44,32 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h9xm-j4qg-fvpg"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32007"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/6634030be31e1a1842967df046c2f2e47490e6bf"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-sandbox-bypass-in-apply-patch-tool-via-workspace-only-check-bypass"
     }
   ],
   "database_specific": {
     "cwe_ids": [
+      "CWE-22",
       "CWE-284",
       "CWE-863"
     ],
-    "severity": "MODERATE",
+    "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-03T21:37:11Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-19T22:16:33Z"
   }
 }