Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit c9cc512ba450 · 2026-03-26T19:51:19.000Z
GHSA-4qwc-c7g9-4xcw GHSA-g9ww-x58f-9g6m GHSA-rm59-992w-x2mv GHSA-rvqr-hrcc-j9vv
diff --git a/advisories/github-reviewed/2026/03/GHSA-4qwc-c7g9-4xcw/GHSA-4qwc-c7g9-4xcw.json b/advisories/github-reviewed/2026/03/GHSA-4qwc-c7g9-4xcw/GHSA-4qwc-c7g9-4xcw.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4qwc-c7g9-4xcw",
+  "modified": "2026-03-26T19:50:06Z",
+  "published": "2026-03-26T19:50:06Z",
+  "aliases": [],
+  "summary": "OpenClaw: Remote media error responses could trigger unbounded memory allocation before failure",
+  "details": "## Summary\nRemote media HTTP error bodies were read without a hard size cap before failure handling, allowing unbounded allocation on error responses.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: < 2026.3.22\n- Fixed: >= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `81445a901091a5d27ef0b56fceedbe4724566438`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- src/media/fetch.ts now routes non-2xx failures through bounded prefix reads instead of buffering the whole error body.\n- src/media/read-response-with-limit.ts enforces capped reads and truncates oversized snippets before surfacing failure text.\n\nOpenClaw thanks @YLChen-007 for reporting.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.3.22"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4qwc-c7g9-4xcw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/81445a901091a5d27ef0b56fceedbe4724566438"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-400",
+      "CWE-770"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-26T19:50:06Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-g9ww-x58f-9g6m/GHSA-g9ww-x58f-9g6m.json b/advisories/github-reviewed/2026/03/GHSA-g9ww-x58f-9g6m/GHSA-g9ww-x58f-9g6m.json
@@ -0,0 +1,63 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-g9ww-x58f-9g6m",
+  "modified": "2026-03-26T19:49:27Z",
+  "published": "2026-03-26T19:49:27Z",
+  "aliases": [],
+  "summary": "Contrast BadAML injection allows arbitrary code execution",
+  "details": "# BadAML\n\nBadAML is an AML injection attack that exploits the ACPI interface and allows arbitrary code execution in a confidential VM. The attack was first published in 2024:\n\n- <https://blackhat.com/eu-24/briefings/schedule/#aml-injection-attacks-on-confidential-vms-42723>\n- <https://dl.acm.org/doi/pdf/10.1145/3719027.3765123>\n\n## Impact\n\nAn attacker with control over the host (which is assumed in the attacker model of Contrast) can execute malicious AML code to gain arbitrary code execution within the confidential guest.\n\nAML is byte code embedded in ACPI tables that are passed from the host (QEMU) to the guest firmware (OVMF), and then passed from OVMF to the Linux kernel. The Linux kernel has an interpreter that executes the AML code. An attacker can craft a table with malicious AML code and the kernel will execute it. AML is Turing-complete and the interpreter has access to the full guest memory, including private pages.\n\nSee the [paper](https://dl.acm.org/doi/pdf/10.1145/3719027.3765123) for a detailed description and background of the attack.\n\nNote that this is not a vulnerability specific to Contrast, but rather a generic vulnerability in Confidential Computing setups that use the ACPI interface.\n\n## Affected platforms\n\nThis issue affects the SNP platforms supported by Contrast: `Metal-QEMU-SNP` and `Metal-QEMU-SNP-GPU`.\nUsers on these platforms should switch to the fixed Contrast version immediately.\n\n`Metal-QEMU-TDX` isn't affected, as the content of the ACPI tables is covered by the runtime measurements (measured into RTMR 0 by OVMF) on Intel TDX.\n\n## Patches\n\nA sandbox similar to the one proposed in the paper has been implemented in the Linux kernel used by Contrast. The sandbox denies access to private memory pages by doing a page table lookup on every read/write by the AML interpreter.\n\nThis mitigates the attack completely: While an attacker can still run AML code, the code cannot read or modify private memory pages. Shared pages are readable/writable by the host hypervisor anyway.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/edgelesssys/contrast"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.18.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/edgelesssys/contrast/security/advisories/GHSA-g9ww-x58f-9g6m"
+    },
+    {
+      "type": "WEB",
+      "url": "https://blackhat.com/eu-24/briefings/schedule/#aml-injection-attacks-on-confidential-vms-42723"
+    },
+    {
+      "type": "WEB",
+      "url": "https://dl.acm.org/doi/pdf/10.1145/3719027.3765123"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/edgelesssys/contrast"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-94"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-26T19:49:27Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-rm59-992w-x2mv/GHSA-rm59-992w-x2mv.json b/advisories/github-reviewed/2026/03/GHSA-rm59-992w-x2mv/GHSA-rm59-992w-x2mv.json
@@ -0,0 +1,59 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-rm59-992w-x2mv",
+  "modified": "2026-03-26T19:50:41Z",
+  "published": "2026-03-26T19:50:41Z",
+  "aliases": [],
+  "summary": "OpenClaw is vulnerable to unauthenticated resource exhaustion through its voice call webhook handling",
+  "details": "## Summary\nVoice Call webhook handling buffered request bodies before provider signature checks, enabling bounded unauthenticated resource exhaustion.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: < 2026.3.22\n- Fixed: >= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `651dc7450b68a5396a009db78ef9382633707ead`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- extensions/voice-call/src/webhook.ts now enforces header gating and shared pre-auth body caps before reading attacker-controlled request bodies.\n- extensions/voice-call/src/webhook.test.ts ships regression coverage for missing-signature, oversize, and timeout pre-auth webhook cases.\n\nOpenClaw thanks @SEORY0 for reporting.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.3.22"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rm59-992w-x2mv"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/651dc7450b68a5396a009db78ef9382633707ead"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-400"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-26T19:50:41Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-rvqr-hrcc-j9vv/GHSA-rvqr-hrcc-j9vv.json b/advisories/github-reviewed/2026/03/GHSA-rvqr-hrcc-j9vv/GHSA-rvqr-hrcc-j9vv.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-rvqr-hrcc-j9vv",
+  "modified": "2026-03-26T19:50:24Z",
+  "published": "2026-03-26T19:50:24Z",
+  "aliases": [],
+  "summary": "OpenClaw: Bonjour/DNS-SD TXT metadata steers CLI routing after failed service resolution",
+  "details": "## Summary\nBonjour and DNS-SD TXT metadata could still steer CLI routing even when actual service resolution failed, allowing unresolved hints to influence the chosen target.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: < 2026.3.22\n- Fixed: >= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `deecf68b59a9b7eea978e40fd3c2fe543087b569`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- src/infra/bonjour-discovery.ts now resolves and returns only concrete endpoints instead of falling back to unresolved TXT host and port hints.\n- src/cli/gateway-cli/discover.ts consumes only the fail-closed resolved endpoint path.\n\nOpenClaw thanks @nexrin for reporting.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.3.22"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rvqr-hrcc-j9vv"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/deecf68b59a9b7eea978e40fd3c2fe543087b569"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-345",
+      "CWE-642"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-26T19:50:24Z",
+    "nvd_published_at": null
+  }
+}
