Publish Advisories

GHSA-c447-w54g-f55j
GHSA-hh43-q692-2xmq
GHSA-jq3f-vjww-8rq7
GHSA-wcxr-59v9-rxr8
GHSA-ff66-236v-p4fg
GHSA-mmg8-87c5-jrc2
GHSA-c447-w54g-f55j
GHSA-hh43-q692-2xmq

Author: advisory-database[bot]

advisories/github-reviewed/2026/03/GHSA-c447-w54g-f55j/GHSA-c447-w54g-f55j.json

@@ -0,0 +1,68 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-c447-w54g-f55j",
+  "modified": "2026-04-01T00:05:26Z",
+  "published": "2026-03-29T15:30:19Z",
+  "withdrawn": "2026-04-01T00:05:26Z",
+  "aliases": [],
+  "summary": "Duplicate Advisory: OpenClaw Telegram webhook request bodies were read before secret validation, enabling unauthenticated resource exhaustion",
+  "details": "## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-jq3f-vjww-8rq7. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw before 2026.3.13 reads and buffers Telegram webhook request bodies before validating the x-telegram-bot-api-secret-token header, allowing unauthenticated attackers to exhaust server resources. Attackers can send POST requests to the webhook endpoint to force memory consumption, socket time, and JSON parsing work before authentication validation occurs.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "2026.3.12"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jq3f-vjww-8rq7"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32980"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/7e49e98f79073b11134beac27fdff547ba5a4a02"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-resource-exhaustion-via-unauthenticated-telegram-webhook-request"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-770"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-01T00:05:26Z",
+    "nvd_published_at": "2026-03-29T13:17:02Z"
+  }
+}

advisories/github-reviewed/2026/03/GHSA-hh43-q692-2xmq/GHSA-hh43-q692-2xmq.json

@@ -0,0 +1,68 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hh43-q692-2xmq",
+  "modified": "2026-04-01T00:06:58Z",
+  "published": "2026-03-29T15:30:19Z",
+  "withdrawn": "2026-04-01T00:06:14Z",
+  "aliases": [],
+  "summary": "Duplicate Advisory: `OpenClaw: session_status` let sandboxed subagents access parent or sibling session state",
+  "details": "## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-wcxr-59v9-rxr8. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw before 2026.3.11 contains a session sandbox escape vulnerability in the session_status tool that allows sandboxed subagents to access parent or sibling session state. Attackers can supply arbitrary sessionKey values to read or modify session data outside their sandbox scope, including persisted model overrides.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "2026.3.8"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-wcxr-59v9-rxr8"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32918"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-session-sandbox-escape-via-session-status-tool"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-863"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-01T00:06:14Z",
+    "nvd_published_at": "2026-03-29T13:17:00Z"
+  }
+}

advisories/github-reviewed/2026/03/GHSA-jq3f-vjww-8rq7/GHSA-jq3f-vjww-8rq7.json

@@ -1,12 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-jq3f-vjww-8rq7",
-  "modified": "2026-03-16T20:40:57Z",
+  "modified": "2026-04-01T00:05:51Z",
   "published": "2026-03-16T20:40:57Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-32980"
+  ],
   "summary": "OpenClaw Telegram webhook request bodies were read before secret validation, enabling unauthenticated resource exhaustion",
   "details": "### Summary\n`openclaw` versions `<= 2026.3.12` read and buffered Telegram webhook request bodies before validating `x-telegram-bot-api-secret-token`. This let unauthenticated callers force up to the configured webhook body limit of pre-auth body I/O and JSON parse work per request.\n\n### Affected Packages / Versions\n- Package: `openclaw` (`npm`)\n- Affected versions: `<= 2026.3.12`\n- Fixed version: `2026.3.13`\n\n### Details\nThe vulnerable path was the standalone Telegram webhook listener in `src/telegram/webhook.ts`. In affected releases, the request handler accepted `POST` requests, called `readJsonBodyWithLimit(...)`, and only then checked the Telegram secret header. Because the secret validation happened after body reading, an unauthenticated caller could make the server spend memory, socket time, and JSON parse work on requests that should have been rejected before any body processing.\n\nThis issue is in scope under OpenClaw's trust model because the Telegram webhook endpoint accepts untrusted network traffic and the secret header is the authentication boundary for that ingress path.\n\n### Fix\n`openclaw@2026.3.13` validates the Telegram webhook secret before any body I/O. Current code reads the header, rejects invalid requests immediately with `401`, and only calls `readJsonBodyWithLimit(...)` after `hasValidTelegramWebhookSecret(...)` succeeds.\n\nRegression coverage exists in `src/telegram/webhook.test.ts` (`rejects unauthenticated requests before reading the request body`).\n\n### Fix Commit(s)\n- `7e49e98f79073b11134beac27fdff547ba5a4a02`\n\nThanks @space08 for reporting.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
@@ -41,18 +47,27 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jq3f-vjww-8rq7"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32980"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/7e49e98f79073b11134beac27fdff547ba5a4a02"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-resource-exhaustion-via-unauthenticated-telegram-webhook-request"
     }
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-400"
+      "CWE-400",
+      "CWE-770"
     ],
     "severity": "HIGH",
     "github_reviewed": true,

advisories/github-reviewed/2026/03/GHSA-wcxr-59v9-rxr8/GHSA-wcxr-59v9-rxr8.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-wcxr-59v9-rxr8",
-  "modified": "2026-03-13T20:55:19Z",
+  "modified": "2026-04-01T00:06:27Z",
   "published": "2026-03-13T20:55:19Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-32918"
+  ],
   "summary": "`OpenClaw: session_status` let sandboxed subagents access parent or sibling session state",
   "details": "### Summary\n\nThe built-in `session_status` tool did not enforce the intended session-visibility boundary. A sandboxed subagent could supply another session's `sessionKey` and inspect or modify state outside its own sandbox scope.\n\n### Impact\n\nThis allowed a sandboxed child session to read parent or sibling session data and, in affected releases, update the target session's persisted model override.\n\n### Affected versions\n\n`openclaw` `<= 2026.3.8`\n\n### Patch\n\nFixed in `openclaw` `2026.3.11` and included in later releases such as `2026.3.12`. Session visibility checks now enforce the sandbox boundary before reading or mutating session state.",
   "severity": [
@@ -41,13 +43,21 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-wcxr-59v9-rxr8"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32918"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
     },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.11"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-session-sandbox-escape-via-session-status-tool"
     }
   ],
   "database_specific": {

advisories/github-reviewed/2026/04/GHSA-ff66-236v-p4fg/GHSA-ff66-236v-p4fg.json

@@ -0,0 +1,66 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-ff66-236v-p4fg",
+  "modified": "2026-04-01T00:05:11Z",
+  "published": "2026-04-01T00:05:11Z",
+  "aliases": [
+    "CVE-2026-34585"
+  ],
+  "summary": "SiYuan Desktop: Stored XSS in imported .sy.zip content leads to arbitrary command execution",
+  "details": "### Summary\nA vulnerability allows crafted block attribute values to bypass server-side attribute escaping when an HTML entity is mixed with raw special characters. An attacker can embed a malicious IAL value inside a `.sy` document, package it as a `.sy.zip`, and have the victim import it through the normal `Import -> SiYuan .sy.zip` workflow. Once the note is opened, the malicious attribute breaks out of its original HTML context and injects an event handler, resulting in stored XSS. In the Electron desktop client, this XSS reaches remote code execution because injected JavaScript runs with access to Node/Electron APIs.\n\n### Details\nThe issue is caused by a logic regression in `escapeNodeAttributeValues` in `kernel/filesys/tree.go`.\nPreviously, the escaping logic converted `node.KramdownIAL` with `parse.IAL2Map(...)` before deciding whether a value needed escaping. That conversion unescaped existing entities first, so mixed values such as:\n```\n&amp;\" onmouseenter=\"alert('IAL-XSS')\n```\nwere still recognized as unsafe and escaped correctly.\nThe logic changed to inspect raw `KramdownIAL` values directly. The new `needsEscapeForValue` implementation returns `false` as soon as it sees any known entity such as `&amp;`, `&quot;`, `&lt;`, or `&gt;`. This means a value containing both an entity and an unescaped raw quote bypasses escaping entirely.\n\nThat bypass becomes exploitable because the renderer later inserts block IAL values directly into HTML attributes. A payload like:\n```\n&amp;\" onmouseenter=\"require('child_process').exec('calc')\n```\ncan be rendered into HTML equivalent to:\n```\n<div title=\"&amp;\" onmouseenter=\"require('child_process').exec('calc')\">\n```\nThis creates a stored XSS condition. In SiYuan Desktop, the Electron renderer runs with Node.js integration available, so attacker-controlled JavaScript can invoke Node APIs directly. As a result, the issue is not limited to script execution in the page context and becomes arbitrary command execution on the victim’s machine.\n\nThe stored XSS path was validated by importing a crafted `.sy.zip` through the normal GUI and triggering JavaScript execution from the rendered block. Because the same injected JavaScript runs in the privileged Electron renderer, this is an RCE issue in the desktop client.\n\n### PoC\n1. Start SiYuan Desktop `v3.6.1`.\n2. Prepare a crafted `.sy.zip` containing a .sy document with a block IAL property such as:\n```\n\"title\": \"&amp;\\\" onmouseenter=\\\"require('child_process').exec('calc')\"\n```\n3. In the UI, right-click any notebook.\n4. Select `Import -> SiYuan .sy.zip`.\n5. Import the crafted archive.\n6. Open the imported note.\n7. Move the mouse over the affected paragraph block.\n8. Observe that the injected JavaScript executes.\n9. On Windows, `calc.exe` launches, demonstrating arbitrary command execution.\n\n### Impact\nThis vulnerability allows an attacker to deliver a malicious `.sy.zip` file that executes attacker-controlled JavaScript after import. In the desktop application, that JavaScript runs with Node/Electron privileges and can execute arbitrary operating system commands under the victim’s account. This makes the bug equivalent to local code execution triggered by importing and opening attacker-supplied content.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/siyuan-note/siyuan/kernel"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.0.0-20260329142331-918d1bd9f967"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-ff66-236v-p4fg"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/siyuan-note/siyuan/commit/918d1bd9f967d888f474f6764744a3d8cca4a501"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/siyuan-note/siyuan"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.2"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79",
+      "CWE-94"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-01T00:05:11Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/04/GHSA-mmg8-87c5-jrc2/GHSA-mmg8-87c5-jrc2.json

@@ -0,0 +1,96 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-mmg8-87c5-jrc2",
+  "modified": "2026-04-01T00:07:39Z",
+  "published": "2026-04-01T00:07:39Z",
+  "aliases": [
+    "CVE-2026-34595"
+  ],
+  "summary": "Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value",
+  "details": "### Impact\n\nAn authenticated user with `find` class-level permission can bypass the `protectedFields` class-level permission setting on LiveQuery subscriptions. By sending a subscription with a `$or`, `$and`, or `$nor` operator value as a plain object with numeric keys and a `length` property (an \"array-like\" object) instead of an array, the protected-field guard is bypassed. The subscription event firing acts as a binary oracle, allowing the attacker to infer whether a protected field matches a given test value.\n\n### Patches\n\nThe fix validates that `$or`, `$and`, and `$nor` operator values are arrays in the LiveQuery subscription handler, the query depth checker, and the protected-field guard. As defense in depth, the LiveQuery query evaluator also rejects non-array values for these operators.\n\n### Workarounds\n\nThere is no known workaround.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "parse-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "9.0.0"
+            },
+            {
+              "fixed": "9.7.0-alpha.16"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "parse-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "8.6.70"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mmg8-87c5-jrc2"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34595"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/pull/10350"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/pull/10351"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/commit/f63fd1a3fe0a7c1c5fe809f01b0e04759e8c9b98"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/commit/ffad0ec6b971ee0dd9545e1bf1fb34ddebf275c2"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/parse-community/parse-server"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-843"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-01T00:07:39Z",
+    "nvd_published_at": "2026-03-31T16:16:34Z"
+  }
+}