Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit cf37656cbef6 · 2026-03-30T13:40:21.000Z
GHSA-hjvp-qhm6-wrh2 GHSA-mgrq-9f93-wpp5 GHSA-v8cg-4474-49v8 GHSA-vqx8-9xxw-f2m7 GHSA-vvgp-4c28-m3jm GHSA-xgf2-vxv2-rrmg
diff --git a/advisories/github-reviewed/2026/03/GHSA-hjvp-qhm6-wrh2/GHSA-hjvp-qhm6-wrh2.json b/advisories/github-reviewed/2026/03/GHSA-hjvp-qhm6-wrh2/GHSA-hjvp-qhm6-wrh2.json
@@ -1,15 +1,21 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-hjvp-qhm6-wrh2",
-  "modified": "2026-03-02T22:40:15Z",
+  "modified": "2026-03-30T13:39:35Z",
   "published": "2026-03-02T22:40:15Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-32058"
+  ],
   "summary": "OpenClaw Node system.run approval context-binding weakness in approval-enabled host=node flows",
   "details": "### Summary\nIn approval-enabled `host=node` workflows, `system.run` approvals did not always carry a strict, versioned execution-context binding. In uncommon setups that rely on these approvals as an integrity guardrail, a previously approved request could be reused with changed env input.\n\n### Affected Packages / Versions\n- Package: npm `openclaw`\n- Latest published npm version at triage: `2026.2.25`\n- Affected range: `<= 2026.2.25`\n- Planned fixed version (next npm release): `2026.2.26`\n\n### Preconditions / Typical Exposure\nThis requires all of the following:\n- `system.run` usage through `host=node`\n- Exec approvals enabled and used as an execution-integrity control\n- Access to an approval id in the same context\n\nMost default single-operator local setups do not rely on this path, so practical exposure is typically lower.\n\n### Details\nApproval matching now uses a required versioned binding (`systemRunBindingV1`) over command argv, cwd, agent/session context, and env hash.\n\nThe fix:\n- Requires `commandArgv` when requesting `host=node` approvals.\n- Requires `systemRunBindingV1` when consuming approvals for node `system.run`.\n- Removes legacy non-versioned fallback matching and fails closed on missing/mismatched bindings.\n- Keeps env mismatch handling explicit and blocks `GIT_EXTERNAL_DIFF` in host env policy.\n- Adds/updates regression and contract coverage for mismatch mapping and binding rules.\n\n### Impact\nConfiguration-dependent approval-integrity weakness in node-host exec approval flows. Severity remains `medium` because exploitation depends on this specific approval mode and context.\n\n### Fix Commit(s)\n- `10481097f8e6dd0346db9be0b5f27570e1bdfcfa`\n\n### Release Process Note\n`patched_versions` is pre-set to the planned next release (`2026.2.26`) so once npm release `2026.2.26` is published, the advisory can be published without further metadata edits.\n\nOpenClaw thanks @tdjackey for reporting.",
   "severity": [
     {
       "type": "CVSS_V3",
-      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"
+      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
@@ -38,21 +44,29 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hjvp-qhm6-wrh2"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32058"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/10481097f8e6dd0346db9be0b5f27570e1bdfcfa"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-approval-context-binding-weakness-in-system-run-via-host-node"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-15",
       "CWE-863"
     ],
-    "severity": "MODERATE",
+    "severity": "LOW",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-02T22:40:15Z",
     "nvd_published_at": null
diff --git a/advisories/github-reviewed/2026/03/GHSA-mgrq-9f93-wpp5/GHSA-mgrq-9f93-wpp5.json b/advisories/github-reviewed/2026/03/GHSA-mgrq-9f93-wpp5/GHSA-mgrq-9f93-wpp5.json
@@ -1,15 +1,21 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-mgrq-9f93-wpp5",
-  "modified": "2026-03-12T14:21:49Z",
+  "modified": "2026-03-30T13:37:32Z",
   "published": "2026-03-12T14:21:49Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-32055"
+  ],
   "summary": "OpenClaw: workspace path guard bypass on non-existent out-of-root symlink leaf",
   "details": "### Summary\n`openclaw` had a workspace boundary bypass in workspace-only path validation: when an in-workspace symlink pointed outside the workspace to a non-existent leaf, the first write could pass validation and create the file outside the workspace.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Vulnerable versions: `<= 2026.2.25`\n- Patched versions: `>= 2026.2.26` (pre-set for next planned release)\n- Latest published npm version at update time: `2026.2.25`\n\n### Details\nThe boundary check path resolved aliases in a way that allowed a non-existent out-of-root symlink target to pass the initial validation window. A first write through the guarded workspace path could therefore escape the workspace boundary.\n\nThe fix hardens canonical boundary resolution so missing-leaf alias paths are evaluated against canonical containment, while preserving valid in-root aliases. This closes the first-write escape condition without regressing valid in-root alias usage.\n\n### Fix Commit(s)\n- `46eba86b45e9db05b7b792e914c4fe0de1b40a23`\n- `1aef45bc060b28a0af45a67dc66acd36aef763c9`\n\n### Release Process Note\n`patched_versions` is pre-set to the planned next release (`2026.2.26`). Once npm release `2026.2.26` is published, this advisory can be published directly.\n\nThanks @tdjackey for reporting.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
@@ -41,6 +47,10 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mgrq-9f93-wpp5"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32055"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/1aef45bc060b28a0af45a67dc66acd36aef763c9"
@@ -52,6 +62,10 @@
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-workspace-path-boundary-bypass-via-non-existent-symlink"
     }
   ],
   "database_specific": {
diff --git a/advisories/github-reviewed/2026/03/GHSA-v8cg-4474-49v8/GHSA-v8cg-4474-49v8.json b/advisories/github-reviewed/2026/03/GHSA-v8cg-4474-49v8/GHSA-v8cg-4474-49v8.json
@@ -1,15 +1,21 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-v8cg-4474-49v8",
-  "modified": "2026-03-12T14:21:59Z",
+  "modified": "2026-03-30T13:39:01Z",
   "published": "2026-03-12T14:21:59Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-32895"
+  ],
   "summary": "OpenClaw: Slack system events bypass sender authorization in member and message subtype handlers",
   "details": "### Summary\nSlack `member_*` and `message` subtype system events (`message_changed`, `message_deleted`, `thread_broadcast`) were not consistently enforcing sender authorization before enqueueing system events.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published version: `2026.2.25`\n- Affected range: `<= 2026.2.25`\n- Planned patched version: `2026.2.26` (pre-set for publish-readiness)\n\n### Technical Details\nSlack system-event handlers in `src/slack/monitor/events/members.ts` and `src/slack/monitor/events/messages.ts` enqueued events after channel checks without shared sender authorization. Deployments relying on Slack DM allowlists (`dmPolicy` / `allowFrom`) or per-channel `users` allowlists could receive unauthorized system-event ingress from non-allowlisted senders.\n\nThe fix routes those handlers through `authorizeAndResolveSlackSystemEventContext(...)` and fails closed when message subtype sender identity cannot be resolved.\n\n### Fix Commit(s)\n- `3d30ba18a2aba1e1b302e77ff33145c3b06c01c8`\n\n### Release Process Note\n`patched_versions` is pre-set to `>= 2026.2.26` so once npm `2026.2.26` is published, this advisory can be published without further field edits.\n\nThanks @tdjackey for reporting.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
@@ -41,13 +47,21 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v8cg-4474-49v8"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32895"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/3d30ba18a2aba1e1b302e77ff33145c3b06c01c8"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-sender-authorization-bypass-in-slack-system-event-handlers"
     }
   ],
   "database_specific": {
diff --git a/advisories/github-reviewed/2026/03/GHSA-vqx8-9xxw-f2m7/GHSA-vqx8-9xxw-f2m7.json b/advisories/github-reviewed/2026/03/GHSA-vqx8-9xxw-f2m7/GHSA-vqx8-9xxw-f2m7.json
@@ -1,15 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vqx8-9xxw-f2m7",
-  "modified": "2026-03-03T19:16:09Z",
+  "modified": "2026-03-30T13:37:03Z",
   "published": "2026-03-03T19:16:09Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-32053"
+  ],
   "summary": "OpenClaw's voice-call Twilio webhook replay could bypass manager dedupe because normalized event IDs were randomized per parse",
   "details": "## Impact\nTwilio webhook replay events could bypass voice-call manager dedupe because normalized event IDs were randomized per parse. A replayed event could be treated as new and trigger duplicate or stale call-state transitions.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Vulnerable versions: `<= 2026.2.22-2`\n- Patched version (released): `>= 2026.2.23`\n\n## Remediation\nThe fix preserves provider event IDs through normalization, adds bounded replay dedupe in webhook security validation, and enforces per-call turn-token checks on call-state transitions.\n\n## Fix Commit(s)\n- 1d28da55a5d0ff409e34999e0961157e9db0a2ab\n\n## Release Process Note\n`patched_versions` is pre-set to the released version (`2026.2.23`) This advisory now reflects released fix version `2026.2.23`.2.23`.\n\nOpenClaw thanks @jiseoung for reporting.",
   "severity": [
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
@@ -38,13 +40,21 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vqx8-9xxw-f2m7"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32053"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/1d28da55a5d0ff409e34999e0961157e9db0a2ab"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-twilio-webhook-replay-bypass-via-randomized-event-id-normalization"
     }
   ],
   "database_specific": {
diff --git a/advisories/github-reviewed/2026/03/GHSA-vvgp-4c28-m3jm/GHSA-vvgp-4c28-m3jm.json b/advisories/github-reviewed/2026/03/GHSA-vvgp-4c28-m3jm/GHSA-vvgp-4c28-m3jm.json
@@ -1,15 +1,21 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vvgp-4c28-m3jm",
-  "modified": "2026-03-03T21:52:16Z",
+  "modified": "2026-03-30T13:38:27Z",
   "published": "2026-03-03T21:52:16Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-32057"
+  ],
   "summary": "OpenClaw has a Trusted-proxy Control UI pairing bypass which allows unpaired node sessions",
   "details": "## Summary\nA trusted-proxy Control UI pairing bypass accepted `client.id=control-ui` without device identity checks. The bypass did not require `operator` role, so an authenticated `node` role session could connect unpaired and reach node event methods.\n\n## Impact\nWith trusted-proxy authentication enabled, a `node` role websocket client could skip pairing by using `client.id=control-ui`. That created an authorization boundary bypass from a node-scoped connection into node event execution flows.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected range: `<= 2026.2.24`\n- Latest published vulnerable version: `2026.2.24`\n- Patched in next release: `2026.2.25` (pre-set below so this advisory is ready to publish after npm release)\n\n## Fix\nThe trusted-proxy Control UI bypass now additionally requires `role === \"operator\"`.\n\n### Fix Commit(s)\n- `ec45c317f5d0631a3d333b236da58c4749ede2a3`\n\n## Release Process Note\n`patched_versions` is intentionally pre-set to the release (`2026.2.25`). Advisory published with npm release `2026.2.25`.2.25` is published, the remaining GHSA action is to publish this advisory.\n\nOpenClaw thanks @tdjackey for reporting.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"
+    },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
@@ -41,20 +47,28 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vvgp-4c28-m3jm"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32057"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/ec45c317f5d0631a3d333b236da58c4749ede2a3"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-authentication-bypass-via-control-ui-client-id-parameter"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-807"
     ],
-    "severity": "LOW",
+    "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-03T21:52:16Z",
     "nvd_published_at": null
diff --git a/advisories/github-reviewed/2026/03/GHSA-xgf2-vxv2-rrmg/GHSA-xgf2-vxv2-rrmg.json b/advisories/github-reviewed/2026/03/GHSA-xgf2-vxv2-rrmg/GHSA-xgf2-vxv2-rrmg.json
@@ -1,15 +1,21 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-xgf2-vxv2-rrmg",
-  "modified": "2026-03-03T22:12:51Z",
+  "modified": "2026-03-30T13:37:58Z",
   "published": "2026-03-03T22:12:51Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-32056"
+  ],
   "summary": "OpenClaw's shell startup env injection bypasses system.run allowlist intent (RCE class)",
   "details": "### Summary\n`system.run` environment sanitization allowed shell-startup env overrides (`HOME`, `ZDOTDIR`) that can execute attacker-controlled startup files before allowlist-evaluated command bodies.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: `<= 2026.2.21-2` (latest published vulnerable version)\n- Planned patched version: `>= 2026.2.22`\n\n### Technical Details\nIn affected versions:\n- Env sanitization blocked many dangerous keys, but not startup-sensitive override keys (`HOME`, `ZDOTDIR`) in host exec env paths.\n- Shell-wrapper analysis for allowlist mode models command bodies, but not shell startup side effects.\n- Runtime execution used sanitized env, so attacker-provided startup-key overrides could run hidden startup payloads first.\n\nObserved exploit vectors:\n- `HOME` + `bash -lc` + malicious `.bash_profile`\n- `ZDOTDIR` + `zsh -c` + malicious `.zshenv`\n\n### Fix Commit(s)\n- `c2c7114ed39a547ab6276e1e933029b9530ee906`\n\n### Release Process Note\n`patched_versions` is pre-set to the planned next release (`>= 2026.2.22`). After the npm release is published, this advisory can be published directly.\n\nOpenClaw thanks @tdjackey for reporting.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
@@ -38,13 +44,21 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xgf2-vxv2-rrmg"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32056"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/c2c7114ed39a547ab6276e1e933029b9530ee906"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-remote-code-execution-via-shell-startup-environment-variable-injection-in-system-run"
     }
   ],
   "database_specific": {
