Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit d417c8747008 · 2026-03-30T13:37:25.000Z
GHSA-43x4-g22p-3hrq GHSA-6rcp-vxwf-3mfp GHSA-792q-qw95-f446 GHSA-mwcg-wfq3-4gjc GHSA-rxxp-482v-7mrh
diff --git a/advisories/github-reviewed/2026/03/GHSA-43x4-g22p-3hrq/GHSA-43x4-g22p-3hrq.json b/advisories/github-reviewed/2026/03/GHSA-43x4-g22p-3hrq/GHSA-43x4-g22p-3hrq.json
@@ -1,15 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-43x4-g22p-3hrq",
-  "modified": "2026-03-03T18:10:34Z",
+  "modified": "2026-03-30T13:35:13Z",
   "published": "2026-03-03T18:10:34Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-32046"
+  ],
   "summary": "OpenClaw: Chrome --no-sandbox disabled OS-level browser sandbox in sandbox browser container",
   "details": "## Summary\nSandbox browser container launched Chromium with `--no-sandbox` by default, disabling Chromium's OS-level sandbox protections.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm ecosystem)\n- Latest published npm version at triage time (2026-02-21): `2026.2.19-2`\n- Affected range: `<= 2026.2.19-2`\n- Planned patched version for next release: `2026.2.21`\n\n## Impact\nWhen `--no-sandbox` is enabled by default, renderer compromise no longer requires a separate sandbox escape. This weakens container browser isolation and increases impact from renderer-side bugs.\n\n## Resolution\n- Default `--no-sandbox` removed from sandbox browser entrypoint.\n- Explicit opt-in added via `OPENCLAW_BROWSER_NO_SANDBOX` / `CLAWDBOT_BROWSER_NO_SANDBOX`.\n- Browser container hash migration + security audit checks added so stale containers are surfaced and can be recreated safely.\n\n## Fix Commit(s)\n- e7eba01efc4c3c400e9cfd3ce3d661cbc788a631\n- 1835dec2004fe7a62c6a7ba46b8485f124ec6199\n\n## Release Process Note\nThe advisory `patched_versions` field is pre-set to the planned next release (`2026.2.21`). After npm release publication, only advisory publish action should remain.\n\nOpenClaw thanks @TerminalsandCoffee for reporting.",
   "severity": [
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
@@ -38,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-43x4-g22p-3hrq"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32046"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/1835dec2004fe7a62c6a7ba46b8485f124ec6199"
@@ -49,6 +55,10 @@
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-os-level-sandbox-bypass-via-no-sandbox-flag"
     }
   ],
   "database_specific": {
diff --git a/advisories/github-reviewed/2026/03/GHSA-6rcp-vxwf-3mfp/GHSA-6rcp-vxwf-3mfp.json b/advisories/github-reviewed/2026/03/GHSA-6rcp-vxwf-3mfp/GHSA-6rcp-vxwf-3mfp.json
@@ -1,15 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-6rcp-vxwf-3mfp",
-  "modified": "2026-03-03T19:46:42Z",
+  "modified": "2026-03-30T13:36:43Z",
   "published": "2026-03-03T19:46:42Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-32052"
+  ],
   "summary": "OpenClaw's system.run shell-wrapper positional argv carriers could execute hidden commands under misleading approval text",
   "details": "### Summary\nIn `openclaw` up to and including **2026.2.23** (latest npm release as of **February 25, 2026**), `system.run` shell-wrapper inputs could present misleading approval/display text while still carrying hidden positional argv payloads that execute at runtime.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: `<= 2026.2.23`\n- Patched: `>= 2026.2.24` (planned next release)\n\n### Root Cause\nFor shell-wrapper forms (for example `/bin/sh -c ...`), command-text binding could focus on inline shell payload text while runtime execution still used the full argv vector. Positional argv carriers after the inline payload could therefore be executed under incomplete display context.\n\n### Security Impact\nApproval/display context could omit executed argv carriers, enabling hidden command execution under misleading operator-visible text.\n\n### Fix\n- Detect shell-wrapper inline-command forms that carry trailing positional argv values.\n- Bind approval/display command text to full formatted argv for those carrier forms.\n- Reject payload-only `rawCommand` values when they do not match the execution-bound argv context for those forms.\n- Forward canonical command display text to the macOS companion exec host and validate `rawCommand`/argv consistency there for carrier wrappers and env-modifier shell preludes.\n\n### Verification\n- `pnpm check`\n- `pnpm exec vitest run --config vitest.gateway.config.ts`\n- `pnpm test:fast`\n- `pnpm vitest run src/infra/system-run-command.test.ts src/node-host/invoke-system-run.test.ts src/cli/nodes-cli.coverage.test.ts src/gateway/node-invoke-system-run-approval.test.ts`\n- `cd apps/macos && swift test --filter ExecSystemRunCommandValidatorTests`\n\n### Fix Commit(s)\n- `0f0a680d3df81739ea5088a2f88e65f938b7936b`\n- `55cf92578d266987e390c4bf688196af98eac748`\n\n### Release Process Note\n`patched_versions` is pre-set to the planned next release (`2026.2.24`) so after npm publish the advisory can be published without further field edits.\n\nOpenClaw thanks @tdjackey for reporting.\n\n\n### Publication Update (2026-02-25)\n`openclaw@2026.2.24` is published on npm and contains the fix commit(s) listed above. This advisory now marks `>= 2026.2.24` as patched.",
   "severity": [
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
@@ -41,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6rcp-vxwf-3mfp"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32052"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/0f0a680d3df81739ea5088a2f88e65f938b7936b"
@@ -52,14 +58,18 @@
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-hidden-command-execution-via-shell-wrapper-positional-argv-carriers"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-436",
       "CWE-863"
     ],
-    "severity": "HIGH",
+    "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-03T19:46:42Z",
     "nvd_published_at": null
diff --git a/advisories/github-reviewed/2026/03/GHSA-792q-qw95-f446/GHSA-792q-qw95-f446.json b/advisories/github-reviewed/2026/03/GHSA-792q-qw95-f446/GHSA-792q-qw95-f446.json
@@ -1,15 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-792q-qw95-f446",
-  "modified": "2026-03-03T23:11:47Z",
+  "modified": "2026-03-30T13:36:18Z",
   "published": "2026-03-03T23:11:47Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-32050"
+  ],
   "summary": "OpenClaw's Signal reaction-only status events could, in limited cases, be enqueued before access checks",
   "details": "### Summary\nIn a narrow Signal reaction-notification path, reaction-only inbound events could enqueue a status event before sender access checks were applied.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: `<= 2026.2.24` (latest published at patch time)\n- Fixed: `2026.2.25` \n\n### Details\nIn the affected flow (`src/signal/monitor/event-handler.ts`), reaction-only handling could return after `enqueueSystemEvent(...)` before DM/group authorization checks were evaluated for that sender.\n\nThis behavior was limited to reaction-only inbound events with reaction notifications enabled. In that case, a sender not authorized for normal DM flow could still queue a Signal reaction status line for that session.\n\nThe fix applies shared DM/group access checks before reaction notification enqueue. Pairing behavior for normal DM messages is unchanged.\n\n### Impact\n- Limited to Signal reaction-only inbound events.\n- Could add an unauthorized reaction status line to agent context for affected sessions.\n- Did not directly enable normal DM delivery or direct host command execution.\n\n### Fix Commit(s)\n- `2aa7842adeedef423be7ce283a9144b9f1a0a669`\n\n### Release Process Note\n`patched_versions` is pre-set to `2026.2.25` so once npm release is out, advisory publish can proceed directly.\n\nOpenClaw thanks @tdjackey for reporting.",
   "severity": [
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
@@ -41,13 +43,21 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-792q-qw95-f446"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32050"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/2aa7842adeedef423be7ce283a9144b9f1a0a669"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-unauthorized-reaction-status-event-enqueue-via-access-check-bypass"
     }
   ],
   "database_specific": {
diff --git a/advisories/github-reviewed/2026/03/GHSA-mwcg-wfq3-4gjc/GHSA-mwcg-wfq3-4gjc.json b/advisories/github-reviewed/2026/03/GHSA-mwcg-wfq3-4gjc/GHSA-mwcg-wfq3-4gjc.json
@@ -1,15 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-mwcg-wfq3-4gjc",
-  "modified": "2026-03-03T19:18:06Z",
+  "modified": "2026-03-30T13:34:50Z",
   "published": "2026-03-03T19:18:06Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-32043"
+  ],
   "summary": "OpenClaw's system.run approval TOCTOU via mutable symlink cwd target on node host",
   "details": "### Summary\nIn `openclaw@2026.2.24`, approval-bound `system.run` on node hosts could be influenced by mutable symlink `cwd` targets between approval and execution.\n\n### Details\nApproval matching on the gateway validated command/argv and binding fields, including `cwd`, as provided text. Node execution later used runtime `cwd` resolution. A symlinked `cwd` could therefore be retargeted after approval and before spawn.\n\nOpenClaw's trust model does not treat one shared gateway as a multi-tenant adversarial boundary, but approval integrity is still a security boundary for operator-reviewed command execution.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: `<= 2026.2.24`\n- Patched: `>= 2026.2.25` \n\n### Fix Commit(s)\n- `f789f880c934caa8be25b38832f27f90f37903db`\n\n### Remediation\nThe fix adds defense-in-depth hardening for approval-bound node execution:\n- reject symlink `cwd` paths for approval-bound `system.run`\n- canonicalize path-like executable argv before spawn\n- bind CLI approval requests to exact `commandArgv`\n\n### Release Process Note\nPatched version is pre-set to the release (`2026.2.25`). Advisory published with npm release `2026.2.25`.\n\nOpenClaw thanks @tdjackey for reporting.",
   "severity": [
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
+      "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
@@ -41,21 +43,29 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mwcg-wfq3-4gjc"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32043"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/f789f880c934caa8be25b38832f27f90f37903db"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-time-of-check-time-of-use-via-mutable-symlink-in-system-run-cwd-parameter"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-367",
       "CWE-59"
     ],
-    "severity": "HIGH",
+    "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-03T19:18:06Z",
     "nvd_published_at": null
diff --git a/advisories/github-reviewed/2026/03/GHSA-rxxp-482v-7mrh/GHSA-rxxp-482v-7mrh.json b/advisories/github-reviewed/2026/03/GHSA-rxxp-482v-7mrh/GHSA-rxxp-482v-7mrh.json
@@ -1,15 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-rxxp-482v-7mrh",
-  "modified": "2026-03-02T22:32:55Z",
+  "modified": "2026-03-30T13:35:40Z",
   "published": "2026-03-02T22:32:55Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-32049"
+  ],
   "summary": "OpenClaw's inbound media downloads could exceed configured byte limits before rejection across multiple channels",
   "details": "## Summary\nOpenClaw did not consistently enforce configured inbound media byte limits before buffering remote media in several channel ingestion paths. A remote sender could trigger oversized downloads and memory pressure before rejection.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.2.21-2` (latest published at triage time)\n- Fixed in: `2026.2.22` (planned next release)\n\n## Impact\nAn attacker could cause elevated memory usage and potential process instability (denial of service) by sending oversized media payloads.\n\n## Fix Commit(s)\n- `73d93dee64127a26f1acd09d0403b794cdeb4f5c`\n\n## Release Process Note\n`patched_versions` is pre-set to the planned next release (`2026.2.22`). After that npm release is published, this advisory can be published without further version-field edits.\n\nOpenClaw thanks @tdjackey for reporting.",
   "severity": [
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
@@ -38,21 +40,29 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rxxp-482v-7mrh"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32049"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/73d93dee64127a26f1acd09d0403b794cdeb4f5c"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-inbound-media-download-byte-limit-bypass"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-400",
       "CWE-770"
     ],
-    "severity": "MODERATE",
+    "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-02T22:32:55Z",
     "nvd_published_at": null
