Publish Advisories

GHSA-5v6x-rfc3-7qfr
GHSA-jwf4-8wf4-jf2m
GHSA-vmqr-rc7x-3446

Author: advisory-database[bot]

advisories/github-reviewed/2026/03/GHSA-5v6x-rfc3-7qfr/GHSA-5v6x-rfc3-7qfr.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5v6x-rfc3-7qfr",
-  "modified": "2026-03-02T22:15:53Z",
+  "modified": "2026-03-18T01:24:36Z",
   "published": "2026-03-02T22:15:53Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-22168"
+  ],
   "summary": "OpenClaw has Windows system.run approval mismatch on cmd.exe /c trailing arguments",
   "details": "### Summary\nA Windows `system.run` approval-integrity mismatch in the `cmd.exe /c` path could allow trailing arguments to execute while approval/audit text reflected only a benign command string.\n\nThis requires an authenticated operator context using the approvals flow and a trusted Windows node.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published vulnerable version (as of 2026-02-21): `2026.2.19-2`\n- Vulnerable range: `<=2026.2.19-2`\n- Patched version (planned next release): `2026.2.21`\n\n### Attack Scenario\n1. An authenticated operator approval is created for a benign command text (for example, `echo`).\n2. A `system.run` request uses `cmd.exe /c` with extra trailing arguments.\n3. Prior behavior could bind approval/audit text to the benign command while still executing the full argument tail on the node.\n\n### Impact\n- Local command execution on the trusted Windows node process account.\n- Approval/audit command text integrity mismatch.\n\n### Fix\n- Canonicalize the full command tail after `cmd.exe /c`.\n- Reuse one shared command canonicalization/validation path for validation, approval matching, and execution/audit text.\n- Add regression coverage for trailing-argument smuggling and approval binding.\n\n### Fix Commit(s)\n- `6007941f04df1edcca679dd6c95949744fdbd4df`\n\n### Release Process Note\n`patched_versions` is pre-set to the planned next release (`2026.2.21`). Once that npm release is live, this advisory can be published directly.\n\nOpenClaw thanks @tdjackey for reporting.",
   "severity": [

advisories/github-reviewed/2026/03/GHSA-jwf4-8wf4-jf2m/GHSA-jwf4-8wf4-jf2m.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-jwf4-8wf4-jf2m",
-  "modified": "2026-03-04T19:44:50Z",
+  "modified": "2026-03-18T01:25:21Z",
   "published": "2026-03-04T19:44:50Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-22170"
+  ],
   "summary": "OpenClaw: BlueBubbles (optional plugin) pairing/allowlist mismatch when allowFrom is empty",
   "details": "### Summary\nBlueBubbles is an optional OpenClaw channel plugin. A configuration-sensitive access-control mismatch allowed DM senders to be treated as authorized when `dmPolicy` was `pairing` or `allowlist` and `allowFrom` was empty/unset.\n\n### Severity Rationale (Medium)\nSeverity is set to **medium** because:\n- this affects an optional plugin, not core messaging surfaces;\n- many deployments use owner-controlled/private BlueBubbles identities with limited external reachability;\n- practical exploitability depends on an untrusted sender being able to reach that specific BlueBubbles account identifier.\n\nIn typical personal/self-hosted BlueBubbles setups, the mapped Apple identity is single-owner and not broadly reachable, so this is usually low practical risk.\n\nRisk is higher in deployments where the identifier is publicly reachable and/or agent tool permissions are broad.\n\n### Technical Details\n1. BlueBubbles DM policy defaults to `pairing` (`dmPolicy ?? \"pairing\"`).\n2. Effective allowlist can be empty (`effectiveAllowFrom`).\n3. DM/reaction authorization called `isAllowedBlueBubblesSender(...)`.\n4. That delegated to shared `isAllowedParsedChatSender(...)`, which previously returned `true` for empty allowlists.\n5. Result: unknown senders could bypass intended pairing/allowlist gating when `allowFrom` was empty.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Vulnerable versions: `<= 2026.2.21-2`\n- Planned fixed version: `2026.2.22`\n\n### Fix\nThe shared parsed-chat allowlist helper now fails closed on empty allowlists, restoring expected BlueBubbles DM gating behavior. BlueBubbles inbound gating was also refactored to use one shared DM/group decision helper for both message and reaction paths to reduce future drift.\n\n### Fix Commit(s)\n- `9632b9bcf032c5f2280c3103961fde912ab1f920`\n- `2ba6de7eaad812e5e8603018e14e54e96bdd57dd`\n- `51c0893673de8e5cea64e64351dbfa4680ba0dec`\n- `4540790cb62412676f7b61cfc6e47443f84a251e`\n\nOpenClaw thanks @tdjackey for reporting.",
   "severity": [

advisories/github-reviewed/2026/03/GHSA-vmqr-rc7x-3446/GHSA-vmqr-rc7x-3446.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vmqr-rc7x-3446",
-  "modified": "2026-03-03T18:54:55Z",
+  "modified": "2026-03-18T01:24:57Z",
   "published": "2026-03-03T18:54:55Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-22169"
+  ],
   "summary": "OpenClaw's non-default safeBins sort configuration can bypass intended allowlist approval constraints",
   "details": "When `sort` is explicitly added to `tools.exec.safeBins` (non-default), the `--compress-program` option can invoke an external helper and bypass the intended safe-bin approval constraints in allowlist mode.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Vulnerable versions: `<=2026.2.21-2`\n- Latest published npm version checked during triage: `2026.2.21-2` (as of February 22, 2026)\n- Patched in planned next release: `2026.2.22`\n\n## Fix Commit(s)\n\n- `57fbbaebca4d34d17549accf6092ae26eb7b605c`\n\n## Release Process Note\n\n`patched_versions` is pre-set to the planned next release (`>=2026.2.22`). Once that npm release is published, the advisory can be published directly.\n\nOpenClaw thanks @tdjackey for reporting.",
   "severity": [