{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/openclaw/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.5,"id":"CVE-2026-41914"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["high"],"_cs_tags":["ssrf","cve-2026-41914","openclaw"],"_cs_type":"advisory","_cs_vendors":["openclaw"],"content_html":"\u003cp\u003eOpenClaw, a QQ Bot platform, is susceptible to a server-side request forgery (SSRF) vulnerability. This flaw exists in versions prior to 2026.4.8 within the media download paths of the QQ Bot functionality. Specifically, the vulnerability allows attackers to bypass existing SSRF protections. By exploiting unprotected media fetch endpoints, malicious actors can potentially gain unauthorized access to internal resources and circumvent established allowlist policies. This vulnerability poses a significant risk to the confidentiality and integrity of systems and data accessible from the OpenClaw server. Successful exploitation can lead to information disclosure, denial of service, or even remote code execution on internal systems, depending on the accessible resources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an OpenClaw instance running a version prior to 2026.4.8.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL targeting the QQ Bot media download functionality. 
This URL contains a payload designed to exploit the SSRF vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious URL into the QQ Bot\u0026rsquo;s media download path, bypassing expected SSRF protections.\u003c/li\u003e\n\u003cli\u003eOpenClaw processes the crafted URL without proper validation, initiating a request to an attacker-controlled internal resource.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw server makes a request to the specified internal resource, potentially exposing sensitive information or triggering unintended actions.\u003c/li\u003e\n\u003cli\u003eThe internal resource responds to the OpenClaw server, and the response is potentially relayed back to the attacker or used to further compromise the system.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to internal resources or sensitive data due to the successful SSRF attack.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability (CVE-2026-41914) can lead to the disclosure of sensitive information from internal systems, potentially affecting all users and services dependent on the compromised OpenClaw instance. The severity is amplified by the potential to bypass existing SSRF protections, increasing the attack surface and difficulty of detection. 
Impact ranges from information disclosure to potential compromise of other internal services, depending on the specific internal resources accessible from the OpenClaw server.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.4.8 or later to patch the SSRF vulnerability (CVE-2026-41914).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious OpenClaw SSRF Attempt\u003c/code\u003e to identify potential exploitation attempts targeting the vulnerable media download paths.\u003c/li\u003e\n\u003cli\u003eImplement strict network segmentation to limit the impact of a successful SSRF attack by restricting access to sensitive internal resources from the OpenClaw server.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-openclaw-ssrf/","summary":"OpenClaw before 2026.4.8 is vulnerable to server-side request forgery (SSRF) in QQ Bot media download paths, allowing attackers to bypass SSRF protections and access internal resources.","title":"OpenClaw QQ Bot Media Download SSRF Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-ssrf/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-41383"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["high"],"_cs_tags":["cve-2026-41383","directory-traversal","file-deletion","openclaw"],"_cs_type":"advisory","_cs_vendors":["openclaw"],"content_html":"\u003cp\u003eOpenClaw before version 2026.4.2 is susceptible to an arbitrary directory deletion vulnerability (CVE-2026-41383) when operating in mirror mode. An attacker with control over the OpenShell configuration paths, specifically \u003ccode\u003eremoteWorkspaceDir\u003c/code\u003e and \u003ccode\u003eremoteAgentWorkspaceDir\u003c/code\u003e, can trigger the deletion of unintended remote directory contents. 
This is achieved by manipulating these configuration values to point to sensitive directories. The subsequent mirror sync operation replaces the deleted contents with data from the attacker\u0026rsquo;s workspace, leading to data loss and potential system compromise. This vulnerability allows an attacker to potentially wipe out important data on the remote end.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains access to the OpenClaw configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eremoteWorkspaceDir\u003c/code\u003e and/or \u003ccode\u003eremoteAgentWorkspaceDir\u003c/code\u003e configuration values to point to a target directory they wish to delete.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a mirror sync operation.\u003c/li\u003e\n\u003cli\u003eOpenClaw, using the attacker-controlled path, connects to the remote system.\u003c/li\u003e\n\u003cli\u003eOpenClaw deletes the contents of the directory specified by the modified \u003ccode\u003eremoteWorkspaceDir\u003c/code\u003e or \u003ccode\u003eremoteAgentWorkspaceDir\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eOpenClaw uploads the contents of the attacker\u0026rsquo;s local workspace to the now-empty remote directory, effectively replacing the original data.\u003c/li\u003e\n\u003cli\u003eThe targeted remote directory now contains the attacker\u0026rsquo;s data instead of the original contents.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary directory deletion and data replacement, potentially causing significant disruption and data loss.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to arbitrary deletion of files and directories on the remote system where OpenClaw is used in mirror mode. 
The impact includes potential data loss, service disruption, and the replacement of legitimate data with attacker-controlled content. Given the CVSS v3.1 score of 8.1, this vulnerability is considered high severity due to the potential for significant data integrity and availability impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.4.2 or later to remediate CVE-2026-41383.\u003c/li\u003e\n\u003cli\u003eMonitor OpenClaw configuration files for unauthorized modifications to \u003ccode\u003eremoteWorkspaceDir\u003c/code\u003e and \u003ccode\u003eremoteAgentWorkspaceDir\u003c/code\u003e using a file integrity monitoring system.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls to OpenClaw configuration files to prevent unauthorized modification of these settings.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect suspicious process execution related to modification of openclaw configuration files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-openclaw-directory-deletion/","summary":"OpenClaw before 2026.4.2 is vulnerable to arbitrary directory deletion in mirror mode, enabling attackers to delete remote directories by manipulating remoteWorkspaceDir and remoteAgentWorkspaceDir configuration values.","title":"OpenClaw Arbitrary Directory Deletion Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-directory-deletion/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-41295"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["openclaw","code-execution","trust-boundary","plugin"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw before version 2026.4.2 is vulnerable to an improper trust boundary issue. 
This vulnerability allows an attacker to achieve in-process code execution by exploiting the way OpenClaw handles workspace channel shadows. Specifically, an attacker can clone a workspace and include a malicious plugin. This plugin claims a bundled channel ID, which results in the execution of untrusted code during the built-in channel setup and login process, even before the plugin is explicitly trusted by the user. This poses a significant risk as it bypasses normal trust mechanisms within OpenClaw.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker clones a legitimate OpenClaw workspace.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious plugin designed to exploit the trust boundary vulnerability.\u003c/li\u003e\n\u003cli\u003eThe malicious plugin is configured to claim a bundled channel ID that OpenClaw uses for built-in channels.\u003c/li\u003e\n\u003cli\u003eThe cloned workspace, including the malicious plugin, is distributed to a target user.\u003c/li\u003e\n\u003cli\u003eThe target user opens the cloned workspace in a vulnerable version of OpenClaw (before 2026.4.2).\u003c/li\u003e\n\u003cli\u003eDuring the workspace loading and channel setup process, OpenClaw incorrectly trusts the malicious plugin due to the claimed channel ID.\u003c/li\u003e\n\u003cli\u003eThe malicious plugin executes arbitrary code within the OpenClaw process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control or compromises the user\u0026rsquo;s OpenClaw session.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41295 leads to arbitrary code execution within the OpenClaw application. An attacker can leverage this to potentially steal sensitive information, modify workspace data, or escalate privileges on the affected system. 
The vulnerability impacts all OpenClaw users running versions prior to 2026.4.2 who open a maliciously crafted workspace. The impact is severe, as it allows for immediate code execution without explicit user consent or trust of the malicious plugin.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.4.2 or later to patch CVE-2026-41295.\u003c/li\u003e\n\u003cli\u003eMonitor for the creation and loading of OpenClaw plugins, specifically those claiming bundled channel IDs, using a process creation rule with a focus on command-line arguments.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted plugins within OpenClaw to mitigate the risk of malicious plugin execution.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T00:16:29Z","date_published":"2026-04-21T00:16:29Z","id":"/briefs/2026-04-openclaw-trust-boundary/","summary":"OpenClaw before 2026.4.2 contains an improper trust boundary vulnerability (CVE-2026-41295) allowing attackers to execute unintended code by cloning a workspace with a malicious plugin claiming a bundled channel id.","title":"OpenClaw Improper Trust Boundary Vulnerability (CVE-2026-41295)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-trust-boundary/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["openclaw","local-file-inclusion","unc-path"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw versions 2026.4.7 through 2026.4.14 are vulnerable to a local-root containment bypass in the webchat media embedding feature. This flaw allows a malicious actor to craft a tool-result media reference with a local file path or UNC path that bypasses the intended \u003ccode\u003elocalRoots\u003c/code\u003e containment policy. 
The vulnerability resides in the handling of media paths during webchat media block preparation on the host side. Successful exploitation could lead to the disclosure of allowed host files or the exposure of network credentials on Windows systems. The issue was reported by @Kherrisan and patched in OpenClaw version 2026.4.15.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious tool-result that contains a media reference with a file path intended to bypass local-root containment (e.g., a path outside the allowed \u003ccode\u003elocalRoots\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe user interacts with the malicious tool-result within the OpenClaw webchat interface.\u003c/li\u003e\n\u003cli\u003eThe webchat media embedding functionality attempts to normalize the media reference.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the crafted file path bypasses the \u003ccode\u003elocalRoots\u003c/code\u003e containment check.\u003c/li\u003e\n\u003cli\u003eThe host system attempts to read the file from the specified path (either local or UNC).\u003c/li\u003e\n\u003cli\u003eIf successful, the file content is potentially exposed. On Windows, the system might attempt to access a UNC path, potentially exposing network credentials.\u003c/li\u003e\n\u003cli\u003eThe webchat media block is prepared with the (potentially exposed) file content.\u003c/li\u003e\n\u003cli\u003eAlthough the vulnerability is triggered host-side before the user sees the final rendered result, sensitive information could be leaked.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could lead to the disclosure of sensitive files on the host system. On Windows systems, exploitation may result in the exposure of network credentials if a UNC path is accessed. 
While the severity is medium because exploitation depends on a tool-result media path reaching the webchat embedding path, the sink is a host-side file read before the user sees the rendered result. This impacts OpenClaw installations running versions 2026.4.7 through 2026.4.14.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.4.15 or later to patch the vulnerability. The fix hardens the webchat media path and shared media resolver, rejecting remote-host \u003ccode\u003efile://\u003c/code\u003e URLs and Windows network paths.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious OpenClaw UNC Path Access\u003c/code\u003e to identify attempts to access UNC paths via OpenClaw.\u003c/li\u003e\n\u003cli\u003eReview the code changes in commits \u003ccode\u003e1470de5d3e0970856d86cd99336bb8ada3fe87da\u003c/code\u003e, \u003ccode\u003e6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde\u003c/code\u003e, and \u003ccode\u003e52ef42302ead9e183e6c8810e0a04ee4ef8ae9fc\u003c/code\u003e to understand the implemented security measures in version 2026.4.15.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-18T12:00:00Z","date_published":"2026-04-18T12:00:00Z","id":"/briefs/2026-04-openclaw-local-root-bypass/","summary":"A vulnerability in OpenClaw versions 2026.4.7 to before 2026.4.15 allows a crafted tool-result media reference to cause the host to attempt local file reads or Windows UNC/network path access, potentially disclosing files or network credentials.","title":"OpenClaw Webchat Media Embedding Local-Root Containment Bypass","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-local-root-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["npm","openclaw","environment-variable-injection","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe 
\u003ccode\u003eopenclaw\u003c/code\u003e package, a tool used within the npm ecosystem, was found to have a vulnerability affecting versions prior to 2026.4.10. This vulnerability stems from an inadequate environment variable denylist in the exec environment policy. Specifically, the policy failed to block high-risk interpreter startup variables such as \u003ccode\u003eVIMINIT\u003c/code\u003e, \u003ccode\u003eEXINIT\u003c/code\u003e, \u003ccode\u003eLUA_INIT\u003c/code\u003e, and \u003ccode\u003eHOSTALIASES\u003c/code\u003e. This oversight allowed malicious actors to potentially inject arbitrary environment variables, thereby influencing the behavior of downstream execution or network operations. The vulnerability was reported by @feiyang666 of Tencent zhuque Lab. The fix was implemented in version 2026.4.10 and later, with version 2026.4.14 containing the fix as well. This vulnerability allows for potential code execution or network manipulation through environment variables.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains control over an environment where the vulnerable \u003ccode\u003eopenclaw\u003c/code\u003e package is utilized.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies that the \u003ccode\u003eopenclaw\u003c/code\u003e version is prior to 2026.4.10.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a malicious environment variable, such as \u003ccode\u003eVIMINIT\u003c/code\u003e, \u003ccode\u003eEXINIT\u003c/code\u003e, \u003ccode\u003eLUA_INIT\u003c/code\u003e, or \u003ccode\u003eHOSTALIASES\u003c/code\u003e, into the system\u0026rsquo;s environment.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eopenclaw\u003c/code\u003e package executes a process that reads and utilizes environment variables without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe injected environment variable overrides the intended behavior of the process. 
For example, \u003ccode\u003eVIMINIT\u003c/code\u003e can be used to execute arbitrary vim commands upon startup.\u003c/li\u003e\n\u003cli\u003eThis execution leads to arbitrary code execution or modified network behavior, depending on the injected variable. For example, \u003ccode\u003eHOSTALIASES\u003c/code\u003e can redirect network requests to attacker-controlled servers.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as gaining unauthorized access, exfiltrating data, or causing denial of service.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised environment to propagate the attack further.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows for arbitrary code execution or network redirection by injecting malicious environment variables. Successful exploitation could lead to unauthorized access to sensitive data, system compromise, or denial-of-service conditions. The specific impact depends on the context in which \u003ccode\u003eopenclaw\u003c/code\u003e is used and the permissions of the user running the affected process. The reported vulnerability has been fixed in \u003ccode\u003eopenclaw\u003c/code\u003e version 2026.4.10 and later.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003eopenclaw\u003c/code\u003e package to version 2026.4.10 or later to remediate the vulnerability, as indicated in the advisory (\u003ca href=\"https://github.com/advisories/GHSA-vfp4-8x56-j7c5\"\u003ehttps://github.com/advisories/GHSA-vfp4-8x56-j7c5\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor process execution for the presence of environment variables being passed to child processes, focusing on \u003ccode\u003eVIMINIT\u003c/code\u003e, \u003ccode\u003eEXINIT\u003c/code\u003e, \u003ccode\u003eLUA_INIT\u003c/code\u003e, and \u003ccode\u003eHOSTALIASES\u003c/code\u003e. 
Implement the Sigma rule below to detect suspicious process execution involving these variables.\u003c/li\u003e\n\u003cli\u003eImplement a system-wide policy to restrict the modification of environment variables by non-administrative users.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T21:54:20Z","date_published":"2026-04-17T21:54:20Z","id":"/briefs/2024-01-23-openclaw-env-injection/","summary":"The openclaw package versions prior to 2026.4.10 are vulnerable to environment variable injection, where the exec environment policy missed interpreter startup variables allowing operator-supplied environment overrides to influence downstream execution or network behavior, addressed in versions 2026.4.10 and later.","title":"OpenClaw Environment Variable Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-23-openclaw-env-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-35660"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-35660","openclaw","access-control","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw, a yet-to-be-defined application, suffers from an insufficient access control vulnerability (CVE-2026-35660) affecting versions prior to 2026.3.23. The vulnerability exists within the Gateway agent\u0026rsquo;s \u003ccode\u003e/reset\u003c/code\u003e endpoint. An attacker possessing \u003ccode\u003eoperator.write\u003c/code\u003e permissions can exploit this flaw to reset administrative sessions, circumventing the intended \u003ccode\u003eoperator.admin\u003c/code\u003e requirement. Specifically, the vulnerability allows attackers to invoke \u003ccode\u003e/reset\u003c/code\u003e or \u003ccode\u003e/new\u003c/code\u003e messages including an explicit \u003ccode\u003esessionKey\u003c/code\u003e to manipulate arbitrary sessions. 
This could lead to unauthorized access and modification of sensitive system configurations, depending on the scope of the OpenClaw application. The vulnerability was disclosed on April 10, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized \u003ccode\u003eoperator.write\u003c/code\u003e privileges within the OpenClaw application, potentially through account compromise or privilege escalation from another vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the Gateway agent\u0026rsquo;s \u003ccode\u003e/reset\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a specific \u003ccode\u003esessionKey\u003c/code\u003e belonging to an administrative user.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker could send a \u003ccode\u003e/new\u003c/code\u003e message containing the admin\u0026rsquo;s \u003ccode\u003esessionKey\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the insufficient access control, the Gateway agent processes the request, incorrectly resetting the targeted admin session.\u003c/li\u003e\n\u003cli\u003eThe administrative user is forcibly logged out of their session, disrupting their work.\u003c/li\u003e\n\u003cli\u003eThe attacker could potentially hijack the reset session depending on implementation details.\u003c/li\u003e\n\u003cli\u003eThe attacker could then use their elevated access to perform unauthorized actions, such as modifying critical system configurations or accessing sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35660 allows attackers with \u003ccode\u003eoperator.write\u003c/code\u003e privileges to reset arbitrary admin sessions in OpenClaw. 
This can lead to denial of service for legitimate administrators, and potentially allow the attacker to hijack the reset session or perform unauthorized actions, leading to data breaches or system compromise, depending on the application\u0026rsquo;s functionalities and the scope of admin privileges. The severity is rated as high with a CVSS score of 8.1.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.23 or later to patch CVE-2026-35660.\u003c/li\u003e\n\u003cli\u003eReview and enforce strict access control policies for the OpenClaw application, ensuring that \u003ccode\u003eoperator.write\u003c/code\u003e privileges are only granted to trusted users.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to the \u003ccode\u003e/reset\u003c/code\u003e endpoint, especially those containing explicit \u003ccode\u003esessionKey\u003c/code\u003e parameters, and correlate them with user roles.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect OpenClaw Session Reset Attempt\u0026rdquo; to detect exploitation attempts (see below).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T17:50:21Z","date_published":"2026-04-10T17:50:21Z","id":"/briefs/2026-04-openclaw-reset-vuln/","summary":"OpenClaw before 2026.3.23 contains an insufficient access control vulnerability in the Gateway agent /reset endpoint that allows callers with operator.write permission to reset admin sessions by invoking /reset or /new messages with an explicit sessionKey, bypassing operator.admin requirements.","title":"OpenClaw Insufficient Access Control in Gateway Agent Session Reset 
(CVE-2026-35660)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-reset-vuln/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.7,"id":"CVE-2026-35668"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path-traversal","vulnerability","openclaw"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw versions prior to 2026.3.24 are susceptible to a path traversal vulnerability (CVE-2026-35668) that compromises sandbox enforcement. This flaw allows a sandboxed agent to read arbitrary files from another agent\u0026rsquo;s workspace by exploiting weaknesses in the handling of \u003ccode\u003emediaUrl\u003c/code\u003e and \u003ccode\u003efileUrl\u003c/code\u003e parameters. The vulnerability stems from incomplete parameter validation within the \u003ccode\u003enormalizeSandboxMediaParams\u003c/code\u003e function and the absence of \u003ccode\u003emediaLocalRoots\u003c/code\u003e context, which enables attackers to bypass intended sandbox restrictions and access sensitive data, such as API keys and configuration files, located outside the agent\u0026rsquo;s designated sandbox root. 
Successful exploitation allows unauthorized data access, potentially leading to lateral movement or data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an OpenClaw instance running a version prior to 2026.3.24.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request containing either a \u003ccode\u003emediaUrl\u003c/code\u003e or \u003ccode\u003efileUrl\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe crafted URL includes path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e) designed to navigate outside the intended sandbox directory.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enormalizeSandboxMediaParams\u003c/code\u003e function processes the URL but fails to adequately sanitize or normalize the path, due to insufficient validation.\u003c/li\u003e\n\u003cli\u003eThe lack of proper \u003ccode\u003emediaLocalRoots\u003c/code\u003e context during path resolution further contributes to the bypass.\u003c/li\u003e\n\u003cli\u003eThe application attempts to access the file specified by the manipulated URL.\u003c/li\u003e\n\u003cli\u003eDue to the path traversal vulnerability, the application reads a file outside the intended sandbox root, potentially revealing sensitive information like API keys.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the contents of the targeted file, completing the unauthorized access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35668 can lead to the disclosure of sensitive information, including API keys and configuration data, stored within other agents\u0026rsquo; workspaces. This unauthorized access can enable attackers to perform lateral movement, escalate privileges, or exfiltrate valuable data. 
While specific victim counts are unavailable, any OpenClaw deployment running a vulnerable version is at risk. The impact is heightened in environments where OpenClaw agents handle sensitive data or manage critical infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.24 or later to remediate CVE-2026-35668 and address the underlying path traversal vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for all URL parameters, especially those related to file or media access, to prevent path traversal attacks.\u003c/li\u003e\n\u003cli\u003eApply the provided Sigma rule to detect suspicious requests containing path traversal sequences in \u003ccode\u003emediaUrl\u003c/code\u003e or \u003ccode\u003efileUrl\u003c/code\u003e parameters within web server logs.\u003c/li\u003e\n\u003cli\u003eReview and strengthen sandbox configurations to ensure proper isolation between OpenClaw agents and restrict access to sensitive files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T17:17:09Z","date_published":"2026-04-10T17:17:09Z","id":"/briefs/2026-04-openclaw-path-traversal/","summary":"OpenClaw before 2026.3.24 is vulnerable to path traversal, allowing sandboxed agents to read arbitrary files from other agents' workspaces via manipulated URL parameters.","title":"OpenClaw Path Traversal Vulnerability (CVE-2026-35668)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["rce","environment-variable-injection","openclaw"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw, a user-controlled local assistant, is vulnerable to a remote code execution (RCE) issue affecting versions prior to 2026.4.8. 
The vulnerability, identified as GHSA-cm8v-2vh9-cxf3, stems from missing denylist entries for environment variables that influence build tools. Specifically, HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS were not properly sanitized, allowing a malicious actor to inject arbitrary commands into the build process. This can lead to the execution of untrusted code on the host system. The vulnerability was reported by @boy-hack of Tencent zhuque Lab. The fix is available in version 2026.4.8 and commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable OpenClaw instance running a version prior to 2026.4.8.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts malicious environment variables, such as HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, or MAKEFLAGS, containing shell commands.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers a build process within OpenClaw that utilizes the affected environment variables. 
This could involve providing a specific input or interacting with OpenClaw in a way that initiates a build operation.\u003c/li\u003e\n\u003cli\u003eDue to the missing denylist, OpenClaw does not sanitize the malicious environment variables.\u003c/li\u003e\n\u003cli\u003eThe build tool, influenced by the attacker-controlled environment variables, executes the injected shell commands.\u003c/li\u003e\n\u003cli\u003eThe injected commands execute with the privileges of the OpenClaw process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the host system.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform actions such as installing malware, exfiltrating data, or compromising other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary code on the system running OpenClaw. This could lead to complete system compromise, including data theft, malware installation, and further lateral movement within the network. Given OpenClaw\u0026rsquo;s nature as a user-controlled local assistant, the impact is primarily on individual user systems. 
However, in environments where OpenClaw is deployed more broadly, the vulnerability could be leveraged to compromise multiple machines.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.4.8 or later to patch the vulnerability (see \u0026ldquo;Affected Packages / Versions\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unexpected processes spawned by OpenClaw or its build tool subprocesses (see rules below).\u003c/li\u003e\n\u003cli\u003eImplement additional input validation and sanitization measures to prevent environment variable injection in other applications.\u003c/li\u003e\n\u003cli\u003eReview and harden build processes to limit the influence of environment variables.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T14:22:29Z","date_published":"2026-04-09T14:22:29Z","id":"/briefs/2024-01-09-openclaw-rce/","summary":"OpenClaw versions prior to 2026.4.8 are vulnerable to remote code execution (RCE) via build tool environment variable injection due to missing denylist entries for HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS, allowing hostile environment variables to influence host exec commands.","title":"OpenClaw RCE via Build Tool Environment Variable Injection","url":"https://feed.craftedsignal.io/briefs/2024-01-09-openclaw-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["openclaw","trust-model","system-prompt-injection","npm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw, a user-controlled local assistant, is susceptible to a vulnerability affecting its trust model. 
This vulnerability, present in versions 2026.4.2 and earlier, allows authenticated \u003ccode\u003e/hooks/wake\u003c/code\u003e calls and mapped \u003ccode\u003ewake\u003c/code\u003e payloads to be improperly promoted into the trusted \u003ccode\u003eSystem:\u003c/code\u003e prompt channel. This occurs because the application fails to correctly differentiate between trusted system events and untrusted user-supplied events. The issue was reported on April 9th, 2026, and addressed in version 2026.4.8. The vulnerability specifically impacts the OpenClaw trust model, which assumes a single-tenant environment; it is not applicable to multi-tenant service boundaries. Defenders need to ensure OpenClaw is updated to the patched version to mitigate potential security exploits within this trust model.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable OpenClaw instance running version 2026.4.2 or earlier.\u003c/li\u003e\n\u003cli\u003eAttacker authenticates to the OpenClaw instance.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious payload intended to be interpreted as a standard \u0026ldquo;wake\u0026rdquo; command.\u003c/li\u003e\n\u003cli\u003eAttacker sends a specially crafted \u003ccode\u003e/hooks/wake\u003c/code\u003e request or a mapped \u003ccode\u003ewake\u003c/code\u003e payload containing the malicious content.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, OpenClaw incorrectly promotes the attacker-controlled payload into the trusted \u003ccode\u003eSystem:\u003c/code\u003e prompt channel.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw assistant processes the malicious payload within the \u003ccode\u003eSystem:\u003c/code\u003e context, granting it elevated privileges within the application\u0026rsquo;s trust model.\u003c/li\u003e\n\u003cli\u003eThe malicious payload executes arbitrary commands or actions within the OpenClaw environment as a trusted system 
component.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, which could involve data manipulation, unauthorized access to local resources, or other malicious activities within the scope of the OpenClaw assistant.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows an attacker to inject malicious commands into the trusted system prompt channel of OpenClaw. Successful exploitation could lead to unauthorized data access, modification, or execution of arbitrary code within the OpenClaw environment. While the advisory does not specify the number of affected users, any instance running OpenClaw version 2026.4.2 or earlier is vulnerable. The primary risk is the compromise of the user\u0026rsquo;s local assistant and potentially the data it manages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.4.8 or later to remediate the vulnerability (reference: Affected Packages / Versions).\u003c/li\u003e\n\u003cli\u003eMonitor OpenClaw logs for suspicious activity related to the \u003ccode\u003e/hooks/wake\u003c/code\u003e endpoint (develop custom rules based on your OpenClaw logging configuration).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to detect potential exploitation attempts by monitoring process execution following \u003ccode\u003e/hooks/wake\u003c/code\u003e requests.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T14:22:23Z","date_published":"2026-04-09T14:22:23Z","id":"/briefs/2026-04-openclaw-trust-model/","summary":"OpenClaw versions 2026.4.2 and earlier are vulnerable to a trust model issue where authenticated wake hooks or mapped wake payloads can be promoted into the trusted System prompt channel, potentially leading to security vulnerabilities within the OpenClaw trust model.","title":"OpenClaw Trust Model Vulnerability: System 
Prompt Channel Injection","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-trust-model/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["openclaw","sandbox-escape","toctou"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw versions up to and including 2026.3.28 contain a critical vulnerability related to how they handle remote file system operations within a sandboxed environment. Specifically, the \u003ccode\u003ereadFile\u003c/code\u003e function in the remote file system bridge is susceptible to a Time-of-Check Time-of-Use (TOCTOU) race condition. This means that the application verifies the path of a file before reading it, but an attacker can potentially modify the file path in between the check and the read operation. The vulnerability was reported by AntAISecurityLab and patched in version 2026.3.31. Successful exploitation allows attackers to escape the sandbox, potentially leading to arbitrary code execution on the host system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a request to the OpenClaw application, specifying a file path within the allowed sandbox.\u003c/li\u003e\n\u003cli\u003eOpenClaw\u0026rsquo;s \u003ccode\u003ereadFile\u003c/code\u003e function receives the request and validates that the requested path is within the allowed sandbox.\u003c/li\u003e\n\u003cli\u003eAfter the path is validated, but before the file is read, the attacker leverages a race condition to modify the file path. 
This could be achieved by symlink replacement or other file system manipulation techniques.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ereadFile\u003c/code\u003e function now attempts to read the file from the modified path, which could point to a location outside the intended sandbox.\u003c/li\u003e\n\u003cli\u003eThe file from the attacker-controlled path is read, bypassing the initial security check.\u003c/li\u003e\n\u003cli\u003eOpenClaw processes the content of the file, potentially executing malicious code or leaking sensitive information, depending on the file\u0026rsquo;s contents and the application\u0026rsquo;s handling of it.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully escapes the sandbox, gaining unauthorized access to the host system\u0026rsquo;s resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this TOCTOU vulnerability allows an attacker to bypass the intended security restrictions of the OpenClaw sandbox. This can lead to arbitrary code execution on the host system, potentially allowing the attacker to install malware, steal sensitive data, or pivot to other systems on the network. 
While the specific number of affected installations is unknown, all deployments of OpenClaw versions 2026.3.28 or earlier are vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.31 or later to patch the vulnerability as indicated in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect attempts to exploit this TOCTOU vulnerability by monitoring file access patterns.\u003c/li\u003e\n\u003cli\u003eEnable file integrity monitoring (FIM) on critical system files to detect unauthorized modifications that could indicate exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T03:15:00Z","date_published":"2026-04-03T03:15:00Z","id":"/briefs/2026-04-openclaw-sandbox-escape/","summary":"A critical time-of-check time-of-use (TOCTOU) vulnerability in OpenClaw's remote file system bridge allows a sandbox escape by exploiting the delay between path validation and file reading, affecting versions up to 2026.3.28.","title":"OpenClaw TOCTOU Race Condition Leads to Sandbox Escape","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-sandbox-escape/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","web-application","openclaw"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA high-severity vulnerability exists in the OpenClaw npm package, specifically affecting versions 2026.3.28 and earlier. This vulnerability arises from an incomplete fix related to scope clearing within the trusted-proxy authentication mode. The flaw allows attackers to escalate their privileges to operator.admin, potentially gaining unauthorized access to sensitive data or system functionalities. The vulnerability was reported by @north-echo and patched in version 2026.3.31, with the fix committed on March 30, 2026. 
This issue is critical for organizations utilizing OpenClaw with trusted-proxy authentication, as it could lead to significant security breaches. Defenders should prioritize upgrading to version 2026.3.31 or later to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an OpenClaw instance running a vulnerable version (\u0026lt;=2026.3.28) using trusted-proxy authentication.\u003c/li\u003e\n\u003cli\u003eAttacker gains initial access with limited privileges, potentially via compromised credentials or another vulnerability.\u003c/li\u003e\n\u003cli\u003eAttacker authenticates via the trusted proxy, declaring a set of operator scopes.\u003c/li\u003e\n\u003cli\u003eDue to the incomplete scope clearing, the attacker\u0026rsquo;s declared operator scopes are not properly sanitized by the system.\u003c/li\u003e\n\u003cli\u003eThe system incorrectly grants the attacker elevated privileges associated with the self-declared operator scopes.\u003c/li\u003e\n\u003cli\u003eAttacker exploits the elevated operator.admin privileges to access restricted resources or functionalities.\u003c/li\u003e\n\u003cli\u003eAttacker performs unauthorized actions, such as data modification, configuration changes, or lateral movement within the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to escalate their privileges to operator.admin within the OpenClaw environment. This could lead to unauthorized access to sensitive data, modification of critical system configurations, and potential disruption of services. The impact is especially significant for organizations that rely on OpenClaw for critical operations and have not yet upgraded to the patched version. 
The attacker could leverage the escalated privileges to perform a wide range of malicious activities, potentially compromising the entire system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.31 or later to remediate the vulnerability (Affected Packages / Versions).\u003c/li\u003e\n\u003cli\u003eMonitor OpenClaw logs for suspicious activity related to trusted-proxy authentication and privilege escalation (logsource: \u0026ldquo;webserver\u0026rdquo;, product: \u0026ldquo;linux\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and regularly review user permissions to minimize the impact of potential privilege escalation attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect potential exploitation attempts targeting this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T03:06:12Z","date_published":"2026-04-03T03:06:12Z","id":"/briefs/2026-05-openclaw-privesc/","summary":"An incomplete fix in OpenClaw versions 2026.3.28 and earlier allows for operator.admin privilege escalation via trusted-proxy authentication mode, which is fixed in version 2026.3.31.","title":"OpenClaw Incomplete Scope Clearing Allows Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-05-openclaw-privesc/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["arbitrary-file-read","credential-exfiltration","openclaw","npm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003eopenclaw\u003c/code\u003e npm package, versions 2026.3.28 and earlier, contains a vulnerability related to media local roots self-whitelisting in the \u003ccode\u003eappendLocalMediaParentRoots\u003c/code\u003e function. This flaw enables a malicious model to initiate arbitrary file reads on the host system. 
While the tool-fs root expansion requires prior configuration, the vulnerability can still be exploited, resulting in a narrower impact than a default-critical scenario. The vulnerability was reported by @tdjackey and patched in version 2026.3.31. Defenders should ensure they are running version 2026.3.31 or later of the \u003ccode\u003eopenclaw\u003c/code\u003e package to mitigate the risk of arbitrary file read and potential credential exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious actor crafts or modifies an existing OpenClaw model.\u003c/li\u003e\n\u003cli\u003eThe model includes instructions to trigger the \u003ccode\u003eappendLocalMediaParentRoots\u003c/code\u003e function within the \u003ccode\u003esrc/media/local-roots.ts\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eDue to the self-whitelisting behavior, the function expands the allowed media parent directories, potentially including sensitive system directories.\u003c/li\u003e\n\u003cli\u003eThe model leverages the expanded directory access to request the reading of arbitrary files on the host system.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eopenclaw\u003c/code\u003e application processes the model\u0026rsquo;s file read request without proper validation due to the bypassed whitelisting.\u003c/li\u003e\n\u003cli\u003eSensitive files, such as configuration files or credential stores, are read by the application.\u003c/li\u003e\n\u003cli\u003eThe extracted data, including credentials, are then potentially exfiltrated by the malicious model.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive data or systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to read arbitrary files on the host system where the \u003ccode\u003eopenclaw\u003c/code\u003e application is 
running. This can lead to the exfiltration of sensitive information, including credentials, API keys, or other confidential data. While the exact number of affected installations is unknown, any system running a vulnerable version of the \u003ccode\u003eopenclaw\u003c/code\u003e package (\u0026lt;=2026.3.28) is susceptible. The impact is narrowed because the tool-fs root expansion requires prior configuration.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003eopenclaw\u003c/code\u003e npm package to version 2026.3.31 or later to remediate the vulnerability (reference: Affected Packages / Versions).\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization to prevent arbitrary file paths from being processed by the \u003ccode\u003eappendLocalMediaParentRoots\u003c/code\u003e function (reference: \u003ccode\u003esrc/media/local-roots.ts\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect attempts to access sensitive files via the \u003ccode\u003eopenclaw\u003c/code\u003e application (reference: Sigma rule below).\u003c/li\u003e\n\u003cli\u003eReview and restrict the tool-fs root expansion configuration to minimize the impact of potential exploitation (reference: Current Maintainer Triage).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T02:53:58Z","date_published":"2026-04-03T02:53:58Z","id":"/briefs/2026-04-openclaw-file-read/","summary":"The openclaw package is vulnerable to arbitrary file read and credential exfiltration due to media local roots self-whitelisting in `appendLocalMediaParentRoots`, allowing a model to initiate arbitrary host file reads, potentially leading to credential exfiltration.","title":"OpenClaw Arbitrary File Read and Credential Exfiltration 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-file-read/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["openclaw","npm","package-index-redirection","environment-variable-injection"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003eopenclaw\u003c/code\u003e npm package, versions 2026.3.28 and earlier, contains a vulnerability that allows for the redirection of Python package-index traffic. This is due to insufficient sanitization of the \u003ccode\u003ePIP_INDEX_URL\u003c/code\u003e and \u003ccode\u003eUV_INDEX_URL\u003c/code\u003e environment variables during host execution. An attacker can potentially exploit this vulnerability to redirect package installation traffic to a malicious index, potentially leading to the installation of compromised packages. The scope of this vulnerability is limited to approved or allowlisted package-management execution paths, mitigating the risk of arbitrary remote execution. Version 2026.3.31 and later contain the fix. 
The vulnerability was reported by @nexrin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a system using a vulnerable version (\u0026lt;=2026.3.28) of the \u003ccode\u003eopenclaw\u003c/code\u003e npm package.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to the system or its environment configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker sets either the \u003ccode\u003ePIP_INDEX_URL\u003c/code\u003e or \u003ccode\u003eUV_INDEX_URL\u003c/code\u003e environment variable to point to a malicious Python package index server.\u003c/li\u003e\n\u003cli\u003eThe system executes a package installation command (e.g., \u003ccode\u003epip install \u0026lt;package\u0026gt;\u003c/code\u003e) through \u003ccode\u003eopenclaw\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eopenclaw\u003c/code\u003e, without proper sanitization, uses the attacker-controlled environment variable when resolving package dependencies.\u003c/li\u003e\n\u003cli\u003eThe package manager connects to the malicious index server specified in the \u003ccode\u003ePIP_INDEX_URL\u003c/code\u003e or \u003ccode\u003eUV_INDEX_URL\u003c/code\u003e variable.\u003c/li\u003e\n\u003cli\u003eThe attacker serves malicious or backdoored Python packages through the rogue index.\u003c/li\u003e\n\u003cli\u003eThe system installs the malicious packages, potentially compromising the system with arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could lead to the installation of malicious Python packages on systems utilizing the vulnerable \u003ccode\u003eopenclaw\u003c/code\u003e version. This could result in arbitrary code execution, data theft, or other malicious activities, depending on the contents of the malicious packages. 
The scope is somewhat limited since only allowlisted execution paths are affected, which reduces the blast radius.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003eopenclaw\u003c/code\u003e npm package to version 2026.3.31 or later to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor process executions involving \u003ccode\u003eopenclaw\u003c/code\u003e and the use of \u003ccode\u003ePIP_INDEX_URL\u003c/code\u003e or \u003ccode\u003eUV_INDEX_URL\u003c/code\u003e environment variables. Deploy the Sigma rule \u003ccode\u003eDetect OpenClaw Using Suspicious Index URL\u003c/code\u003e to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement strict allowlisting of package management execution paths to further limit the potential impact.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging to capture command line arguments and environment variables for the \u003ccode\u003eopenclaw\u003c/code\u003e process.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T20:57:44Z","date_published":"2026-04-02T20:57:44Z","id":"/briefs/2026-04-openclaw-index-redirect/","summary":"The openclaw npm package is vulnerable to Python package-index redirection through host execution due to improper sanitization of `PIP_INDEX_URL` and `UV_INDEX_URL`, affecting versions 2026.3.28 and earlier.","title":"OpenClaw NPM Package Vulnerable to Python Package Index Redirection","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-index-redirect/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["openclaw","session-reset","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw Gateway versions 2026.3.24 and earlier contain a vulnerability that allows unauthorized session resets. 
A write-scoped gateway caller can exploit this flaw to rotate a target session, archive the prior transcript state, and force a new session ID, actions that should be restricted to administrative users. This is possible because the \u003ccode\u003echat.send\u003c/code\u003e path incorrectly reuses command authorization checks when triggering the \u003ccode\u003e/reset\u003c/code\u003e functionality. Defenders should upgrade to version 2026.3.28 or later to remediate this vulnerability. This issue affects deployments where write-scoped callers should not have the ability to reset sessions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an OpenClaw Gateway instance running a vulnerable version (\u0026lt;= 2026.3.24).\u003c/li\u003e\n\u003cli\u003eAttacker obtains valid credentials for a gateway caller with write scope permissions.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a \u003ccode\u003echat.send\u003c/code\u003e request.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003echat.send\u003c/code\u003e request is designed to trigger the \u003ccode\u003e/reset\u003c/code\u003e command within the application.\u003c/li\u003e\n\u003cli\u003eThe application incorrectly authorizes the \u003ccode\u003e/reset\u003c/code\u003e command based on the write scope of the \u003ccode\u003echat.send\u003c/code\u003e request.\u003c/li\u003e\n\u003cli\u003eThe target session is rotated, archiving the previous transcript state.\u003c/li\u003e\n\u003cli\u003eA new session ID is forced for the target.\u003c/li\u003e\n\u003cli\u003eThe attacker effectively resets the target session without requiring admin-level privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a write-scoped caller to perform administrative actions, specifically session resets. 
This could lead to disruption of service, unauthorized access to archived session data, or other unforeseen consequences depending on the specific implementation of OpenClaw Gateway. If an attacker can repeatedly reset sessions, it could create a denial-of-service condition.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw Gateway to version 2026.3.28 or later to patch the vulnerability described in \u003ca href=\"https://github.com/advisories/GHSA-5r8f-96gm-5j6g\"\u003eGHSA-5r8f-96gm-5j6g\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview the commit \u003ccode\u003ebe00fcfccb\u003c/code\u003e to understand the fix and identify any potential backporting needs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T00:00:34Z","date_published":"2026-04-01T00:00:34Z","id":"/briefs/2026-04-openclaw-session-reset/","summary":"A vulnerability in OpenClaw Gateway allows a write-scoped gateway caller to rotate a target session, archive the prior transcript state, and force a new session id without admin scope via the `chat.send` path by reusing command authorization to trigger `/reset` session rotation.","title":"OpenClaw Gateway Unauthorized Session Reset Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-session-reset/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-34506"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cve-2026-34506","openclaw","microsoft teams","allowlist bypass"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw, a Microsoft Teams plugin, is vulnerable to a sender allowlist bypass (CVE-2026-34506) in versions prior to 2026.3.8. 
The vulnerability stems from a misconfiguration issue where an empty \u003ccode\u003egroupAllowFrom\u003c/code\u003e parameter in the team/channel route allowlist leads to the synthesis of wildcard sender authorization. This allows any sender within the matched team/channel to trigger replies in allowlisted Teams routes, effectively bypassing intended authorization checks. This vulnerability was…\u003c/p\u003e\n","date_modified":"2026-03-31T12:16:30Z","date_published":"2026-03-31T12:16:30Z","id":"/briefs/2026-03-openclaw-allowlist-bypass/","summary":"OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin, allowing unauthorized senders to bypass intended authorization checks due to improper handling of empty groupAllowFrom parameters, potentially leading to information disclosure.","title":"OpenClaw Microsoft Teams Plugin Sender Allowlist Bypass (CVE-2026-34506)","url":"https://feed.craftedsignal.io/briefs/2026-03-openclaw-allowlist-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-32917"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["command-injection","imessage","openclaw"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw is vulnerable to a remote command injection flaw. Specifically, versions prior to 2026.3.13 are susceptible. This vulnerability, identified as CVE-2026-32917, resides within the iMessage attachment staging process. Attackers can exploit this flaw by injecting shell metacharacters into unsanitized remote attachment paths. 
This occurs because these paths are directly passed to the SCP command…\u003c/p\u003e\n","date_modified":"2026-03-31T12:16:28Z","date_published":"2026-03-31T12:16:28Z","id":"/briefs/2026-03-openclaw-rce/","summary":"OpenClaw before 2026.3.13 is vulnerable to remote command injection via unsanitized iMessage attachment paths passed to the SCP remote operand, allowing attackers to execute arbitrary commands on configured remote hosts when remote attachment staging is enabled.","title":"OpenClaw Remote Command Injection via iMessage Attachment Staging (CVE-2026-32917)","url":"https://feed.craftedsignal.io/briefs/2026-03-openclaw-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["openclaw","vulnerability","authorization"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003eopenclaw\u003c/code\u003e package, specifically versions up to and including 2026.3.24, contains a vulnerability within the gateway plugin subagent fallback mechanism. The \u003ccode\u003edeleteSession\u003c/code\u003e function, when invoked without a request-scoped client, incorrectly dispatched \u003ccode\u003esessions.delete\u003c/code\u003e utilizing a synthetic \u003ccode\u003eoperator.admin\u003c/code\u003e runtime scope. This means that under certain conditions, session deletion operations were being performed with elevated privileges, potentially leading to unauthorized session management. This vulnerability was present in the code up to version 2026.3.24 and has been patched in version 2026.3.25. 
Defenders should ensure they are running version 2026.3.25 or later to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA request is made to the gateway plugin that triggers the \u003ccode\u003edeleteSession\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edeleteSession\u003c/code\u003e function checks for a request-scoped client.\u003c/li\u003e\n\u003cli\u003eIf no request-scoped client exists, the code falls back to a default mechanism.\u003c/li\u003e\n\u003cli\u003eThe vulnerable code path then incorrectly creates a synthetic \u003ccode\u003eoperator.admin\u003c/code\u003e runtime scope.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esessions.delete\u003c/code\u003e function is dispatched with the elevated \u003ccode\u003eoperator.admin\u003c/code\u003e scope.\u003c/li\u003e\n\u003cli\u003eSession deletion occurs with the privileges of the synthetic admin operator.\u003c/li\u003e\n\u003cli\u003eAn attacker could potentially trigger this code path to delete sessions they should not have access to.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could lead to unauthorized session deletion within the \u003ccode\u003eopenclaw\u003c/code\u003e application. While the exact impact depends on the specific deployment and usage of \u003ccode\u003eopenclaw\u003c/code\u003e, the ability to delete arbitrary sessions could disrupt service availability or allow an attacker to invalidate legitimate user sessions. 
If an attacker can reliably trigger this vulnerability, it could lead to denial-of-service or other forms of service disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003eopenclaw\u003c/code\u003e package to version 2026.3.25 or later to remediate the vulnerability described in the overview.\u003c/li\u003e\n\u003cli\u003eReview the \u003ccode\u003eopenclaw\u003c/code\u003e codebase and audit the usage of \u003ccode\u003edeleteSession\u003c/code\u003e to identify any potential misuse or unexpected invocations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-29T15:50:41Z","date_published":"2026-03-29T15:50:41Z","id":"/briefs/2026-04-openclaw-admin-scope/","summary":"The openclaw package versions 2026.3.24 and earlier are vulnerable due to the gateway plugin subagent fallback `deleteSession` function dispatching `sessions.delete` with a synthetic `operator.admin` runtime scope, potentially leading to unauthorized session deletion.","title":"OpenClaw Gateway Plugin Subagent Admin Scope Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-admin-scope/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ssrf","openclaw","cve-2026-28476"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003eopenclaw\u003c/code\u003e package, a Node.js module, contains a Server-Side Request Forgery (SSRF) vulnerability in versions 2026.3.24 and earlier. This flaw stems from an incomplete fix for CVE-2026-28476, where several channel extensions continued to use raw \u003ccode\u003efetch()\u003c/code\u003e against configured base URLs without proper SSRF protection. This omission allows attackers to potentially manipulate configured endpoints to target blocked internal destinations, bypassing intended security measures. 
The vulnerability was identified and patched in version 2026.3.25 through commit \u003ccode\u003ef92c92515bd439a71bd03eb1bc969c1964f17acf\u003c/code\u003e, which routes outbound requests through \u003ccode\u003efetchWithSsrFGuard\u003c/code\u003e. Defenders should ensure they are running version 2026.3.25 or later.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an \u003ccode\u003eopenclaw\u003c/code\u003e instance running version 2026.3.24 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a channel extension that uses a configured base URL.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious configuration that redirects the base URL to an internal resource.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003efetch()\u003c/code\u003e function in the channel extension makes an HTTP request to the attacker-controlled URL.\u003c/li\u003e\n\u003cli\u003eThe request bypasses the SSRF guard due to the incomplete fix for CVE-2026-28476.\u003c/li\u003e\n\u003cli\u003eThe targeted internal resource processes the attacker\u0026rsquo;s request.\u003c/li\u003e\n\u003cli\u003eSensitive information from the internal resource is potentially exposed to the attacker.\u003c/li\u003e\n\u003cli\u003eAttacker exfiltrates the exposed information, completing the SSRF attack.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability could allow an attacker to gain unauthorized access to internal resources and sensitive information. The number of potential victims is dependent on the prevalence of vulnerable \u003ccode\u003eopenclaw\u003c/code\u003e instances. 
If successful, the attacker can read internal files, access internal services, or even potentially execute commands on internal systems, leading to data breaches or further compromise of the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003eopenclaw\u003c/code\u003e package to version 2026.3.25 or later to incorporate the fix for CVE-2026-28476, as described in the overview.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of potential SSRF vulnerabilities by restricting access from the affected systems to sensitive internal resources.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect OpenClaw SSRF Vulnerable Versions\u0026rdquo; to identify potentially vulnerable instances of the \u003ccode\u003eopenclaw\u003c/code\u003e package based on user-agent strings.\u003c/li\u003e\n\u003cli\u003eMonitor outbound network connections from \u003ccode\u003eopenclaw\u003c/code\u003e instances for connections to internal IP addresses or unexpected domains, which could indicate SSRF exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-29T15:49:23Z","date_published":"2026-03-29T15:49:23Z","id":"/briefs/2026-05-openclaw-ssrf/","summary":"OpenClaw versions 2026.3.24 and earlier are vulnerable to Server-Side Request Forgery (SSRF) because of unguarded configured base URLs in multiple channel extensions, allowing attackers to potentially access internal resources.","title":"OpenClaw SSRF Vulnerability via Unguarded Configured Base URLs","url":"https://feed.craftedsignal.io/briefs/2026-05-openclaw-ssrf/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["credential-access","vulnerability","openclaw"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw versions before 2026.3.12 are vulnerable to credential exposure. 
The vulnerability stems from the embedding of long-lived shared gateway credentials directly into pairing setup codes. These codes are generated by the \u003ccode\u003e/pair\u003c/code\u003e endpoint and the \u003ccode\u003eOpenClaw qr\u003c/code\u003e command. An attacker who obtains these setup codes through various means, such as leaked chat histories, logs, or screenshots, can extract the embedded credentials. This allows the attacker to bypass the intended one-time pairing flow and gain unauthorized access to the shared gateway. The exposure of these credentials could lead to further unauthorized access and potential compromise of sensitive data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user generates a pairing setup code using the \u003ccode\u003e/pair\u003c/code\u003e endpoint or \u003ccode\u003eOpenClaw qr\u003c/code\u003e command. This code contains the embedded shared gateway credentials.\u003c/li\u003e\n\u003cli\u003eThe setup code is shared with the intended recipient via chat, logs or screenshots.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to the setup code through compromised chat history, exposed logs, or publicly shared screenshots.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the long-lived shared gateway credential from the setup code.\u003c/li\u003e\n\u003cli\u003eThe attacker reuses the stolen shared gateway credentials outside of the intended one-time pairing flow.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the shared gateway.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the access gained via the gateway for further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to bypass the intended one-time pairing flow and gain unauthorized access to the shared gateway. 
The number of potential victims is dependent on the number of OpenClaw deployments and the exposure of pairing setup codes. The primary impact is unauthorized access and potential compromise of sensitive data accessible through the shared gateway.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.12 or later to remediate the vulnerability (CVE-2026-33575).\u003c/li\u003e\n\u003cli\u003eImplement strict controls over the handling and storage of pairing setup codes to prevent unauthorized access.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious activity originating from OpenClaw gateways, potentially indicating unauthorized access using leaked credentials.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect the usage of the \u003ccode\u003e/pair\u003c/code\u003e endpoint which could indicate unauthorized pairing attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-29T13:17:03Z","date_published":"2026-03-29T13:17:03Z","id":"/briefs/2026-03-openclaw-credential-exposure/","summary":"OpenClaw before 2026.3.12 embeds long-lived shared gateway credentials in pairing setup codes, allowing attackers with access to leaked codes to reuse credentials and gain unauthorized access.","title":"OpenClaw Credential Exposure via Leaked Pairing Codes","url":"https://feed.craftedsignal.io/briefs/2026-03-openclaw-credential-exposure/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-32979","code-execution","openclaw"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw, a software application, is susceptible to an approval integrity vulnerability identified as CVE-2026-32979. This flaw exists in versions prior to 2026.3.11. An attacker can exploit this vulnerability to execute malicious code within the context of the OpenClaw runtime user. 
The attack involves modifying approved local scripts between the time they are approved and the time they are executed. This is possible because exact file binding does not occur, which allows for the alteration of…\u003c/p\u003e\n","date_modified":"2026-03-29T13:17:02Z","date_published":"2026-03-29T13:17:02Z","id":"/briefs/2026-03-openclaw-code-exec/","summary":"OpenClaw before 2026.3.11 is vulnerable to an approval integrity issue (CVE-2026-32979) allowing attackers to execute arbitrary code by modifying approved local scripts before they are executed.","title":"OpenClaw Code Execution via Script Modification (CVE-2026-32979)","url":"https://feed.craftedsignal.io/briefs/2026-03-openclaw-code-exec/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-32973","openclaw","allowlist-bypass"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw versions prior to 2026.3.11 are susceptible to an exec allowlist bypass vulnerability, identified as CVE-2026-32973. The vulnerability stems from the \u003ccode\u003ematchesExecAllowlistPattern\u003c/code\u003e function\u0026rsquo;s flawed normalization process, specifically its handling of lowercasing and glob matching. This leads to overmatching on POSIX paths, enabling attackers to circumvent intended restrictions. 
By leveraging the \u0026lsquo;?\u0026rsquo; wildcard, attackers can match across path segments to execute commands or access paths…\u003c/p\u003e\n","date_modified":"2026-03-29T13:17:01Z","date_published":"2026-03-29T13:17:01Z","id":"/briefs/2026-03-openclaw-bypass/","summary":"OpenClaw before 2026.3.11 contains an exec allowlist bypass vulnerability (CVE-2026-32973) due to improper normalization of patterns, allowing attackers to execute unintended commands via wildcard matching in POSIX paths.","title":"OpenClaw Exec Allowlist Bypass via POSIX Path Overmatching (CVE-2026-32973)","url":"https://feed.craftedsignal.io/briefs/2026-03-openclaw-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["openclaw","sandbox-escape","authorization"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-32918 affects OpenClaw versions prior to 2026.3.11. The vulnerability resides in the \u003ccode\u003esession_status\u003c/code\u003e tool, which is intended to manage sandboxed subagents. However, a flaw allows these sandboxed agents to bypass their intended restrictions and access session data belonging to parent or sibling sessions. 
An attacker can exploit this by supplying arbitrary \u003ccode\u003esessionKey\u003c/code\u003e values, enabling them to read and modify sensitive session data, including persisted model overrides, far beyond the…\u003c/p\u003e\n","date_modified":"2026-03-29T13:17:00Z","date_published":"2026-03-29T13:17:00Z","id":"/briefs/2026-03-openclaw-sandbox-escape/","summary":"OpenClaw before 2026.3.11 contains a session sandbox escape vulnerability in the session_status tool, allowing sandboxed subagents to access and modify session data outside their intended scope.","title":"OpenClaw Session Sandbox Escape Vulnerability (CVE-2026-32918)","url":"https://feed.craftedsignal.io/briefs/2026-03-openclaw-sandbox-escape/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["openclaw","privilege-escalation","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe OpenClaw gateway plugin, specifically in versions up to and including 2026.3.24, contains a vulnerability related to runtime scope management. This flaw allows any caller interacting with the gateway to be granted the \u003ccode\u003eoperator.admin\u003c/code\u003e scope, irrespective of the permissions they should possess. This means that users or systems with limited access can potentially perform administrative actions within the OpenClaw environment. This vulnerability was resolved in version 2026.3.25 with the application of commit \u003ccode\u003eec2dbcff9afd8a52e00de054b506c91726d9fbbe\u003c/code\u003e, which implemented a least-privilege approach for plugin HTTP runtime scopes, ensuring that caller scope boundaries are respected. 
This issue poses a significant risk to OpenClaw deployments, especially in multi-tenant environments or environments where strict permission controls are required.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an OpenClaw instance running a vulnerable version (\u0026lt;= 2026.3.24) of the gateway plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a standard HTTP request to a gateway-authenticated plugin HTTP route.\u003c/li\u003e\n\u003cli\u003eThe gateway plugin authenticates the request (assuming valid credentials or bypassing authentication due to misconfiguration).\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the plugin incorrectly mints a runtime scope set that includes \u003ccode\u003eoperator.admin\u003c/code\u003e, regardless of the caller\u0026rsquo;s actual permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s request is processed with the elevated \u003ccode\u003eoperator.admin\u003c/code\u003e privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages these elevated privileges to perform unauthorized administrative actions within the OpenClaw system.\u003c/li\u003e\n\u003cli\u003eThese actions could include modifying system configurations, accessing sensitive data, or disrupting services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to bypass intended permission controls within OpenClaw. The impact can range from unauthorized data access to complete system compromise, depending on the specific administrative actions the attacker is able to perform. The vulnerability affects all deployments using the vulnerable OpenClaw gateway plugin versions. 
This is especially critical in environments where strict role-based access control is required.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw gateway plugin to version 2026.3.25 or later to patch the vulnerability (reference: Affected Packages / Versions).\u003c/li\u003e\n\u003cli\u003eImplement monitoring for unusual activity related to OpenClaw administrative functions to detect potential exploitation attempts (reference: Sigma rule \u0026ldquo;Detect OpenClaw Admin Operations from Non-Admin Sources\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eReview and audit existing OpenClaw configurations and permissions to ensure adherence to the principle of least privilege (reference: Overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-27T22:32:36Z","date_published":"2026-03-27T22:32:36Z","id":"/briefs/2026-05-openclaw-admin-scope/","summary":"The openclaw gateway plugin versions 2026.3.24 and earlier incorrectly grants operator.admin runtime scope to all callers, regardless of their granted scopes, potentially allowing unauthorized actions.","title":"OpenClaw Gateway Plugin Grants Unrestricted operator.admin Runtime Scope","url":"https://feed.craftedsignal.io/briefs/2026-05-openclaw-admin-scope/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["openclaw","symlink-traversal","vulnerability","npm","rce","persistence"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003eopenclaw\u003c/code\u003e npm package is vulnerable to a symlink traversal vulnerability (CVE-2026-32013) affecting versions 2026.2.22 and earlier. The vulnerability lies in the \u003ccode\u003eagents.create\u003c/code\u003e and \u003ccode\u003eagents.update\u003c/code\u003e handlers within the \u003ccode\u003esrc/gateway/server-methods/agents.ts\u003c/code\u003e file. 
These handlers use \u003ccode\u003efs.appendFile\u003c/code\u003e on the \u003ccode\u003eIDENTITY.md\u003c/code\u003e file without proper symlink containment checks. An attacker capable of placing a symlink within the agent workspace can redirect the \u003ccode\u003eIDENTITY.md\u003c/code\u003e path to point to arbitrary files on the system, allowing them to append attacker-controlled content to these files. This can lead to serious consequences such as remote code execution by modifying \u003ccode\u003e/etc/crontab\u003c/code\u003e, persistent code execution by modifying shell configuration files like \u003ccode\u003e~/.bashrc\u003c/code\u003e, or unauthorized SSH access by modifying \u003ccode\u003e~/.ssh/authorized_keys\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the agent workspace.\u003c/li\u003e\n\u003cli\u003eThe attacker plants a symbolic link named \u003ccode\u003eIDENTITY.md\u003c/code\u003e within the agent workspace. 
This symlink points to a sensitive system file, such as \u003ccode\u003e/etc/crontab\u003c/code\u003e or \u003ccode\u003e~/.ssh/authorized_keys\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eensureAgentWorkspace\u003c/code\u003e function is called, but the exclusive-create flag (\u003ccode\u003ewx\u003c/code\u003e) skips creation due to the existing symlink (EEXIST error).\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the \u003ccode\u003eagents.create\u003c/code\u003e or \u003ccode\u003eagents.update\u003c/code\u003e API endpoint, for example, by sending an HTTP POST request.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eagents.create\u003c/code\u003e or \u003ccode\u003eagents.update\u003c/code\u003e handler constructs the path to \u003ccode\u003eIDENTITY.md\u003c/code\u003e using \u003ccode\u003epath.join(workspaceDir, DEFAULT_IDENTITY_FILENAME)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003efs.appendFile\u003c/code\u003e function is called to append agent metadata (name, emoji, avatar) to the \u003ccode\u003eIDENTITY.md\u003c/code\u003e file. Because \u003ccode\u003efs.appendFile\u003c/code\u003e follows symlinks, the content is written to the attacker-controlled target file.\u003c/li\u003e\n\u003cli\u003eAttacker-controlled data is appended to the target file.\u003c/li\u003e\n\u003cli\u003eIf the target file is a cron configuration file, this leads to remote code execution. If it\u0026rsquo;s an SSH authorized_keys file, this leads to unauthorized access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to append attacker-controlled content to arbitrary files on the system. 
This can lead to:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eRemote Code Execution:\u003c/strong\u003e By appending malicious entries to \u003ccode\u003e/etc/crontab\u003c/code\u003e or user crontab files.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistent Code Execution:\u003c/strong\u003e By modifying shell configuration files like \u003ccode\u003e~/.bashrc\u003c/code\u003e or \u003ccode\u003e~/.profile\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthorized SSH Access:\u003c/strong\u003e By appending SSH keys to \u003ccode\u003e~/.ssh/authorized_keys\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eService Disruption:\u003c/strong\u003e By modifying application configuration files.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe vulnerability affects \u003ccode\u003eopenclaw\u003c/code\u003e versions 2026.2.22 and earlier, and no patches are currently available. The number of affected systems depends on the adoption rate of the \u003ccode\u003eopenclaw\u003c/code\u003e package.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor file creation events within agent workspace directories for the creation of symbolic links using file_event logs.\u003c/li\u003e\n\u003cli\u003eImplement and deploy the provided Sigma rule to detect exploitation attempts by monitoring \u003ccode\u003efs.appendFile\u003c/code\u003e calls related to IDENTITY.md without symlink resolution.\u003c/li\u003e\n\u003cli\u003eRestrict access to the agent workspace directory to prevent attackers from planting symlinks.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of \u003ccode\u003eopenclaw\u003c/code\u003e when available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-27T14:00:00Z","date_published":"2026-03-27T14:00:00Z","id":"/briefs/2026-03-openclaw-symlink/","summary":"OpenClaw is vulnerable to symlink traversal via IDENTITY.md 
appendFile in agents.create/update. An attacker who can place a symlink in the agent workspace can hijack the IDENTITY.md path to append attacker-controlled content to arbitrary files on the system leading to remote code execution, persistent code execution, unauthorized SSH access, or service disruption.","title":"OpenClaw Symlink Traversal via IDENTITY.md appendFile in agents.create/update","url":"https://feed.craftedsignal.io/briefs/2026-03-openclaw-symlink/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["openclaw","acp","chat-command-injection","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003eopenclaw\u003c/code\u003e npm package, versions prior to 2026.3.22, contained a vulnerability where internal ACP (Admin Control Panel) chat commands could be mutated without proper \u003ccode\u003eoperator.admin\u003c/code\u003e scope enforcement. This flaw could be exploited by an attacker to bypass intended security controls and execute unauthorized administrative actions within the OpenClaw application. The vulnerability was reported by @tdjackey and patched in version 2026.3.22. Defenders should ensure they are running version 2026.3.22 or later to mitigate this risk. 
The scope of impact is limited to systems running vulnerable versions of the \u003ccode\u003eopenclaw\u003c/code\u003e package.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an instance of OpenClaw running a version prior to 2026.3.22.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious chat command intended to interact with the ACP.\u003c/li\u003e\n\u003cli\u003eThe malicious command bypasses the intended \u003ccode\u003eoperator.admin\u003c/code\u003e scope check due to the vulnerability.\u003c/li\u003e\n\u003cli\u003eThe crafted command is sent to the OpenClaw application via the chat interface.\u003c/li\u003e\n\u003cli\u003eThe vulnerable code in \u003ccode\u003esrc/auto-reply/reply/commands-acp.ts\u003c/code\u003e processes the command without proper authorization.\u003c/li\u003e\n\u003cli\u003eThe command execution results in the mutation of internal ACP configurations or data.\u003c/li\u003e\n\u003cli\u003eAttacker leverages the mutated configurations to gain further control over the OpenClaw application or its environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could allow an attacker to perform unauthorized administrative actions within the OpenClaw application. This may include modifying application settings, accessing sensitive data, or disrupting services. 
The severity of the impact depends on the specific ACP commands that are exposed and the attacker\u0026rsquo;s ability to chain together multiple commands for greater effect.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003eopenclaw\u003c/code\u003e npm package to version 2026.3.22 or later to apply the fix described in the advisory (see Affected Packages / Versions).\u003c/li\u003e\n\u003cli\u003eMonitor chat command inputs for unusual syntax or attempts to access administrative functionalities to detect potential exploitation attempts (use network or application logs).\u003c/li\u003e\n\u003cli\u003eReview and audit existing OpenClaw configurations for any unauthorized modifications that may have occurred due to this vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on all chat command inputs to prevent command injection attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect attempts to use ACP commands without proper authorization (see \u0026ldquo;OpenClaw ACP Command Execution Without Admin Scope\u0026rdquo;).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T21:25:00Z","date_published":"2026-03-26T21:25:00Z","id":"/briefs/2026-06-openclaw-acp-bypass/","summary":"A vulnerability in the openclaw npm package before version 2026.3.22 allowed mutating internal ACP chat commands without requiring operator.admin scope enforcement, potentially allowing unauthorized control-plane actions.","title":"OpenClaw ACP Chat Command Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-06-openclaw-acp-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-32913","credential-access","header-injection","openclaw"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw, a Node.js framework, is 
susceptible to a critical vulnerability (CVE-2026-32913) affecting versions prior to 2026.3.7. The vulnerability lies in the \u003ccode\u003efetchWithSsrFGuard\u003c/code\u003e function, which improperly validates headers. This flaw allows attackers to potentially forward custom authorization headers, such as \u003ccode\u003eX-Api-Key\u003c/code\u003e and \u003ccode\u003ePrivate-Token\u003c/code\u003e, across cross-origin redirects. Successful exploitation enables the interception of sensitive credentials intended for the original, legitimate destination. The vulnerability was reported in March 2026 and impacts applications using the vulnerable versions of OpenClaw. Defenders should prioritize patching and implementing compensating controls to prevent credential leakage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious URL targeting an OpenClaw application using a version prior to 2026.3.7.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s browser or application requests the malicious URL, including custom authorization headers like \u003ccode\u003eX-Api-Key\u003c/code\u003e or \u003ccode\u003ePrivate-Token\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003efetchWithSsrFGuard\u003c/code\u003e function in OpenClaw fails to properly validate or sanitize headers during cross-origin redirects.\u003c/li\u003e\n\u003cli\u003eThe attacker configures their malicious server to respond with an HTTP 302 redirect to a different origin controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s client, upon receiving the redirect, unknowingly forwards the sensitive authorization headers to the attacker\u0026rsquo;s server.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server logs or captures the leaked \u003ccode\u003eX-Api-Key\u003c/code\u003e and/or \u003ccode\u003ePrivate-Token\u003c/code\u003e 
values.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to gain unauthorized access to resources or data protected by those credentials on the original target application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-32913 can lead to the leakage of sensitive API keys and private tokens. This allows unauthorized access to protected resources, potentially leading to data breaches, account compromise, and other malicious activities. While the specific number of affected applications remains unknown, all OpenClaw deployments prior to version 2026.3.7 are vulnerable. The impact is significant due to the potential for widespread credential compromise across various sectors utilizing OpenClaw for their applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.7 or later to patch CVE-2026-32913 (see references for patch information).\u003c/li\u003e\n\u003cli\u003eImplement server-side validation to sanitize and strip potentially sensitive authorization headers before following redirects.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Header Forwarding\u003c/code\u003e to identify potential exploitation attempts by monitoring for cross-origin redirects involving sensitive headers.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual redirect activity and suspicious user agents (see log source information in the Sigma rules).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T12:00:00Z","date_published":"2026-03-24T12:00:00Z","id":"/briefs/2026-03-openclaw-header-leak/","summary":"OpenClaw before 2026.3.7 is vulnerable to improper header validation in fetchWithSsrFGuard, allowing attackers to intercept sensitive authorization headers via cross-origin redirects.","title":"OpenClaw Improper Header 
Validation Leads to Credential Leakage","url":"https://feed.craftedsignal.io/briefs/2026-03-openclaw-header-leak/"}],"language":"en","title":"CraftedSignal Threat Feed — Openclaw","version":"https://jsonfeed.org/version/1.1"}