Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 195938b87f5a · 2026-03-04T18:57:25.000Z
GHSA-8cp7-rp8r-mg77 GHSA-vjp8-wprm-2jw9 GHSA-x2ff-j5c2-ggpr
diff --git a/advisories/github-reviewed/2026/03/GHSA-8cp7-rp8r-mg77/GHSA-8cp7-rp8r-mg77.json b/advisories/github-reviewed/2026/03/GHSA-8cp7-rp8r-mg77/GHSA-8cp7-rp8r-mg77.json
@@ -0,0 +1,59 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8cp7-rp8r-mg77",
+  "modified": "2026-03-04T18:55:48Z",
+  "published": "2026-03-04T18:55:48Z",
+  "aliases": [],
+  "summary": "OpenClaw has SSRF guard bypass via IPv6 transition over ISATAP",
+  "details": "## Summary\nOpenClaw's SSRF hostname/IP guard did not detect ISATAP embedded IPv4 addresses (`...:5efe:w.x.y.z`). A crafted URL containing an ISATAP IPv6 literal could embed a private IPv4 target (for example loopback) and bypass private-address filtering in URL-fetching paths.\n\n## Severity Assessment\nRated **medium**: the bug weakens SSRF protections in URL fetch flows, but impact depends on reaching a URL-fetching path with attacker-controlled input and is generally constrained to internal network access attempts.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: `>=2026.1.20 <=2026.2.17`\n- Latest published at patch time: `2026.2.17`\n- Patched release: `2026.2.19`\n\n## Security Policy Context\nPer `SECURITY.md`, OpenClaw's web/gateway surface is intended for local use by default, public internet exposure is out-of-scope, and prompt-injection reports are out-of-scope for bounty handling. This advisory tracks a core SSRF-guard bypass in fetch protections.\n\n## Impact\nThis can permit SSRF-style access attempts to internal/private network targets through URL ingestion/fetch paths that rely on shared hostname/IP blocking.\n\n## Fix\n- Added RFC 5214 ISATAP embedded-IPv4 detection to the shared SSRF classifier.\n- Centralized hostname/IP blocking through `isBlockedHostnameOrIp` and routed relevant validators to that shared path.\n- Added regression tests for ISATAP private vs public embedded IPv4 handling.\n\n## Fix Commit(s)\n- `d51929ecb52fe65e90bf36795f4247feb29eb8aa`\n\nOpenClaw thanks @zpbrent for reporting.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2026.1.20"
+            },
+            {
+              "fixed": "2026.2.19"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8cp7-rp8r-mg77"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/d51929ecb52fe65e90bf36795f4247feb29eb8aa"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-04T18:55:48Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-vjp8-wprm-2jw9/GHSA-vjp8-wprm-2jw9.json b/advisories/github-reviewed/2026/03/GHSA-vjp8-wprm-2jw9/GHSA-vjp8-wprm-2jw9.json
@@ -0,0 +1,66 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-vjp8-wprm-2jw9",
+  "modified": "2026-03-04T18:56:10Z",
+  "published": "2026-03-04T18:56:10Z",
+  "aliases": [],
+  "summary": "OpenClaw has cross-account DM pairing authorization bypass via unscoped pairing store access",
+  "details": "### Summary\nOpenClaw had account-scope gaps in pairing-store access for DM pairing policy, which could let a pairing approval from one account authorize the same sender on another account in multi-account setups.\n\n### Impact\nThis is an authorization-boundary weakness in multi-account channel deployments. A sender approved in one account could be accepted in another account before explicit approval there.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published version affected: `2026.2.25`\n- Vulnerable range: `<= 2026.2.25`\n- Patched version (planned next release): `>= 2026.2.26`\n\n### Fix\nOpenClaw now enforces account-scoped pairing reads/writes consistently across core and extension message channels, with stricter runtime/SDK helpers and shared policy wiring to prevent cross-account pairing bleed.\n\n### Fix Commit(s)\n- `a0c5e28f3bf0cc0cd9311f9e9ec2ca0352550dcf`\n- `bce643a0bd145d3e9cb55400af33bd1b85baeb02`\n\n### Release Process Note\n`patched_versions` is pre-set to the planned next release (`2026.2.26`). After npm publish of that version, this advisory is ready to publish without further content edits.\n\nOpenClaw thanks @tdjackey for reporting.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.2.26"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2026.2.25"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vjp8-wprm-2jw9"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/a0c5e28f3bf0cc0cd9311f9e9ec2ca0352550dcf"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/bce643a0bd145d3e9cb55400af33bd1b85baeb02"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-863"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-04T18:56:10Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-x2ff-j5c2-ggpr/GHSA-x2ff-j5c2-ggpr.json b/advisories/github-reviewed/2026/03/GHSA-x2ff-j5c2-ggpr/GHSA-x2ff-j5c2-ggpr.json
@@ -0,0 +1,62 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-x2ff-j5c2-ggpr",
+  "modified": "2026-03-04T18:55:19Z",
+  "published": "2026-03-04T18:55:19Z",
+  "aliases": [],
+  "summary": "OpenClaw: Slack interactive callbacks could skip configured sender checks in some shared-workspace flows",
+  "details": "## Impact\n\nIn shared Slack workspace deployments that rely on sender restrictions (`allowFrom`, DM policy, or channel user allowlists), some interactive callbacks (`block_action`, `view_submission`, `view_closed`) could be accepted before full sender authorization checks.\n\nIn that scenario, an unauthorized workspace member could enqueue system-event text into an active session. This issue did not provide unauthenticated access, cross-gateway isolation bypass, or host-level privilege escalation by itself.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Vulnerable versions: `<= 2026.2.24`\n- Patched version: `2026.2.25` (planned next npm release)\n\n## Fix Commit(s)\n\n- `ce8c67c314b93f570f53c2a9abc124e1e3a54715`\n\n## Release Process Note\n\n`patched_versions` is pre-set to the release (`2026.2.25`). Advisory published with npm release `2026.2.25`.\n\n## Trust Model Scope Note\n\nOpenClaw does not support adversarial multi-user isolation on a single shared gateway instance. The supported model is one trust boundary per gateway (separate gateways/hosts for mutually untrusted users). See: https://docs.openclaw.ai/gateway/security\n\nOpenClaw thanks @tdjackey for reporting.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.2.25"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2026.2.24"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-x2ff-j5c2-ggpr"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/ce8c67c314b93f570f53c2a9abc124e1e3a54715"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-863"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-04T18:55:19Z",
+    "nvd_published_at": null
+  }
+}
