Publish Advisories

GHSA-8fmp-37rc-p5g7
GHSA-8mvx-p2r9-r375
GHSA-9p38-94jf-hgjj

Author: advisory-database[bot]

advisories/github-reviewed/2026/03/GHSA-8fmp-37rc-p5g7/GHSA-8fmp-37rc-p5g7.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-8fmp-37rc-p5g7",
-  "modified": "2026-03-18T01:30:34Z",
+  "modified": "2026-03-19T18:34:44Z",
   "published": "2026-03-03T19:53:02Z",
   "aliases": [
     "CVE-2026-22177"
@@ -40,13 +40,21 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8fmp-37rc-p5g7"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22177"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/2cdbadee1f8fcaa93302d7debbfc529e19868ea4"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-environment-variable-injection-via-config-env-vars"
     }
   ],
   "database_specific": {
@@ -56,6 +64,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-03T19:53:02Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-18T02:16:21Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-8mvx-p2r9-r375/GHSA-8mvx-p2r9-r375.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-8mvx-p2r9-r375",
-  "modified": "2026-03-18T01:32:16Z",
+  "modified": "2026-03-19T18:35:37Z",
   "published": "2026-03-03T21:19:47Z",
   "aliases": [
     "CVE-2026-22181"
@@ -10,8 +10,8 @@
   "details": "### Summary\n`openclaw` web tools strict URL fetch paths could lose DNS pinning when environment proxy variables are configured (`HTTP_PROXY`/`HTTPS_PROXY`/`ALL_PROXY`, including lowercase variants).\n\nIn affected builds, strict URL checks (for example `web_fetch` and citation redirect resolution) validated one destination during SSRF guard checks, but runtime connection routing could proceed through an env-proxy dispatcher.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Vulnerable version range: `<= 2026.3.1`\n- Latest published npm version at triage time (2026-03-02): `2026.3.1`\n- Patched versions: `>= 2026.3.2` (released)\n\n### Technical Details\nThe SSRF guard performed hostname resolution and policy checks, then selected a request dispatcher.\n\nWhen env proxy settings were present, strict web-tool flows could use `EnvHttpProxyAgent` instead of the DNS-pinned dispatcher. This created a destination-binding gap between check-time resolution and connect-time routing.\n\nThe fix keeps DNS pinning on strict/untrusted web-tool URL paths and limits env-proxy bypass behavior to trusted/operator-controlled endpoints via an explicit dangerous opt-in.\n\n### Impact\nIn deployments with env proxy variables configured, attacker-influenced URLs from web tools could be routed through proxy behavior instead of strict pinned-destination routing, which could allow access to internal/private targets reachable from that proxy environment.\n\n### Mitigations\nBefore upgrading, operators can reduce exposure by clearing proxy env vars for OpenClaw runtime processes or disabling `web_fetch` / `web_search` where untrusted URL input is possible.\n\n### Fix Commit(s)\n- `345abf0b2e0f43b0f229e96f252ebf56f1e5549e`",
   "severity": [
     {
-      "type": "CVSS_V3",
-      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L"
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
@@ -43,19 +43,31 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8mvx-p2r9-r375"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22181"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/345abf0b2e0f43b0f229e96f252ebf56f1e5549e"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-dns-pinning-bypass-via-environment-proxy-configuration-in-web-fetch"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-367",
       "CWE-918"
     ],
-    "severity": "HIGH",
+    "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-03T21:19:47Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-18T02:16:22Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-9p38-94jf-hgjj/GHSA-9p38-94jf-hgjj.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9p38-94jf-hgjj",
-  "modified": "2026-03-18T01:31:29Z",
+  "modified": "2026-03-19T18:36:18Z",
   "published": "2026-03-03T21:41:12Z",
   "aliases": [
     "CVE-2026-22179"
@@ -10,8 +10,8 @@
   "details": "### Summary\nIn OpenClaw's macOS node-host path, `system.run` allowlist parsing in `security=allowlist` mode failed to reject command substitution tokens when they appeared inside double-quoted shell text.\n\nBecause of that gap, payloads like `echo \"ok $(id)\"` could be treated as allowlist hits (first executable token `echo`) while still executing non-allowlisted subcommands through shell substitution.\n\n### Affected Packages / Versions\n- Package: npm `openclaw`\n- Latest published affected version: `2026.2.21-2`\n- Affected range: `<= 2026.2.21-2`\n- Patched version (planned next release): `2026.2.22`\n\nNotes:\n- Default installs are not affected (`security=deny` by default).\n- The issue requires opting into `security=allowlist` on the macOS node-host path.\n\n### Impact\nApproval/authorization bypass in allowlist mode that can lead to unintended command execution on the node host.\n\n### Preconditions\n- Target uses macOS node-host / companion-app execution path.\n- Exec approvals set to `security=allowlist`.\n- Ask mode is `on-miss` or `off`.\n- Allowlist contains a benign executable used in a shell wrapper flow (for example `/bin/echo`).\n\n### Reproduction (example)\nUse a shell-wrapper command where the visible executable is allowlisted but the quoted payload contains substitution:\n\n- command argv: `/bin/sh -lc 'echo \"ok $(/usr/bin/id > /tmp/openclaw-poc-rce)\"'`\n- allowlist pattern includes `/bin/echo`\n\nBefore the fix, allowlist analysis could resolve this as allowlisted while shell substitution still executed.\n\n### Remediation\n- Upgrade to `2026.2.22` (or newer) when released.\n- Temporary mitigation: set ask mode to `always` or set security mode to `deny`.\n\n### Fix Commit(s)\n- `90a378ca3a9ecbf1634cd247f17a35f4612c6ca6`\n\n### Release Process Note\n`patched_versions` is pre-set to planned next release `2026.2.22`. After npm release is out, advisory can be published directly.\n\nOpenClaw thanks @tdjackey for reporting.",
   "severity": [
     {
-      "type": "CVSS_V3",
-      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
@@ -40,22 +40,30 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9p38-94jf-hgjj"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22179"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/90a378ca3a9ecbf1634cd247f17a35f4612c6ca6"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-command-substitution-in-system-run"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-78"
     ],
-    "severity": "MODERATE",
+    "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-03T21:41:12Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-18T02:16:22Z"
   }
 }