Publish Advisories

GHSA-48wf-g7cp-gr3m
GHSA-6f6j-wx9w-ff4j
GHSA-f964-whrq-44h8
GHSA-fgvx-58p6-gjwc
GHSA-g99v-8hwm-g76g
GHSA-gw85-xp4q-5gp9
GHSA-h5vh-m7fg-w5h6
GHSA-h8vw-ph9r-xpch
GHSA-jj82-76v6-933r
GHSA-pj5x-38rw-6fph
GHSA-q4r8-xm5f-56gw
GHSA-qvvf-q994-x79v
GHSA-rx3g-mvc3-qfjf
GHSA-wm8r-w8pf-2v6w

Author: advisory-database[bot]

advisories/github-reviewed/2026/03/GHSA-48wf-g7cp-gr3m/GHSA-48wf-g7cp-gr3m.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-48wf-g7cp-gr3m",
-  "modified": "2026-03-03T18:00:06Z",
+  "modified": "2026-03-20T21:36:21Z",
   "published": "2026-03-03T18:00:06Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-31992"
+  ],
   "summary": "OpenClaw has allowlist exec-guard bypass via env -S",
   "details": "### Summary\nIn `allowlist` mode, `system.run` guardrails could be bypassed through `env -S`, causing policy-analysis/runtime-execution mismatch for shell wrapper payloads.\n\n### Severity Rationale (Medium)\nThis issue is rated **medium** because it is a guardrail/policy bypass in OpenClaw's trusted-operator model, not an authentication boundary break.\n\n- Authenticated Gateway callers are trusted operators by design.\n- `exec` approvals/allowlists are operator safety controls.\n- The bug still weakens expected safety behavior and can enable unintended command execution when untrusted content influences tool input.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Vulnerable versions: `<= 2026.2.22-2`\n- Patched versions: `>= 2026.2.23`\n\nLatest published npm version checked during triage: `2026.2.22-2`.\n\n### Technical Impact\nWhen `/usr/bin/env` is allowlisted, `env -S 'sh -c ...'` could be treated as allowed non-wrapper argv while runtime still executes shell-wrapper semantics.\n\n### Fix Commit(s)\n- `a1c4bf07c6baad3ef87a0e710fe9aef127b1f606` (core allowlist/runtime parity hardening)\n- `3f923e831364d83d0f23499ee49961de334cf58b` (explicit `env -S` regressions)\n\n### Release Process Note\n`patched_versions` is pre-set to `>= 2026.2.23`, so this advisory is now public.\n\nOpenClaw thanks @tdjackey for reporting.",
   "severity": [
@@ -38,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-48wf-g7cp-gr3m"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31992"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/3f923e831364d83d0f23499ee49961de334cf58b"
@@ -49,6 +55,10 @@
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-allowlist-exec-guard-bypass-via-env-s"
     }
   ],
   "database_specific": {

advisories/github-reviewed/2026/03/GHSA-6f6j-wx9w-ff4j/GHSA-6f6j-wx9w-ff4j.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-6f6j-wx9w-ff4j",
-  "modified": "2026-03-02T21:55:05Z",
+  "modified": "2026-03-20T21:36:39Z",
   "published": "2026-03-02T21:55:05Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-31999"
+  ],
   "summary": "CpenClaw's ACPX Windows wrapper shell fallback allowed cwd injection in specific paths",
   "details": "### Summary\nOn Windows ACPX paths, wrapper resolution for `.cmd`/`.bat` could fall back to shell execution in ways that allowed `cwd` influence to alter execution behavior.\n\n### Impact\nIn affected Windows ACPX configurations, this could enable command execution integrity loss through cwd-influenced wrapper resolution.\n\n### Fix\nWrapper resolution now prefers explicit PATH/PATHEXT entrypoint resolution and unwrapped Node/EXE execution, with strict fail-closed handling enabled by default for unresolvable wrapper cases.\n\n### Affected and Patched Versions\n- Affected: `>= 2026.2.26, < 2026.3.1`\n- Patched: `2026.3.1`",
   "severity": [
@@ -38,9 +40,17 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6f6j-wx9w-ff4j"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31999"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-current-working-directory-injection-via-windows-wrapper-resolution-fallback"
     }
   ],
   "database_specific": {

advisories/github-reviewed/2026/03/GHSA-f964-whrq-44h8/GHSA-f964-whrq-44h8.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-f964-whrq-44h8",
-  "modified": "2026-03-19T16:27:43Z",
+  "modified": "2026-03-20T21:35:11Z",
   "published": "2026-03-19T16:27:43Z",
   "aliases": [
     "CVE-2026-27953"
@@ -43,9 +43,45 @@
       "type": "WEB",
       "url": "https://github.com/ormar-orm/ormar/security/advisories/GHSA-f964-whrq-44h8"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27953"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ormar-orm/ormar/commit/7f22aa21a7614b993970345b392dabb0ccde0ab3"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/ormar-orm/ormar"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ormar-orm/ormar/blob/master/examples/fastapi_quick_start.py#L55"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ormar-orm/ormar/blob/master/ormar/fields/foreign_key.py#L41"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ormar-orm/ormar/blob/master/ormar/models/helpers/pydantic.py#L108"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ormar-orm/ormar/blob/master/ormar/models/model.py#L89"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ormar-orm/ormar/blob/master/ormar/models/newbasemodel.py#L128"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ormar-orm/ormar/blob/master/ormar/models/newbasemodel.py#L292"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ormar-orm/ormar/releases/tag/0.23.1"
     }
   ],
   "database_specific": {
@@ -55,6 +91,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-19T16:27:43Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-19T21:17:09Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-fgvx-58p6-gjwc/GHSA-fgvx-58p6-gjwc.json

@@ -1,14 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-fgvx-58p6-gjwc",
-  "modified": "2026-03-19T22:20:50Z",
+  "modified": "2026-03-20T21:36:47Z",
   "published": "2026-03-02T22:40:36Z",
   "aliases": [
     "CVE-2026-32013"
   ],
   "summary": "OpenClaw gateway agents.files symlink escape allowed out-of-workspace file read/write",
   "details": "## Impact\n\nThe gateway `agents.files.get` and `agents.files.set` methods allowed symlink traversal for allowlisted workspace files. A symlinked allowlisted file (for example `AGENTS.md`) could resolve outside the agent workspace and be read/written by the gateway process.\n\nThis could enable arbitrary host file read/write within the gateway process permissions, and chained impact up to code execution depending on which files are overwritten.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.2.24`\n- Latest published vulnerable version at patch time: `2026.2.24`\n- Patched versions: `>= 2026.2.25` \n\n## Remediation\n\n`agents.files` now resolves real workspace paths, enforces containment for resolved targets, rejects out-of-workspace symlink targets, and keeps in-workspace symlink targets supported. The patch also adds gateway regression tests for blocked escapes and valid in-workspace symlink behavior.\n\n## Fix Commit(s)\n\n- `125f4071bcbc0de32e769940d07967db47f09d3d`\n\n## Release Process Note\n\n`patched_versions` is intentionally pre-set to the release (`2026.2.25`). Advisory published with npm release `2026.2.25`.\n\nOpenClaw thanks @tdjackey for reporting.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
@@ -40,13 +44,21 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fgvx-58p6-gjwc"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32013"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/125f4071bcbc0de32e769940d07967db47f09d3d"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-symlink-traversal-in-agents-files-methods"
     }
   ],
   "database_specific": {
@@ -57,6 +69,6 @@
     "severity": "CRITICAL",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-02T22:40:36Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-19T22:16:34Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-g99v-8hwm-g76g/GHSA-g99v-8hwm-g76g.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-g99v-8hwm-g76g",
-  "modified": "2026-03-02T22:03:09Z",
+  "modified": "2026-03-20T21:36:03Z",
   "published": "2026-03-02T22:03:09Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-31989"
+  ],
   "summary": "OpenClaw has web_search citation redirect SSRF via private-network-allowing policy",
   "details": "### Summary\nGemini `web_search` citation redirect resolution used a private-network-allowing SSRF policy. A citation URL redirect could target loopback/private/internal destinations and be fetched by the gateway.\n\n### Impact\nAn attacker who can influence citation redirect targets could trigger internal-network requests from the OpenClaw host.\n\n### Fix\nCitation redirect resolution now uses strict/default SSRF policy (no private-network override), blocking localhost/private/internal redirect targets.\n\n### Affected and Patched Versions\n- Affected: `<= 2026.2.26`\n- Patched: `2026.3.1`",
   "severity": [
@@ -38,9 +40,17 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g99v-8hwm-g76g"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31989"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-web-search-citation-redirect"
     }
   ],
   "database_specific": {

advisories/github-reviewed/2026/03/GHSA-gw85-xp4q-5gp9/GHSA-gw85-xp4q-5gp9.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-gw85-xp4q-5gp9",
-  "modified": "2026-03-03T23:03:49Z",
+  "modified": "2026-03-20T21:36:30Z",
   "published": "2026-03-03T23:03:49Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-31998"
+  ],
   "summary": "OpenClaw's Synology Chat dmPolicy=allowlist failed open on empty allowedUserIds, allowing unauthorized agent dispatch",
   "details": "### Summary\nIn `openclaw` versions `2026.2.22` and `2026.2.23`, the optional `synology-chat` channel plugin had an authorization fail-open condition: when `dmPolicy` was `allowlist` and `allowedUserIds` was empty/unset, unauthorized senders were still allowed through to agent dispatch.\n\nThis is assessed as **medium** severity because it requires channel/plugin setup and Synology sender access, but can still trigger downstream agent/tool actions.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected versions: `>= 2026.2.22, <= 2026.2.23`\n- Latest published affected version at patch time: `2026.2.23`\n- Planned patched version: `2026.2.24`\n\n### Details\nRoot cause was a policy mismatch across plugin code paths:\n1. Default resolved DM policy was `allowlist`.\n2. Empty `allowedUserIds` was treated as allow-all.\n3. Webhook auth in allowlist mode depended on that helper.\n\nResult: `allowlist` with empty list behaved like open access for inbound Synology senders.\n\n### Fix Commit(s)\n- `0ee30361b8f6ef3f110f3a7b001da6dd3df96bb5`\n- `7655c0cb3a47d0647cbbf5284e177f90b4b82ddb`\n\n### Release Process Note\n`patched_versions` is pre-set to the planned next release (`>= 2026.2.24`). Once npm release `2026.2.24` is published, the advisory can be published directly.\n\nOpenClaw thanks @tdjackey for reporting.\n\n\n### Publication Update (2026-02-25)\n`openclaw@2026.2.24` is published on npm and contains the fix commit(s) listed above. This advisory now marks `>= 2026.2.24` as patched.",
   "severity": [
@@ -41,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gw85-xp4q-5gp9"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31998"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/0ee30361b8f6ef3f110f3a7b001da6dd3df96bb5"
@@ -52,6 +58,10 @@
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-synology-chat-plugin-via-empty-alloweduserids"
     }
   ],
   "database_specific": {

advisories/github-reviewed/2026/03/GHSA-h5vh-m7fg-w5h6/GHSA-h5vh-m7fg-w5h6.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-h5vh-m7fg-w5h6",
-  "modified": "2026-03-19T18:30:09Z",
+  "modified": "2026-03-20T21:35:33Z",
   "published": "2026-03-16T18:46:14Z",
   "aliases": [
     "CVE-2026-32747"
@@ -40,9 +40,21 @@
       "type": "WEB",
       "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-h5vh-m7fg-w5h6"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32747"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/siyuan-note/siyuan/commit/9914fd1d39e5f0a8dcc9fb587e1c0b46f31490a1"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/siyuan-note/siyuan"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1"
     }
   ],
   "database_specific": {
@@ -53,6 +65,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-16T18:46:14Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-19T21:17:10Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-h8vw-ph9r-xpch/GHSA-h8vw-ph9r-xpch.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-h8vw-ph9r-xpch",
-  "modified": "2026-03-19T16:28:04Z",
+  "modified": "2026-03-20T21:35:26Z",
   "published": "2026-03-19T16:28:04Z",
   "aliases": [
     "CVE-2026-30924"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/autobrr/qui/security/advisories/GHSA-h8vw-ph9r-xpch"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30924"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/autobrr/qui/commit/424f7a0de089dce881e8bbecd220163a78e0295f"
@@ -56,6 +60,6 @@
     "severity": "CRITICAL",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-19T16:28:04Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-19T21:17:09Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-jj82-76v6-933r/GHSA-jj82-76v6-933r.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-jj82-76v6-933r",
-  "modified": "2026-03-03T23:13:51Z",
+  "modified": "2026-03-20T21:35:56Z",
   "published": "2026-03-03T23:13:51Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-27566"
+  ],
   "summary": "OpenClaw's exec allowlist wrapper analysis did not unwrap env/shell dispatch chains",
   "details": "### Summary\n`system.run` exec allowlist analysis treated wrapper binaries as the effective executable and did not fully unwrap `env`/shell-dispatch wrappers.\n\nThis allowed wrapper-smuggled payloads (for example `env bash -lc ...`) to satisfy an allowlist entry for the wrapper while executing non-allowlisted commands.\n\n### Impact\nOn affected versions, an actor who can trigger `system.run` requests under an allowlist policy could bypass intended allowlist restrictions by routing execution through wrapper binaries.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: `<= 2026.2.21-2`\n- Patched in next release: `2026.2.22` (pre-set below so publish can happen immediately after npm release)\n\n### Fix Commit(s)\n- `2b63592be57782c8946e521bc81286933f0f99c7`\n\n### Release Process Note\n`patched_versions` is pre-set to the planned next release (`>= 2026.2.22`).\n\nAfter npm `2026.2.22` is published, this advisory can be published directly without further metadata edits.\n\nOpenClaw thanks @tdjackey for reporting.",
   "severity": [
@@ -38,13 +40,21 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jj82-76v6-933r"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27566"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/2b63592be57782c8946e521bc81286933f0f99c7"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-wrapper-binary-unwrapping-in-system-run"
     }
   ],
   "database_specific": {

advisories/github-reviewed/2026/03/GHSA-pj5x-38rw-6fph/GHSA-pj5x-38rw-6fph.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-pj5x-38rw-6fph",
-  "modified": "2026-03-03T21:50:05Z",
+  "modified": "2026-03-20T21:35:48Z",
   "published": "2026-03-03T21:50:05Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-22176"
+  ],
   "summary": "OpenClaw has a Command Injection via unescaped environment assignments in Windows Scheduled Task script generation",
   "details": "### Summary\nA command injection vulnerability existed in Windows Scheduled Task script generation for OpenClaw. Environment values were written into `gateway.cmd` using unquoted `set KEY=VALUE`, which allowed Windows shell metacharacters in config-provided environment variables to break out of assignment context.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.2.17`\n- Patched version: `>= 2026.2.19`\n- Latest published vulnerable version at review time (2026-02-19): `2026.2.17`\n\n### Practical Risk Context\nFor a single-user, localhost-only setup on a personally controlled machine, practical risk is typically low.\n\nThis issue becomes materially relevant when configuration or environment values are sourced from less-trusted inputs, for example:\n- shared/team config templates,\n- copied config snippets,\n- setup scripts, automation, or repos that write config,\n- any workflow where another party can influence env values before `gateway install`/reinstall.\n\nIn those scenarios, it provides a reliable config-to-command-execution path when the scheduled task script is generated and run.\n\n### Details\nOn Windows, gateway service installation writes a helper batch script and then registers it via Scheduled Task (`schtasks`).\nBefore the fix, env lines were rendered as `set KEY=VALUE` in `src/daemon/schtasks.ts`, so values containing metacharacters (for example `&`, `|`, `^`, `%`, `!`) could alter command behavior in `cmd.exe`.\n\nThe fix now renders quoted assignments (`set \"KEY=VALUE\"`) with explicit escaping for cmd metacharacters, updates parser compatibility for quoted assignments, and adds regression tests for metacharacter handling and round-trip parsing.\n\n### Fix Commit(s)\n- `dafe52e8cf1a041d898cfb304a485fa05e5f58fb`\n\nOpenClaw thanks @tdjackey for reporting.",
   "severity": [
@@ -41,13 +43,21 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-pj5x-38rw-6fph"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22176"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/dafe52e8cf1a041d898cfb304a485fa05e5f58fb"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-command-injection-via-unescaped-environment-variables-in-windows-scheduled-task"
     }
   ],
   "database_specific": {