9 files changed

+92
-16
lines changed

advisories/github-reviewed/2026/02/GHSA-33rq-m5x2-fvgf/GHSA-33rq-m5x2-fvgf.json

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-33rq-m5x2-fvgf",
4-
"modified": "2026-02-17T21:37:55Z",
4+
"modified": "2026-03-05T21:43:49Z",
55
"published": "2026-02-17T21:37:55Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-28448"
8+
],
79
"summary": "OpenClaw Twitch allowFrom is not enforced in optional plugin, unauthorized chat users can trigger agent pipeline",
810
"details": "### Summary\n\nIn the optional Twitch channel plugin (`extensions/twitch`), `allowFrom` is documented as a hard allowlist of Twitch user IDs, but it was not enforced as a hard gate. If `allowedRoles` is unset or empty, the access control path defaulted to allow, so any Twitch user who could mention the bot could reach the agent dispatch pipeline.\n\n**Scope note:** This only affects deployments that installed and enabled the Twitch plugin. Core OpenClaw installs that do not install/enable the Twitch plugin are not impacted.\n\n### Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected: `>= 2026.1.29, < 2026.2.1`\n- Fixed: `>= 2026.2.1`\n\n### Details\n\nAffected component: Twitch plugin access control (`extensions/twitch/src/access-control.ts`).\n\nProblematic logic in `checkTwitchAccessControl()`:\n\n- When `allowFrom` was configured, the code returned `allowed: true` for members but did not return `allowed: false` for non-members, so execution fell through.\n- If `allowedRoles` was unset or empty, the function returned `allowed: true` by default, even when `allowFrom` was configured.\n\n### Proof of Concept (PoC)\n\n1. Install and enable the Twitch plugin.\n2. Configure an `allowFrom` list, but do not set `allowedRoles` (or set it to an empty list).\n3. From a different Twitch account whose user ID is NOT in `allowFrom`, send a message that mentions the bot (for example `@<botname> hello`).\n4. Observe the message is processed and can trigger agent dispatch/replies despite not being allowlisted.\n\n### Impact\n\nAuthorization bypass for operators who relied on `allowFrom` to restrict who can invoke the bot in Twitch chat. 
Depending on configuration (tools, routing, model costs), this could lead to unintended actions/responses and resource or cost exhaustion.\n\n### Fix Commit(s)\n\n- `8c7901c984866a776eb59662dc9d8b028de4f0d0`\n\n### Workaround\n\nUpgrade to `openclaw >= 2026.2.1`.\n\nThanks @MegaManSec (https://joshua.hu) of [AISLE Research Team](https://aisle.com/) for reporting.",
911
"severity": [
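Review bot: in the `details` string, the "### Workaround" section contains only "Upgrade to `openclaw >= 2026.2.1`", which is the fix rather than a workaround. Since this edit already touches the record to attach CVE-2026-28448, either rename the heading to a remediation heading or give operators who cannot upgrade an interim step; the scope note in the same string already says deployments without the Twitch plugin enabled are not impacted, so disabling the plugin until upgrade is the obvious candidate.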

advisories/github-reviewed/2026/02/GHSA-4rj2-gpmh-qq5x/GHSA-4rj2-gpmh-qq5x.json

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-4rj2-gpmh-qq5x",
4-
"modified": "2026-02-17T21:36:34Z",
4+
"modified": "2026-03-05T21:43:06Z",
55
"published": "2026-02-17T21:36:34Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-28446"
8+
],
79
"summary": "OpenClaw has an inbound allowlist policy bypass in voice-call extension (empty caller ID + suffix matching)",
810
"details": "### Summary\n\nAn authentication bypass in the optional `voice-call` extension/plugin allowed unapproved or anonymous callers to reach the voice-call agent when inbound policy was set to `allowlist` or `pairing`.\n\nDeployments that do not install/enable the `voice-call` extension are not affected.\n\n### Affected Packages / Versions\n\n- `openclaw` (npm): `<= 2026.2.1`\n- Fixed in: `>= 2026.2.2`\n\n### Details\n\nIn affected versions (for example `2026.2.1`), the inbound allowlist check in `extensions/voice-call/src/manager.ts` used suffix-based matching and accepted empty caller IDs after normalization.\n\nThis allowed two bypasses:\n\n1. Missing/empty `from` values normalized to an empty string, which caused the allowlist predicate to evaluate as allowed.\n2. Suffix-based matching meant any caller number whose digits ended with an allowlisted number would be accepted.\n\n### Proof Of Concept\n\n1. Configure the voice-call extension with `inboundPolicy: allowlist` and `allowFrom: [\"+15550001234\"]`.\n2. Place/trigger an inbound call with missing/empty caller ID (provider-dependent; for example anonymous/restricted caller). The call is accepted.\n3. Place a call from a number whose E.164 digits end with `15550001234` (for example `+99915550001234`). The call is accepted.\n\n### Impact\n\nOnly operators who install/enable the optional `voice-call` extension and use `inboundPolicy=allowlist` or `pairing` could have inbound access controls bypassed, potentially allowing unauthorized callers to reach auto-response and tool execution.\n\n### Fix\n\nThe fix hardens inbound policy handling:\n\n- Reject inbound calls when caller ID is missing.\n- Require strict equality when comparing normalized caller IDs against the allowlist (no suffix/prefix matching).\n- Add regression tests for missing caller ID, anonymous caller ID, and suffix-collision cases.\n\nFix commit(s):\n\n- `f8dfd034f5d9235c5485f492a9e4ccc114e97fdb`\n\nThanks @simecek for reporting.",
911
"severity": [
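Review bot: the first sentence of `details` calls this "an authentication bypass", while the `summary` field and the rest of the text describe an inbound allowlist policy bypass (empty caller ID accepted, suffix matching). With CVE-2026-28446 now aliased to this record, the wording should be consistent so downstream consumers classify it the same way; suggest using "allowlist policy bypass" in the opening sentence to match `summary`.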

advisories/github-reviewed/2026/02/GHSA-h89v-j3x9-8wqj/GHSA-h89v-j3x9-8wqj.json

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-h89v-j3x9-8wqj",
4-
"modified": "2026-02-18T00:52:54Z",
4+
"modified": "2026-03-05T21:45:06Z",
55
"published": "2026-02-18T00:52:54Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-28452"
8+
],
79
"summary": "OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR)",
810
"details": "## Summary\nArchive extraction lacked strict resource budgets, allowing high-expansion ZIP/TAR archives to consume excessive CPU/memory/disk during install/update flows.\n\n## Affected Packages / Versions\n- openclaw (npm): <= 2026.2.13\n- clawdbot (npm): <= 2026.1.24-3\n\n## Details\nAffected component: `src/infra/archive.ts` (`extractArchive`).\n\nThe extractor now enforces resource budgets (entry count and extracted byte limits; ZIP also enforces a compressed archive size limit) and rejects over-budget archives.\n\n## Fix Commit(s)\n- openclaw/openclaw@d3ee5deb87ee2ad0ab83c92c365611165423cb71\n- openclaw/openclaw@5f4b29145c236d124524c2c9af0f8acd048fbdea\n\n## Release Process Note\nThis advisory will be updated with patched versions once the next npm release containing the fix is published.\n\n## Credits\nThanks @vincentkoc for reporting.",
911
"severity": [
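Review bot: the `details` string still ends with a "Release Process Note" saying the advisory "will be updated with patched versions once the next npm release containing the fix is published", and the affected list (`openclaw <= 2026.2.13`, `clawdbot <= 2026.1.24-3`) names no fixed version, yet this edit bumps `modified` to 2026-03-05 and attaches CVE-2026-28452. If a patched release exists, state the fixed version and drop the note in the same change; otherwise the CVE alias points at a record with an open-ended affected range and a stale process note.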

advisories/github-reviewed/2026/02/GHSA-mv9j-6xhh-g383/GHSA-mv9j-6xhh-g383.json

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-mv9j-6xhh-g383",
4-
"modified": "2026-02-17T21:31:17Z",
4+
"modified": "2026-03-05T21:44:25Z",
55
"published": "2026-02-17T21:31:17Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-28450"
8+
],
79
"summary": "OpenClaw's unauthenticated Nostr profile HTTP endpoints allow remote profile/config tampering",
810
"details": "## Summary\nThe OpenClaw Nostr channel plugin (optional, disabled by default, installed separately) exposes profile management HTTP endpoints under `/api/channels/nostr/:accountId/profile` (GET/PUT) and `/api/channels/nostr/:accountId/profile/import` (POST). In affected versions, these routes were dispatched via the gateway plugin HTTP layer without requiring gateway authentication, allowing unauthenticated remote callers to read or mutate the Nostr profile and persist changes to the gateway config. Profile updates are also published as a signed Nostr kind:0 event using the bot's private key.\n\nDeployments that do not have the Nostr plugin installed and enabled are not impacted.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.2.9`\n- Fixed versions: `>= 2026.2.12`\n- Scope note: only affects deployments with the optional `@openclaw/nostr` plugin installed and enabled\n\n## Details\nThis is exploitable when the gateway HTTP port is reachable beyond localhost (for example: bound to `0.0.0.0`, exposed on a LAN, behind a reverse proxy, or via Tailscale Funnel/Serve).\n\nUnauthenticated callers could update the Nostr profile and persist the new profile in the gateway config.\n\n## Mitigation\nUpgrade to `openclaw` `2026.2.12` or later.\n\nAs a temporary mitigation, restrict gateway HTTP exposure (bind loopback-only and/or enforce network-layer access controls) until upgraded.\n\n## Fix\nGateway now requires gateway authentication for plugin HTTP requests under `/api/channels/*` before dispatching to plugin handlers.\n\nFix commit(s):\n- 647d929c9d0fd114249230d939a5cb3b36dc70e7\n\nThanks @simecek for reporting.",
911
"severity": [
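Review bot: the version bounds in `details` leave a gap: "Affected versions: `<= 2026.2.9`" and "Fixed versions: `>= 2026.2.12`" say nothing about any release between those two. The `affected` block is outside this hunk, so it is worth confirming that its range uses `2026.2.12` as the `fixed` event and then aligning the prose (for example "Affected: `< 2026.2.12`") so the text and the machine-readable range agree once CVE-2026-28450 is attached.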

advisories/github-reviewed/2026/02/GHSA-p536-vvpp-9mc8/GHSA-p536-vvpp-9mc8.json

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-p536-vvpp-9mc8",
4-
"modified": "2026-02-19T19:40:56Z",
4+
"modified": "2026-03-05T21:42:20Z",
55
"published": "2026-02-19T19:40:56Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-28394"
8+
],
79
"summary": "OpenClaw has a Web Fetch DoS via unbounded response parsing",
810
"details": "### Summary\nThe `web_fetch` tool could be used to crash the OpenClaw Gateway process (OOM / resource exhaustion) by fetching and attempting to parse attacker-controlled web pages with oversized response bodies or pathological HTML nesting.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.2.14`\n- Fixed versions: `>= 2026.2.15`\n\n### Impact\nAn attacker can social-engineer a user (or any automation that uses `web_fetch`) into fetching a malicious URL that returns extremely large or deeply nested HTML. The Gateway may exhaust memory or become unresponsive, causing a denial of service.\n\n### Fix\nThe Gateway now caps the downloaded response body size before any HTML parsing and adds additional guards to avoid running Readability/DOM parsing on pathological HTML.\n\n### Fix Commit(s)\n- 166cf6a3e04c7df42bea70a7ad5ce2b9df46d147\n\n### Release Process Note\nThis advisory is prepared for the next npm release. Once `openclaw@2026.2.15` is published, publish this advisory without further edits.\n\nThanks @xuemian168 for reporting.",
911
"severity": [
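Review bot: the `details` string still includes the internal "Release Process Note" ("This advisory is prepared for the next npm release. Once `openclaw@2026.2.15` is published, publish this advisory without further edits."). The record already has a `published` timestamp of 2026-02-19 and is now being linked to CVE-2026-28394, so this pre-publication instruction is stale and reads as unfinished to consumers; suggest removing that section in this edit.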

advisories/github-reviewed/2026/02/GHSA-qrq5-wjgg-rvqw/GHSA-qrq5-wjgg-rvqw.json

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-qrq5-wjgg-rvqw",
4-
"modified": "2026-02-17T21:39:24Z",
4+
"modified": "2026-03-05T21:43:26Z",
55
"published": "2026-02-17T21:39:24Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-28447"
8+
],
79
"summary": "OpenClaw has a Path Traversal in Plugin Installation",
810
"details": "### Summary\n\nOpenClaw's plugin installation path derivation could be abused by a malicious plugin `package.json` `name` to escape the intended extensions directory and write files to a parent directory.\n\n### Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected: `>= 2026.1.20, < 2026.2.1`\n- Fixed: `>= 2026.2.1`\n- Latest published as of 2026-02-14: `2026.2.13` (not affected)\n\n### Details\n\nIn affected versions, the plugin installer derives the on-disk install directory from the plugin manifest name without robust validation.\n\nExample (POSIX / macOS / Linux):\n\n- Manifest name: `@malicious/..`\n- `unscopedPackageName(\"@malicious/..\")` yields `..`\n- The install directory becomes `path.join(extensionsDir, \"..\")`, which resolves to the parent of the extensions directory.\n\nThis can cause plugin files to be written into the OpenClaw state directory (default `~/.openclaw/`) rather than a subdirectory of `~/.openclaw/extensions/`.\n\nNote: on Windows, affected versions also failed to sanitize backslashes (`\\\\`) in the derived directory name, which can enable deeper traversal via crafted `pluginId` strings.\n\n### Impact\n\nThis issue requires a user/operator to install untrusted plugin content (for example via `openclaw plugins install`). In many deployments, plugin installation is an operator-only action and may be performed on a separate machine; that operational separation significantly reduces exposure for the primary gateway/runtime host.\n\nOn hosts where untrusted plugins are installed, this can lead to unintended file writes outside the extensions directory (potentially overwriting files under the OpenClaw state directory). 
On Windows, the traversal surface may extend further, within the privileges of the user running OpenClaw.\n\n### Fix\n\nFixed in `openclaw` `2026.2.1` by validating plugin IDs and ensuring the resolved install directory remains within the configured extensions base directory.\n\n### Fix Commit(s)\n\n- d03eca8450dc493b198a88b105fd180895238e57\n\nThanks @logicx24 for reporting.",
911
"severity": [
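Review bot: in the Windows note inside `details`, the backslash is written as `\\\\` in the JSON source, which decodes to two backslashes inside the code span. If the text means the single Windows path separator, the JSON should carry `\\` so the rendered advisory shows one backslash; if two are intended, a short clarification would help, because readers will use this note to decide which characters a `pluginId` validator must reject.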

advisories/github-reviewed/2026/02/GHSA-qw99-grcx-4pvm/GHSA-qw99-grcx-4pvm.json

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-qw99-grcx-4pvm",
4-
"modified": "2026-02-17T17:09:43Z",
4+
"modified": "2026-03-05T21:42:43Z",
55
"published": "2026-02-17T17:09:43Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-28395"
8+
],
79
"summary": "OpenClaw's Chrome extension relay binds publicly due to wildcard treated as loopback",
810
"details": "## Summary\nThe Chrome extension relay (`ensureChromeExtensionRelayServer`) previously treated wildcard hosts (`0.0.0.0` / `::`) as loopback, which could make it bind the relay HTTP/WS server to all interfaces when a wildcard `cdpUrl` was passed.\n\n## Impact\nIf configured with a wildcard `cdpUrl`, relay HTTP endpoints could become reachable off-host, leaking service presence/port and enabling DoS/brute-force traffic against the relay token header.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: `>= 2026.1.14-1 < 2026.2.12`\n\n## Fixed Versions\n- Patched: `>= 2026.2.12` (released 2026-02-13)\n\n## Fix Commit(s)\n- 8d75a496bf5aaab1755c56cf48502d967c75a1d0\n\n## Notes\n- Earlier hardening for `/json*` auth and `/cdp` token checks landed in:\n - a1e89afcc19efd641c02b24d66d689f181ae2b5c\n\nThanks @qi-scape for reporting.",
911
"severity": [
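Review bot: the affected range in `details` is written as `>= 2026.1.14-1 < 2026.2.12` with no comma between the two bounds, unlike the other OpenClaw advisories in this change, which use the `>= X, < Y` form. Suggest adding the comma so tools and readers that parse the prose range do not read it as a single malformed constraint.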

advisories/github-reviewed/2026/02/GHSA-x22m-j5qq-j49m/GHSA-x22m-j5qq-j49m.json

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-x22m-j5qq-j49m",
4-
"modified": "2026-02-18T17:45:12Z",
4+
"modified": "2026-03-05T21:44:46Z",
55
"published": "2026-02-18T17:45:12Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-28451"
8+
],
79
"summary": "OpenClaw has two SSRF via sendMediaFeishu and markdown image fetching in Feishu extension",
810
"details": "### Summary\nThe Feishu extension could fetch attacker-controlled remote URLs in two paths without SSRF protections:\n\n- `sendMediaFeishu(mediaUrl)`\n- Feishu DocX markdown image URLs (write/append -> image processing)\n\n### Affected versions\n- `< 2026.2.14`\n\n### Patched versions\n- `>= 2026.2.14`\n\n### Impact\nIf an attacker can influence tool calls (directly or via prompt injection), they may be able to trigger requests to internal services and re-upload the response as Feishu media.\n\n### Remediation\nUpgrade to OpenClaw `2026.2.14` or newer.\n\n### Notes\nThe fix routes Feishu remote media fetching through hardened runtime helpers that enforce SSRF policies and size limits.",
911
"severity": [
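Review bot: the `details` string is thinner than the sibling advisories in this change: "Affected versions" gives `< 2026.2.14` without naming the package or ecosystem, and there is no fix commit listed. With CVE-2026-28451 now pointing here, suggest naming the package next to the range and adding the fix commit reference, so that the two SSRF paths (`sendMediaFeishu(mediaUrl)` and DocX markdown image URLs) can be traced to the change that routed them through the hardened fetch helpers.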
Lines changed: 60 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,60 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-fpx8-73gf-7x73",
4+
"modified": "2026-03-05T21:43:15Z",
5+
"published": "2026-03-05T21:43:15Z",
6+
"aliases": [
7+
"CVE-2026-30242"
8+
],
9+
"summary": "Plane has SSRF via Incomplete IP Validation in Webhook URL Serializer",
10+
"details": "### Summary\nThe webhook URL validation in `plane/app/serializers/webhook.py` only checks `ip.is_loopback`, allowing attackers with workspace ADMIN role to create webhooks pointing to private/internal network addresses (`10.x.x.x`, `172.16.x.x`, `192.168.x.x`, `169.254.169.254`, etc.). When webhook events fire, the server makes requests to these internal addresses and stores the response — enabling SSRF with full response read-back.\n\n### Impact\n- **Cloud metadata exfiltration**: Access AWS/GCP/Azure instance metadata (IAM credentials, tokens)\n- **Internal service scanning**: Probe internal network services not exposed to the internet\n- **Data exfiltration via response logs**: Full response body from internal services is stored and returned to the attacker through the webhook logs API\n- Bypass vectors: `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`, `169.254.0.0/16`, `0.0.0.0`, `::ffff:` mapped addresses",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "PyPI",
21+
"name": "plane"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "1.2.3"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 1.2.1"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/makeplane/plane/security/advisories/GHSA-fpx8-73gf-7x73"
45+
},
46+
{
47+
"type": "PACKAGE",
48+
"url": "https://github.com/makeplane/plane"
49+
}
50+
],
51+
"database_specific": {
52+
"cwe_ids": [
53+
"CWE-918"
54+
],
55+
"severity": "HIGH",
56+
"github_reviewed": true,
57+
"github_reviewed_at": "2026-03-05T21:43:15Z",
58+
"nvd_published_at": null
59+
}
60+
}
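Review bot: the `affected` block is internally ambiguous: the range gives `"fixed": "1.2.3"` while `database_specific.last_known_affected_version_range` is `"<= 1.2.1"`, which leaves the status of 1.2.2 undefined. The `details` text has no patched-version or remediation section to resolve it, and `references` carries no fix commit. Suggest stating the patched version in `details` and making the two version fields agree. Separately, the CVSS vector uses `PR:L` although the summary says the attacker needs the workspace ADMIN role, so the privileges-required metric deserves a second look.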
