Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit acf99cc47759 · 2026-02-18T00:52:58.000Z
GHSA-j27p-hq53-9wgc GHSA-v773-r54f-q32w GHSA-xvhf-x56f-2hpp
diff --git a/advisories/github-reviewed/2026/02/GHSA-j27p-hq53-9wgc/GHSA-j27p-hq53-9wgc.json b/advisories/github-reviewed/2026/02/GHSA-j27p-hq53-9wgc/GHSA-j27p-hq53-9wgc.json
@@ -0,0 +1,59 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-j27p-hq53-9wgc",
+  "modified": "2026-02-18T00:51:37Z",
+  "published": "2026-02-18T00:51:37Z",
+  "aliases": [],
+  "summary": "OpenClaw affected by denial of service via unbounded URL-backed media fetch",
+  "details": "### Summary\nURL-backed media fetch handling allocated the entire response payload in memory (`arrayBuffer`) before enforcing `maxBytes`, allowing oversized responses to cause memory exhaustion.\n\n### Affected Versions\n- `openclaw` (npm): < `2026.2.14`\n- `clawdbot` (npm): <= `2026.1.24-3`\n\n### Patched Versions\n- `openclaw` (npm): `2026.2.14`\n\n### Fix Commit\n- `openclaw/openclaw` `main`: `00a08908892d1743d1fc52e5cbd9499dd5da2fe0`\n\n### Details\nAffected component:\n- `src/media/input-files.ts` (`fetchWithGuard`)\n\nWhen `content-length` is missing or incorrect, reading the body via `response.arrayBuffer()` buffers the full payload before a size check can run.\n\n### Proof of Concept\n1. Configure URL-based media input.\n2. Serve a response larger than `maxBytes` (chunked transfer / no `content-length`).\n3. Trigger the `fetchWithGuard` URL fetch path.\n\nExample local server (large response):\n```bash\nnode -e 'require(\"http\").createServer((_,res)=>{res.writeHead(200,{\"content-type\":\"application/octet-stream\"});for(let i=0;i<1024;i++)res.write(Buffer.alloc(1024*64));res.end();}).listen(18888)'\n```\n\n### Impact\nAvailability loss via memory pressure from attacker-controlled remote media responses.\n\n### Mitigation\nUntil a patched release is available, disable URL-backed media inputs (or restrict to a tight hostname allowlist) and use conservative `maxBytes` limits.\n\n### Credits\nReported by @vincentkoc.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.2.14"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-j27p-hq53-9wgc"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/00a08908892d1743d1fc52e5cbd9499dd5da2fe0"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-400"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-18T00:51:37Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/02/GHSA-v773-r54f-q32w/GHSA-v773-r54f-q32w.json b/advisories/github-reviewed/2026/02/GHSA-v773-r54f-q32w/GHSA-v773-r54f-q32w.json
@@ -0,0 +1,63 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-v773-r54f-q32w",
+  "modified": "2026-02-18T00:51:03Z",
+  "published": "2026-02-18T00:51:03Z",
+  "aliases": [],
+  "summary": "OpenClaw Slack: dmPolicy=open allowed any DM sender to run privileged slash commands",
+  "details": "## Summary\n\nWhen Slack DMs are configured with `dmPolicy=open`, the Slack slash-command handler incorrectly treated any DM sender as command-authorized. This allowed any Slack user who could DM the bot to execute privileged slash commands via DM, bypassing intended allowlist/access-group restrictions.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.2.13`\n- Affected configuration: Slack DMs enabled with `channels.slack.dm.policy: open` (aka `dmPolicy=open`)\n\n## Impact\n\nAny Slack user in the workspace who can DM the bot could invoke privileged slash commands via DM.\n\n## Fix\n\nThe slash-command path now computes `CommandAuthorized` for DMs using the same allowlist/access-group gating logic as other inbound paths.\n\nFix commit(s):\n- f19eabee54c49e9a2e264b4965edf28a2f92e657\n\n## Release Process Note\n\n`patched_versions` is set to the planned next release (`2026.2.14`). Once that npm release is published, this advisory should be published.\n\nThanks @christos-eth for reporting.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.2.14"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v773-r54f-q32w"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/f19eabee54c49e9a2e264b4965edf28a2f92e657"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-285"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-18T00:51:03Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/02/GHSA-xvhf-x56f-2hpp/GHSA-xvhf-x56f-2hpp.json b/advisories/github-reviewed/2026/02/GHSA-xvhf-x56f-2hpp/GHSA-xvhf-x56f-2hpp.json
@@ -0,0 +1,63 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-xvhf-x56f-2hpp",
+  "modified": "2026-02-18T00:50:47Z",
+  "published": "2026-02-18T00:50:47Z",
+  "aliases": [],
+  "summary": "OpenClaw exec approvals: safeBins could bypass stdin-only constraints via shell expansion",
+  "details": "## Summary\n\nOpenClaw's exec-approvals allowlist supports a small set of \"safe bins\" intended to be stdin-only (no positional file arguments) when running `tools.exec.host=gateway|node` with `security=allowlist`.\n\nIn affected configurations, the allowlist validation checked pre-expansion argv tokens, but execution used a real shell (`sh -c`) which expands globs and environment variables. This allowed safe bins like `head`, `tail`, or `grep` to read arbitrary local files via tokens such as `*` or `$HOME/...` without triggering approvals.\n\nThis issue is configuration-dependent and is not exercised by default settings (default `tools.exec.host` is `sandbox`).\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected: `<= 2026.2.13`\n- Patched: `>= 2026.2.14` (planned; publish the advisory after the npm release is out)\n\n## Impact\n\nAn authorized but untrusted caller (or prompt-injection) could cause the gateway/node process to disclose files readable by that process when host execution is enabled in allowlist mode.\n\n## Fix\n\nSafe-bins executions now force argv tokens to be treated as literal text at execution time (single-quoted), preventing globbing and `$VARS` expansion from turning \"safe\" tokens into file paths.\n\n## Fix Commit(s)\n\n- 77b89719d5b7e271f48b6f49e334a8b991468c3b\n\n## Release Process Note\n\n`patched_versions` is pre-set for the next planned release (`>= 2026.2.14`) so publishing is a single click once that npm version is available.\n\nThanks @christos-eth for reporting.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.2.14"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xvhf-x56f-2hpp"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/77b89719d5b7e271f48b6f49e334a8b991468c3b"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-78"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-18T00:50:47Z",
+    "nvd_published_at": null
+  }
+}
