Commit afed8c5

1 parent 9fad120 commit afed8c5

7 files changed

Lines changed: 122 additions & 17 deletions

advisories/github-reviewed/2026/02/GHSA-j27p-hq53-9wgc/GHSA-j27p-hq53-9wgc.json

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-j27p-hq53-9wgc",
4-
"modified": "2026-02-18T00:51:37Z",
4+
"modified": "2026-03-05T21:59:50Z",
55
"published": "2026-02-18T00:51:37Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-29609"
8+
],
79
"summary": "OpenClaw affected by denial of service via unbounded URL-backed media fetch",
810
"details": "### Summary\nURL-backed media fetch handling allocated the entire response payload in memory (`arrayBuffer`) before enforcing `maxBytes`, allowing oversized responses to cause memory exhaustion.\n\n### Affected Versions\n- `openclaw` (npm): < `2026.2.14`\n- `clawdbot` (npm): <= `2026.1.24-3`\n\n### Patched Versions\n- `openclaw` (npm): `2026.2.14`\n\n### Fix Commit\n- `openclaw/openclaw` `main`: `00a08908892d1743d1fc52e5cbd9499dd5da2fe0`\n\n### Details\nAffected component:\n- `src/media/input-files.ts` (`fetchWithGuard`)\n\nWhen `content-length` is missing or incorrect, reading the body via `response.arrayBuffer()` buffers the full payload before a size check can run.\n\n### Proof of Concept\n1. Configure URL-based media input.\n2. Serve a response larger than `maxBytes` (chunked transfer / no `content-length`).\n3. Trigger the `fetchWithGuard` URL fetch path.\n\nExample local server (large response):\n```bash\nnode -e 'require(\"http\").createServer((_,res)=>{res.writeHead(200,{\"content-type\":\"application/octet-stream\"});for(let i=0;i<1024;i++)res.write(Buffer.alloc(1024*64));res.end();}).listen(18888)'\n```\n\n### Impact\nAvailability loss via memory pressure from attacker-controlled remote media responses.\n\n### Mitigation\nUntil a patched release is available, disable URL-backed media inputs (or restrict to a tight hostname allowlist) and use conservative `maxBytes` limits.\n\n### Credits\nReported by @vincentkoc.",
911
"severity": [
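Review bot: The Mitigation paragraph in the `details` context line still says "Until a patched release is available", while the same text lists `openclaw` `2026.2.14` under Patched Versions. Since `modified` is being bumped for the CVE alias anyway, reword the mitigation to lead with upgrading to `2026.2.14` and keep the hostname allowlist and conservative `maxBytes` advice as the fallback for hosts that cannot upgrade.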

advisories/github-reviewed/2026/02/GHSA-jqpq-mgvm-f9r6/GHSA-jqpq-mgvm-f9r6.json

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-jqpq-mgvm-f9r6",
4-
"modified": "2026-02-18T00:55:50Z",
4+
"modified": "2026-03-05T22:00:12Z",
55
"published": "2026-02-18T00:55:50Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-29610"
8+
],
79
"summary": "OpenClaw: Command hijacking via unsafe PATH handling (bootstrapping + node-host PATH overrides)",
810
"details": "# Command hijacking via PATH handling\n\n**Discovered:** 2026-02-04\n**Reporter:** @akhmittra\n\n## Summary\n\nOpenClaw previously accepted untrusted PATH sources in limited situations. In affected versions, this could cause OpenClaw to resolve and execute an unintended binary (\"command hijacking\") when running host commands.\n\nThis issue primarily matters when OpenClaw is relying on allowlist/safe-bin protections and expects `PATH` to be trustworthy.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected: `< 2026.2.14`\n- Patched: `>= 2026.2.14` (planned next release)\n\n## What Is Required To Trigger This\n\n### A) Node Host PATH override (remote command hijack)\n\nAn attacker needs all of the following:\n\n- Authenticated/authorized access to an execution surface that can invoke node-host execution (for example, a compromised gateway or a caller that can issue `system.run`).\n- A node host connected and exposing `system.run`.\n- A configuration where allowlist/safe-bins are expected to restrict execution (this is not meaningful if full arbitrary exec is already allowed).\n- The ability to pass request-scoped environment overrides (specifically `PATH`) into `system.run`.\n- A way to place an attacker-controlled executable earlier in `PATH` (for example, a writable directory on the node host), with a name that matches an allowlisted/safe-bin command that OpenClaw will run.\n\nNotes:\n\n- OpenClaw deployments commonly require a gateway token/password (or equivalent transport authentication). 
This should not be treated as unauthenticated Internet RCE.\n- This scenario typically depends on **non-standard / misconfigured deployments** (for example, granting untrusted parties access to invoke node-host execution or otherwise exposing a privileged execution surface beyond the intended trust boundary).\n\n### B) Project-local PATH bootstrapping (local command hijack)\n\nAn attacker needs all of the following:\n\n- The victim runs OpenClaw from within an attacker-controlled working directory (for example, cloning and running inside a malicious repository).\n- That directory contains a `node_modules/.bin/openclaw` and additional attacker-controlled executables in the same directory.\n- OpenClaw subsequently executes a command by name (resolved via `PATH`) that matches one of those attacker-controlled executables.\n\n## Fix\n\n- Project-local `node_modules/.bin` PATH bootstrapping is now **disabled by default**. If explicitly enabled, it is **append-only** (never prepended) via `OPENCLAW_ALLOW_PROJECT_LOCAL_BIN=1`.\n- Node Host now ignores request-scoped `PATH` overrides.\n\n## Fix Commit(s)\n\n- 013e8f6b3be3333a229a066eef26a45fec47ffcc\n\nThanks @akhmittra for reporting.",
911
"severity": [
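Review bot: In `details`, the Affected Packages section still reads `>= 2026.2.14` "(planned next release)", which conflicts with GHSA-j27p-hq53-9wgc in this same commit, where `2026.2.14` is listed as patched with no qualifier. Confirm the release status and drop or update the "planned" wording so consumers of an advisory modified on 2026-03-05 do not read the fix as unreleased.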

advisories/github-reviewed/2026/02/GHSA-rwj8-p9vq-25gv/GHSA-rwj8-p9vq-25gv.json

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-rwj8-p9vq-25gv",
4-
"modified": "2026-02-18T17:44:58Z",
4+
"modified": "2026-03-05T22:00:36Z",
55
"published": "2026-02-18T17:44:58Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-29611"
8+
],
79
"summary": "OpenClaw has a LFI in BlueBubbles media path handling",
810
"details": "### Summary\nThe BlueBubbles extension accepted attacker-controlled local filesystem paths via `mediaPath` and could read arbitrary local files from disk before sending them as media attachments.\n\n### Details\nWhen `sendBlueBubblesMedia` received a non-HTTP media source, the previous implementation resolved it to a local path and read it directly from disk. There was no required allowlist of safe directories, so values like `/etc/passwd` (or equivalent sensitive paths on other platforms) could be requested and exfiltrated.\n\nThe fix hardens local media loading by requiring explicit configured roots (`channels.bluebubbles.mediaLocalRoots`) and by enforcing canonical-path containment checks before reading local files. Paths outside allowed roots are rejected.\n\nFix PR: https://github.com/openclaw/openclaw/pull/16322\nFix commit: https://github.com/openclaw/openclaw/commit/71f357d9498cebb0efe016b0496d5fbe807539fc\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: `< v2026.2.14`\n- Fixed: `>= v2026.2.14` (planned)\n\n### Impact\nAn attacker able to trigger BlueBubbles media sends could exfiltrate local files accessible to the OpenClaw process.\n\n### Remediation\nUpgrade to a release that includes commit `71f357d9498cebb0efe016b0496d5fbe807539fc` and configure `channels.bluebubbles.mediaLocalRoots` to explicit trusted directories.",
911
"severity": [
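Review bot: The version strings in `details` carry a `v` prefix (`< v2026.2.14`, `>= v2026.2.14`), unlike the other OpenClaw advisories in this commit, which write the npm version as `2026.2.14`. Normalise them to the unprefixed form, check that the structured `affected` range (not visible in this hunk) matches, and revisit the "(planned)" qualifier on the fixed version at the same time.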

advisories/github-reviewed/2026/02/GHSA-w2cg-vxx6-5xjg/GHSA-w2cg-vxx6-5xjg.json

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-w2cg-vxx6-5xjg",
4-
"modified": "2026-02-18T00:52:36Z",
4+
"modified": "2026-03-05T22:00:56Z",
55
"published": "2026-02-18T00:52:36Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-29612"
8+
],
79
"summary": "OpenClaw: denial of service through large base64 media files allocating large buffers before limit checks",
810
"details": "## Summary\n\nBase64-backed media inputs could be decoded into Buffers before enforcing decoded-size budgets. An attacker supplying oversized base64 payloads can force large allocations, causing memory pressure and denial of service.\n\n## Attack Scenario Notes\n\n- Recommended deployments bind the gateway to loopback by default and require gateway auth for HTTP endpoints. In that configuration, this is best modeled as a local/authorized DoS.\n- If an operator exposes the gateway to untrusted networks (or disables/weakens auth and rate limits), treat this as a higher-severity network DoS risk.\n\n## Affected Packages / Versions\n\n- openclaw (npm): <= 2026.2.13\n- clawdbot (npm): <= 2026.1.24-3\n\n## Fixed In\n\n- openclaw (npm): 2026.2.14 (planned)\n- clawdbot (npm): no patched release planned; migrate to openclaw\n\n## Fix Commit(s)\n\n- 31791233d60495725fa012745dde8d6ee69e9595\n\n## Credits\nThanks @vincentkoc for reporting.",
911
"severity": [
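Review bot: The `details` text lists `clawdbot` `<= 2026.1.24-3` as affected with "no patched release planned", so the structured `affected` array (outside this hunk) needs a `clawdbot` entry with no `fixed` event; without it, scanners will only flag `openclaw`. The `openclaw` bound is also written `<= 2026.2.13` here while the sibling advisories use `< 2026.2.14`; pick one form across the set.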

advisories/github-reviewed/2026/02/GHSA-xc7w-v5x6-cc87/GHSA-xc7w-v5x6-cc87.json

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-xc7w-v5x6-cc87",
4-
"modified": "2026-02-17T17:14:00Z",
4+
"modified": "2026-03-05T22:01:17Z",
55
"published": "2026-02-17T17:14:00Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-29613"
8+
],
79
"summary": "OpenClaw has a webhook auth bypass when gateway is behind a reverse proxy (loopback remoteAddress trust)",
810
"details": "## Summary\n\nThe BlueBubbles webhook handler previously treated any request whose socket `remoteAddress` was loopback (`127.0.0.1`, `::1`, `::ffff:127.0.0.1`) as authenticated. When OpenClaw Gateway is behind a reverse proxy (Tailscale Serve/Funnel, nginx, Cloudflare Tunnel, ngrok), the proxy typically connects to the gateway over loopback, allowing unauthenticated remote requests to bypass the configured webhook password.\n\nThis could allow an attacker who can reach the proxy endpoint to inject arbitrary inbound BlueBubbles message/reaction events.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `< 2026.2.12`\n- Patched versions: `>= 2026.2.12`\n\n## Exposure / Configuration\n\n- BlueBubbles is an optional channel plugin (intended to eventually replace the legacy iMessage plugin, which is also optional). It is not enabled by default and is not part of a standard OpenClaw configuration.\n- Only deployments with the BlueBubbles webhook endpoint exposed through a reverse proxy are impacted.\n\n## Details\n\nThe BlueBubbles webhook handler accepts inbound events via an HTTP POST endpoint under the configured BlueBubbles webhook path.\n\nIn vulnerable versions, the handler would accept requests as authenticated if `req.socket.remoteAddress` is loopback, without validating forwarding headers. 
With common reverse-proxy setups, the gateway sees the proxy as the direct client (loopback), even when the original request is remote.\n\n## Fix\n\n- Primary fix (released in `2026.2.12`): remove loopback-based authentication bypass and require the configured webhook secret.\n- Defense-in-depth follow-up (next release after commit below): treat requests with forwarding headers as proxied and never accept passwordless webhooks through a proxy.\n\n## Fix Commit(s)\n\n- [`f836c385ffc746cb954e8ee409f99d079bfdcd2f`](https://github.com/openclaw/openclaw/commit/f836c385ffc746cb954e8ee409f99d079bfdcd2f) (released in `2026.2.12`)\n- [`743f4b28495cdeb0d5bf76f6ebf4af01f6a02e5a`](https://github.com/openclaw/openclaw/commit/743f4b28495cdeb0d5bf76f6ebf4af01f6a02e5a) (defense-in-depth follow-up)\n\n## Mitigations\n\n- Ensure a BlueBubbles webhook password is configured.\n- Do not expose the gateway webhook endpoint publicly without authentication.\n\nThanks @simecek for reporting.",
911
"severity": [
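Review bot: The Fix section in `details` places the defense-in-depth commit `743f4b28495cdeb0d5bf76f6ebf4af01f6a02e5a` in the "next release after commit below" without naming a version, so a reader cannot tell which release refuses passwordless webhooks arriving through a proxy. If that release exists, name it next to the commit; the `2026.2.12` patched version for the primary fix is clear as written.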
Lines changed: 63 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,63 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-5r2p-pjr8-7fh7",
4+
"modified": "2026-03-05T22:01:09Z",
5+
"published": "2026-03-05T22:01:09Z",
6+
"aliases": [],
7+
"summary": "SageMaker Python SDK replaced eval() with safe parser in JumpStart search functionality",
8+
"details": "## Summary\n\nThis advisory addresses the use of the search_hub() function within the SageMaker Python SDK's JumpStart search functionality. An actor with the ability to control query parameters passed to the search_hub() function could potentially provide malformed input that causes the eval() function to execute arbitrary commands, access sensitive data, or compromise the execution environment.\n\nA defense-in-depth enhancement has been implemented to replace code evaluation with safe string operations when processing search query parameters. This enhancement removes the use of eval() from the execution path, replacing it with a safe recursive descent parser. The change was released in SageMaker Python SDK version 3.4.0 on January 23, 2026. This advisory is informational to help customers understand their responsibilities regarding input validation and configuration security under the [AWS Shared Responsibility Model](https://aws.amazon.com/compliance/shared-responsibility-model/).\n\n\n## Impact\n\nCustomer applications that pass unsanitized or untrusted input directly to the search_hub() function's query parameter could be prone to Remote Code Execution (RCE), potentially allowing attackers to execute arbitrary commands, access sensitive data, or compromise the execution environment. While the SDK was functioning within the requirements of the shared responsibility model—where input sanitization falls on the customer side—additional safeguards have been added to support secure customer implementations and provide defense-in-depth protection.\n\n**Impacted versions:** All versions of SageMaker Python SDK prior to 3.4.0\n\n\n## Patches\n\nOn January 23, 2026, an enhancement was made to SageMaker Python SDK version 3.4.0, which replaces eval() with a safe recursive descent parser that uses string operations for pattern matching with proper operator precedence and exception handling. 
We recommend upgrading to version 3.4.0 or later, using the following command:\n\n```\npip install --upgrade sagemaker>=3.4.0\n```\nCustomers using forked or derivative code should incorporate the fixes from the referenced pull request.\n\n## Workarounds\n\nNo workarounds are needed, but as always you should ensure that your application is following security best practices:\n- Sanitize and validate input to SDK methods to ensure only expected formats are processed\n- Update to the latest SageMaker Python SDK release on a regular basis\n- Follow AWS security best practices for SDK configuration and usage\n- Ensure proper access controls are in place for environments where the SDK is deployed\n\n\n## References\n\n- Fixed in PR: https://github.com/aws/sagemaker-python-sdk/pull/5497\n- Release: https://pypi.org/project/sagemaker/3.4.0/\n- AWS Shared Responsibility Model: https://aws.amazon.com/compliance/shared-responsibility-model/\n\nIf you have any questions or comments about this advisory, contact AWS Security via our [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting/) or email [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.\n\n\n## Acknowledgement\n\nWe thank Dan Aridor (@daridor9) and the security research community for bringing these customer security considerations to our attention through the coordinated disclosure process and for collaborating on this issue through responsible disclosure practices.",
9+
"severity": [
10+
{
11+
"type": "CVSS_V4",
12+
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "PyPI",
19+
"name": "sagemaker"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "0"
27+
},
28+
{
29+
"fixed": "3.4.0"
30+
}
31+
]
32+
}
33+
]
34+
}
35+
],
36+
"references": [
37+
{
38+
"type": "WEB",
39+
"url": "https://github.com/aws/sagemaker-python-sdk/security/advisories/GHSA-5r2p-pjr8-7fh7"
40+
},
41+
{
42+
"type": "WEB",
43+
"url": "https://github.com/aws/sagemaker-python-sdk/pull/5497"
44+
},
45+
{
46+
"type": "WEB",
47+
"url": "https://github.com/aws/sagemaker-python-sdk/commit/e706e578519bd9b92ea44b9b15f872eca5e77ea4"
48+
},
49+
{
50+
"type": "PACKAGE",
51+
"url": "https://github.com/aws/sagemaker-python-sdk"
52+
}
53+
],
54+
"database_specific": {
55+
"cwe_ids": [
56+
"CWE-184"
57+
],
58+
"severity": "HIGH",
59+
"github_reviewed": true,
60+
"github_reviewed_at": "2026-03-05T22:01:09Z",
61+
"nvd_published_at": null
62+
}
63+
}
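Review bot: `cwe_ids` lists CWE-184 (Incomplete List of Disallowed Inputs), but `details` describes caller-controlled query input reaching `eval()` in `search_hub()`, which is eval injection; CWE-95 is the closer match and should replace or accompany it. Two smaller points in `details`: the upgrade command `pip install --upgrade sagemaker>=3.4.0` is unquoted, so a POSIX shell treats `>=3.4.0` as an output redirect and the version constraint is lost (quote the requirement as `'sagemaker>=3.4.0'`), and the text says "Remote Code Execution" while the vector is `AV:L` with `UI:A`, which is worth reconciling.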

advisories/unreviewed/2026/03/GHSA-5wmx-573v-2qwq/GHSA-5wmx-573v-2qwq.json renamed to advisories/github-reviewed/2026/03/GHSA-5wmx-573v-2qwq/GHSA-5wmx-573v-2qwq.json

Lines changed: 39 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -1,14 +1,40 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-5wmx-573v-2qwq",
4-
"modified": "2026-03-05T15:30:36Z",
4+
"modified": "2026-03-05T21:59:47Z",
55
"published": "2026-03-05T15:30:36Z",
66
"aliases": [
77
"CVE-2025-69534"
88
],
9+
"summary": "Python-Markdown has an Uncaught Exception",
910
"details": "Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated Denial of Service in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown. The issue was acknowledged by the vendor and fixed in version 3.8.1. This issue causes a remote Denial of Service in any application parsing untrusted Markdown, and can lead to Information Disclosure through uncaught exceptions.",
10-
"severity": [],
11-
"affected": [],
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "PyPI",
21+
"name": "Markdown"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "3.8.1"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
1238
"references": [
1339
{
1440
"type": "ADVISORY",
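Review bot: The new `affected` range starts at `"introduced": "0"`, which marks every release before `3.8.1` as vulnerable, while `details` names only "version 3.8". If earlier releases were checked and fail the same way, say so in `details`; if not, set `introduced` to the first affected version. The added vector also has `VC:N` although `details` claims information disclosure through uncaught exceptions, so one of the two should change.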
@@ -18,6 +44,10 @@
1844
"type": "WEB",
1945
"url": "https://github.com/Python-Markdown/markdown/issues/1534"
2046
},
47+
{
48+
"type": "WEB",
49+
"url": "https://github.com/Python-Markdown/markdown/pull/1535"
50+
},
2151
{
2252
"type": "WEB",
2353
"url": "https://github.com/Python-Markdown/markdown"
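Review bot: The added reference for `pull/1535` is typed `WEB`; if that pull request is the change that shipped in `3.8.1`, type it `FIX` so tooling can locate the patch. The repository URL in the trailing context is also `WEB`, whereas the SageMaker advisory added in this commit types its repository link as `PACKAGE`.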
@@ -28,10 +58,12 @@
2858
}
2959
],
3060
"database_specific": {
31-
"cwe_ids": [],
32-
"severity": null,
33-
"github_reviewed": false,
34-
"github_reviewed_at": null,
61+
"cwe_ids": [
62+
"CWE-248"
63+
],
64+
"severity": "MODERATE",
65+
"github_reviewed": true,
66+
"github_reviewed_at": "2026-03-05T21:59:47Z",
3567
"nvd_published_at": "2026-03-05T15:16:11Z"
3668
}
3769
}
