Publish Advisories

GHSA-8q4h-8crm-5cvc
GHSA-f934-5rqf-xx47
GHSA-mr34-9552-qr95
GHSA-xh72-v6v9-mwhc

Author: advisory-database[bot]

advisories/github-reviewed/2026/04/GHSA-8q4h-8crm-5cvc/GHSA-8q4h-8crm-5cvc.json

@@ -0,0 +1,55 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8q4h-8crm-5cvc",
+  "modified": "2026-04-17T22:33:51Z",
+  "published": "2026-04-17T22:33:51Z",
+  "aliases": [],
+  "summary": "elFinder: Command injection in resize background color parameter when using ImageMagick CLI",
+  "details": "### Severity\n**High**  \n`bg` can be injected into shell command construction, leading to possible RCE in affected configurations.\n\n### Summary\n\nelFinder contains a command injection vulnerability in the `resize` command.\n\nThe `bg` (background color) parameter is accepted from user input and passed through image resize/rotate processing. In configurations that use the ImageMagick CLI backend, this value is incorporated into shell command strings without sufficient escaping. An attacker able to invoke the `resize` command with a crafted `bg` value may achieve arbitrary command execution as the web server process user.\n\nThis issue affects configurations where:\n- the `resize` command is enabled,\n- image processing uses the ImageMagick CLI backend, and\n- the vulnerable code paths are reachable.\n\n\n### Impact\n\nAn attacker may execute arbitrary OS commands with the privileges of the web server process.\n\nImpact depends on server configuration, enabled commands, backend image library selection, and surrounding deployment controls.\n\n\n### Affected versions\n\nAffected: all versions before <FIXED_VERSION>\nPatched: <FIXED_VERSION>\n\n\n### Details\n\nThe vulnerable flow is:\n\n1. The `resize` command accepts the `bg` parameter from the request.\n2. The parameter is passed into volume resize handling.\n3. In ImageMagick CLI code paths, the value is interpolated into shell command strings.\n4. Because the value is not safely constrained and escaped, shell metacharacters may be injected.\n\nThe issue was addressed by:\n- validating `bg` against a strict allowlist of supported color formats, and\n- safely escaping the value before it is passed into CLI command construction.\n\n\n### Workarounds\n\nPossible mitigations for users who cannot upgrade immediately:\n\n- disable the `resize` command if not required,\n- avoid using the ImageMagick CLI backend for image processing,\n- restrict access to trusted users only.\n\nUpgrading to the patched release is strongly recommended.\n\n\n### Credits\n\nThanks to Lin, WeiChi for the responsible disclosure.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "studio-42/elfinder"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.1.67"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/Studio-42/elFinder/security/advisories/GHSA-8q4h-8crm-5cvc"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/Studio-42/elFinder"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-78"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-17T22:33:51Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/04/GHSA-f934-5rqf-xx47/GHSA-f934-5rqf-xx47.json

@@ -0,0 +1,63 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-f934-5rqf-xx47",
+  "modified": "2026-04-17T22:33:33Z",
+  "published": "2026-04-17T22:33:33Z",
+  "aliases": [],
+  "summary": "OpenClaw: QMD memory_get restricts reads to canonical or indexed memory paths",
+  "details": "## Summary\n\nThe QMD backend `memory_get` read path accepted arbitrary workspace Markdown paths that were inside the workspace but outside the canonical memory locations or indexed QMD result set.\n\n## Impact\n\nWhen the QMD backend was enabled, a caller with access to `memory_get` could read arbitrary `*.md` files under the configured workspace root, even when those files were not canonical memory files and had not been returned by QMD search. Severity remains low because exploitation requires access to the memory tool surface and is limited to workspace Markdown files, but it bypassed the intended memory-path policy.\n\n## Affected versions\n\n- Affected: `< 2026.4.15`\n- Patched: `2026.4.15`\n\n## Fix\n\nOpenClaw `2026.4.15` restricts QMD reads to canonical memory paths or previously indexed QMD workspace paths. Workspace containment alone is no longer sufficient.\n\nVerified in `v2026.4.15`:\n\n- `extensions/memory-core/src/memory/qmd-manager.ts` rejects non-default workspace Markdown paths unless they match an indexed QMD workspace read path.\n- `extensions/memory-core/src/memory/qmd-manager.test.ts` covers QMD session search-result reads and the read-path restriction behavior.\n\nFix commit included in `v2026.4.15` and absent from `v2026.4.14`:\n\n- `37d5971db36491d5050efd42c333cbe0b98ed292` via PR #66026\n\nThanks to @zsxsoft, Keen Security Lab, and @qclawer for reporting this issue.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.4.15"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f934-5rqf-xx47"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/pull/66026"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/37d5971db36491d5050efd42c333cbe0b98ed292"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-17T22:33:33Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/04/GHSA-mr34-9552-qr95/GHSA-mr34-9552-qr95.json

@@ -0,0 +1,80 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-mr34-9552-qr95",
+  "modified": "2026-04-17T22:33:09Z",
+  "published": "2026-04-17T22:33:09Z",
+  "aliases": [],
+  "summary": "OpenClaw: Webchat media embedding enforces local-root containment for tool-result files",
+  "details": "## Summary\n\nWebchat tool-result media normalization could pass local and UNC-style file paths into the host-side media embedding path without applying the configured local-root containment policy.\n\n## Impact\n\nA crafted tool-result media reference could cause the host to attempt local file reads or Windows UNC/network path access while preparing webchat media blocks. This could disclose allowed host files or trigger network credential exposure on affected Windows deployments. Severity remains medium because exploitation depends on a tool-result media path reaching the webchat embedding path, but the sink is a host-side file read before the user sees the rendered result.\n\n## Affected versions\n\n- Affected: `>= 2026.4.7, < 2026.4.15`\n- Patched: `2026.4.15`\n\n## Fix\n\nOpenClaw `2026.4.15` hardens the webchat media path and the shared media resolver. Remote-host `file://` URLs and Windows network paths are rejected before filesystem access, and audio embedding now enforces configured `localRoots` containment before `stat` or read operations.\n\nVerified in `v2026.4.15`:\n\n- `src/gateway/server-methods/chat-webchat-media.ts` uses safe file-URL parsing, rejects Windows network paths, and calls `assertLocalMediaAllowed` before probing local audio files.\n- `src/media/web-media.ts` rejects remote-host `file://` URLs, Windows network paths, and local-root bypasses on the shared media path.\n- `src/gateway/server-methods/chat-webchat-media.test.ts` covers both remote-host `file://` rejection and local-root denial before filesystem access.\n\nFix commits included in `v2026.4.15` and absent from `v2026.4.14`:\n\n- `1470de5d3e0970856d86cd99336bb8ada3fe87da` via PR #67293\n- `6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde` via PR #67298\n- `52ef42302ead9e183e6c8810e0a04ee4ef8ae9fc` via PR #67303 as defense-in-depth for trusted media passthrough anchoring\n\nThanks to @Kherrisan for reporting this issue.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2026.4.7"
+            },
+            {
+              "fixed": "2026.4.15"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mr34-9552-qr95"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/pull/67293"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/pull/67298"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/pull/67303"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/1470de5d3e0970856d86cd99336bb8ada3fe87da"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/52ef42302ead9e183e6c8810e0a04ee4ef8ae9fc"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22",
+      "CWE-73"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-17T22:33:09Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/04/GHSA-xh72-v6v9-mwhc/GHSA-xh72-v6v9-mwhc.json

@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-xh72-v6v9-mwhc",
+  "modified": "2026-04-17T22:32:47Z",
+  "published": "2026-04-17T22:32:47Z",
+  "aliases": [],
+  "summary": "OpenClaw: Feishu webhook and card-action validation now fail closed",
+  "details": "## Summary\n\nFeishu webhook mode accepted missing `encryptKey` configuration as valid and blank card-action callback tokens as usable lifecycle tokens. Together, those fail-open paths could allow unauthenticated webhook or card-action traffic to reach command dispatch in affected deployments.\n\n## Impact\n\nA deployment using Feishu webhook mode without a configured `encryptKey`, or handling malformed card-action callbacks with blank callback tokens, could fail open instead of rejecting the request. Severity remains critical because affected webhook deployments expose a network-triggered path into OpenClaw command handling without the expected Feishu signature or replay protection.\n\n## Affected versions\n\n- Affected: `< 2026.4.15`\n- Patched: `2026.4.15`\n\n## Fix\n\nOpenClaw `2026.4.15` makes Feishu webhook and card-action validation fail closed. Webhook mode now refuses to start without an `encryptKey`, missing signing configuration returns invalid instead of valid, invalid signatures return `401`, and blank card-action callback tokens are rejected before dispatch.\n\nVerified in `v2026.4.15`:\n\n- `extensions/feishu/src/monitor.transport.ts` returns invalid when `encryptKey` is missing, refuses webhook mode without `encryptKey`, and rejects invalid signatures before JSON handling.\n- `extensions/feishu/src/card-action.ts` rejects blank callback tokens in the card-action lifecycle guard.\n- `extensions/feishu/src/monitor.webhook-security.test.ts` covers missing-`encryptKey` startup and transport rejection.\n- `extensions/feishu/src/monitor.card-action.lifecycle.test.ts` covers malformed blank-token card actions being dropped before handler dispatch.\n\nFix commit included in `v2026.4.15` and absent from `v2026.4.14`:\n\n- `c8003f1b33ed2924be5f62131bd28742c5a41aae` via PR #66707\n\nThanks to @dhyabi2 for reporting this issue.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.4.15"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xh72-v6v9-mwhc"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/pull/66707"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/c8003f1b33ed2924be5f62131bd28742c5a41aae"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1188",
+      "CWE-287",
+      "CWE-294"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-17T22:32:47Z",
+    "nvd_published_at": null
+  }
+}