Publish Advisories

GHSA-7rcp-mxpq-72pj
GHSA-fh3f-q9qw-93j9
GHSA-mqpw-46fh-299h
GHSA-pg2v-8xwh-qhcc
GHSA-q447-rj3r-2cgh
GHSA-r5h9-vjqc-hq3r
GHSA-rv39-79c4-7459
GHSA-47q7-97xp-m272

Author: advisory-database[bot]

advisories/github-reviewed/2026/02/GHSA-7rcp-mxpq-72pj/GHSA-7rcp-mxpq-72pj.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7rcp-mxpq-72pj",
-  "modified": "2026-02-18T17:41:00Z",
+  "modified": "2026-03-05T21:53:10Z",
   "published": "2026-02-18T17:41:00Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-28477"
+  ],
   "summary": "OpenClaw Chutes manual OAuth state validation bypass can cause credential substitution",
   "details": "## Summary\n\nThe manual Chutes OAuth login flow could accept attacker-controlled callback input in a way that bypassed OAuth CSRF state validation, potentially resulting in credential substitution.\n\n## Impact\n\nIf an attacker can convince a user to paste attacker-provided OAuth callback data during the manual login prompt, OpenClaw may exchange an attacker-obtained authorization code and persist tokens for the wrong Chutes account.\n\nThe automatic local callback flow is not affected (it validates state in the local HTTP callback handler).\n\n## Affected Packages / Versions\n\n- `openclaw` (npm): `<= 2026.2.13` when using the manual Chutes OAuth login flow.\n\n## Fix\n\nThe manual flow now requires the full redirect URL (must include `code` and `state`), validates the returned `state` against the expected value, and rejects code-only pastes.\n\n## Fix Commit(s)\n\n- a99ad11a4107ba8eac58f54a3c1a8a0cf5686f47\n\nThanks @aether-ai-agent for reporting.",
   "severity": [

advisories/github-reviewed/2026/02/GHSA-fh3f-q9qw-93j9/GHSA-fh3f-q9qw-93j9.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-fh3f-q9qw-93j9",
-  "modified": "2026-02-19T19:41:07Z",
+  "modified": "2026-03-05T21:54:01Z",
   "published": "2026-02-19T19:41:07Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-28479"
+  ],
   "summary": "OpenClaw replaced a deprecated sandbox hash algorithm",
   "details": "## Affected Packages / Versions\n- npm package: `openclaw`\n- Affected versions: `<= 2026.2.14`\n- Fixed version (pre-set): `2026.2.15`\n\n## Description\nThe sandbox identifier cache key for Docker/browser sandbox configuration used SHA-1 to hash normalized configuration payloads.\n\nSHA-1 is deprecated for cryptographic use and has known collision weaknesses. In this code path, deterministic IDs are used to decide whether an existing sandbox container can be reused safely. A collision in this hash could let one configuration be interpreted as another under the same sandbox cache identity, increasing the risk of cache poisoning and unsafe sandbox state reuse.\n\nThe implementation now uses SHA-256 for these deterministic hashes to restore collision resistance for this security-relevant identifier path.\n\n## Fix Commit(s)\n- `559c8d993`\n\n## Release Process Note\n`patched_versions` is pre-set to `2026.2.15` for the next release. After that release is published, mark this advisory ready for publication.\n\nThanks @kexinoh ( of Tencent zhuque Lab, by https://github.com/Tencent/AI-Infra-Guard) for reporting.",
   "severity": [

advisories/github-reviewed/2026/02/GHSA-mqpw-46fh-299h/GHSA-mqpw-46fh-299h.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-mqpw-46fh-299h",
-  "modified": "2026-02-17T21:39:11Z",
+  "modified": "2026-03-05T21:51:41Z",
   "published": "2026-02-17T21:39:11Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-28473"
+  ],
   "summary": "OpenClaw authorization bypass: operator.write can resolve exec approvals via chat.send -> /approve",
   "details": "## Summary\n\n### What this means (plain language)\n\nIf you give a client “chat/write” access to the gateway (`operator.write`) but you do not intend to let that client approve exec requests (`operator.approvals`), affected versions could still let that client approve/deny a pending exec approval by sending the `/approve` chat command.\n\nThis is mainly relevant for shared or multi-client setups where different tokens are intentionally scoped differently. Single-operator installs are typically less impacted.\n\n### Technical summary\n\nA gateway client authenticated with a device token scoped only to `operator.write` (without `operator.approvals`) could approve/deny pending exec approval requests by sending a chat message containing the built-in `/approve` command.\n\n`exec.approval.resolve` is correctly scoped to `operator.approvals` for direct RPC calls, but the `/approve` command path invoked it via an internal privileged gateway client.\n\n## Affected Packages / Versions\n\n- `openclaw` (npm): `< 2026.2.2`\n\n## Fix\n\n- Fixed in `openclaw` `2026.2.2`.\n- Fix commit(s): `efe2a464afcff55bb5a95b959e6bd9ec0fef086e`.\n- Change: when `/approve` is invoked from gateway clients (webchat/internal channel), it now requires the requesting client to have `operator.approvals` (or `operator.admin`).\n\n## Workarounds\n\n- Upgrade to `openclaw >= 2026.2.2`.\n- If you cannot upgrade: avoid issuing write-only device tokens to untrusted clients; disable text commands (`commands.text=false`) or restrict access to the webchat/control UI.\n\n## References\n\n- Fix: `src/auto-reply/reply/commands-approve.ts`\n- Coverage: `src/auto-reply/reply/commands-approve.test.ts`\n\n## Release Process Note\n\nThis advisory is kept in draft; once the fixed npm versions are available, it can be published without further edits.\n\nThanks @yueyueL for reporting.",
   "severity": [

advisories/github-reviewed/2026/02/GHSA-pg2v-8xwh-qhcc/GHSA-pg2v-8xwh-qhcc.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-pg2v-8xwh-qhcc",
-  "modified": "2026-02-18T00:55:00Z",
+  "modified": "2026-03-05T21:52:42Z",
   "published": "2026-02-18T00:55:00Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-28476"
+  ],
   "summary": "OpenClaw affected by SSRF in optional Tlon (Urbit) extension authentication",
   "details": "## Summary\nThe optional Tlon (Urbit) extension previously accepted a user-provided base URL for authentication and used it to construct an outbound HTTP request, enabling server-side request forgery (SSRF) in affected deployments.\n\n## Impact\nThis only affects deployments that have installed and configured the Tlon (Urbit) extension, and where an attacker can influence the configured Urbit URL. Under those conditions, the gateway could be induced to make HTTP requests to attacker-chosen hosts (including internal addresses).\n\nDeployments that do not use the Tlon extension, or where untrusted users cannot change the Urbit URL, are not impacted.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.2.13`\n\n## Fixed Versions\n- `2026.2.14` (planned next release)\n\n## Fix Commit(s)\n- `bfa7d21e997baa8e3437657d59b1e296815cc1b1`\n\n## Details\nUrbit authentication now validates and normalizes the base URL and uses an SSRF guard that blocks private/internal hosts by default (opt-in: `channels.tlon.allowPrivateNetwork`).\n\n## Release Process Note\nThis advisory is pre-populated with the planned patched version (`2026.2.14`). After `openclaw@2026.2.14` is published to npm, publish this advisory without further edits.\n\nThanks @p80n-sec for reporting.",
   "severity": [

advisories/github-reviewed/2026/02/GHSA-q447-rj3r-2cgh/GHSA-q447-rj3r-2cgh.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-q447-rj3r-2cgh",
-  "modified": "2026-02-18T00:53:07Z",
+  "modified": "2026-03-05T21:53:39Z",
   "published": "2026-02-18T00:53:07Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-28478"
+  ],
   "summary": "OpenClaw affected by denial of service via unbounded webhook request body buffering",
   "details": "### Summary\nMultiple webhook handlers accepted and buffered request bodies without a strict unified byte/time limit. A remote unauthenticated attacker could send oversized payloads and cause memory pressure, degrading availability.\n\n### Details\nAffected packages:\n- `openclaw` (npm): `<2026.2.12`\n- `clawdbot` (npm): `<=2026.1.24-3`\n\nRoot cause:\n- Webhook code paths buffered request payloads without consistent `maxBytes` + `timeoutMs` enforcement.\n- Some SDK-backed handlers parse request bodies internally and needed stream-level guards.\n\nAttack shape:\n- Send very large JSON payloads or slow/incomplete uploads to webhook endpoints.\n- Observe elevated memory usage and request handler pressure.\n\n### Impact\nRemote unauthenticated availability impact (DoS) via request body amplification/memory pressure.\n\n### Patch details (implemented)\n- Added shared bounded request-body helper in `src/infra/http-body.ts`.\n- Exported helper in `src/plugin-sdk/index.ts` for extension reuse.\n- Migrated webhook body readers to shared helper for:\n  - LINE\n  - Nextcloud Talk\n  - Google Chat\n  - Zalo\n  - BlueBubbles\n  - Nostr profile HTTP\n  - Voice-call\n  - Gateway hooks\n- Added stream guards for SDK handlers that parse request bodies internally:\n  - Slack\n  - Telegram\n  - Feishu\n- Added explicit Express JSON body limit handling for MS Teams webhook path.\n- Standardized failure responses:\n  - `413 Payload Too Large`\n  - `408 Request Timeout`\n\n### Tests\n- Added regression tests:\n  - `src/infra/http-body.test.ts`\n  - `src/line/monitor.read-body.test.ts`\n  - `extensions/nextcloud-talk/src/monitor.read-body.test.ts`\n- Focused webhook/security test suite passes for patched paths.\n\n### Remediation\nUpgrade to the first release containing this patch.\n\n## Credits\nThanks @vincentkoc for reporting.",
   "severity": [

advisories/github-reviewed/2026/02/GHSA-r5h9-vjqc-hq3r/GHSA-r5h9-vjqc-hq3r.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-r5h9-vjqc-hq3r",
-  "modified": "2026-02-17T21:36:15Z",
+  "modified": "2026-03-05T21:52:01Z",
   "published": "2026-02-17T21:36:15Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-28474"
+  ],
   "summary": "Nextcloud Talk allowlist bypass via actor.name display name spoofing",
   "details": "## Summary\n\nIn affected versions of the optional Nextcloud Talk plugin (installed separately; not bundled with the core OpenClaw install), an untrusted webhook field (`actor.name`, display name) could be treated as an allowlist identifier. An attacker could change their Nextcloud display name to match an allowlisted user ID and bypass DM or room allowlists.\n\n## Details\n\nNextcloud Talk webhook payloads provide a stable sender identifier (`actor.id`) and a mutable display name (`actor.name`). In affected versions, the plugin’s allowlist matching accepted equality on the display name, which is attacker-controlled.\n\n## Affected Packages / Versions\n\n- Package: `@openclaw/nextcloud-talk` (npm)\n- Affected: `<= 2026.2.2`\n- Fixed: `>= 2026.2.6`\n\nNote: This advisory applies to the optional Nextcloud Talk plugin package. Core `openclaw` is not impacted unless you installed and use `@openclaw/nextcloud-talk`.\n\n## Fix Commit(s)\n\n- [6b4b6049b47c3329a7014509594647826669892d](https://github.com/openclaw/openclaw/commit/6b4b6049b47c3329a7014509594647826669892d)\n\n## Timeline\n\n- Introduced: [660f87278c9f292061e097441e0b10c20d62b31b](https://github.com/openclaw/openclaw/commit/660f87278c9f292061e097441e0b10c20d62b31b) (2026-01-20)\n- Fixed in repo: [6b4b6049b47c3329a7014509594647826669892d](https://github.com/openclaw/openclaw/commit/6b4b6049b47c3329a7014509594647826669892d) (2026-02-04 UTC)\n- First fixed tag containing the change: [v2026.2.3](https://github.com/openclaw/openclaw/releases/tag/v2026.2.3)\n- First fixed npm release of `@openclaw/nextcloud-talk`: `2026.2.6` (published 2026-02-07 UTC)\n\n## Mitigation\n\nUpgrade `@openclaw/nextcloud-talk` to `>= 2026.2.6`.\n\n## Release Process Note\n\nThe patched version range is set to the first npm release that contains the fix. Once you are ready, you can publish this advisory without additional version edits.\n\nThanks @MegaManSec (https://joshua.hu) of [AISLE Research Team](https://aisle.com/) for reporting.",
   "severity": [

advisories/github-reviewed/2026/02/GHSA-rv39-79c4-7459/GHSA-rv39-79c4-7459.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-rv39-79c4-7459",
-  "modified": "2026-02-17T16:37:04Z",
+  "modified": "2026-03-05T21:51:22Z",
   "published": "2026-02-17T16:37:04Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-28472"
+  ],
   "summary": "OpenClaw's gateway connect could skip device identity checks when auth.token was present but not yet validated",
   "details": "### Summary\n\nThe gateway WebSocket `connect` handshake could allow skipping device identity checks when `auth.token` was present but not yet validated.\n\n### Details\n\nIn `src/gateway/server/ws-connection/message-handler.ts`, the device-identity requirement could be bypassed based on the *presence* of a non-empty `connectParams.auth.token` rather than a *validated* shared-secret authentication result.\n\n### Impact\n\nIn deployments where the gateway WebSocket is reachable and connections can be authorized via Tailscale without validating the shared secret, a client could connect without providing device identity/pairing. Depending on version and configuration, this could result in operator access.\n\n### Deployment Guidance\n\nPer OpenClaw security guidance, the gateway should only be reachable from a trusted network and by trusted users (for example, restrict Tailnet users/ACLs when using Tailscale Serve).\n\nIf the gateway WebSocket is only reachable by trusted users, there is typically no untrusted party with network access to exploit this issue.\n\n### Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected: `<= 2026.2.1`\n- Fixed: `>= 2026.2.2`\n\n### Fix\n\nDevice-identity skipping now requires *validated* shared-secret authentication (token/password). Tailscale-authenticated connections without validated shared secret require device identity.\n\n### Fix Commit(s)\n\n- fe81b1d7125a014b8280da461f34efbf5f761575\n\nThanks @simecek for reporting.",
   "severity": [

advisories/github-reviewed/2026/03/GHSA-47q7-97xp-m272/GHSA-47q7-97xp-m272.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-47q7-97xp-m272",
-  "modified": "2026-03-02T22:43:10Z",
+  "modified": "2026-03-05T21:52:23Z",
   "published": "2026-03-02T22:43:10Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-28475"
+  ],
   "summary": "OpenClaw: Config writes could persist resolved ${VAR} secrets to disk",
   "details": "## Summary\n\nOpenClaw hooks previously compared the provided hook token using a regular string comparison. Because this comparison is not constant-time, an attacker with network access to the hooks endpoint could potentially use timing measurements across many requests to gradually infer the token.\n\nIn practice, this typically requires hooks to be exposed to an untrusted network and a large number of requests; real-world latency and jitter can make reliable measurement difficult.\n\n## Affected Packages / Versions\n\n- openclaw (npm): < 2026.2.12\n\n## Patched Versions\n\n- openclaw (npm): >= 2026.2.12\n\n## Mitigations\n\n- Upgrade to openclaw >= 2026.2.12.\n- If users cannot upgrade immediately: restrict network access to the hooks endpoint and rotate the hooks token after updating.\n\n## Fix Commit(s)\n\n- 113ebfd6a23c4beb8a575d48f7482593254506ec\n\nOpenClaw thanks @akhmittra for reporting.",
   "severity": [