Publish Advisories

GHSA-3hcm-ggvf-rch5
GHSA-3m3q-x3gj-f79x
GHSA-h9g4-589h-68xv
GHSA-rmxw-jxxx-4cpc
GHSA-rq6g-px6m-c248
GHSA-wfp2-v9c7-fh79
GHSA-595m-wc8g-6qgc
GHSA-g7hc-96xr-gvvx
GHSA-gv46-4xfq-jv58
GHSA-jmm5-fvh5-gf4p

Author: advisory-database[bot]

advisories/github-reviewed/2026/02/GHSA-3hcm-ggvf-rch5/GHSA-3hcm-ggvf-rch5.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3hcm-ggvf-rch5",
-  "modified": "2026-02-17T16:46:12Z",
+  "modified": "2026-03-05T21:50:40Z",
   "published": "2026-02-17T16:46:12Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-28470"
+  ],
   "summary": "OpenClaw has an exec allowlist bypass via command substitution/backticks inside double quotes",
   "details": "### Summary\n\nExec approvals allowlist bypass via command substitution/backticks inside double quotes.\n\n### Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected: `<= 2026.2.1`\n- Fixed: `>= 2026.2.2`\n\n### Impact\n\nOnly affects setups that explicitly enable the optional exec approvals allowlist feature. Default installs are unaffected.\n\n### Fix\n\nReject unescaped `$()` and backticks inside double quotes during allowlist analysis.\n\n### Fix Commit(s)\n\n- d1ecb46076145deb188abcba8f0699709ea17198\n\nThanks @simecek for reporting.",
   "severity": [

advisories/github-reviewed/2026/02/GHSA-3m3q-x3gj-f79x/GHSA-3m3q-x3gj-f79x.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3m3q-x3gj-f79x",
-  "modified": "2026-02-17T21:31:58Z",
+  "modified": "2026-03-05T21:48:53Z",
   "published": "2026-02-17T21:31:58Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-28465"
+  ],
   "summary": "OpenClaw optional voice-call plugin: webhook verification may be bypassed behind certain proxy configurations",
   "details": "## Affected Packages / Versions\n\nThis issue affects the optional voice-call plugin only. It is not enabled by default; it only applies to installations where the plugin is installed and enabled.\n\n- Package: `@openclaw/voice-call`\n- Vulnerable versions: `< 2026.2.3`\n- Patched versions: `>= 2026.2.3`\n\nLegacy package name (if you are still using it):\n\n- Package: `@clawdbot/voice-call`\n- Vulnerable versions: `<= 2026.1.24`\n- Patched versions: none published under this package name; migrate to `@openclaw/voice-call`\n\n## Summary\n\nIn certain reverse-proxy / forwarding setups, webhook verification can be bypassed if untrusted forwarded headers are accepted.\n\n## Impact\n\nAn external party may be able to send voice-call webhook requests that are accepted as valid, which can result in spoofed webhook events being processed.\n\n## Root Cause\n\nSome deployments implicitly trusted forwarded headers (for example `Forwarded` / `X-Forwarded-*`) when determining request properties used during webhook verification. If those headers are not overwritten by a trusted proxy, a client can supply them directly and influence verification.\n\n## Resolution\n\nIgnore forwarded headers by default unless explicitly trusted and allowlisted in configuration. Keep any loopback-only development bypass restricted to local development only. Upgrade to a patched version.\n\nIf you cannot upgrade immediately, strip `Forwarded` and `X-Forwarded-*` headers at the edge so clients cannot supply them directly.\n\n## Fix Commit(s)\n\n- `a749db9820eb6d6224032a5a34223d286d2dcc2f`\n\n## Credits\n\nThanks `@0x5t` for reporting.",
   "severity": [

advisories/github-reviewed/2026/02/GHSA-h9g4-589h-68xv/GHSA-h9g4-589h-68xv.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-h9g4-589h-68xv",
-  "modified": "2026-02-18T17:45:31Z",
+  "modified": "2026-03-05T21:50:00Z",
   "published": "2026-02-18T17:45:31Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-28468"
+  ],
   "summary": "OpenClaw has an authentication bypass in sandbox browser bridge server",
   "details": "## Summary\n\nopenclaw could start the sandbox browser bridge server without authentication.\n\nWhen the sandboxed browser is enabled, openclaw runs a local (loopback) HTTP bridge that exposes browser control endpoints (for example `/profiles`, `/tabs`, `/tabs/open`, `/agent/*`). Due to missing auth wiring in the sandbox initialization path, that bridge server accepted requests without requiring gateway auth.\n\n## Impact\n\nA local attacker (any process on the same machine) could access the bridge server port and:\n\n- enumerate open tabs and retrieve CDP WebSocket URLs\n- open/close/navigate tabs\n- execute JavaScript in page contexts via CDP\n- exfiltrate cookies/session data and page contents from authenticated sessions\n\nThis is a localhost-only exposure (CVSS AV:L), but provides full browser-session compromise for sandboxed browser usage.\n\n## Affected Versions\n\n- Introduced in: `2026.1.29-beta.1` (first npm release that shipped the sandbox browser bridge)\n- Affected range: `>=2026.1.29-beta.1 <2026.2.14`\n\n## Patched Versions\n\n- `2026.2.14`\n\n## Mitigation\n\n- Upgrade to `2026.2.14` (recommended).\n- Or disable the sandboxed browser (`agents.defaults.sandbox.browser.enabled=false`).\n\n## Fix Details\n\n- The sandbox browser bridge server now always requires auth and enforces the same gateway browser control auth (token/password) that loopback browser clients already use.\n- Additional hardening: bridge server refuses non-loopback binds; local helper servers are bound to loopback.\n- Added regression tests (including unit coverage for per-port bridge auth fallback).\n\nFix commits:\n\n- openclaw/openclaw@4711a943e30bc58016247152ba06472dab09d0b0\n- openclaw/openclaw@6dd6bce997c48752134f2d6ed89b27de01ced7e3\n- openclaw/openclaw@cd84885a4ac78eadb7bf321aae98db9519426d67\n## Credits\n\nThanks to Adnan Jakati (@jackhax) of [Praetorian](https://www.praetorian.com/) for reporting this issue.",
   "severity": [

advisories/github-reviewed/2026/02/GHSA-rmxw-jxxx-4cpc/GHSA-rmxw-jxxx-4cpc.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-rmxw-jxxx-4cpc",
-  "modified": "2026-02-17T21:34:17Z",
+  "modified": "2026-03-05T21:51:00Z",
   "published": "2026-02-17T21:34:17Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-28471"
+  ],
   "summary": "OpenClaw has a Matrix allowlist bypass via displayName and cross-homeserver localpart matching",
   "details": "### Summary\n\nOpenClaw Matrix DM allowlist matching could be bypassed in certain configurations.\n\nMatrix support ships as an optional plugin (not bundled with the core install), so this only affects deployments that have installed and enabled the Matrix plugin.\n\n### Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected: `>= 2026.1.14-1, < 2026.2.2`\n- Patched: `>= 2026.2.2`\n\n### Details\n\nIn affected versions, DM allowlist decisions could be made by exact-matching `channels.matrix.dm.allowFrom` entries against multiple sender-derived candidates, including:\n\n- The sender display name (attacker-controlled and non-unique)\n- The sender MXID localpart with the homeserver discarded, so `@alice:evil.example` and `@alice:trusted.example` both match `alice`\n\nIf an operator configured `channels.matrix.dm.allowFrom` with display names or bare localparts (for example, `\"Alice\"` or `\"alice\"`), a remote Matrix user may be able to impersonate an allowed identity for allowlist purposes and reach the routing/agent pipeline.\n\n### Impact\n\nMatrix DM allowlist identity confusion. The practical impact depends on your Matrix channel policies and what capabilities are enabled downstream.\n\n### Mitigation\n\n- Upgrade to `openclaw >= 2026.2.2`.\n- Ensure Matrix allowlists contain only full Matrix user IDs (MXIDs) like `@user:server` (or `*`). Do not use display names or bare localparts.\n\n### Fix Commit(s)\n\n- `8f3bfbd1c4fb967a2ddb5b4b9a05784920814bcf`\n\n### Release Process Note\n\nThe patched version is already published to npm; the advisory can be published once you're ready.\n\nThanks @MegaManSec (https://joshua.hu) of [AISLE Research Team](https://aisle.com/) for reporting.",
   "severity": [

advisories/github-reviewed/2026/02/GHSA-rq6g-px6m-c248/GHSA-rq6g-px6m-c248.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-rq6g-px6m-c248",
-  "modified": "2026-02-18T00:54:14Z",
+  "modified": "2026-03-05T21:50:21Z",
   "published": "2026-02-18T00:54:14Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-28469"
+  ],
   "summary": "OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting",
   "details": "## Summary\nWhen multiple Google Chat webhook targets are registered on the same HTTP path, and request verification succeeds for more than one target, inbound webhook events could be routed by first-match semantics. This can cause cross-account policy/context misrouting.\n\n## Affected Packages / Versions\n- npm: `openclaw` <= 2026.2.13\n- npm: `clawdbot` <= 2026.1.24-3\n\n## Details\nAffected component: `extensions/googlechat/src/monitor.ts`.\n\nBaseline behavior allowed multiple webhook targets per path and selected the first target that passed `verifyGoogleChatRequest(...)`. In shared-path deployments where multiple targets can verify successfully (for example, equivalent audience validation), inbound events could be processed under the wrong account context (wrong allowlist/session/policy).\n\n## Fix\n- Fix commit (merged to `main`): `61d59a802869177d9cef52204767cd83357ab79e`\n- `openclaw` will be patched in the next planned release: `2026.2.14`.\n\n`clawdbot` is a legacy/deprecated package name; no patched version is currently planned. Migrate to `openclaw` and upgrade to `openclaw >= 2026.2.14`.\n\n## Workaround\nEnsure each Google Chat webhook target uses a unique webhook path so routing is never ambiguous.\n\n## Release Process Note\nThe advisory is pre-populated with the planned patched version. After the npm release is published, the remaining action should be to publish the advisory.\n\nThanks @vincentkoc for reporting.\n\n---\n\nFix commit 61d59a802869177d9cef52204767cd83357ab79e confirmed on main and in v2026.2.14. Upgrade to `openclaw >= 2026.2.14`.",
   "severity": [

advisories/github-reviewed/2026/02/GHSA-wfp2-v9c7-fh79/GHSA-wfp2-v9c7-fh79.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-wfp2-v9c7-fh79",
-  "modified": "2026-02-17T21:30:48Z",
+  "modified": "2026-03-05T21:49:36Z",
   "published": "2026-02-17T21:30:48Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-28467"
+  ],
   "summary": "OpenClaw affected by SSRF via attachment/media URL hydration",
   "details": "### Summary\n\nVersions of the `openclaw` npm package prior to `2026.2.2` could be coerced into fetching arbitrary `http(s)` URLs during attachment/media hydration. An attacker who can influence the media URL (for example via model-controlled `sendAttachment` or auto-reply media URLs) could trigger SSRF to internal resources and exfiltrate the fetched bytes as an outbound attachment.\n\n### Plain-English Explanation\n\nOpenClaw can send files by downloading them first.\n\nOn vulnerable versions (`< 2026.2.2`), if an attacker could get OpenClaw to treat a URL as the “file to attach”, OpenClaw would download that URL from the gateway machine and then send the downloaded bytes back out as an attachment.\n\nThat matters because the gateway can often reach internal-only endpoints that an attacker cannot (for example `127.0.0.1` services, private RFC1918 addresses, or cloud metadata endpoints). This is a data-leak risk.\n\nThis does not directly grant code execution or shell access; it is about making the gateway perform HTTP requests and returning the response bytes.\n\n### Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected: `< 2026.2.2`\n- Fixed: `>= 2026.2.2`\n\nRelease timeline (npm):\n\n- `2026.2.1` published `2026-02-02T11:45:27Z`\n- `2026.2.2` published `2026-02-04T00:56:41Z`\n- This advisory was created `2026-02-05T10:42:26Z`\n\n### Details\n\nIn affected versions, remote media fetching performed a raw `fetch(url)` without SSRF protections.\n\nStarting in `2026.2.2`, remote media fetching is guarded by SSRF checks (private/loopback/link-local blocking, DNS pinning, and redirect handling), so attempts to fetch `127.0.0.1`, private RFC1918 space, or cloud metadata hostnames are rejected.\n\n### Proof of Concept\n\nFrom any context where an attacker can influence an attachment/media URL, provide a media URL targeting an internal endpoint (example: `http://127.0.0.1:9999/secret.txt`).\n\nOn vulnerable versions (`< 2026.2.2`), the gateway fetches the URL and uses the response bytes as the attachment payload.\n\n### Fix\n\nFix commits:\n\n- `81c68f582d4a9a20d9cca9f367d2da9edc5a65ae`\n- `9bd64c8a1f91dda602afc1d5246a2ff2be164647`\n\n### Mitigation\n\nUpgrade to `openclaw >= 2026.2.2`.\n\nThanks @simecek for reporting.",
   "severity": [

advisories/github-reviewed/2026/03/GHSA-595m-wc8g-6qgc/GHSA-595m-wc8g-6qgc.json

@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-595m-wc8g-6qgc",
+  "modified": "2026-03-05T21:49:03Z",
+  "published": "2026-03-05T21:49:03Z",
+  "aliases": [
+    "CVE-2026-30247"
+  ],
+  "summary": "WeKnora is Vulnerable to SSRF via Redirection",
+  "details": "### Summary\n\nThe application's \"Import document via URL\" feature is vulnerable to Server-Side Request Forgery (SSRF) through HTTP redirects. While the backend implements comprehensive URL validation (blocking private IPs, loopback addresses, reserved hostnames, and cloud metadata endpoints), it **fails to validate redirect targets**. An attacker can bypass all protections by using a redirect chain, forcing the server to access internal services. Additionally, Docker-specific internal addresses like `host.docker.internal` are not blocked.\n\n### Details\n\nThe `/api/v1/knowledge-bases/{id}/knowledge/url` endpoint validates the initial URL but follows HTTP redirects without re-validating the destination. This allows attackers to:\n1. Submit a URL to an attacker-controlled domain (passes validation)\n2. Have that domain respond with a 307 redirect to an internal service\n3. The backend automatically follows the redirect without checking if the destination is restricted\n4. The internal service response is exposed to the attacker\n\n### Validation Gaps\n- The `IsSSRFSafeURL()` function (in `internal/utils/security.go`) validates the initial URL thoroughly, but there's no validation of HTTP redirect targets\n- `host.docker.internal` is not in the `restrictedHostnames` list\n- Docker-specific IP ranges (172.17.0.0/16 for bridge networks) are not explicitly blocked\n- The code validates `parsed.Hostname()` from the initial URL, but redirect Location headers bypass this check\n\n### Root Cause Analysis\nThe backend makes the security mistake of trusting the server's HTTP client library to be secure. In Go, when using http.Get() or similar functions, the standard library will automatically follow redirects up to 10 times by default. The SSRF validation only checks the URL passed to the endpoint, not intermediate redirects.\n\n### PoC\n\n**Step 1**: Set up an attacker-controlled server that responds with a redirect:\n\n```http\nHTTP/1.1 307 Temporary Redirect\nLocation: http://host.docker.internal:7777\nContent-Type: text/html\nAccess-Control-Allow-Origin: *\n```\n**Step 2**: Send the request with a clean URL:\n\n```http\nPOST /api/v1/knowledge-bases/dbadd153-9e60-4213-9553-9f78dbcba0dc/knowledge/url HTTP/1.1\nHost: localhost\nContent-Type: application/json\nAuthorization: Bearer <valid_token>\n\n{\"url\":\"https://attacker-domain.com\",\"tag_id\":\"\"}\n```\n\nThe URL `https://attacker-domain.com` passes all validation checks because:\n✓ Valid `https://` scheme\n✓ Not an IP address (it's a domain)\n✓ Not in restricted hostnames\n✓ Doesn't resolve to a private IP (assuming attacker controls a public domain)\n\n**Step 3**: The backend's HTTP client follows the redirect to `http://host.docker.internal:7777`, which:\n✗ Is not validated\n✗ `host.docker.internal` is not in the blocklist\n✗ Successfully accesses the internal service\n\n### Impact\n\nVulnerability Type: Server-Side Request Forgery (SSRF) via HTTP Redirect\n\n**Who is Impacted**:\n- The organization running the application\n- Internal services and databases accessible from the application container\n- Services in the Docker network (other containers, internal infrastructure)\n- Sensitive data stored in internal services\n\n**Potential Consequences**:\n- Access to internal databases (PostgreSQL, MongoDB, MySQL) running in Docker\n- Information disclosure from internal services (Redis cache, configuration servers)\n- Access to Docker container metadata and environment variables\n- Lateral movement to other containers in the same Docker network\n- Exfiltration of sensitive configuration, API keys, or database credentials\n- Potential RCE if internal services have exploitable vulnerabilities\n\n**CVSS Score**: 7.5 (High) - Could be higher depending on what's exposed\n\n- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n- Reasoning: Network-accessible via public redirect, no privileges needed, high confidentiality impact",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/Tencent/WeKnora"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.2.12"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 0.2.11"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/Tencent/WeKnora/security/advisories/GHSA-595m-wc8g-6qgc"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/Tencent/WeKnora"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-05T21:49:03Z",
+    "nvd_published_at": null
+  }
+}