
Commit 2915417

1 parent a459e9b commit 2915417

4 files changed

Lines changed: 248 additions & 0 deletions


Lines changed: 62 additions & 0 deletions
@@ -0,0 +1,62 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-63f5-hhc7-cx6p",
4+
"modified": "2026-03-16T20:40:23Z",
5+
"published": "2026-03-16T20:40:23Z",
6+
"aliases": [],
7+
"summary": "OpenClaw bootstrap setup codes could be replayed to escalate pending pairing scopes before approval",
8+
"details": "### Summary\n`openclaw` versions `<= 2026.3.12` allowed bootstrap setup codes to be replayed before approval, which could widen the scopes on a pending device pairing request.\n\n### Affected Packages / Versions\n- Package: `openclaw` (`npm`)\n- Affected versions: `<= 2026.3.12`\n- Fixed version: `2026.3.13`\n\n### Details\nThe vulnerable path was bootstrap token verification in `src/infra/device-bootstrap.ts`. In affected releases, a valid bootstrap setup code could be verified more than once before the pairing request was approved. That allowed a second verification attempt to mutate a pending device pairing and request broader scopes, including escalation from a lower operator scope to `operator.admin`, before an approver finalized the pairing.\n\nThis issue is in scope under OpenClaw's trust model because bootstrap setup codes are an authentication primitive for device pairing and the replay changed the privileges granted to the pending device.\n\n### Fix\n`openclaw@2026.3.13` makes bootstrap setup codes single-use. Current code consumes the bootstrap token record on the first successful verification, so replay attempts fail before pending scopes can be widened.\n\nRegression coverage exists in `src/infra/device-pairing.test.ts` (`rejects bootstrap token replay before pending scope escalation can be approved`).\n\n### Fix Commit(s)\n- `1803d16d5cec970c54b0e1ac46b31b1cbade335c`\n\nThanks @tdjackey for reporting.",
9+
"severity": [
10+
{
11+
"type": "CVSS_V4",
12+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "npm",
19+
"name": "openclaw"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "0"
27+
},
28+
{
29+
"fixed": "2026.3.13"
30+
}
31+
]
32+
}
33+
],
34+
"database_specific": {
35+
"last_known_affected_version_range": "<= 2026.3.12"
36+
}
37+
}
38+
],
39+
"references": [
40+
{
41+
"type": "WEB",
42+
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-63f5-hhc7-cx6p"
43+
},
44+
{
45+
"type": "WEB",
46+
"url": "https://github.com/openclaw/openclaw/commit/1803d16d5cec970c54b0e1ac46b31b1cbade335c"
47+
},
48+
{
49+
"type": "PACKAGE",
50+
"url": "https://github.com/openclaw/openclaw"
51+
}
52+
],
53+
"database_specific": {
54+
"cwe_ids": [
55+
"CWE-269"
56+
],
57+
"severity": "HIGH",
58+
"github_reviewed": true,
59+
"github_reviewed_at": "2026-03-16T20:40:23Z",
60+
"nvd_published_at": null
61+
}
62+
}
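Review bot: the `score` vector uses PR:N and AT:N, yet the Details section states that the replay needs a valid bootstrap setup code, which the same text calls an authentication primitive for device pairing; either state how an unauthenticated party obtains a valid code (the current wording does not say who holds it) or revisit PR/AT so the vector matches the stated precondition. Consider also listing CWE-294 (Authentication Bypass by Capture-replay) alongside CWE-269, since the fix described (consuming the token record on first successful verification) targets the replay rather than the privilege check itself.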
Lines changed: 62 additions & 0 deletions
@@ -0,0 +1,62 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-g2f6-pwvx-r275",
4+
"modified": "2026-03-16T20:41:12Z",
5+
"published": "2026-03-16T20:41:12Z",
6+
"aliases": [],
7+
"summary": "OpneClaw accepts unsanitized iMessage attachment paths which allowed SCP remote-path command injection",
8+
"details": "### Summary\n`openclaw` versions `<= 2026.3.12` accepted unsanitized iMessage remote attachment paths when staging files over SCP, allowing shell metacharacters in the remote path operand.\n\n### Affected Packages / Versions\n- Package: `openclaw` (`npm`)\n- Affected versions: `<= 2026.3.12`\n- Fixed version: `2026.3.13`\n\n### Details\nThe vulnerable path was the remote attachment staging flow in `src/auto-reply/reply/stage-sandbox-media.ts`. When `ctx.MediaRemoteHost` was set, OpenClaw staged the attachment by spawning `/usr/bin/scp` against `<remoteHost>:<remotePath>`. In affected releases, the remote host was normalized but the remote attachment path was not validated for shell metacharacters before being passed to the SCP remote operand. A sender-controlled iMessage attachment filename containing shell metacharacters could therefore trigger command execution on the configured remote host when remote attachment staging was enabled.\n\nThis issue is in scope under OpenClaw's trust model because it crosses an inbound content boundary into host command execution on a configured remote attachment host.\n\n### Fix\n`openclaw@2026.3.13` validates the SCP remote path before spawning `scp`. Current code calls `normalizeScpRemotePath(...)` and rejects paths containing shell metacharacters instead of passing them through to the remote shell.\n\nRegression coverage exists in `src/auto-reply/reply.stage-sandbox-media.scp-remote-path.test.ts` (`rejects remote attachment filenames with shell metacharacters before spawning scp`).\n\n### Fix Commit(s)\n- `a54bf71b4c0cbe554a84340b773df37ee8e959de`\n\nThanks @lintsinghua for reporting.",
9+
"severity": [
10+
{
11+
"type": "CVSS_V4",
12+
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "npm",
19+
"name": "openclaw"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "0"
27+
},
28+
{
29+
"fixed": "2026.3.13"
30+
}
31+
]
32+
}
33+
],
34+
"database_specific": {
35+
"last_known_affected_version_range": "<= 2026.3.12"
36+
}
37+
}
38+
],
39+
"references": [
40+
{
41+
"type": "WEB",
42+
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g2f6-pwvx-r275"
43+
},
44+
{
45+
"type": "WEB",
46+
"url": "https://github.com/openclaw/openclaw/commit/a54bf71b4c0cbe554a84340b773df37ee8e959de"
47+
},
48+
{
49+
"type": "PACKAGE",
50+
"url": "https://github.com/openclaw/openclaw"
51+
}
52+
],
53+
"database_specific": {
54+
"cwe_ids": [
55+
"CWE-78"
56+
],
57+
"severity": "HIGH",
58+
"github_reviewed": true,
59+
"github_reviewed_at": "2026-03-16T20:41:12Z",
60+
"nvd_published_at": null
61+
}
62+
}
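Review bot: `summary` misspells the product as "OpneClaw"; it should read "OpenClaw" to match the other three advisories in this commit and the package name. The vector here also carries a trailing `/E:U` that the sibling advisories omit; keep it only if exploit maturity is meant to be asserted for this one, otherwise drop it for consistency. In the Fix section, "rejects paths containing shell metacharacters" describes a denylist; stating the exact character set, or that `normalizeScpRemotePath(...)` applies an allowlist, would let readers verify that the check is complete rather than trusting the summary.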
Lines changed: 62 additions & 0 deletions
@@ -0,0 +1,62 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-jq3f-vjww-8rq7",
4+
"modified": "2026-03-16T20:40:57Z",
5+
"published": "2026-03-16T20:40:57Z",
6+
"aliases": [],
7+
"summary": "OpenClaw Telegram webhook request bodies were read before secret validation, enabling unauthenticated resource exhaustion",
8+
"details": "### Summary\n`openclaw` versions `<= 2026.3.12` read and buffered Telegram webhook request bodies before validating `x-telegram-bot-api-secret-token`. This let unauthenticated callers force up to the configured webhook body limit of pre-auth body I/O and JSON parse work per request.\n\n### Affected Packages / Versions\n- Package: `openclaw` (`npm`)\n- Affected versions: `<= 2026.3.12`\n- Fixed version: `2026.3.13`\n\n### Details\nThe vulnerable path was the standalone Telegram webhook listener in `src/telegram/webhook.ts`. In affected releases, the request handler accepted `POST` requests, called `readJsonBodyWithLimit(...)`, and only then checked the Telegram secret header. Because the secret validation happened after body reading, an unauthenticated caller could make the server spend memory, socket time, and JSON parse work on requests that should have been rejected before any body processing.\n\nThis issue is in scope under OpenClaw's trust model because the Telegram webhook endpoint accepts untrusted network traffic and the secret header is the authentication boundary for that ingress path.\n\n### Fix\n`openclaw@2026.3.13` validates the Telegram webhook secret before any body I/O. Current code reads the header, rejects invalid requests immediately with `401`, and only calls `readJsonBodyWithLimit(...)` after `hasValidTelegramWebhookSecret(...)` succeeds.\n\nRegression coverage exists in `src/telegram/webhook.test.ts` (`rejects unauthenticated requests before reading the request body`).\n\n### Fix Commit(s)\n- `7e49e98f79073b11134beac27fdff547ba5a4a02`\n\nThanks @space08 for reporting.",
9+
"severity": [
10+
{
11+
"type": "CVSS_V4",
12+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "npm",
19+
"name": "openclaw"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "0"
27+
},
28+
{
29+
"fixed": "2026.3.13"
30+
}
31+
]
32+
}
33+
],
34+
"database_specific": {
35+
"last_known_affected_version_range": "<= 2026.3.12"
36+
}
37+
}
38+
],
39+
"references": [
40+
{
41+
"type": "WEB",
42+
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jq3f-vjww-8rq7"
43+
},
44+
{
45+
"type": "WEB",
46+
"url": "https://github.com/openclaw/openclaw/commit/7e49e98f79073b11134beac27fdff547ba5a4a02"
47+
},
48+
{
49+
"type": "PACKAGE",
50+
"url": "https://github.com/openclaw/openclaw"
51+
}
52+
],
53+
"database_specific": {
54+
"cwe_ids": [
55+
"CWE-400"
56+
],
57+
"severity": "HIGH",
58+
"github_reviewed": true,
59+
"github_reviewed_at": "2026-03-16T20:40:57Z",
60+
"nvd_published_at": null
61+
}
62+
}
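Review bot: the Summary says callers can "force up to the configured webhook body limit of pre-auth body I/O and JSON parse work per request", but the advisory never states the default value of that limit or where it is configured, so readers cannot judge how much work one request costs or whether VA:H applies to their deployment; add the default and the config key. The sentence itself also reads awkwardly; "force the server to read and JSON-parse up to the configured webhook body limit per request before the secret header is checked" says the same thing more plainly.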
Lines changed: 62 additions & 0 deletions
@@ -0,0 +1,62 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-xwcj-hwhf-h378",
4+
"modified": "2026-03-16T20:40:13Z",
5+
"published": "2026-03-16T20:40:13Z",
6+
"aliases": [],
7+
"summary": "OpenClaw Telegram media fetch errors exposed bot tokens in logged file URLs",
8+
"details": "### Summary\n`openclaw` versions `<= 2026.3.12` could include raw Telegram bot tokens in media fetch error strings when inbound Telegram media downloads failed.\n\n### Affected Packages / Versions\n- Package: `openclaw` (`npm`)\n- Affected versions: `<= 2026.3.12`\n- Fixed version: `2026.3.13`\n\n### Details\nThe vulnerable path was `fetchRemoteMedia()` in `src/media/fetch.ts`. In affected releases, fetch and HTTP error paths embedded the original Telegram file URL into `MediaFetchError` messages. For Telegram media, those URLs can include `/file/bot<TOKEN>/...`, so the resulting error strings could leak bot tokens into logs, console output, or any downstream error surface that rendered the exception text.\n\nThis issue is in scope under OpenClaw's trust model because the leaked secret is an OpenClaw-operated integration credential, not a user-supplied third-party secret.\n\n### Fix\n`openclaw@2026.3.13` redacts sensitive media URLs before constructing fetch error messages. Current code routes the source URL and follow-on error paths through `redactMediaUrl()` / `redactSensitiveText()`, so Telegram bot tokens are no longer emitted in those error strings.\n\nRegression coverage exists in `src/media/fetch.test.ts` (`redacts Telegram bot tokens from fetch failure messages` and `redacts Telegram bot tokens from HTTP error messages`).\n\n### Fix Commit(s)\n- `7a53eb7ea8295b08be137e231c9a98c1a79b5cd5`\n\nThanks @space08 for reporting.",
9+
"severity": [
10+
{
11+
"type": "CVSS_V4",
12+
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "npm",
19+
"name": "openclaw"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "0"
27+
},
28+
{
29+
"fixed": "2026.3.13"
30+
}
31+
]
32+
}
33+
],
34+
"database_specific": {
35+
"last_known_affected_version_range": "<= 2026.3.12"
36+
}
37+
}
38+
],
39+
"references": [
40+
{
41+
"type": "WEB",
42+
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xwcj-hwhf-h378"
43+
},
44+
{
45+
"type": "WEB",
46+
"url": "https://github.com/openclaw/openclaw/commit/7a53eb7ea8295b08be137e231c9a98c1a79b5cd5"
47+
},
48+
{
49+
"type": "PACKAGE",
50+
"url": "https://github.com/openclaw/openclaw"
51+
}
52+
],
53+
"database_specific": {
54+
"cwe_ids": [
55+
"CWE-532"
56+
],
57+
"severity": "MODERATE",
58+
"github_reviewed": true,
59+
"github_reviewed_at": "2026-03-16T20:40:13Z",
60+
"nvd_published_at": null
61+
}
62+
}
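Review bot: the vector scores AV:L, but the Details describe an error path triggered by inbound Telegram media downloads failing, which is a remotely reachable condition; only reading the resulting log or error surface requires local access. State which side the vector models so the MODERATE rating is not read as "a remote sender cannot cause the token to be written out". Also, "any downstream error surface that rendered the exception text" is vague; if the exception text can reach chat replies or API responses rather than only local logs, say so, since that changes the exposure.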
