Publish Advisories

GHSA-98hh-7ghg-x6rq
GHSA-9f4w-67g7-mqwv
GHSA-9q7v-8mr7-g23p
GHSA-g5cg-8x5w-7jpm
GHSA-h43v-27wg-5mf9

Author: advisory-database[bot]

advisories/github-reviewed/2026/03/GHSA-98hh-7ghg-x6rq/GHSA-98hh-7ghg-x6rq.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-98hh-7ghg-x6rq",
-  "modified": "2026-03-31T23:52:38Z",
+  "modified": "2026-04-21T00:00:40Z",
   "published": "2026-03-31T23:52:38Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-41303"
+  ],
   "summary": "OpenClaw: Discord text `/approve` bypasses `channels.discord.execApprovals.approvers` and allows non-approvers to resolve pending exec approvals",
   "details": "## Summary\n\nDiscord text approval commands resolved pending exec approvals without honoring the configured approver allowlist.\n\n## Impact\n\nA Discord user who was allowed to send commands but was not in the approver list could still approve pending host execution.\n\n## Affected Component\n\n`extensions/discord/src/exec-approvals.ts, src/auto-reply/reply/commands-approve.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `355abe5eba` (`Discord: enforce approver checks for text approvals`).",
   "severity": [

advisories/github-reviewed/2026/04/GHSA-9f4w-67g7-mqwv/GHSA-9f4w-67g7-mqwv.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9f4w-67g7-mqwv",
-  "modified": "2026-04-06T19:42:33Z",
+  "modified": "2026-04-20T23:59:40Z",
   "published": "2026-04-03T03:26:14Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-41300"
+  ],
   "summary": "OpenClaw: Endpoint persists after trust decline, leaking gateway credentials",
   "details": "## Summary\nRemote onboarding preserves attacker-discovered endpoint after trust decline, routing gateway credentials to it\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: medium\n- Assessment: Real shipped onboarding trust-decline bug because the declined discovered URL survived into the manual prompt, but operator acceptance of that prefill is still required, so medium.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `2a75416634837c21ed05b8c3ed906eb7a7807060` — 2026-03-30T20:03:06+01:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.31`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nThanks @zsxsoft for reporting.",
   "severity": [

advisories/github-reviewed/2026/04/GHSA-9q7v-8mr7-g23p/GHSA-9q7v-8mr7-g23p.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9q7v-8mr7-g23p",
-  "modified": "2026-04-02T21:22:56Z",
+  "modified": "2026-04-21T00:00:18Z",
   "published": "2026-04-02T21:22:56Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-41302"
+  ],
   "summary": "OpenClaw: SSRF via Unguarded `fetch()` in Marketplace Plugin Download and Ollama Model Discovery",
   "details": "## Summary\nSSRF via Unguarded `fetch()` in Marketplace Plugin Download and Ollama Model Discovery\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: medium\n- Assessment: Keep the shipped marketplace archive-fetch SSRF, but narrow out the Ollama half because it is operator-configured and overlaps weaker trust-model or duplicate SSRF ground.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `8deb9522f3d2680820588b190adb4a2a52f3670b` — 2026-03-30T20:08:38+01:00\n\nOpenClaw thanks @tdjackey for reporting.",
   "severity": [

advisories/github-reviewed/2026/04/GHSA-g5cg-8x5w-7jpm/GHSA-g5cg-8x5w-7jpm.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-g5cg-8x5w-7jpm",
-  "modified": "2026-04-02T20:59:29Z",
+  "modified": "2026-04-21T00:01:01Z",
   "published": "2026-04-02T20:59:29Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-41329"
+  ],
   "summary": "OpenClaw: Heartbeat context inheritance bypasses sandbox via senderIsOwner escalation",
   "details": "## Summary\nHeartbeat context inheritance bypasses sandbox via senderIsOwner escalation\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: Critical\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `a30214a624946fc5c85c9558a27c1580172374fd` — 2026-03-31T09:06:51+09:00\n\nOpenClaw thanks @AntAISecurityLab for reporting.",
   "severity": [

advisories/github-reviewed/2026/04/GHSA-h43v-27wg-5mf9/GHSA-h43v-27wg-5mf9.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-h43v-27wg-5mf9",
-  "modified": "2026-04-07T18:14:39Z",
+  "modified": "2026-04-20T23:59:59Z",
   "published": "2026-04-07T18:14:39Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-41301"
+  ],
   "summary": "OpenClaw: Forged Nostr DMs could create pairing state before signature verification",
   "details": "## Summary\n\nBefore OpenClaw 2026.3.31, the Nostr DM ingress path could issue pairing challenges before validating the event signature. A forged DM could create a pending pairing entry and trigger a pairing-reply attempt before signature rejection.\n\n## Impact\n\nAn unauthenticated remote sender could consume shared pairing capacity and trigger bounded relay/logging work on the Nostr channel. This issue did not grant message decryption, pairing approval, or broader authorization bypass.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `>= 2026.3.22, < 2026.3.31`\n- Patched versions: `>= 2026.3.31`\n- Latest published npm version: `2026.4.1`\n\n## Fix Commit(s)\n\n- `4ee742174f36b5445703e3b1ef2fbd6ae6700fa4` — verify inbound DM signatures before pairing replies\n\n## Release Process Note\n\nThe fix shipped in OpenClaw `2026.3.31` on March 31, 2026. The current published npm release `2026.4.1` from April 1, 2026 also contains the fix.\n\nThanks @smaeljaish771 for reporting.",
   "severity": [