Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 8c2c220ecdd2 · 2026-04-06T22:37:42.000Z
GHSA-8g75-q649-6pv6 GHSA-qc36-x95h-7j53 GHSA-rwwx-25m7-ww73 GHSA-wmgj-hrx3-23gj GHSA-wwrj-437c-ppq4 GHSA-xf99-j42q-5w5p GHSA-rwwx-25m7-ww73 GHSA-wmgj-hrx3-23gj
diff --git a/advisories/github-reviewed/2026/03/GHSA-8g75-q649-6pv6/GHSA-8g75-q649-6pv6.json b/advisories/github-reviewed/2026/03/GHSA-8g75-q649-6pv6/GHSA-8g75-q649-6pv6.json
@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-8g75-q649-6pv6",
-  "modified": "2026-03-12T14:21:28Z",
+  "modified": "2026-04-06T22:37:15Z",
   "published": "2026-03-12T14:21:28Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-32921"
+  ],
   "summary": "OpenClaw's system.run approvals did not bind mutable script operands across approval and execution",
   "details": "OpenClaw's `system.run` approval flow did not bind mutable interpreter-style script operands across approval and execution.\n\nA caller could obtain approval for an execution such as `sh ./script.sh`, rewrite the approved script before execution, and then execute different content under the previously approved command shape. The approved `argv` values remained the same, but the mutable script operand content could drift after approval.\n\nLatest published npm version verified vulnerable: `2026.3.7`\n\nThe initial March 7, 2026 fix in `c76d29208bf6a7f058d2cf582519d28069e42240` added approval binding for shell scripts and a narrow interpreter set, but follow-up maintainer review on March 8, 2026 found that `bun` and `deno` script operands still did not produce `mutableFileOperand` snapshots.\n\nA complete fix shipped on March 9, 2026 in `cf3a479bd1204f62eef7dd82b4aa328749ae6c91`, which binds approved `bun` and `deno run` script operands to on-disk file snapshots and denies post-approval script drift before execution.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.3.7`\n- Patched version: `2026.3.8`\n\n## Fix Commit(s)\n\n- `c76d29208bf6a7f058d2cf582519d28069e42240`\n- `cf3a479bd1204f62eef7dd82b4aa328749ae6c91`\n\n## Release Verification\n\n- npm `2026.3.7` remains vulnerable.\n- npm `2026.3.8` contains the completed fix.\n\nThanks @tdjackey for reporting.",
   "severity": [
@@ -41,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8g75-q649-6pv6"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32921"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/c76d29208bf6a7f058d2cf582519d28069e42240"
@@ -52,6 +58,10 @@
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-script-content-modification-via-mutable-operand-binding-in-system-run"
     }
   ],
   "database_specific": {
diff --git a/advisories/github-reviewed/2026/03/GHSA-qc36-x95h-7j53/GHSA-qc36-x95h-7j53.json b/advisories/github-reviewed/2026/03/GHSA-qc36-x95h-7j53/GHSA-qc36-x95h-7j53.json
@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-qc36-x95h-7j53",
-  "modified": "2026-03-13T15:48:05Z",
+  "modified": "2026-04-06T22:35:57Z",
   "published": "2026-03-13T15:48:05Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-32978"
+  ],
   "summary": "OpenClaw: Unrecognized script runners could bypass `system.run` approval integrity",
   "details": "## Summary\nIn affected versions of `openclaw`, node-host `system.run` approvals did not bind a mutable file operand for some script runners, including forms such as `tsx` and `jiti`. An attacker could obtain approval for a benign script-runner command, rewrite the referenced script on disk, and have the modified code execute under the already approved run context.\n\n## Impact\nDeployments that rely on node-host `system.run` approvals for script integrity could execute rewritten local code after operator approval. This can lead to unintended local code execution as the OpenClaw runtime user.\n\n## Affected Packages and Versions\n- Package: `openclaw` (npm)\n- Affected versions: `< 2026.3.11`\n- Fixed in: `2026.3.11`\n\n## Technical Details\nThe approval planner only tracked mutable script operands for a hardcoded set of interpreters and runtime forms. Commands such as `tsx ./run.ts` and `jiti ./run.ts` fell through without a bound file snapshot, so the final pre-execution revalidation step was skipped.\n\n## Fix\nOpenClaw now fails closed for approval-backed interpreter and runtime commands unless it can bind exactly one concrete local file operand, and it extends direct-file binding coverage for additional runtime forms. The fix shipped in `openclaw@2026.3.11`.\n\n## Workarounds\nUpgrade to `2026.3.11` or later.",
   "severity": [
@@ -38,13 +40,21 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qc36-x95h-7j53"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32978"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
     },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.11"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-approval-bypass-via-unrecognized-script-runners"
     }
   ],
   "database_specific": {
diff --git a/advisories/github-reviewed/2026/03/GHSA-rwwx-25m7-ww73/GHSA-rwwx-25m7-ww73.json b/advisories/github-reviewed/2026/03/GHSA-rwwx-25m7-ww73/GHSA-rwwx-25m7-ww73.json
@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-rwwx-25m7-ww73",
+  "modified": "2026-04-06T22:35:49Z",
+  "published": "2026-03-29T15:30:19Z",
+  "withdrawn": "2026-04-06T22:35:49Z",
+  "aliases": [],
+  "summary": "Duplicate Advisory: OpenClaw: Unrecognized script runners could bypass `system.run` approval integrity",
+  "details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-qc36-x95h-7j53. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.11 contains an approval integrity vulnerability where system.run approvals fail to bind mutable file operands for certain script runners like tsx and jiti. Attackers can obtain approval for benign script commands, rewrite referenced scripts on disk, and execute modified code under the approved run context.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.3.12"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qc36-x95h-7j53"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32978"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-approval-bypass-via-unrecognized-script-runners"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-863"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-06T22:35:49Z",
+    "nvd_published_at": "2026-03-29T13:17:01Z"
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-wmgj-hrx3-23gj/GHSA-wmgj-hrx3-23gj.json b/advisories/github-reviewed/2026/03/GHSA-wmgj-hrx3-23gj/GHSA-wmgj-hrx3-23gj.json
@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-wmgj-hrx3-23gj",
+  "modified": "2026-04-06T22:36:11Z",
+  "published": "2026-03-29T15:30:19Z",
+  "withdrawn": "2026-04-06T22:36:11Z",
+  "aliases": [],
+  "summary": "Duplicate Advisory: OpenClaw: Unbound interpreter and runtime commands could bypass node-host approval integrity",
+  "details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-xf99-j42q-5w5p. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.11 contains an approval integrity vulnerability allowing attackers to execute rewritten local code by modifying scripts between approval and execution when exact file binding cannot occur. Remote attackers can change approved local scripts before execution to achieve unintended code execution as the OpenClaw runtime user.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.3.11"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xf99-j42q-5w5p"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32979"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-unbound-interpreter-and-runtime-commands-bypass-in-node-host-approval"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-367"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-06T22:36:11Z",
+    "nvd_published_at": "2026-03-29T13:17:02Z"
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-wwrj-437c-ppq4/GHSA-wwrj-437c-ppq4.json b/advisories/github-reviewed/2026/03/GHSA-wwrj-437c-ppq4/GHSA-wwrj-437c-ppq4.json
@@ -1,12 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-wwrj-437c-ppq4",
-  "modified": "2026-03-31T12:31:35Z",
+  "modified": "2026-04-06T22:37:07Z",
   "published": "2026-03-31T12:31:35Z",
-  "aliases": [
-    "CVE-2026-32921"
-  ],
-  "details": "OpenClaw before 2026.3.8 contains an approval bypass vulnerability in system.run where mutable script operands are not bound across approval and execution phases. Attackers can obtain approval for script execution, modify the approved script file before execution, and execute different content while maintaining the same approved command shape.",
+  "withdrawn": "2026-04-06T22:37:07Z",
+  "aliases": [],
+  "summary": "Duplicate Advisory: OpenClaw's system.run approvals did not bind mutable script operands across approval and execution",
+  "details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-8g75-q649-6pv6. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.8 contains an approval bypass vulnerability in system.run where mutable script operands are not bound across approval and execution phases. Attackers can obtain approval for script execution, modify the approved script file before execution, and execute different content while maintaining the same approved command shape.",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -17,7 +17,27 @@
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.3.8"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "WEB",
@@ -45,8 +65,8 @@
       "CWE-367"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-06T22:37:07Z",
     "nvd_published_at": "2026-03-31T12:16:28Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/03/GHSA-xf99-j42q-5w5p/GHSA-xf99-j42q-5w5p.json b/advisories/github-reviewed/2026/03/GHSA-xf99-j42q-5w5p/GHSA-xf99-j42q-5w5p.json
@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-xf99-j42q-5w5p",
-  "modified": "2026-03-13T15:47:41Z",
+  "modified": "2026-04-06T22:36:18Z",
   "published": "2026-03-13T15:47:41Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-32979"
+  ],
   "summary": "OpenClaw: Unbound interpreter and runtime commands could bypass node-host approval integrity",
   "details": "## Summary\nIn affected versions of `openclaw`, node-host `system.run` approvals could still execute rewritten local code for interpreter and runtime commands when OpenClaw could not bind exactly one concrete local file operand during approval planning.\n\n## Impact\nDeployments using node-host `system.run` approval mode could approve a benign local script and then execute different local code if that script changed before execution. This can lead to unintended local code execution as the OpenClaw runtime user.\n\n## Affected Packages and Versions\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.3.8`\n- Fixed in: `2026.3.11`\n\n## Technical Details\nThe approval flow treated some interpreter and runtime forms as approval-backed even when it could not honestly bind a single direct local script file. That left residual approval-integrity gaps for runtime forms outside the directly bound file set.\n\n## Fix\nOpenClaw now fails closed for approval-backed interpreter and runtime commands unless it can bind exactly one concrete local file operand, and it extends best-effort direct-file binding for additional runtime forms. The fix shipped in `openclaw@2026.3.11`.\n\n## Workarounds\nUpgrade to `2026.3.11` or later.",
   "severity": [
@@ -38,13 +40,21 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xf99-j42q-5w5p"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32979"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
     },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.11"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-unbound-interpreter-and-runtime-commands-bypass-in-node-host-approval"
     }
   ],
   "database_specific": {
diff --git a/advisories/unreviewed/2026/03/GHSA-rwwx-25m7-ww73/GHSA-rwwx-25m7-ww73.json b/advisories/unreviewed/2026/03/GHSA-rwwx-25m7-ww73/GHSA-rwwx-25m7-ww73.json
diff --git a/advisories/unreviewed/2026/03/GHSA-wmgj-hrx3-23gj/GHSA-wmgj-hrx3-23gj.json b/advisories/unreviewed/2026/03/GHSA-wmgj-hrx3-23gj/GHSA-wmgj-hrx3-23gj.json
