
Commit 8ea22aa

1 parent 5e6582e commit 8ea22aa


4 files changed

+16
-8
lines changed


advisories/github-reviewed/2026/04/GHSA-2qrv-rc5x-2g2h/GHSA-2qrv-rc5x-2g2h.json

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-2qrv-rc5x-2g2h",
4-
"modified": "2026-04-07T18:15:41Z",
4+
"modified": "2026-04-20T23:44:01Z",
55
"published": "2026-04-07T18:15:41Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-41295"
8+
],
79
"summary": "OpenClaw: Untrusted workspace channel shadows could execute during built-in channel setup",
810
"details": "## Summary\n\nBefore OpenClaw 2026.4.2, built-in channel setup and login could resolve an untrusted workspace channel shadow before the plugin was explicitly trusted. A malicious workspace plugin that claimed a bundled channel id could execute during channel setup even while still disabled.\n\n## Impact\n\nA cloned workspace could turn channel setup for a built-in channel into unintended in-process code execution from an untrusted workspace plugin. This bypassed the intended workspace-plugin trust boundary during setup and login.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.4.1`\n- Patched versions: `>= 2026.4.2`\n- Latest published npm version: `2026.4.1`\n\n## Fix Commit(s)\n\n- `53c29df2a9eb242a70d0ff29f3d1e67c8d6801f0` — ignore untrusted workspace channel shadows during setup resolution\n\n## Release Process Note\n\nThe fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live.\n\nThanks @zpbrent for reporting.",
911
"severity": [
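Review bot: the `details` string in this advisory still carries an internal "## Release Process Note" ("Publish this advisory after the `2026.4.2` npm release is live") and lists "Latest published npm version: `2026.4.1`"; now that the record is being revised to attach the CVE alias, that pre-publication note should be dropped and the latest-version line refreshed, since the alias edit only bumps `modified` and leaves the stale release-process text in place.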

advisories/github-reviewed/2026/04/GHSA-83f3-hh45-vfw9/GHSA-83f3-hh45-vfw9.json

Lines changed: 4 additions & 2 deletions
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-83f3-hh45-vfw9",
4-
"modified": "2026-04-07T18:16:07Z",
4+
"modified": "2026-04-20T23:43:22Z",
55
"published": "2026-04-07T18:16:06Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-40045"
8+
],
79
"summary": "OpenClaw: Android accepted cleartext remote gateway endpoints and sent stored credentials over ws://",
810
"details": "## Summary\n\nBefore OpenClaw 2026.4.2, Android accepted non-loopback cleartext `ws://` gateway endpoints and would send stored gateway credentials over that connection. Discovery beacons or setup codes could therefore steer the client onto a cleartext remote endpoint.\n\n## Impact\n\nA user who followed a forged discovery result or scanned a crafted setup code could disclose stored gateway credentials to an attacker-controlled endpoint in plaintext. This was a transport-security bug in the Android gateway client.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.4.1`\n- Patched versions: `>= 2026.4.2`\n- Latest published npm version: `2026.4.1`\n\n## Fix Commit(s)\n\n- `a941a4fef9bc43b2973c92d0dcff5b8a426210c5` — require TLS for remote Android gateway endpoints\n\n## Release Process Note\n\nThe fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live.\n\nThanks @zsxsoft for reporting.",
911
"severity": [
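Review bot: the summary and details describe a bug in the Android gateway client, but the only affected package recorded in `details` is "Package: `openclaw` (npm)" with the npm version range; if the Android client is distributed separately from the npm package, the affected-package information should name that artifact, and, as in the sibling advisory, the "## Release Process Note" asking to hold publication until `2026.4.2` is live should not remain in a record that is now gaining a CVE alias.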

advisories/github-reviewed/2026/04/GHSA-8rh7-6779-cjqq/GHSA-8rh7-6779-cjqq.json

Lines changed: 4 additions & 2 deletions
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-8rh7-6779-cjqq",
4-
"modified": "2026-04-01T00:02:42Z",
4+
"modified": "2026-04-20T23:43:42Z",
55
"published": "2026-04-01T00:02:42Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-41294"
8+
],
79
"summary": "OpenClaw has a CWD `.env` environment variable injection which bypasses host-env policy and allows config takeover",
810
"details": "## Summary\n\nOpenClaw loaded the current working directory `.env` before trusted state-dir configuration, allowing untrusted workspace state to inject host environment values.\n\n## Impact\n\nA repository or workspace containing a malicious `.env` file could override runtime configuration and security-sensitive environment settings when OpenClaw started there.\n\n## Affected Component\n\n`src/infra/dotenv.ts, src/cli/dotenv.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `6a79324802` (`Filter untrusted CWD .env entries before OpenClaw startup`).",
911
"severity": [
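Review bot: the version information in `details` leaves a gap: "Affected: `<= 2026.3.24`" and "Patched: `>= 2026.3.28`" say nothing about any release between those two, so the affected range should be stated as everything below the patched version unless the intermediate releases were verified unaffected. Also, the fix is cited as the short hash `6a79324802` while the other advisories in this commit use full 40-character SHAs; use the full SHA for a durable reference, and split "`src/infra/dotenv.ts, src/cli/dotenv.ts`" into two separate code spans.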

advisories/github-reviewed/2026/04/GHSA-9p3r-hh9g-5cmg/GHSA-9p3r-hh9g-5cmg.json

Lines changed: 4 additions & 2 deletions
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-9p3r-hh9g-5cmg",
4-
"modified": "2026-04-03T03:14:16Z",
4+
"modified": "2026-04-20T23:44:20Z",
55
"published": "2026-04-03T03:14:16Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-41296"
8+
],
79
"summary": "OpenClaw: Sandbox escape via TOCTOU race in remote FS bridge readFile",
810
"details": "## Summary\nSandbox escape via TOCTOU race in remote FS bridge readFile\n\n## Current Maintainer Triage\n- Normalized severity: critical\n- Assessment: v2026.3.28 remote sandbox reads still do path-check then separate file read, so the TOCTOU sandbox escape remains present in the latest shipped tag.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `121870a08583033ed6a0ed73d9ffea32991252bb` — 2026-03-31T09:55:51+09:00\n\nOpenClaw thanks @AntAISecurityLab for reporting.",
911
"severity": [
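Review bot: the "## Current Maintainer Triage" block in `details` contradicts the version block that follows it: the triage says the TOCTOU escape "remains present in the latest shipped tag" (assessing `v2026.3.28`), while the next section lists "Latest published npm version: `2026.3.31`" and "Patched versions: `>= 2026.3.31`". Since `modified` is being bumped here anyway, the stale triage sentence should be removed or reworded so readers do not conclude the latest release is still vulnerable. The fix commit entry also gives only a timestamp ("`121870a0…` — 2026-03-31T09:55:51+09:00") where the other advisories give a one-line description of the fix.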
