Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 9e505fb6dcd8 · 2026-04-21T00:04:33.000Z
GHSA-9gp8-hjxr-6f34 GHSA-m6fx-m8hc-572m
diff --git a/advisories/github-reviewed/2026/04/GHSA-9gp8-hjxr-6f34/GHSA-9gp8-hjxr-6f34.json b/advisories/github-reviewed/2026/04/GHSA-9gp8-hjxr-6f34/GHSA-9gp8-hjxr-6f34.json
@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9gp8-hjxr-6f34",
-  "modified": "2026-04-03T02:57:00Z",
+  "modified": "2026-04-21T00:01:21Z",
   "published": "2026-04-03T02:57:00Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-41330"
+  ],
   "summary": "OpenClaw: Host exec environment overrides miss proxy, TLS, Docker, and Git TLS controls",
   "details": "## Summary\nHost exec environment overrides miss proxy, TLS, Docker, and Git TLS controls\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: medium\n- Assessment: Real in shipped v2026.3.28: host exec env policy still missed proxy, TLS, Docker, and Git TLS variables until 4d912e0451 on 2026-03-31; maintainers already accepted it and the fix is unreleased.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `4d912e04519b4bd53b248437c53748cdebce9a41` — 2026-03-31T21:25:36+09:00\n\nOpenClaw thanks @AntAISecurityLab for reporting.",
   "severity": [
diff --git a/advisories/github-reviewed/2026/04/GHSA-m6fx-m8hc-572m/GHSA-m6fx-m8hc-572m.json b/advisories/github-reviewed/2026/04/GHSA-m6fx-m8hc-572m/GHSA-m6fx-m8hc-572m.json
@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-m6fx-m8hc-572m",
-  "modified": "2026-04-03T03:15:56Z",
+  "modified": "2026-04-21T00:01:43Z",
   "published": "2026-04-03T03:15:56Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-41331"
+  ],
   "summary": "OpenClaw: Telegram audio preflight transcription enables resource consumption by unauthorized senders",
   "details": "## Summary\nTelegram audio preflight transcription enables resource consumption by unauthorized senders\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: medium\n- Assessment: v2026.3.28 still lets unauthorized Telegram group senders trigger audio preflight before allowlist enforcement, but the real impact is resource or billing burn rather than direct data exposure or host compromise.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `c4fa8635d03943ffe9e294d501089521dca635c5` — 2026-03-30T12:19:31+01:00\n\nOpenClaw thanks @AntAISecurityLab for reporting.",
   "severity": [
