Publish Advisories

GHSA-m4wj-hhwj-47qp
GHSA-2pr2-hcv6-7gwv
GHSA-9528-x887-j2fp
GHSA-v2v2-f783-358j
GHSA-v8wv-jg3q-qwpq
GHSA-2x4x-cc5g-qmmg
GHSA-qxgf-hmcj-3xw3

Author: advisory-database[bot]

advisories/github-reviewed/2025/04/GHSA-m4wj-hhwj-47qp/GHSA-m4wj-hhwj-47qp.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-m4wj-hhwj-47qp",
-  "modified": "2025-04-29T20:16:49Z",
+  "modified": "2026-04-06T17:33:37Z",
   "published": "2025-04-01T00:30:33Z",
   "aliases": [
     "CVE-2025-31675"
@@ -101,13 +101,21 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31675"
     },
+    {
+      "type": "WEB",
+      "url": "https://d7es.tag1.com/security-advisories/link-moderately-critical-cross-site-scripting-sa-core-2025-004"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/drupal/core"
     },
     {
       "type": "WEB",
       "url": "https://www.drupal.org/sa-core-2025-004"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.herodevs.com/vulnerability-directory/cve-2025-31675"
     }
   ],
   "database_specific": {

advisories/github-reviewed/2026/03/GHSA-2pr2-hcv6-7gwv/GHSA-2pr2-hcv6-7gwv.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2pr2-hcv6-7gwv",
-  "modified": "2026-03-31T23:52:03Z",
+  "modified": "2026-04-06T17:33:55Z",
   "published": "2026-03-31T23:52:03Z",
   "aliases": [
     "CVE-2026-34503"
   ],
   "summary": "OpenClaw's device removal and token revocation do not terminate active WebSocket sessions",
-  "details": "## Summary\n\nRemoving a device or revoking its token updated stored credentials but did not disconnect already-authenticated WebSocket sessions.\n\n## Impact\n\nA revoked device could continue using its existing live session until reconnect, extending access beyond credential removal.\n\n## Affected Component\n\n`src/gateway/server-methods/devices.ts, src/gateway/server.impl.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `7a801cc451` (`Gateway: disconnect revoked device sessions`).",
+  "details": "## Summary\n\nRemoving a device or revoking its token updated stored credentials but did not disconnect already-authenticated WebSocket sessions.\n\n## Impact\n\nA revoked device could continue using its existing live session until reconnect, extending access beyond credential removal.\n\n## Affected Component\n\n`src/gateway/server-methods/devices.ts, src/gateway/server.impl.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `7a801cc451` (`Gateway: disconnect revoked device sessions`).\n\nOpenClaw thanks @AntAISecurityLab for reporting.",
   "severity": [
     {
       "type": "CVSS_V3",

advisories/github-reviewed/2026/03/GHSA-9528-x887-j2fp/GHSA-9528-x887-j2fp.json

@@ -1,11 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9528-x887-j2fp",
-  "modified": "2026-03-31T23:59:17Z",
+  "modified": "2026-04-06T17:34:29Z",
   "published": "2026-03-31T23:59:17Z",
   "aliases": [],
   "summary": "OpenClaw's Nextcloud Talk webhook missing rate limiting on shared secret authentication",
-  "details": "## Summary\n\nNextcloud Talk webhook signature failures were not throttled even though the integration relies on an operator-configured shared secret that may be weak.\n\n## Impact\n\nAn attacker who could reach the webhook endpoint could brute-force weak secrets online and then forge inbound webhook events.\n\n## Affected Component\n\n`extensions/nextcloud-talk/src/monitor.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `e403decb6e` (`nextcloud-talk: throttle repeated webhook auth failures`).",
+  "details": "## Summary\n\nNextcloud Talk webhook signature failures were not throttled even though the integration relies on an operator-configured shared secret that may be weak.\n\n## Impact\n\nAn attacker who could reach the webhook endpoint could brute-force weak secrets online and then forge inbound webhook events.\n\n## Affected Component\n\n`extensions/nextcloud-talk/src/monitor.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `e403decb6e` (`nextcloud-talk: throttle repeated webhook auth failures`).\n\nOpenClaw thanks @AntAISecurityLab for reporting.",
   "severity": [],
   "affected": [
     {

advisories/github-reviewed/2026/03/GHSA-v2v2-f783-358j/GHSA-v2v2-f783-358j.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-v2v2-f783-358j",
-  "modified": "2026-03-31T23:50:44Z",
+  "modified": "2026-04-06T17:34:34Z",
   "published": "2026-03-31T23:50:44Z",
   "aliases": [
     "CVE-2026-33576"
   ],
   "summary": "OpenClaw: Zalo channel downloads media before sender authorization",
-  "details": "## Summary\n\nThe Zalo image path fetched and stored inbound media before the DM/pairing authorization checks ran.\n\n## Impact\n\nUnauthorized senders could force network fetches and disk writes in the inbound media store even when the message itself was rejected.\n\n## Affected Component\n\n`extensions/zalo/src/monitor.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `68ceaf7a5f` (`zalo: gate image downloads before DM auth`).",
+  "details": "## Summary\n\nThe Zalo image path fetched and stored inbound media before the DM/pairing authorization checks ran.\n\n## Impact\n\nUnauthorized senders could force network fetches and disk writes in the inbound media store even when the message itself was rejected.\n\n## Affected Component\n\n`extensions/zalo/src/monitor.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `68ceaf7a5f` (`zalo: gate image downloads before DM auth`).\n\nOpenClaw thanks @AntAISecurityLab for reporting.",
   "severity": [
     {
       "type": "CVSS_V3",

advisories/github-reviewed/2026/03/GHSA-v8wv-jg3q-qwpq/GHSA-v8wv-jg3q-qwpq.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-v8wv-jg3q-qwpq",
-  "modified": "2026-03-31T23:54:28Z",
+  "modified": "2026-04-06T17:34:18Z",
   "published": "2026-03-31T23:54:28Z",
   "aliases": [
     "CVE-2026-33581"
   ],
   "summary": "OpenClaw's message tool media parameter bypasses tool policy filesystem isolation",
-  "details": "## Summary\n\nThe message tool accepted `mediaUrl` and `fileUrl` aliases without applying the same sandbox localRoots validation as the canonical media path handling.\n\n## Impact\n\nA caller constrained to sandbox media roots could read arbitrary local files by routing them through the alias parameters.\n\n## Affected Component\n\n`src/infra/outbound/message-action-params.ts, src/infra/outbound/message-action-runner.ts`\n\n## Fixed Versions\n\n- Affected: `< 2026.3.24`\n- Patched: `>= 2026.3.24`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `1d7cb6fc03` (`fix: close sandbox media root bypass for mediaUrl/fileUrl aliases`).",
+  "details": "## Summary\n\nThe message tool accepted `mediaUrl` and `fileUrl` aliases without applying the same sandbox localRoots validation as the canonical media path handling.\n\n## Impact\n\nA caller constrained to sandbox media roots could read arbitrary local files by routing them through the alias parameters.\n\n## Affected Component\n\n`src/infra/outbound/message-action-params.ts, src/infra/outbound/message-action-runner.ts`\n\n## Fixed Versions\n\n- Affected: `< 2026.3.24`\n- Patched: `>= 2026.3.24`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `1d7cb6fc03` (`fix: close sandbox media root bypass for mediaUrl/fileUrl aliases`).\n\nOpenClaw thanks @AntAISecurityLab for reporting.",
   "severity": [
     {
       "type": "CVSS_V3",

advisories/github-reviewed/2026/04/GHSA-2x4x-cc5g-qmmg/GHSA-2x4x-cc5g-qmmg.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2x4x-cc5g-qmmg",
-  "modified": "2026-04-01T00:00:19Z",
+  "modified": "2026-04-06T17:34:40Z",
   "published": "2026-04-01T00:00:19Z",
   "aliases": [
     "CVE-2026-33577"
   ],
   "summary": "OpenClaw: node.pair.approve missing callerScopes validation allows low-privilege operator to approve malicious nodes",
-  "details": "## Summary\n\nThe node pairing approval path did not consistently enforce that the approving caller already held every scope requested by the node.\n\n## Impact\n\nA lower-privileged operator could approve a pending node request for broader scopes and extend privileges onto the paired node.\n\n## Affected Component\n\n`src/infra/node-pairing.ts, src/gateway/server-methods/nodes.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `4d7cc6bb4f` (`gateway: restrict node pairing approvals`).",
+  "details": "## Summary\n\nThe node pairing approval path did not consistently enforce that the approving caller already held every scope requested by the node.\n\n## Impact\n\nA lower-privileged operator could approve a pending node request for broader scopes and extend privileges onto the paired node.\n\n## Affected Component\n\n`src/infra/node-pairing.ts, src/gateway/server-methods/nodes.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `4d7cc6bb4f` (`gateway: restrict node pairing approvals`).\n\nOpenClaw thanks @AntAISecurityLab for reporting.",
   "severity": [
     {
       "type": "CVSS_V3",

advisories/github-reviewed/2026/04/GHSA-qxgf-hmcj-3xw3/GHSA-qxgf-hmcj-3xw3.json

@@ -1,11 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-qxgf-hmcj-3xw3",
-  "modified": "2026-04-01T00:01:51Z",
+  "modified": "2026-04-06T17:34:24Z",
   "published": "2026-04-01T00:01:51Z",
   "aliases": [],
   "summary": "OpenClaw affected by SSRF via unguarded image download in fal provider",
-  "details": "## Summary\n\nThe fal provider used raw fetches for both provider API traffic and returned image download URLs instead of the existing SSRF-guarded fetch path.\n\n## Impact\n\nA malicious or compromised fal relay could make the gateway fetch internal URLs and expose metadata or internal service responses through the image pipeline.\n\n## Affected Component\n\n`extensions/fal/image-generation-provider.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `80d1e8a11a` (`fal: guard image fetches`).",
+  "details": "## Summary\n\nThe fal provider used raw fetches for both provider API traffic and returned image download URLs instead of the existing SSRF-guarded fetch path.\n\n## Impact\n\nA malicious or compromised fal relay could make the gateway fetch internal URLs and expose metadata or internal service responses through the image pipeline.\n\n## Affected Component\n\n`extensions/fal/image-generation-provider.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `80d1e8a11a` (`fal: guard image fetches`).\n\nOpenClaw thanks @AntAISecurityLab for reporting.",
   "severity": [
     {
       "type": "CVSS_V4",