Publish Advisories

GHSA-3h52-cx59-c456
GHSA-4hmj-39m8-jwc7
GHSA-77w2-crqv-cmv3
GHSA-h4jx-hjr3-fhgc
GHSA-j4c9-w69r-cw33
GHSA-mf5g-6r6f-ghhm
GHSA-rf6h-5gpw-qrgq
GHSA-rhfg-j8jq-7v2h

Author: advisory-database[bot]

advisories/github-reviewed/2026/03/GHSA-3h52-cx59-c456/GHSA-3h52-cx59-c456.json

@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3h52-cx59-c456",
+  "modified": "2026-03-29T15:48:58Z",
+  "published": "2026-03-29T15:48:58Z",
+  "aliases": [],
+  "summary": "OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation",
+  "details": "## Summary\n\nFeishu webhook reads and parses unauthenticated request bodies before signature validation\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `<= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nFeishu webhook handling previously parsed JSON before signature validation, which let unauthenticated callers force full JSON parsing work before rejection. Commit `5e8cb22176e9235e224be0bc530699261eb60e53` reads the raw request body, validates the signature first, and only then parses JSON.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `5e8cb22176e9235e224be0bc530699261eb60e53`.\n\n## Fix Commit(s)\n\n- `5e8cb22176e9235e224be0bc530699261eb60e53`",
+  "severity": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.3.28"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2026.3.24"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3h52-cx59-c456"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/5e8cb22176e9235e224be0bc530699261eb60e53"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-400"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-29T15:48:58Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/03/GHSA-4hmj-39m8-jwc7/GHSA-4hmj-39m8-jwc7.json

@@ -0,0 +1,58 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4hmj-39m8-jwc7",
+  "modified": "2026-03-29T15:50:41Z",
+  "published": "2026-03-29T15:50:41Z",
+  "aliases": [],
+  "summary": "OpenClaw has ACP CLI approval prompt ANSI escape sequence injection",
+  "details": "## Summary\n\nACP CLI approval prompt ANSI escape sequence injection\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `>= 2026.2.13, <= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nACP tool titles could previously carry ANSI control sequences into approval prompts and permission logs, letting untrusted tool metadata spoof terminal output. Commit `464e2c10a5edceb380d815adb6ff56e1a4c50f60` sanitizes tool titles at the source and broadens ANSI stripping to full CSI sequences.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `464e2c10a5edceb380d815adb6ff56e1a4c50f60`.\n\n## Fix Commit(s)\n\n- `464e2c10a5edceb380d815adb6ff56e1a4c50f60`",
+  "severity": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2026.2.13"
+            },
+            {
+              "fixed": "2026.3.28"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2026.3.24"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4hmj-39m8-jwc7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/464e2c10a5edceb380d815adb6ff56e1a4c50f60"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-116",
+      "CWE-150"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-29T15:50:41Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/03/GHSA-77w2-crqv-cmv3/GHSA-77w2-crqv-cmv3.json

@@ -0,0 +1,58 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-77w2-crqv-cmv3",
+  "modified": "2026-03-29T15:49:17Z",
+  "published": "2026-03-29T15:49:17Z",
+  "aliases": [],
+  "summary": "OpenClaw: Feishu Raw Card Send Surface Can Mint Legacy Card Callbacks That Bypass DM Pairing",
+  "details": "## Summary\n\nFeishu Raw card Send Surface Can Mint Legacy Card Callbacks That Bypass DM Pairing\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `<= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nFeishu raw card sends could previously mint legacy callback payloads that bypassed DM pairing and let unpaired recipients reach callback handling. Commit `81c45976db532324b5a0918a70decc19520dc354` rejects legacy raw-card command payloads so callbacks stay on the normal paired path.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `81c45976db532324b5a0918a70decc19520dc354`.\n\n## Fix Commit(s)\n\n- `81c45976db532324b5a0918a70decc19520dc354`",
+  "severity": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.3.28"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2026.3.24"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-77w2-crqv-cmv3"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/81c45976db532324b5a0918a70decc19520dc354"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-288",
+      "CWE-863"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-29T15:49:17Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/03/GHSA-h4jx-hjr3-fhgc/GHSA-h4jx-hjr3-fhgc.json

@@ -0,0 +1,58 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-h4jx-hjr3-fhgc",
+  "modified": "2026-03-29T15:49:34Z",
+  "published": "2026-03-29T15:49:34Z",
+  "aliases": [],
+  "summary": "OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin`",
+  "details": "## Summary\n\nGateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin`\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `<= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nGateway plugin subagent fallback `deleteSession` previously dispatched `sessions.delete` with a synthetic `operator.admin` runtime scope when no request-scoped client existed. Commit `b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7` binds deletion to the caller scope instead of minting admin scope.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7`.\n\n## Fix Commit(s)\n\n- `b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7`",
+  "severity": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.3.28"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2026.3.24"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h4jx-hjr3-fhgc"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-266",
+      "CWE-863"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-29T15:49:34Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/03/GHSA-j4c9-w69r-cw33/GHSA-j4c9-w69r-cw33.json

@@ -0,0 +1,58 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-j4c9-w69r-cw33",
+  "modified": "2026-03-29T15:50:23Z",
+  "published": "2026-03-29T15:50:23Z",
+  "aliases": [],
+  "summary": "OpenClaw: Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State",
+  "details": "## Summary\n\nTelegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `<= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nTelegram callback queries from direct messages previously used weaker callback-only authorization and could mutate session state without satisfying normal DM pairing. Commit `269282ac69ab6030d5f30d04822668f607f13065` enforces DM authorization for callbacks.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `269282ac69ab6030d5f30d04822668f607f13065`.\n\n## Fix Commit(s)\n\n- `269282ac69ab6030d5f30d04822668f607f13065`",
+  "severity": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.3.28"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2026.3.24"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-j4c9-w69r-cw33"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/269282ac69ab6030d5f30d04822668f607f13065"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-285",
+      "CWE-863"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-29T15:50:23Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/03/GHSA-mf5g-6r6f-ghhm/GHSA-mf5g-6r6f-ghhm.json

@@ -0,0 +1,58 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-mf5g-6r6f-ghhm",
+  "modified": "2026-03-29T15:50:09Z",
+  "published": "2026-03-29T15:50:09Z",
+  "aliases": [],
+  "summary": "OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token",
+  "details": "## Summary\n\nSynology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Weak Webhook Token\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `<= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nSynology Chat webhook auth previously rejected invalid tokens without throttling repeated guesses, allowing brute-force attempts against weak webhook secrets. Commit `0b4d07337467f4d40a0cc1ced83d45ceaec0863c` adds repeated-guess throttling before auth failure responses.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `0b4d07337467f4d40a0cc1ced83d45ceaec0863c`.\n\n## Fix Commit(s)\n\n- `0b4d07337467f4d40a0cc1ced83d45ceaec0863c`",
+  "severity": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.3.28"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2026.3.24"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mf5g-6r6f-ghhm"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/0b4d07337467f4d40a0cc1ced83d45ceaec0863c"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-307",
+      "CWE-521"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-29T15:50:09Z",
+    "nvd_published_at": null
+  }
+}