github
diff --git a/‎advisories/github-reviewed/2026/03/GHSA-35cq-wv6v-88xf/GHSA-35cq-wv6v-88xf.json‎
Lines changed: 68 additions & 0 deletions b/‎advisories/github-reviewed/2026/03/GHSA-35cq-wv6v-88xf/GHSA-35cq-wv6v-88xf.json‎
Lines changed: 68 additions & 0 deletions
diff --git a/‎advisories/github-reviewed/2026/03/GHSA-6q2v-vfwp-pvwh/GHSA-6q2v-vfwp-pvwh.json‎
Lines changed: 68 additions & 0 deletions b/‎advisories/github-reviewed/2026/03/GHSA-6q2v-vfwp-pvwh/GHSA-6q2v-vfwp-pvwh.json‎
Lines changed: 68 additions & 0 deletions
diff --git a/‎…-9q8j-chc7-wpgp/GHSA-9q8j-chc7-wpgp.json‎ ‎…-9q8j-chc7-wpgp/GHSA-9q8j-chc7-wpgp.json‎advisories/unreviewed/2026/03/GHSA-9q8j-chc7-wpgp/GHSA-9q8j-chc7-wpgp.json renamed to advisories/github-reviewed/2026/03/GHSA-9q8j-chc7-wpgp/GHSA-9q8j-chc7-wpgp.json
Lines changed: 28 additions & 8 deletions b/‎…-9q8j-chc7-wpgp/GHSA-9q8j-chc7-wpgp.json‎ ‎…-9q8j-chc7-wpgp/GHSA-9q8j-chc7-wpgp.json‎advisories/unreviewed/2026/03/GHSA-9q8j-chc7-wpgp/GHSA-9q8j-chc7-wpgp.json renamed to advisories/github-reviewed/2026/03/GHSA-9q8j-chc7-wpgp/GHSA-9q8j-chc7-wpgp.json
Lines changed: 28 additions & 8 deletions
diff --git a/‎advisories/github-reviewed/2026/03/GHSA-g7cr-9h7q-4qxq/GHSA-g7cr-9h7q-4qxq.json‎
Lines changed: 12 additions & 2 deletions b/‎advisories/github-reviewed/2026/03/GHSA-g7cr-9h7q-4qxq/GHSA-g7cr-9h7q-4qxq.json‎
Lines changed: 12 additions & 2 deletions
diff --git a/‎advisories/github-reviewed/2026/03/GHSA-vhwf-4x96-vqx2/GHSA-vhwf-4x96-vqx2.json‎
Lines changed: 12 additions & 2 deletions b/‎advisories/github-reviewed/2026/03/GHSA-vhwf-4x96-vqx2/GHSA-vhwf-4x96-vqx2.json‎
Lines changed: 12 additions & 2 deletions
diff --git a/‎advisories/github-reviewed/2026/03/GHSA-vr7j-g7jv-h5mp/GHSA-vr7j-g7jv-h5mp.json‎
Lines changed: 12 additions & 2 deletions b/‎advisories/github-reviewed/2026/03/GHSA-vr7j-g7jv-h5mp/GHSA-vr7j-g7jv-h5mp.json‎
Lines changed: 12 additions & 2 deletions
diff --git a/‎advisories/github-reviewed/2026/03/GHSA-xg59-f45v-9r9j/GHSA-xg59-f45v-9r9j.json‎
Lines changed: 68 additions & 0 deletions b/‎advisories/github-reviewed/2026/03/GHSA-xg59-f45v-9r9j/GHSA-xg59-f45v-9r9j.json‎
Lines changed: 68 additions & 0 deletions
@@ -0,0 +1,68 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-35cq-wv6v-88xf",
+  "modified": "2026-04-06T22:45:57Z",
+  "published": "2026-03-31T15:31:56Z",
+  "withdrawn": "2026-04-06T22:45:57Z",
+  "aliases": [],
+  "summary": "Duplicate Advisory: OpenClaw affected by SSRF via unguarded image download in fal provider",
+  "details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-qxgf-hmcj-3xw3. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.28 contains a server-side request forgery vulnerability in the fal provider image-generation-provider.ts component that allows attackers to fetch internal URLs. A malicious or compromised fal relay can exploit unguarded image download fetches to expose internal service metadata and responses through the image pipeline.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.3.28"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qxgf-hmcj-3xw3"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34504"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/80d1e8a11a2ac118c7f7a70bba9c862b6141d928"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-unguarded-image-download-in-fal-provider"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-06T22:45:57Z",
+    "nvd_published_at": "2026-03-31T15:16:19Z"
+  }
+}
@@ -0,0 +1,68 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6q2v-vfwp-pvwh",
+  "modified": "2026-04-06T22:46:34Z",
+  "published": "2026-03-29T15:30:20Z",
+  "withdrawn": "2026-04-06T22:46:34Z",
+  "aliases": [],
+  "summary": "Duplicate Advisory: OpenClaw's skills-install-download can be redirected outside the tools root by rebinding the validated base path",
+  "details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-vhwf-4x96-vqx2. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.8 contains a path traversal vulnerability in the skills download installer that validates the tools root lexically but reuses the mutable path during archive download and copy operations. A local attacker can rebind the tools-root path between validation and final write to redirect the installer outside the intended tools directory.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.3.8"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vhwf-4x96-vqx2"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33574"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/9abf014f3502009faf9c73df5ca2cff719e54639"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-path-traversal-via-tools-root-rebinding-in-skills-download"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-367"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-06T22:46:34Z",
+    "nvd_published_at": "2026-03-29T13:17:03Z"
+  }
+}
@@ -1,12 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9q8j-chc7-wpgp",
-  "modified": "2026-03-29T15:30:20Z",
+  "modified": "2026-04-06T22:46:20Z",
   "published": "2026-03-29T15:30:20Z",
-  "aliases": [
-    "CVE-2026-33572"
-  ],
-  "details": "OpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local users to read transcript contents. Attackers with local access can read transcript files to extract sensitive information including secrets from tool output.",
+  "withdrawn": "2026-04-06T22:46:19Z",
+  "aliases": [],
+  "summary": "Duplicate Advisory: OpenClaw session transcript files were created without forced user-only permissions",
+  "details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-vr7j-g7jv-h5mp. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local users to read transcript contents. Attackers with local access can read transcript files to extract sensitive information including secrets from tool output.",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -17,7 +17,27 @@
       "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.2.17"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "WEB",
@@ -41,8 +61,8 @@
       "CWE-378"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-06T22:46:19Z",
     "nvd_published_at": "2026-03-29T13:17:02Z"
   }
 }
@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-g7cr-9h7q-4qxq",
-  "modified": "2026-03-12T14:21:35Z",
+  "modified": "2026-04-06T22:45:49Z",
   "published": "2026-03-12T14:21:35Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-34506"
+  ],
   "summary": "OpenClaw's MS Teams sender allowlist bypass when route allowlist is configured and sender allowlist is empty",
   "details": "OpenClaw's Microsoft Teams plugin widened group sender authorization when a team/channel route allowlist was configured but `groupAllowFrom` was empty. Before the fix, a matching route allowlist entry could cause the message handler to synthesize wildcard sender authorization for that route, allowing any sender in the matched team/channel to bypass the intended `groupPolicy: \"allowlist\"` sender check.\n\nThis does not affect default unauthenticated access, but it does weaken a documented Teams group authorization boundary and can allow unauthorized group senders to trigger replies in allowlisted Teams routes.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Latest published vulnerable version: `2026.3.7`\n- Affected range: `<= 2026.3.7`\n- Fixed in released version: `2026.3.8`\n\n## Fix Commit(s)\n\n- `88aee9161e0e6d32e810a25711e32a808a1777b2`\n\n## Release Verification\n\n- Verified fixed in GitHub release `v2026.3.8` published on March 9, 2026.\n- Verified `npm view openclaw version` resolves to `2026.3.8`.\n- Verified the release contains the regression test covering the Teams route-allowlist sender-bypass case and that the test passes against the `v2026.3.8` tree.\n\nThanks @zpbrent for reporting.",
   "severity": [
@@ -41,13 +43,21 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g7cr-9h7q-4qxq"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34506"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/88aee9161e0e6d32e810a25711e32a808a1777b2"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-sender-allowlist-bypass-in-microsoft-teams-plugin-via-route-allowlist-configuration"
     }
   ],
   "database_specific": {
 
@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vhwf-4x96-vqx2",
-  "modified": "2026-03-12T14:21:32Z",
+  "modified": "2026-04-06T22:46:40Z",
   "published": "2026-03-12T14:21:32Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-33574"
+  ],
   "summary": "OpenClaw's skills-install-download can be redirected outside the tools root by rebinding the validated base path",
   "details": "OpenClaw's skills download installer validated the intended per-skill tools root lexically, but later reused that mutable path while downloading and copying the archive into place. If a local attacker could rebind that tools-root path between validation and the final write, the installer could be redirected to write outside the intended tools directory.\n\nThe fix pins the canonical per-skill tools root immediately after validation and derives later download/copy paths from that canonical root, so rebinding the lexical path fails closed instead of redirecting the write.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Latest published vulnerable version: `2026.3.7`\n- Affected range: `<= 2026.3.7`\n- Fixed in released version: `2026.3.8`\n\n## Fix Commit(s)\n\n- `9abf014f3502009faf9c73df5ca2cff719e54639`\n\n## Release Verification\n\n- Verified fixed in GitHub release `v2026.3.8` published on March 9, 2026.\n- Verified `npm view openclaw version` resolves to `2026.3.8`.\n- Verified the release contains the regression test covering tools-root rebinding and that the test passes against the `v2026.3.8` tree.\n\nThanks @tdjackey for reporting.",
   "severity": [
@@ -41,13 +43,21 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vhwf-4x96-vqx2"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33574"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/9abf014f3502009faf9c73df5ca2cff719e54639"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-path-traversal-via-tools-root-rebinding-in-skills-download"
     }
   ],
   "database_specific": {
 
@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vr7j-g7jv-h5mp",
-  "modified": "2026-03-16T20:41:51Z",
+  "modified": "2026-04-06T22:46:26Z",
   "published": "2026-03-16T20:41:51Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-33572"
+  ],
   "summary": "OpenClaw session transcript files were created without forced user-only permissions",
   "details": "`openclaw` created new session transcript JSONL files with overly broad default permissions in affected releases. On multi-user hosts, other local users or processes could read transcript contents, including secrets that might appear in tool output.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (`npm`)\n- Affected versions: `<= 2026.2.15`\n- First fixed version: `2026.2.17`\n- Current latest npm release checked during verification: `2026.3.13` (not affected)\n\n## Impact\n\nSession transcript JSONL files are created under the local OpenClaw session store. In affected releases, newly created transcript files did not force user-only permissions, so transcript contents could be readable by other local users depending on the host environment and umask behavior.\n\n## Fix\n\nNew transcript files are now created with `0o600` permissions. Existing transcript permission drift is also remediated by the security audit fix flow.\n\nVerified in code:\n\n- `src/config/sessions/transcript.ts:82` writes new transcript files with `mode: 0o600`\n- `src/config/sessions/sessions.test.ts:303` includes regression coverage asserting `0o600`\n\n## Fix Commit(s)\n\n- `095d522099653367e1b76fa5bb09d4ddf7c8a57c`\n\n## Release Note\n\nThis fix first shipped in `2026.2.17` and is present in the current npm release `2026.3.13`.",
   "severity": [
@@ -41,13 +43,21 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vr7j-g7jv-h5mp"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33572"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/095d522099653367e1b76fa5bb09d4ddf7c8a57c"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-insufficient-file-permissions-in-session-transcript-files"
     }
   ],
   "database_specific": {
 
@@ -0,0 +1,68 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-xg59-f45v-9r9j",
+  "modified": "2026-04-06T22:45:43Z",
+  "published": "2026-03-31T12:31:36Z",
+  "withdrawn": "2026-04-06T22:45:43Z",
+  "aliases": [],
+  "summary": "Duplicate Advisory: OpenClaw's MS Teams sender allowlist bypass when route allowlist is configured and sender allowlist is empty",
+  "details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-g7cr-9h7q-4qxq. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message handler synthesizes wildcard sender authorization, permitting any sender in the matched team/channel to trigger replies in allowlisted Teams routes.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.3.8"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g7cr-9h7q-4qxq"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34506"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/88aee9161e0e6d32e810a25711e32a808a1777b2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-sender-allowlist-bypass-in-microsoft-teams-plugin-via-route-allowlist-configuration"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-863"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-06T22:45:43Z",
+    "nvd_published_at": "2026-03-31T12:16:30Z"
+  }
+}