Known vulnerabilities in MCP servers, tracked via OSV.dev. Scanned daily. Scoring methodology is open source.
Last scan: Jun 8, 2026, 04:55 PM UTC
Computed against the 5,818 servers (23.0% of the catalog) whose tool manifests were successfully fetched. Counts exclude servers without a live endpoint — the true surface is likely larger.
99.7% of servers have no open CVEs
25,276 of 25,350 tracked servers are clean. 74 servers have open vulnerabilities.
**CVE-2026-52830** · fixed · yesterday · fast-mcp-telegram: Bearer token path traversal bypasses reserved Telegram session protection

**Summary:** fast-mcp-telegram validates HTTP Bearer tokens by joining the raw token string into a session-file path. The verifier rejects the exact reserved token `telegram`, but it does not reject path separators or normalize the path before checking whether the session file exists. A remote HTTP client can therefore authenticate as the default legacy session with a token such as `../fast-mcp-telegram/telegram` when the documented default session file `~/.config/fast-mcp-telegram/telegram.sessi
**CVE-2026-50027** · fixed · yesterday · mcp-memory-service: Missing Authentication on Document API Endpoints Allows Unauthenticated Memory Read/Write/Delete

**Summary:** All HTTP routes under `/api/documents/*` in `mcp-memory-service` are served without any authentication dependency, even when the server is configured with an API key (`MCP_API_KEY`) or OAuth. An unauthenticated remote attacker can upload arbitrary content into the memory store (write), retrieve stored document content (read), and permanently delete memories belonging to authenticated

Affected >= 0 · Fixed in 10.67.1

Vulnerability data sourced from OSV.dev (Google's open-source vulnerability database). Covers npm and PyPI ecosystems. Scanned daily at 5:00 UTC.

**CVE-2026-55447** · fixed · 4d ago · Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit

**Summary:** All components based on `BaseFileComponent` are vulnerable to the following vulnerability:

1. Docling (`DoclingInlineComponent`)
2. Docling Serve (`DoclingRemoteComponent`)
3. Read File (`FileComponent`)
4. NVIDIA Retriever Extraction (`NvidiaIngestComponent`)
5. Video File (`VideoFileComponent`)
6. Unstructured API (`UnstructuredComponent`)

For clarity, from now on I'll only refer to Read File component. The Read File node processes user-controlled files. Example scenario is a RAG
**CVE-2026-49257** · fixed · 4d ago · mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind

**Resolution:** Fixed in [v3.1.0](https://github.com/startreedata/mcp-pinot/releases/tag/v3.1.0), released 2026-05-25. The fix was merged in [PR #95](https://github.com/startreedata/mcp-pinot/pull/95) at commit [`1c7d3f9`](https://github.com/startreedata/mcp-pinot/commit/1c7d3f9cd384854bf72c127d230bdb32299475ad). The fix changes the default HTTP bind host to `127.0.0.1`, refuses non-loopback HTTP/HTTPS exposure unless OAuth is enabled, makes Helm exposure opt-in and OAuth-gated, and adds parser
**CVE-2025-61492** · open · 4d ago · terminal-controller-mcp vulnerable to Command Injection

A command injection vulnerability in the execute_command function of terminal-controller-mcp 0.1.7 allows attackers to execute arbitrary commands via a crafted input.
**CVE-2026-22778** · fixed · 4d ago · vLLM has RCE In Video Processing

**Summary:** A chain of vulnerabilities in vLLM allow Remote Code Execution (RCE):

1. **Info Leak** - PIL error messages expose memory addresses, bypassing ASLR
2. **Heap Overflow** - JPEG2000 decoder in OpenCV/FFmpeg has a heap overflow that lets us hijack code execution

**Result:** Send a malicious video URL to vLLM Completions or Invocations **for a video model** -> Execute arbitrary commands on the server. Completely default vLLM instance directly from pip, or docker, does not have auth
**CVE-2026-27966** · open · 4d ago · Langflow has Remote Code Execution in CSV Agent

**Summary:** The CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes LangChain’s Python REPL tool (`python_repl_ast`). As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection, leading to full Remote Code Execution (RCE).

**Description (intended functionality):** When building a flow such as *ChatInput → CSVAgent → ChatOutput*, users can attach an LLM and specify a CSV file path. The CSV Agent th
**CVE-2026-47392** · fixed · 4d ago · PraisonAI vulnerable to sandbox escape via `print.__self__` builtins module leak in `execute_code` (subprocess mode)

**Summary:** `execute_code()` in `praisonaiagents/tools/python_tools.py` (v1.6.37, subprocess sandbox mode) can be fully bypassed using `print.__self__` to retrieve the real Python `builtins` module, from which `__import__` can be extracted via `vars()` and runtime string construction. This achieves arbitrary OS command execution on the host, completely defeating the sandbox. This is a **novel bypass** that survives all patches for CVE-2026-39888 (frame traversal), CVE-2026-34938 (str subclass),
**CVE-2026-53811** · fixed · yesterday · OpenClaw: Matrix allowFrom could bind to mutable display names

**Summary:** Matrix allowFrom could bind to mutable display names. In affected versions, a Matrix account able to change display name metadata could match a policy entry through mutable display metadata. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth bound
**CVE-2026-53816** · fixed · yesterday · OpenClaw: Paired nodes could forge exec lifecycle events without system.run provenance

**Summary:** OpenClaw nodes send lifecycle events back to the gateway. In affected releases, a paired node could send an exec lifecycle event that was accepted without enough provenance tying it to an authorized `system.run` request. This issue affects the node event boundary. It does not allow an unauthenticated caller to reach the gateway; the attacker must already control a paired node connection.

**Affected configurations:** This affects deployments with a paired node where that node can s
Affected >= 0 · Fixed in 2026.5.18 · Jul 2, 2026

**CVE-2026-53806** · fixed · yesterday · OpenClaw: Combined POSIX shell options could confuse exec revalidation

**Summary:** Combined POSIX shell options could confuse exec revalidation. In affected versions, a command request using combined shell flags could parse approval-time and execution-time shell options differently. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or
Affected >= 0 · Fixed in 2026.5.12 · Jul 2, 2026

**CVE-2026-53813** · fixed · yesterday · OpenClaw: Fake package roots could influence memory-core artifact loading

**Summary:** Fake package roots could influence memory-core artifact loading. In affected versions, a local package root resolution path influenced by workspace state could select a package root that was not the intended bundled artifact root. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, app
Affected >= 0 · Fixed in 2026.4.25 · Jul 2, 2026
**CVE-2026-53819** · fixed · yesterday · OpenClaw: Workspace .env could override Homebrew executable selection for skill install flows

**Summary:** Workspace .env could override Homebrew executable selection for skill install flows. In affected versions, a workspace `.env` in a repository opened by a trusted operator could override the Homebrew executable used by the install helper. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate poli
Affected >= 0 · Fixed in 2026.5.27 · Jul 2, 2026
**GHSA-xr4f-mjxj-w6w5** · fixed · yesterday · OpenClaw: Non-owner chat senders could issue device-pairing bootstrap codes

**Summary:** The bundled device-pair plugin exposed `/pair` on normal chat command surfaces. In affected releases, authorized non-owner chat senders could issue device-pairing bootstrap codes without having owner, admin, or pairing scope. This issue does not affect unauthenticated users. The caller must already be allowed to send commands to the agent through a configured chat channel.

**Affected configurations:** This affects deployments where the bundled device-pair plugin is enabled and a n
**GHSA-qjpc-qf9m-xwmr** · fixed · yesterday · OpenClaw: Trusted-proxy Control UI WebSocket accepted client-declared scopes before pairing

**Summary:** In trusted-proxy Control UI mode, OpenClaw accepted a WebSocket client's declared operator scopes before those scopes were bound to a server-approved pairing or trusted-proxy authorization baseline. This issue affects trusted-proxy Control UI deployments. It does not apply to shared-secret Control UI sessions, which are treated as trusted operator sessions by design.

**Affected configurations:** This affects deployments using `gateway.auth.mode: "trusted-proxy"` for Control UI acc
Affected >= 0 · Fixed in 2026.5.18 · Jul 2, 2026
**GHSA-hw9r-h9mr-4jff** · fixed · yesterday · OpenClaw: Scoped chat.send route inheritance could bypass admin command scope gates

**Summary:** Some internal command handlers require `operator.approvals` or `operator.admin` scopes. In affected releases, a scoped Gateway `chat.send` request delivered through an inherited external route could be evaluated as an external-channel command while still carrying the lower Gateway client scopes. This issue affects scoped Gateway clients. It does not apply to shared-secret bearer HTTP compatibility endpoints, which are documented as full operator surfaces under OpenClaw's trust mode
Affected >= 0 · Fixed in 2026.5.18 · Jul 2, 2026

**GHSA-mhq8-78pj-5j79** · fixed · yesterday · OpenClaw's POSIX node system.run safe-bin allowlist could be widened by shell expansion

**Summary:** On POSIX nodes, OpenClaw's `system.run` safe-bin checks could approve a command before shell expansion changed how the command was interpreted. A value that appeared to be a safe-bin argument could expand into additional shell words and become a file operand. This issue is limited to paired POSIX node execution through `system.run` with safe-bin or allowlist-style auto-approval. It is not an unauthenticated node takeover.

**Affected configurations:** This affects deployments where
Affected >= 0 · Fixed in 2026.5.18 · Jul 2, 2026
**CVE-2026-35630** · fixed · yesterday · OpenClaw: QQBot native approval buttons did not enforce configured approver identity

**Summary:** OpenClaw's QQBot channel can deliver native approval buttons for exec and plugin approvals. In affected releases, the button callback path resolved approvals without enforcing the configured QQBot approver identity. The text command approval path used the authorization check; the issue was specific to native QQBot approval buttons.

**Affected configurations:** This affects deployments where QQBot native approval buttons are enabled and an approval message is visible to a QQ user w
Affected >= 0 · Fixed in 2026.5.18 · Jul 2, 2026

**CVE-2026-53814** · fixed · yesterday · OpenClaw: Hook-triggered CLI runs could receive owner MCP tool authority

**Summary:** OpenClaw hook ingress can start automated agent runs using a configured hook token. In affected releases, a hook-triggered run could select a bundled CLI backend that received owner-scoped MCP loopback authority instead of a scope appropriate for hook ingress. This issue affects the boundary between hook-token automation and owner-only MCP tools. It does not affect deployments with hooks disabled.

**Affected configurations:** This affects deployments where hooks are enabled, `/hoo
Affected >= 0 · Fixed in 2026.5.20 · Jul 2, 2026
**CVE-2026-53817** · fixed · yesterday · OpenClaw: Control UI locality spoofing could mint a durable admin device token

**Summary:** In affected LAN/shared-token Control UI deployments, a caller could spoof locality information used during Control UI pairing and obtain a durable admin-capable device token. This issue is limited to deployments where the caller already has the network/authentication foothold needed to reach the Control UI pairing path. It is not an unauthenticated internet exposure issue.

**Affected configurations:** This affects configurations such as LAN-bound gateways or shared-token Control U
Affected >= 0 · Fixed in 2026.5.22 · Jul 2, 2026
**CVE-2026-53810** · fixed · yesterday · OpenClaw's marketplace runtime extension metadata could point at unscanned payloads

**Summary:** Marketplace runtime extension metadata could point at unscanned payloads. In affected versions, a package selected for installation by a trusted operator could redirect runtime loading toward hidden package content that was not scanned as expected. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a se
Affected >= 0 · Fixed in 2026.5.18 · Jul 2, 2026
**CVE-2026-53812** · fixed · yesterday · OpenClaw's browser act interactions could bypass private-network navigation checks

**Summary:** OpenClaw's browser control SSRF checks blocked direct navigation to private or loopback URLs, but some Playwright `act` interactions could trigger navigation after the initial check. A later browser evaluation could then read from the page reached by that action-triggered navigation. This issue is specific to browser control actions and private-network navigation policy. Browser evaluation remains an intentional trusted-operator feature when it is used on pages that policy allowed
Affected >= 0 · Fixed in 2026.5.18 · Jul 2, 2026

**GHSA-xww8-gqvh-92x9** · fixed · yesterday · OpenClaw: Exec approval display truncation could hide the command being approved

**Summary:** OpenClaw exec approvals could show a shortened command in the approval UI while keeping the full original command for execution. For very long commands, an approver could see and approve a benign-looking prefix while a hidden suffix remained part of the command that would run after approval. This issue affects the approval display and binding for oversized exec commands. It does not make exec available to unauthenticated users, and it does not change OpenClaw's local-first trust mo
Affected >= 0 · Fixed in 2026.5.18 · Jul 2, 2026
**CVE-2026-50143** · fixed · 2d ago · Apify Model Context Protocol (MCP) server: Actor MCP path authority injection leaks Apify token

**Summary:** `@apify/actors-mcp-server` version `0.10.7` builds Actor standby URLs by directly concatenating a trusted base URL with an attacker-controlled `webServerMcpPath` value taken from an Actor definition returned by the Apify API. An attacker who publishes a malicious Actor with a crafted `webServerMcpPath` (e.g., `@attacker.example/mcp`) can cause the MCP client to resolve the final URL to an entirely different host. Because the M
**CVE-2026-49987** · fixed · 2d ago · repomix Vulnerable to Command Injection (RCE) via `--remote-branch` Argument Injection

**Vulnerability metadata:**

| Field | Detail |
| --- | --- |
| **Affected Component** | `src/core/git/gitCommand.ts` (`execGitShallowClone`) |
| **Impact** | Arbitrary Command Execution / Security Control Bypass |

**Summary:** The `--remote-branch` CLI option in `repomix` is vulnerable to argument injection. User-supplied input is passed directly to `git fetch` and `git checkout` subprocesses via `child_process.execFileAsync` without sanitization, `--` delimiters, or validation. An attacker ca
**CVE-2026-12243** · open · 4d ago · PYSEC-2026-597

NLTK version 3.9.4 is vulnerable to a path traversal attack due to an incomplete fix for GitHub Issue #3504. The `_UNSAFE_NO_PROTOCOL_RE` regex in `nltk/data.py` checks for literal `../` sequences but fails to account for percent-encoded traversal sequences such as `..%2f`. The `url2pathname()` function decodes these sequences after the validation step, allowing an attacker to bypass the protection. This vulnerability enables an attacker to read arbitrary files accessible to the Python process b
**CVE-2026-53818** · fixed · yesterday · OpenClaw: MCP loopback could skip owner-only tool policy for non-owner callers

**Summary:** MCP loopback could skip owner-only tool policy for non-owner callers. In affected versions, a non-owner caller reaching the affected loopback path could skip owner-only tool policy and before-tool-call hooks. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sand
Affected >= 0 · Fixed in 2026.4.24 · Jul 2, 2026
**GHSA-hcm3-8f6r-6xwg** · fixed · yesterday · OpenClaw: Browser debug/export routes could reuse already-open blocked tabs

**Summary:** Browser debug/export routes could reuse already-open blocked tabs. In affected versions, a caller that can reference an already-open browser tab could reuse blocked private-network tabs without reapplying the expected SSRF policy. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, app
Affected >= 0 · Fixed in 2026.4.29 · Jul 2, 2026

**GHSA-cqwv-9qjx-vxw2** · fixed · yesterday · OpenClaw: Skill Workshop apply flow could override pending approval

**Summary:** Skill Workshop apply flow could override pending approval. In affected versions, an agent tool call reaching the affected Skill Workshop apply path could set `apply: true` despite `approvalPolicy: pending`. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbo
**GHSA-p2fh-f5fc-44hr** · fixed · yesterday · OpenClaw: memory-wiki ingest could read local files with operator.write scope

**Summary:** memory-wiki ingest could read local files with operator.write scope. In affected versions, a Gateway caller with `operator.write` access to the plugin tool could read arbitrary local file paths instead of staying within the intended ingest sources. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a se
>= 0 | Fixed in 2026.5.12 | Jul 2, 2026

CVE-2026-53815 (fixed yesterday) OpenClaw: Message read actions could skip channel allowlist checks

### Summary

Message read actions could skip channel allowlist checks. In affected versions, a lower-trust caller with access to the affected message read action could request messages without the same channel allowlist check used by normal delivery. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate poli
>= 0 | Fixed in 2026.5.19 | Jul 2, 2026

GHSA-9c3v-684m-579c (fixed 2d ago) OpenClaw: MCP SSE redirects could forward Authorization headers

### Summary

MCP SSE redirects could forward Authorization headers. In affected versions, a lower-trust caller or configured input path could execute or persist actions beyond the caller's intended authorization. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or a
GHSA-3wqp-prf6-2m72 (fixed yesterday) OpenClaw: Feishu dynamic-agent bindings could miss configWrites enforcement

### Summary

Feishu dynamic-agent bindings could miss configWrites enforcement. In affected versions, a Feishu sender using dynamic-agent binding behavior could create or update bindings without honoring the configured config-write control. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approv
CVE-2026-53809 (fixed yesterday) OpenClaw: Embedded runner policy could be confused by provider aliases

### Summary

Embedded runner policy could be confused by provider aliases. In affected versions, a request using provider aliases could compare policy against an alias instead of the canonical provider identity. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or au
>= 0 | Fixed in 2026.4.25 | Jul 2, 2026

GHSA-p73f-w79w-jqr5 (fixed yesterday) OpenClaw: Native command authorization could skip owner-command enforcement

### Summary

Native command authorization could skip owner-command enforcement. In affected versions, a sender able to trigger native command handling could authorize a native command without enforcing the configured owner-only command policy. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, app
GHSA-j472-gf56-x589 (fixed yesterday) OpenClaw: PowerShell encoded-command aliases could miss exec allowlist checks

### Summary

PowerShell encoded-command aliases could miss exec allowlist checks. In affected versions, a command request using abbreviated encoded-command flags could use an alias form not recognized by the allowlist parser. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist,
>= 0 | Fixed in 2026.5.12 | Jul 2, 2026

GHSA-77q5-rr5v-x43q (fixed yesterday) OpenClaw: Trusted retry endpoint checks could match hostname prefixes

### Summary

Trusted retry endpoint checks could match hostname prefixes. In affected versions, a retry endpoint URL chosen by lower-trust input could pass validation by using a hostname prefix that resembled a trusted host. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, s
GHSA-w5ww-7chg-mxcq (fixed yesterday) OpenClaw: Telegram interactive callbacks could skip commands.allowFrom

### Summary

Telegram interactive callbacks could skip commands.allowFrom. In affected versions, a Telegram user able to invoke an affected callback could mark the callback as an authorized sender before applying `commands.allowFrom`. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, al
GHSA-4m3v-q747-pc6h (fixed yesterday) OpenClaw: Mattermost slash token revocation could lag until monitor refresh

### Summary

Mattermost slash token revocation could lag until monitor refresh. In affected versions, a caller with an old Mattermost slash token during the refresh window could continue accepting the old token until the monitor refreshed. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approva
>= 0 | Fixed in 2026.4.24 | Jul 2, 2026
GHSA-275c-xpvc-jgfw (fixed yesterday) OpenClaw: Slack and Zalo webhook secrets could remain active after secrets.reload

### Summary

Slack and Zalo webhook secrets could remain active after secrets.reload. In affected versions, a caller with an old webhook secret during the stale-secret window could keep accepting the previous secret after `secrets.reload`. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approva
>= 0 | Fixed in 2026.4.22 | Jul 2, 2026
GHSA-6c4r-g249-wv3c (fixed yesterday) OpenClaw: Sandboxed session spawn could expose the real workspace path to child prompts

### Summary

Sandboxed session spawn could expose the real workspace path to child prompts. In affected versions, a child session spawned from a sandboxed parent could forward the host workspace path into the child session prompt. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowl
>= 0 | Fixed in 2026.4.26 | Jul 2, 2026

GHSA-77pv-3w4q-vrj5 (fixed yesterday) OpenClaw: QQBot pre-dispatch slash commands could skip allowFrom checks

### Summary

QQBot pre-dispatch slash commands could skip allowFrom checks. In affected versions, a QQBot sender able to invoke slash commands could dispatch the command before applying the configured allowFrom policy. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox
>= 0 | Fixed in 2026.4.27 | Jul 2, 2026

GHSA-grc3-2j34-p6gm (fixed yesterday) OpenClaw: message.action forwarding could send Gateway credentials to model-supplied loopback URLs

### Summary

message.action forwarding could send Gateway credentials to model-supplied loopback URLs. In affected versions, model-controlled action metadata that selects a loopback Gateway URL could forward the action payload with Gateway credentials to the supplied loopback URL. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain
GHSA-w4v6-g3wm-w36c (fixed yesterday) OpenClaw: QQBot admin commands could skip DM-only and allowFrom policy

### Summary

QQBot admin commands could skip DM-only and allowFrom policy. In affected versions, a QQBot sender able to trigger the exported command could route admin commands without the QQBot-specific DM-only and allowFrom checks. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allo
>= 0 | Fixed in 2026.4.29 | Jul 2, 2026

GHSA-gp79-m99v-gjmh (fixed yesterday) OpenClaw: Mattermost handlers could fall open when channel type was missing

### Summary

Mattermost handlers could fall open when channel type was missing. In affected versions, a Mattermost event missing channel type metadata could continue without applying the intended DM policy decision. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, o
GHSA-c29c-2q9c-pc86 (fixed yesterday) OpenClaw: Slack allowFrom could bind to mutable display names

### Summary

Slack allowFrom could bind to mutable display names. In affected versions, a Slack account able to change display name metadata could match a policy entry through mutable display metadata. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundar
GHSA-jvm4-4j77-39p6 (fixed yesterday) OpenClaw: QQBot streaming command could mutate config without explicit allowFrom

### Summary

QQBot streaming command could mutate config without explicit allowFrom. In affected versions, a QQBot sender reaching the affected command could change configuration without requiring an explicit non-wildcard allowlist entry. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval
>= 0 | Fixed in 2026.4.29 | Jul 2, 2026
GHSA-83w9-h5wv-j9xm (fixed yesterday) OpenClaw: Node pairing reconnection could confuse approval scope state

### Summary

Node pairing reconnection could confuse approval scope state. In affected versions, a paired or reconnecting node session could mutate pairing state in a way that changed the approval scope decision. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or a
>= 0 | Fixed in 2026.5.27 | Jul 2, 2026
GHSA-wv26-j37q-2g7p (fixed yesterday) OpenClaw's Slack plugin approvals used the exec approver gate for plugin actions

### Summary

Slack plugin approvals used the exec approver gate for plugin actions. In affected versions, a Slack user authorized only for exec approvals could resolve a plugin approval through the exec approver gate. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox,
>= 0 | Fixed in 2026.5.12 | Jul 2, 2026

GHSA-rggc-m335-3wvj (fixed yesterday) OpenClaw: Same-host trusted-proxy deployments could accept local forged identity headers

### Summary

Same-host trusted-proxy deployments could accept local forged identity headers. In affected versions, a local same-host caller that can reach the proxy-facing Gateway port could supply identity headers normally reserved for the trusted proxy. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate
>= 0 | Fixed in 2026.5.18 | Jul 2, 2026
GHSA-qh2f-99mv-mrcf (fixed yesterday) OpenClaw: Bundle MCP loopback could miss its exec denylist on session spawn

### Summary

Bundle MCP loopback could miss its exec denylist on session spawn. In affected versions, a caller that can reach the affected bundled MCP session-spawn path could bypass the denylist that was intended for that loopback MCP entry point. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy
>= 0 | Fixed in 2026.5.12 | Jul 2, 2026
CVE-2026-49988 (fixed 2d ago) repomix: attach_packed_output can bypass file-read secret scanning for supported local files

# `attach_packed_output` can register arbitrary `.json/.txt/.md/.xml` files and bypass the MCP file-read safety check

## Summary

Repomix's MCP server exposes a normal `file_system_read_file` tool that reads absolute paths only after running the project's secret check. However, the `attach_packed_output` plus `read_repomix_output` flow can read arbitrary local `.json`, `.txt`, `.md`, or `.xml` files without the same safety check and without verifying that the file is actually a Repomix packed o
CVE-2026-49468 (fixed 4d ago) LiteLLM: Authentication Bypass via Host Header Injection

### Impact

A Host-header parsing flaw in the LiteLLM proxy could, under specific conditions, allow unauthenticated access to protected management routes. The auth layer derived the effective route from `request.url.path` in `litellm/proxy/auth/auth_utils.py::get_request_route()`, which Starlette reconstructs from the `Host` header. A crafted `Host` could therefore make the auth gate evaluate a different route from the one FastAPI dispatched. **Most deployments are not affected.** The bypass
CVE-2026-47708 (fixed 4d ago) MCP-for-Stata: Command injection via log_file_name parameter in Stata command wrapper

### Summary

The `log_file_name` parameter in the `stata_do` API and CLI is directly interpolated into a Stata command string without sanitization. The security guard (`GuardValidator`) only scans the do-file content but does not validate this parameter. An attacker can inject arbitrary Stata commands (including `shell`, `python`, `erase`, etc.) by crafting a malicious `log_file_name` containing quotes, newlines, or Stata command separators.

### Details

In `src/stata_mcp/stata/stata_do/do.py`,
CVE-2026-48797 (fixed 4d ago) Backpropagate: backprop ui --auth and backprop ui --share do not enforce authentication

## Summary

In `backpropagate >= 1.1.0`, the optional Reflex web UI (`pip install backpropagate[ui]`, launched via `backprop ui`) exposes a training control plane: dataset upload, model load, training start/stop, multi-run orchestration, GGUF export, and HuggingFace Hub push. The CLI accepts two operator-facing flags intended as security controls:

- `--auth user:pass` — documented as "require HTTP Basic authentication on every request to the UI."
- `--share` — documented as "expose the UI on a