Advisory

Over 60 Security Vulnerabilities Resolved in AI Assistant OpenClaw

Take action: As usual, vibe-coded and AI applications are dangerous. They are rushed, not properly tested and always in a state of Minimum Viable Product. If possible, AVOID THEM LIKE THE PLAGUE THAT THEY ARE. If you do use OpenClaw, upgrade to version 2026.2.14 or later ASAP. If you can't upgrade right away, make sure OpenClaw is not exposed to any untrusted networks and disable any extensions you're not actively using.


Learn More

OpenClaw, the open-source AI assistant capable of independently installing software, operating email programs, and controlling browser sessions, has patched more than 60 security vulnerabilities across its platform. 

The flaws, catalogued by CERT Bund from Germany's BSI as totaling 67 security issues, range in severity from low to critical and affect the openclaw and clawdbot npm packages as well as several optional extension plugins. Due to the extensive system privileges OpenClaw requires to function, successful exploitation of the most severe vulnerabilities could lead to complete compromise of workstations, CI runners, and servers running the node host. 

Users are strongly urged to upgrade to version 2026.2.14 or later, as all fixes have been incorporated into the latest release cycle.

Critical Severity Vulnerabilities

  • Remote Code Execution via Node Invoke Approval Bypass in Gateway (GHSA-gv46-4xfq-jv58, CVSS score 9.9): a remote code execution vulnerability in the gateway-to-node invocation path allowed an authenticated gateway client to bypass node-host exec approvals by injecting internal control fields into node.invoke parameters. This can lead to arbitrary command execution on connected node hosts and full compromise of developer workstations, CI runners, and servers. No CVE has been assigned.
  • Inbound Allowlist Policy Bypass in Voice-Call Extension (GHSA-4rj2-gpmh-qq5x, CVSS score 9.8): an authentication bypass in the optional voice-call extension allowed unapproved or anonymous callers to reach the voice-call agent when inbound policy was set to allowlist or pairing. The flaw resulted from suffix-based matching and acceptance of empty caller IDs after normalization, enabling two distinct bypass paths. No CVE has been assigned.
  • Path Traversal in Plugin Installation (GHSA-qrq5-wjgg-rvqw, CVSS score 9.3): a path traversal issue in OpenClaw plugin installation allowed a malicious plugin package name to escape the intended extensions directory and write files outside of it. Exploitation required the victim to run the plugin install command on attacker-controlled content. No CVE has been assigned.
  • Two SSRF vulnerabilities (GHSA-x22m-j5qq-j49m, CVSS score 9.3) via sendMediaFeishu and markdown image fetching in the Feishu extension. No CVE has been assigned.
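
The voice-call allowlist flaw above comes down to how a caller ID is compared after normalization. The following is an added example, not OpenClaw's code: it puts a suffix-based matcher next to a corrected one. The function names, the digits-only normalization, the minimum length and the sample allowlist are all assumptions made for illustration.

```javascript
// Added example with hypothetical names; not OpenClaw's code.
// Assumed normalization: keep digits only, so "+1 555 010 0199" -> "15550100199".
function normalizeCallerId(raw) {
  return String(raw ?? '').replace(/\D/g, '');
}

// Weak form: suffix comparison, and no check that anything survived normalization.
// An empty string is a suffix of every entry, so a missing caller ID is accepted.
function isAllowedWeak(rawCaller, allowlist) {
  const caller = normalizeCallerId(rawCaller);
  return allowlist.some((entry) => normalizeCallerId(entry).endsWith(caller));
}

// Corrected form: reject empty or implausibly short IDs, then require equality.
const MIN_DIGITS = 7; // assumed lower bound for a usable number
function isAllowedStrict(rawCaller, allowlist) {
  const caller = normalizeCallerId(rawCaller);
  if (caller.length < MIN_DIGITS) return false;
  return allowlist.some((entry) => normalizeCallerId(entry) === caller);
}

// Constructed sample allowlist; compare() reports both verdicts for one caller ID.
const ALLOWLIST = ['+1 555 010 0199'];
function compare(rawCaller) {
  return {
    weak: isAllowedWeak(rawCaller, ALLOWLIST),
    strict: isAllowedStrict(rawCaller, ALLOWLIST),
  };
}
```
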

High Severity Vulnerabilities

The majority of the remaining vulnerabilities are classified as high severity and span a wide range of attack vectors including shell injection, SSRF, path traversal, authentication bypass, and authorization escalation. The following high-severity flaws have been addressed:

  • CVE-2026-26317 (CVSS score 7.1) Cross-Site Request Forgery (CSRF) through loopback browser mutation endpoints, allowing malicious websites to trigger unauthorized state changes against a victim's local OpenClaw browser control plane
  • CVE-2026-26319 (CVSS score 7.5) Missing webhook authentication in the Telnyx voice-call provider, allowing unauthenticated callers to forge Telnyx events when the public key was not configured
  • CVE-2026-26320 (CVSS score High) macOS deep link confirmation truncation that could conceal the executed agent message, enabling social-engineering mediated arbitrary command execution
  • CVE-2026-26322 (CVSS score 7.6) Gateway tool accepted unrestricted gatewayUrl overrides, enabling SSRF via outbound WebSocket connections to user-specified targets
  • CVE-2026-26324 (CVSS score 7.5) SSRF guard bypass via full-form IPv4-mapped IPv6 literals, allowing requests to loopback, private network, and link-local metadata endpoints to pass SSRF protections
  • CVE-2026-26325 (CVSS score 7.2) Node host system.run rawCommand/command mismatch could bypass allowlist and approval enforcement
  • CVE-2026-26327 (CVSS score High) Unauthenticated discovery TXT records could steer routing and TLS pinning on shared/untrusted LANs
  • CVE-2026-26329 (CVSS score High) Path traversal in browser upload allowing arbitrary local file reads from the Gateway host
  • CVE-2026-25474 (CVSS score 7.5) Telegram webhook requests accepted without verifying secret token when webhookSecret was missing
  • CVE-2026-26316 (CVSS score 7.5) BlueBubbles webhook authentication bypass via loopback proxy trust
  • Exec allowlist bypass via command substitution/backticks inside double quotes (GHSA-3hcm-ggvf-rch5, CVSS score High), No CVE assigned
  • Shell injection in macOS keychain credential write (GHSA-4564-pvr2-qq4h, CVSS score High), No CVE assigned
  • SSRF in Image Tool remote fetch (GHSA-56f2-hvwg-5743, CVSS score 7.6), No CVE assigned
  • Arbitrary transcript path file write via gateway sessionFile (GHSA-64qx-vpxx-mvqf, CVSS score 7.1), No CVE assigned
  • Gateway /tools/invoke tool escalation and ACP permission auto-approval (GHSA-943q-mwmv-hhvh, CVSS score 8.8), No CVE assigned
  • MS Teams inbound attachment downloader leaking bearer tokens to allowlisted suffix domains (GHSA-7vwx-582j-j332, CVSS score 7.4), No CVE assigned
  • Potential access-group authorization bypass / Telegram webhook forgery (GHSA-fhvm-j76f-qmjv, CVSS score High), No CVE assigned
  • Gateway connect skipping device identity checks when auth.token was present but not yet validated (GHSA-rv39-79c4-7459, CVSS score High), No CVE assigned
  • Windows cmd.exe parsing bypass of exec allowlist/approval gating (GHSA-qj77-c3c8-9c3q, CVSS score High), No CVE assigned
  • Authorization bypass allowing operator.write to resolve exec approvals via /approve command (GHSA-mqpw-46fh-299h, CVSS score 7.2), No CVE assigned
  • Browser Relay /cdp WebSocket missing authentication enabling cross-tab cookie access (GHSA-mr32-vwc2-5j6h, CVSS score High), No CVE assigned
  • Unauthenticated Nostr profile HTTP endpoints allowing remote profile/config tampering (GHSA-mv9j-6xhh-g383, CVSS score High), No CVE assigned
  • Zip Slip path traversal in TAR archive extraction (GHSA-p25h-9q54-ffvw, CVSS score 8.1), No CVE assigned
  • Path traversal in browser trace/download output paths allowing arbitrary file writes (GHSA-gq9c-wg68-gwj2, CVSS score 7.5), No CVE assigned
  • Hook session key override enabling targeted cross-session routing (GHSA-hv93-r4j3-q65f, CVSS score 7.1), No CVE assigned
  • Denial of service via unbounded URL-backed media fetch causing memory exhaustion (GHSA-j27p-hq53-9wgc, CVSS score 7.5), No CVE assigned
  • Command hijacking via unsafe PATH handling in bootstrapping and node-host PATH overrides (GHSA-jqpq-mgvm-f9r6, CVSS score 8.8), No CVE assigned
  • Missing authentication for local browser-control endpoints (GHSA-qpjj-47vm-64pj, CVSS score 7.7), No CVE assigned
  • Authentication bypass in sandbox browser bridge server (GHSA-h9g4-589h-68xv, CVSS score 7.1), No CVE assigned
  • Denial of service via unbounded webhook request body buffering (GHSA-q447-rj3r-2cgh, CVSS score 7.5), No CVE assigned
  • Nextcloud Talk allowlist bypass via actor.name display name spoofing (GHSA-r5h9-vjqc-hq3r, CVSS score High), No CVE assigned
  • LFI in BlueBubbles media path handling allowing arbitrary local file exfiltration (GHSA-rwj8-p9vq-25gv, CVSS score 7.5), No CVE assigned
  • Potential code execution via unsafe hook module path handling in Gateway (GHSA-v6c6-vqqg-w888, CVSS score 7.2), No CVE assigned
  • Path traversal (Zip Slip) in archive extraction during explicit installation commands (GHSA-v892-hwpg-jwqp, CVSS score High), No CVE assigned
  • Sandbox skill mirroring path traversal writing outside the sandbox workspace (GHSA-xw4p-pw82-hqr7, CVSS score 7.7), No CVE assigned
  • Google Chat shared-path webhook target ambiguity allowing cross-account policy-context misrouting (GHSA-rq6g-px6m-c248, CVSS score High), No CVE assigned
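
For the IPv4-mapped IPv6 item (CVE-2026-26324), a guard has to treat every spelling of the same address alike. The following added example, which is not OpenClaw's implementation, expands an IPv6 literal to eight groups before classifying it, so the compressed, full-form and dotted-tail spellings all reach the same IPv4 range check. All function names and the set of blocked ranges are assumptions.

```javascript
// Added example; hypothetical names, not OpenClaw's implementation.
function parseIPv4(s) { // dotted quad -> four octets, or null
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  return o.every((n) => n <= 255) ? o : null;
}

// Any IPv6 spelling (compressed, full-form, dotted tail) -> 8 numeric groups, or null.
function expandIPv6(s) {
  let text = s;
  const cut = text.lastIndexOf(':') + 1;
  if (text.slice(cut).includes('.')) {
    const v4 = parseIPv4(text.slice(cut));
    if (!v4) return null;
    const hex = (a, b) => ((a << 8) | b).toString(16);
    text = text.slice(0, cut) + hex(v4[0], v4[1]) + ':' + hex(v4[2], v4[3]);
  }
  const halves = text.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const rest = halves[1] ? halves[1].split(':') : [];
  const gap = 8 - head.length - rest.length;
  if (halves.length === 1 ? gap !== 0 : gap < 1) return null;
  const groups = [...head, ...Array(gap).fill('0'), ...rest];
  if (!groups.every((g) => /^[0-9a-fA-F]{1,4}$/.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

function isBlockedIPv4(o) {
  return o[0] === 0 || o[0] === 10 || o[0] === 127 ||
    (o[0] === 169 && o[1] === 254) ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168);
}
// True when the literal points at loopback, private or link-local space.
function isBlockedIpLiteral(host) {
  const h = host.replace(/^\[|\]$/g, '');
  const v4 = parseIPv4(h);
  if (v4) return isBlockedIPv4(v4);
  if (!h.includes(':')) return false; // a hostname: resolve it, then check each address
  const g = expandIPv6(h);
  if (!g) return true; // malformed IPv6 literal: fail closed
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) { // IPv4-mapped
    return isBlockedIPv4([g[6] >> 8, g[6] & 255, g[7] >> 8, g[7] & 255]);
  }
  const loopbackOrUnspecified = g.slice(0, 7).every((x) => x === 0) && g[7] <= 1;
  return loopbackOrUnspecified || (g[0] & 0xffc0) === 0xfe80 || (g[0] & 0xfe00) === 0xfc00;
}
```

The same check has to run on every address a hostname resolves to, and again after each redirect, because this function only classifies literals.
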

Moderate and Low Severity Vulnerabilities

In addition to the critical and high-severity issues, the update also addresses approximately 20 moderate and low severity vulnerabilities. These include:

  • CVE-2026-24764 (CVSS score Low) Slack integration allowing channel metadata to influence system prompts (prompt injection surface)
  • CVE-2026-26326 (CVSS score Moderate) skills.status leaking secrets to operator.read clients
  • CVE-2026-26328 (CVSS score Moderate) iMessage group allowlist authorization inheriting DM pairing-store identities
  • CVE-2026-26323 (CVSS score Moderate) Command injection in the maintainer clawtributors updater script
  • CVE-2026-26972 (CVSS score Moderate) Path traversal in browser download functionality
  • Voice-call webhook verification bypass behind certain proxy configurations (GHSA-3m3q-x3gj-f79x), No CVE assigned
  • Config writes persisting resolved secrets to disk / non-constant-time token comparison (GHSA-47q7-97xp-m272), No CVE assigned
  • Unsanitized session ID enabling path traversal in transcript file operations (GHSA-5xfq-5mr7-426q), No CVE assigned
  • Hook transform module path traversal allowing arbitrary JavaScript module loading (GHSA-7xhj-55q9-pc3m), No CVE assigned
  • Chutes manual OAuth state validation bypass causing credential substitution (GHSA-7rcp-mxpq-72pj), No CVE assigned
  • Twilio voice-call webhook auth bypass when ngrok loopback compatibility is enabled (GHSA-c37p-4qqg-3p76), No CVE assigned
  • Google Chat spoofing access with allowlist authorized mutable email principal (GHSA-chm2-m3w2-wcxm), No CVE assigned
  • Non-constant-time token comparison in hooks authentication (GHSA-jmm5-fvh5-gf4p), No CVE assigned
  • Telegram allowlist authorization accepting mutable usernames (GHSA-mj5r-hh7j-4gxf), No CVE assigned
  • Matrix allowlist bypass via displayName and cross-homeserver localpart matching (GHSA-rmxw-jxxx-4cpc), No CVE assigned
  • SSRF via attachment/media URL hydration (GHSA-wfp2-v9c7-fh79), No CVE assigned
  • Webhook auth bypass when gateway is behind a reverse proxy via loopback remoteAddress trust (GHSA-xc7w-v5x6-cc87), No CVE assigned
  • Chrome extension relay binding publicly due to wildcard treated as loopback (GHSA-qw99-grcx-4pvm), No CVE assigned
  • Denial of service through unguarded archive extraction via high expansion ZIP/TAR (GHSA-h89v-j3x9-8wqj), No CVE assigned
  • Denial of service through large base64 media files allocating buffers before limit checks (GHSA-w2cg-vxx6-5xjg), No CVE assigned
  • Inter-session prompts treated as direct user instructions (GHSA-w5c7-9qqw-6645), No CVE assigned
  • Exec approvals safeBins bypassing stdin-only constraints via shell expansion (GHSA-xvhf-x56f-2hpp), No CVE assigned
  • Slack dmPolicy=open allowing any DM sender to run privileged slash commands (GHSA-v773-r54f-q32w), No CVE assigned
  • Log poisoning via WebSocket headers enabling indirect prompt injection (GHSA-g27f-9qjv-22pm), No CVE assigned
  • Unvalidated PID kill via SIGKILL in process cleanup (GHSA-jfv4-h8mc-jcp8), No CVE assigned
  • SSRF in optional Tlon (Urbit) extension authentication (GHSA-pg2v-8xwh-qhcc), No CVE assigned

OpenClaw has patched these vulnerabilities in its latest releases. 

The majority of fixes ship in version 2026.2.14, and some earlier fixes are available in versions 2026.2.1, 2026.2.2, 2026.2.12, and 2026.2.13 depending on the specific vulnerability. 

Users should upgrade to at least version 2026.2.14 to ensure all disclosed vulnerabilities are addressed. As a mitigating measure, users who can't immediately upgrade should keep the Gateway bound to loopback only, avoid exposing it to untrusted networks, rotate any potentially compromised tokens and credentials, and disable optional extensions (voice-call, BlueBubbles, Nostr, Tlon, MS Teams, Feishu) that are not actively in use.
