GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
8 advisories
OpenClaw's elevated allowFrom accepted broader identity signals than specified within sender-scoped authorization
Moderate
GHSA-f6h3-846h-2r8w
was published
for
openclaw
(npm)
Mar 4, 2026
OpenClaw's commands.allowFrom sender authorization accepted conversation identifiers via ctx.From
High
GHSA-2ch6-x3g4-7759
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw's typed sender-key matching for toolsBySender prevents identity-collision policy bypass
Moderate
CVE-2026-32039
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw has exec allowlist/safeBins policy-runtime mismatch via env -S wrapper interpretation
Moderate
GHSA-796m-2973-wc5q
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw has a Feishu allowFrom authorization bypass via display-name collision
Moderate
CVE-2026-32021
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw's voice-call Twilio webhook replay could bypass manager dedupe because normalized event IDs were randomized per parse
Moderate
CVE-2026-32053
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw voice-call media stream validated streams after upgrade, which could allow pre-start unauthenticated sockets to increase resource pressure
High
CVE-2026-32062
was published
for
@openclaw/voice-call
(npm)
Mar 2, 2026
OpenClaw's exec allow-always can be bypassed via unrecognized multiplexer shell wrappers (busybox/toybox sh -c)
Moderate
CVE-2026-22175
was published
for
openclaw
(npm)
Mar 2, 2026
ProTip!
Advisories are also available from the
GraphQL API