Vulnerabilities

OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows reading arbitrary local files outside the config directory boundary. Attackers with config modification capabilities can exploit this by specifying absolute paths, traversal sequences, or symlinks to access sensitive files readable by the OpenClaw process user, including API keys and credentials.

OpenClaw versions2026.2.21-2 prior to 2026.2.22 and @openclaw/voice-call versions 2026.2.21 prior to 2026.2.22 accept media-stream WebSocket upgrades before stream validation, allowing unauthenticated clients to establish connections. Remote attackers can hold idle pre-authenticated sockets open to consume connection resources and degrade service availability for legitimate streams.

The JetBooking plugin for WordPress is vulnerable to SQL Injection via the 'check_in_date' parameter in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

OpenClaw version 2026.2.22-2 prior to 2026.2.23 tools.exec.safeBins validation for sort command fails to properly validate GNU long-option abbreviations, allowing attackers to bypass denied-flag checks via abbreviated options. Remote attackers can execute sort commands with abbreviated long options to skip approval requirements in allowlist mode.

OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in apply_patch that allows attackers to write or delete files outside the configured workspace directory. When apply_patch is enabled without filesystem sandbox containment, attackers can exploit crafted paths including directory traversal sequences or absolute paths to escape workspace boundaries and modify arbitrary files.

A vulnerability was determined in itsourcecode University Management System 1.0. This vulnerability affects unknown code of the file /att_add.php. This manipulation of the argument Name causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized.

A vulnerability was found in H3C ACG1000-AK230 up to 20260227. This affects an unknown part of the file /webui/?aaa_portal_auth_local_submit. The manipulation of the argument suffix results in command injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name_directory_name' parameter in all versions up to, and including, 1.32.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in versions 1.30.3 and 1.32.1.

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer<br /> performs a redirect to a second URL, curl could leak that token to the second<br /> hostname under some circumstances.<br /> <br /> If the hostname that the first request is redirected to has information in the<br /> used .netrc file, with either of the `machine` or `default` keywords, curl<br /> would pass on the bearer token set for the first host also to the second one.

curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a<br /> server, even if the new request uses different credentials for the HTTP proxy.<br /> The proper behavior is to create or use a separate connection.

When doing a second SMB request to the same host again, curl would wrongly use<br /> a data pointer pointing into already freed memory.

libcurl can in some circumstances reuse the wrong connection when asked to do<br /> an Negotiate-authenticated HTTP or HTTPS request.<br /> <br /> libcurl features a pool of recent connections so that subsequent requests can<br /> reuse an existing connection to avoid overhead.<br /> <br /> When reusing a connection a range of criterion must first be met. Due to a<br /> logical error in the code, a request that was issued by an application could<br /> wrongfully reuse an existing connection to the same server that was<br /> authenticated using different credentials. One underlying reason being that<br /> Negotiate sometimes authenticates *connections* and not *requests*, contrary<br /> to how HTTP is designed to work.<br /> <br /> An application that allows Negotiate authentication to a server (that responds<br /> wanting Negotiate) with `user1:password1` and then does another operation to<br /> the same server also using Negotiate but with `user2:password2` (while the<br /> previous connection is still alive) - the second request wrongly reused the<br /> same connection and since it then sees that the Negotiate negotiation is<br /> already made, it just sends the request over that connection thinking it uses<br /> the user2 credentials when it is in fact still using the connection<br /> authenticated for user1...<br /> <br /> The set of authentication methods to use is set with `CURLOPT_HTTPAUTH`.<br /> <br /> Applications can disable libcurl&amp;#39;s reuse of connections and thus mitigate this<br /> problem, by using one of the following libcurl options to alter how<br /> connections are or are not reused: `CURLOPT_FRESH_CONNECT`,<br /> `CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the<br /> curl_multi API).