Labs
Short research notes on newly disclosed vulnerabilities: the problem, the payload, and the fix.
- highCVE-2026-35338
CVE-2026-35338: uu_chmod --preserve-root Bypass via Unresolved Path
The Rust rewrite of chmod trusts the raw argument string rather than the resolved filesystem path, so passing '/../' instead of '/' silently bypasses the --preserve-root guard and lets a recursive chm
- criticalCVE-2026-49445
CVE-2026-49445: Cilium Envoy Admin Socket World-Accessible Permission Misconfiguration
When Cilium L7 policies are active, the Envoy admin Unix socket is created with world-accessible permissions, letting any local user on the node read TLS secrets, drain connections, or kill the Envoy
- highCVE-2022-46292
CVE-2022-46292: Open Babel MOPAC Output Parser Out-of-Bounds Write (UNIT CELL TRANSLATION)
Opening a crafted MOPAC output file with Open Babel causes the parser to write past the end of a fixed-size stack array, which can corrupt the stack and lead to arbitrary code execution.
- high
CVE-2026-53833: OpenClaw QQBot Incorrect Authorization on /bot-streaming Command
Any QQBot sender could invoke the /bot-streaming admin command and change OpenClaw streaming configuration, even without being on an explicit trusted-sender allowlist.
- high
CVE-2026-53823: OpenClaw Slack allowFrom Authentication Bypass via Mutable Display Names
OpenClaw's Slack allowlist matched on mutable display names instead of stable user IDs, letting any workspace member rename themselves to impersonate an allowlisted identity and gain agent access.
- high
CVE-2026-53821: openclaw Trusted-Proxy WebSocket Scope Elevation
A restricted or unpaired OpenClaw user on a trusted-proxy deployment could declare admin-level permissions on a WebSocket connection before the server ever verified those permissions, then use that au
- high
CVE-2026-53822: OpenClaw Shell Wrapper Argv TOCTOU Allowlist Bypass
OpenClaw's shell wrapper approval flow could be tricked into checking one command at approval time and running a completely different command at execution time, letting an attacker bypass the operator
- highCVE-2026-53810
CVE-2026-53810: openclaw Marketplace Runtime Extension Metadata Code Injection
A crafted marketplace plugin package can point OpenClaw's runtime extension loader at hidden, unscanned code files, letting an installed plugin run arbitrary logic that was never reviewed during insta
- high
CVE-2026-53832: openclaw Trusted-Proxy Identity Header Forgery via Same-Host Loopback
When OpenClaw's trusted-proxy auth mode was active, any local process on the same host could send a forged identity header directly to the Gateway port and authenticate as an arbitrary operator, bypas
- highCVE-2026-53817
CVE-2026-53817: openclaw Control UI Locality Spoofing to Admin Token Mint
A flaw in how OpenClaw validated the network locality of Control UI pairing requests let an attacker with existing network access forge a loopback identity signal, skip manual approval, and walk away
- highCVE-2026-53814
CVE-2026-53814: openclaw Hook-Triggered CLI Privilege Escalation to Owner MCP Scope
Anyone holding an openclaw hook token can trigger an agent run that silently receives full owner-level MCP tool authority, letting an outsider call tools that should only be available to the instance
- high
CVE-2026-35630: openclaw QQBot Native Approval Button Authorization Bypass
Any QQ user who can see an OpenClaw approval message could tap the native Allow button and authorize a pending exec or plugin action, even if they were not configured as an approver.