Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit b14e3d543bd3 · 2026-04-08T19:29:09.000Z
GHSA-8fmp-37rc-p5g7 GHSA-3xxc-pwj6-jgrj GHSA-h259-74h5-4rh9
diff --git a/advisories/github-reviewed/2026/03/GHSA-8fmp-37rc-p5g7/GHSA-8fmp-37rc-p5g7.json b/advisories/github-reviewed/2026/03/GHSA-8fmp-37rc-p5g7/GHSA-8fmp-37rc-p5g7.json
@@ -1,17 +1,21 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-8fmp-37rc-p5g7",
-  "modified": "2026-03-19T18:34:44Z",
+  "modified": "2026-04-08T19:26:19Z",
   "published": "2026-03-03T19:53:02Z",
   "aliases": [
     "CVE-2026-22177"
   ],
   "summary": "OpenClaw's config env vars allowed startup env injection into service runtime",
   "details": "### Summary\nOpenClaw allowed dangerous process-control environment variables from `env.vars` (for example `NODE_OPTIONS`, `LD_*`, `DYLD_*`) to flow into gateway service runtime environments, enabling startup-time code execution in the OpenClaw process context.\n\n### Details\n`collectConfigEnvVars()` accepted unfiltered keys from config and those values were merged into the daemon install environment in `buildGatewayInstallPlan()`. Before the fix, startup-control variables were not blocked in this path.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published affected version: `2026.2.19-2` (published February 19, 2026)\n- Affected range (structured): `<=2026.2.19-2 || =2026.2.19`\n- Patched version (pre-set for next release): `>= 2026.2.21`\n\n### Fix Commit(s)\n- `2cdbadee1f8fcaa93302d7debbfc529e19868ea4`\n\n### Release Process Note\n`patched_versions` is pre-set to the planned next release (`2026.2.21`). Once that npm release is published, this advisory is ready to publish without further content edits.\n\nOpenClaw thanks @tdjackey for reporting.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
@@ -40,6 +44,10 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8fmp-37rc-p5g7"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w9j9-w4cp-6wgr"
+    },
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22177"
@@ -61,7 +69,7 @@
     "cwe_ids": [
       "CWE-15"
     ],
-    "severity": "HIGH",
+    "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-03T19:53:02Z",
     "nvd_published_at": "2026-03-18T02:16:21Z"
diff --git a/advisories/github-reviewed/2026/04/GHSA-3xxc-pwj6-jgrj/GHSA-3xxc-pwj6-jgrj.json b/advisories/github-reviewed/2026/04/GHSA-3xxc-pwj6-jgrj/GHSA-3xxc-pwj6-jgrj.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3xxc-pwj6-jgrj",
-  "modified": "2026-04-08T15:00:23Z",
+  "modified": "2026-04-08T19:26:29Z",
   "published": "2026-04-08T15:00:23Z",
   "aliases": [
     "CVE-2026-33753"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/trailofbits/rfc3161-client/security/advisories/GHSA-3xxc-pwj6-jgrj"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33753"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/trailofbits/rfc3161-client/commit/4f7d372297b4fba7b0119e9f954e4495ec0592c0"
@@ -63,6 +67,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-08T15:00:23Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-08T16:16:23Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/04/GHSA-h259-74h5-4rh9/GHSA-h259-74h5-4rh9.json b/advisories/github-reviewed/2026/04/GHSA-h259-74h5-4rh9/GHSA-h259-74h5-4rh9.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-h259-74h5-4rh9",
-  "modified": "2026-04-08T15:00:17Z",
+  "modified": "2026-04-08T19:26:25Z",
   "published": "2026-04-08T15:00:17Z",
   "aliases": [
     "CVE-2026-33229"
@@ -97,6 +97,10 @@
       "type": "WEB",
       "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h259-74h5-4rh9"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33229"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/xwiki/xwiki-platform/commit/9fe84da66184c05953df9466cf3a4acd15a46e63"
@@ -121,6 +125,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-08T15:00:17Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-08T16:16:23Z"
   }
 }
