安全公告
腾讯朱雀实验室历史披露的漏洞(CVE / GHSA)汇总。 查看 JSON 格式open_in_new
-
open_in_new高危 CVE-2026-42427 CWE-78/CWE-184
OpenClaw: HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist — RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class)
deployed_code 影响范围:openclaw < 2026.4.8 calendar_today 发布日期:2026年4月9日 -
open_in_new中危 CVE-2026-42422 CWE-863
OpenClaw `device.token.rotate` mints tokens for unapproved roles, bypassing device role-upgrade pairing
deployed_code 影响范围:openclaw < 2026.4.8 calendar_today 发布日期:2026年4月9日 -
open_in_new中危 CVE-2026-42431 CWE-863
OpenClaw `node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard
deployed_code 影响范围:openclaw < 2026.4.8 calendar_today 发布日期:2026年4月9日 -
open_in_new中危 CVE-2026-41916 CWE-613
OpenClaw: resolvedAuth closure becomes stale after config reload
deployed_code 影响范围:openclaw < 2026.4.8 calendar_today 发布日期:2026年4月9日 -
open_in_new中危 CVE-2026-42421 CWE-613
OpenClaw: Existing WS sessions survive shared gateway token rotation
deployed_code 影响范围:openclaw < 2026.4.8 calendar_today 发布日期:2026年4月9日 -
open_in_new中危 CVE-2026-42426 CWE-269/CWE-863
OpenClaw `node.pair.approve` placed in `operator.write` scope instead of `operator.pairing` allows unprivileged pairing approval
deployed_code 影响范围:openclaw < 2026.4.8 calendar_today 发布日期:2026年4月9日 -
open_in_new中危 CVE-2026-42428 CWE-353
OpenClaw B-M3: ClawHub package downloads are not enforced with integrity verification
deployed_code 影响范围:openclaw < 2026.4.8 calendar_today 发布日期:2026年4月9日 -
open_in_new低危 CVE-2026-41915 CWE-78/CWE-184
OpenClaw: GIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant)
deployed_code 影响范围:openclaw < 2026.4.8 calendar_today 发布日期:2026年4月9日 -
open_in_new中危 GHSA-846p-hgpv-vphc CWE-22
OpenClaw: QQ Bot structured payloads could read arbitrary local files
deployed_code 影响范围:openclaw <= 2026.4.1 calendar_today 发布日期:2026年4月7日 -
open_in_new中危 CVE-2026-41407 CWE-208
OpenClaw: Shared-secret comparison call sites leaked length information through timing
deployed_code 影响范围:openclaw <= 2026.4.1 calendar_today 发布日期:2026年4月7日
每页
