Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
Fickling is a tool that checks whether pickle files (serialized Python objects) are safe to open. Researchers found that Fickling incorrectly marked dangerous pickle files as safe when they used network protocol constructors like SMTP, IMAP, FTP, POP3, Telnet, and NNTP, which establish outbound TCP connections during deserialization. The vulnerability has two causes: an incomplete blocklist of unsafe imports, and a logic flaw in the unused variable detector that fails to catch suspicious code patterns.
Fix: The incomplete blocklist issue is fixed in PR #233, which adds the six network-protocol modules (smtplib, imaplib, ftplib, poplib, telnetlib, and nntplib) to the UNSAFE_IMPORTS blocklist. The second root cause (the logic flaw in unused_assignments() function) is noted as unpatched in the source text.
GitHub Advisory DatabaseOpenClaw is a personal AI assistant with a macOS desktop client that can be triggered through deep links (special URLs that open apps). In versions 2026.2.6 through 2026.2.13, attackers could hide malicious commands by padding messages with whitespace, so users would see only a harmless preview but the full hidden command would execute when they clicked 'Run'. This works because the app only displayed the first 240 characters in the confirmation dialog before executing the entire message.
SillyTavern is a locally installed interface for interacting with text generation AI models and other AI tools. Versions before 1.16.0 had an SSRF vulnerability (server-side request forgery, where an attacker can make the server send requests to internal networks or services it shouldn't access), allowing authenticated users to read responses from internal services and private network resources through the asset download feature.
OpenClaw, an npm package, used SHA-1 (an outdated hashing algorithm with known weaknesses) to create identifiers for Docker and browser sandbox configurations. An attacker could exploit hash collisions (two different configurations producing the same hash) to trick the system into reusing the wrong sandbox, leading to cache poisoning (corrupting stored data) and unsafe sandbox reuse.
Microsoft's Semantic Kernel Python SDK has an RCE vulnerability (remote code execution, where an attacker can run commands on a system they don't own) in the `InMemoryVectorStore` filter functionality, which allows attackers to execute arbitrary code. The vulnerability affects the library used for building AI applications with vector storage (a database that stores AI embeddings, which are numerical representations of data).
CVE-2026-25338 is a missing authorization vulnerability in the Ays Pro AI ChatBot plugin (versions up to 2.7.4), meaning the software fails to properly check whether users have permission to access certain features. This security flaw allows attackers to exploit incorrectly configured access controls (the rules that decide who can do what in the software).
OpenClaw's sandbox configuration had a bug where the `normalizeForHash` function (a process that converts configuration settings into a unique identifier) was sorting arrays containing simple values, causing different array orders to produce identical hashes. This meant that sandbox containers (isolated software environments) weren't being recreated when only the order of configuration settings like DNS or file bindings changed, potentially leaving stale containers in use.
OpenClaw, a session management tool, had a visibility issue in shared multi-user environments where session tools (like `sessions_list` and `sessions_history`) could give users access to other people's session data when they shouldn't have it. Additionally, Telegram webhook mode didn't properly use account-level secret settings as a fallback. The risk is mainly in environments where multiple people share the same agent and don't fully trust each other.
OpenClaw, an npm package, had a vulnerability where Telegram bot tokens (the credentials used to access Telegram's bot API) could leak into logs and error messages because the package didn't hide them when logging. An attacker who obtained a leaked token could impersonate the bot and take control of its API access.
OpenClaw, a Docker sandbox tool, has a configuration injection vulnerability that could let attackers escape the container (a sandboxed computing environment) or access sensitive host data by injecting dangerous Docker options like bind mounts (attaching host directories into the container) or disabling security profiles. The issue affects versions 2026.2.14 and earlier.
OpenClaw, an AI agent tool, had a vulnerability where the current working directory (the folder path where the software is running) was inserted into the AI's instructions without cleaning it first. An attacker could use special characters in folder names, like line breaks or hidden Unicode characters, to break the instruction structure and inject malicious commands, potentially causing the AI to misuse its tools or leak sensitive information.
A query injection vulnerability exists in the `@langchain/langgraph-checkpoint-redis` package, where user-provided filter values are not properly escaped when constructing RediSearch queries (a search system built on Redis). Attackers can inject RediSearch syntax characters (like the OR operator `|`) into filter values to bypass thread isolation controls and access checkpoint data from other users or threads they shouldn't be able to see.
FFmpeg's TensorFlow backend has a bug where a task object gets freed twice in certain error situations, causing a double-free condition (a memory safety error where the same memory is released multiple times). This can crash FFmpeg or programs using it when processing TensorFlow-based DNN models (deep neural network models), resulting in a denial-of-service attack, but it does not allow attackers to run arbitrary code.
The Feishu extension in OpenClaw had two SSRF vulnerabilities (SSRF is server-side request forgery, where an attacker tricks a server into making requests to internal systems it shouldn't access) that allowed attackers to fetch attacker-controlled URLs without protection. An attacker who could influence tool calls, including through prompt injection (tricking an AI by hiding instructions in its input), could potentially access internal services and re-upload responses as media.
OpenClaw's manual OAuth login flow (a way to securely connect accounts using a third-party service) had a vulnerability where it didn't properly validate a security token called 'state', which could allow attackers to trick users into logging in with the wrong account. The automatic login flow was not affected by this issue.
The Claude CLI tool on macOS had a shell injection vulnerability (a security flaw where attackers can run arbitrary commands) in how it stored authentication tokens in the system keychain. The problem occurred because user-controlled OAuth tokens were directly inserted into shell commands without proper protection, allowing an attacker to break out of the intended command and execute malicious code.
OpenClaw, a browser download tool, had a path traversal vulnerability (a security flaw where an attacker could use special characters like `../` to write files outside the intended folder) in its download feature because it didn't validate the output file path. This vulnerability only affected users with authenticated access to the CLI or gateway RPC token (a special permission token), not regular AI agent users.
A vulnerability called server-side request forgery (SSRF, where an attacker tricks a server into making unwanted web requests) was found in Hugging Face's smolagents version 1.24.0, specifically in the LocalPythonExecutor component's requests.get and requests.post functions. An attacker can exploit this remotely, and the vulnerability has been publicly disclosed, though the vendor did not respond when contacted.
The Feishu extension in OpenClaw had a vulnerability where the `sendMediaFeishu` function could be tricked into reading files directly from a computer's filesystem by treating attacker-controlled file paths as input. An attacker who could influence how the tool behaves (either directly or through prompt injection, where hidden instructions are hidden in the AI's input) could steal sensitive files like `/etc/passwd`.
Fix: The issue is fixed in version 2026.2.14. The source also mentions mitigations: do not approve unexpected 'Run OpenClaw agent?' prompts triggered while browsing untrusted websites, and use deep links only with a valid authentication key for trusted personal automations.
NVD/CVE DatabaseFix: The vulnerability has been patched in version 1.16.0 by introducing a whitelist domain check for asset download requests. It can be reviewed and customized by editing the `whitelistImportDomains` array in the `config.yaml` file.
NVD/CVE DatabaseFix: Update to version 2026.2.15 or later. The fix replaces SHA-1 with SHA-256 (a stronger hashing algorithm with better collision resistance) for generating these sandbox identifiers.
GitHub Advisory DatabaseFix: Upgrade to python-1.39.4 or higher. As a temporary workaround, avoid using `InMemoryVectorStore` for production scenarios.
GitHub Advisory DatabaseFix: Update OpenClaw to version 2026.2.15 or later. The fix preserves array ordering during hash normalization, so only object key ordering remains normalized. This ensures that configuration changes affecting array order are properly detected and containers are recreated as needed.
GitHub Advisory DatabaseFix: Update to OpenClaw version 2026.2.15 or later. The fix implements: (1) Add and enforce `tools.sessions.visibility` configuration with options `self`, `tree`, `agent`, or `all`, defaulting to `tree` to limit what sessions users can see. (2) Keep sandbox clamping behavior to restrict sandboxed runs to spawned/session-tree visibility. (3) Resolve Telegram webhook secret from account config fallback in monitor webhook startup. See commit `c6c53437f7da033b94a01d492e904974e7bda74c`.
GitHub Advisory DatabaseFix: Upgrade to openclaw >= 2026.2.15 when released. Additionally, rotate the Telegram bot token if it may have been exposed.
GitHub Advisory DatabaseFix: Upgrade to OpenClaw version 2026.2.15 or later. The fix includes runtime enforcement when building Docker arguments, validation of dangerous settings like `network=host` and `unconfined` security profiles, and security audits to detect dangerous sandbox Docker configurations.
GitHub Advisory DatabaseFix: Update to OpenClaw version 2026.2.15 or later. The fix sanitizes the workspace path by stripping Unicode control/format characters and explicit line/paragraph separators before embedding it into any LLM prompt output, and applies the same sanitization during workspace path resolution as an additional defensive measure.
GitHub Advisory DatabaseFix: The 1.0.2 patch introduces an `escapeRediSearchTagValue()` function that properly escapes all RediSearch special characters (- . < > { } [ ] " ' : ; ! @ # $ % ^ & * ( ) + = ~ | \ ? /) by prefixing them with backslashes, and applies this escaping to all filter keys used in query construction.
GitHub Advisory DatabaseFix: Upgrade to OpenClaw version 2026.2.14 or newer. The fix routes Feishu remote media fetching through hardened runtime helpers that enforce SSRF policies and size limits.
GitHub Advisory DatabaseFix: The manual flow now requires the full redirect URL (must include both the authorization code and state parameter), validates the returned state against the expected value, and rejects code-only pastes. This fix is available in openclaw version 2026.2.14 and later (commit a99ad11a4107ba8eac58f54a3c1a8a0cf5686f47).
GitHub Advisory DatabaseFix: Update to version 2026.2.14 or later. The fix avoids invoking a shell by using `execFileSync("security", argv)` and passing the updated keychain payload as a literal argument instead of constructing a shell command string.
GitHub Advisory DatabaseFix: Upgrade to `openclaw` version 2026.2.13 or later. The fix restricts the `path` parameter to the default download directory using `resolvePathWithinRoot` in the gateway browser control routes `/wait/download` and `/download`.
GitHub Advisory DatabaseGitLab has a server-side request forgery vulnerability (SSRF, a flaw that allows attackers to make requests to internal networks on behalf of the server) that can be triggered when webhook functionality is enabled. This vulnerability is actively being exploited by attackers in the wild.
Fix: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CISA Known Exploited VulnerabilitiesFix: Upgrade to OpenClaw version 2026.2.14 or newer. The fix removes direct local file reads and routes media loading through hardened helpers that enforce local-root restrictions.
GitHub Advisory Database