
chore(deps): update dependency openclaw to v2026.6.5 [security] #33

Open

renovate[bot] wants to merge 1 commit into main from renovate/npm-openclaw-vulnerability


Conversation

@renovate (Bot, Contributor) commented Jul 2, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| openclaw | 2026.6.1 → 2026.6.5 | (age badge) | (confidence badge) |

OpenClaw MCP SSE redirects could forward Authorization headers

GHSA-9c3v-684m-579c

Details

Summary

MCP SSE redirects could forward Authorization headers. In affected versions, a lower-trust caller or configured input path could execute or persist actions beyond the caller's intended authorization.

This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed.

Impact

When the affected feature is enabled and reachable, this could execute or persist actions beyond the caller's intended authorization. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path.

Patched Versions

The first stable patched version is 2026.6.5.

Mitigations

Upgrade to a patched OpenClaw release when one is listed. Before upgrading, restrict the affected feature to trusted operators or disable it when it is not needed. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

openclaw/openclaw (openclaw)

v2026.6.5

Highlights
Changes
  • Search/providers: add the Parallel bundled web-search plugin, registration contracts, onboarding integration, and guarded api.parallel.ai/v1/search support. (#85158) Thanks @NormallyGaussian and @vincentkoc.
  • Matrix/channels: add voice-message preflight and thread-aware read/reply behavior. (#78016, #90415) Thanks @frankdierolf.
  • Skills/ClawHub: install ClawHub skills backed by GitHub repositories through the resolved install API, download the pinned GitHub commit, keep install-policy checks, and report install telemetry after success. (#90478) Thanks @Patrick-Erichsen, @vincentkoc, @itsuzef, and @mcaxtr.
  • Google Chat/channels: add native approval card actions and click handling so Google Chat approvals use platform-native cards instead of generic message flow.
  • Mobile: Android provider/model screens now surface expiring, unavailable, unresolved, and attention states more clearly, while iOS settings and Talk tabs keep diagnostics, gateway rows, attachment labels, and unavailable Talk controls reachable. Thanks @joshavant and @shakkernerd.
  • Memory: QMD search can use the new rerank toggle, and memory adapter status uses the resolved default model identity when checking plain status. (#61834) Thanks @kouka-t0yohei and @vincentkoc.
  • QQBot: add /bot-group-allways on|off slash command (with named-account and default-account support) to toggle whether group messages require an @mention before the bot replies, and clear the runtime config snapshot after the write so the new account-level defaultRequireMention takes effect immediately without restart. (#91423) Thanks @cxyhhhhh, @joshavant, @vincentkoc, @itsuzef, @mcaxtr, and @jacobtomlinson.
Fixes
Complete contribution record

This audited record covers the complete v2026.6.2-beta.1..v2026.6.5 history: 142 merged PRs. The generation manifest also supplies direct commits as editorial input; the grouped notes above prioritize user impact.

Pull requests

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
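The redirect behaviour the advisory describes, as an added JavaScript example that is not OpenClaw's own code and does not claim to be the actual fix (the advisory does not describe one): a client-side redirect policy that forwards Authorization, Proxy-Authorization and Cookie only on same-origin hops, exercised against a constructed in-memory redirect chain. The hosts mcp.example.com and other.example.net, the bearer token, and the injected fetch stand-in are all assumptions made up for the example.

```javascript
// Added example, not OpenClaw's code: a redirect policy for an SSE/MCP client that
// drops credential headers when a redirect leaves the original origin (the failure
// mode in the advisory). Hosts, token and the injected fetch stand-in are constructed.
const CREDENTIAL_HEADERS = new Set(["authorization", "proxy-authorization", "cookie"]);

// Origin = scheme + host + port, so an https -> http downgrade counts as cross-origin.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Headers for the next hop: credential headers survive only a same-origin redirect.
function headersForRedirect(fromUrl, toUrl, headers) {
  const keep = sameOrigin(fromUrl, toUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (keep || !CREDENTIAL_HEADERS.has(name.toLowerCase())) out[name] = value;
  }
  return out;
}

// Follow redirects with a synchronous fetch-like fn (url, headers) -> {status, location}.
// Returns where the chain ended and exactly which headers were sent there.
function followRedirects(fetchImpl, url, headers, maxHops = 5) {
  let current = url, sent = { ...headers };
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = fetchImpl(current, sent);
    if (res.status < 300 || res.status >= 400 || !res.location) {
      return { url: current, status: res.status, headersSent: sent };
    }
    const next = new URL(res.location, current).toString(); // resolve a relative Location
    sent = headersForRedirect(current, next, sent);
    current = next;
  }
  throw new Error(`more than ${maxHops} redirects from ${url}`);
}

// Constructed network stand-in: the configured MCP server redirects once within its
// own origin, then to an unrelated origin. `seen` records the headers each URL received.
function demo() {
  const seen = {};
  const fetchImpl = (url, headers) => {
    seen[url] = { ...headers };
    if (url === "https://mcp.example.com/sse") return { status: 307, location: "/sse/v2" };
    if (url === "https://mcp.example.com/sse/v2")
      return { status: 302, location: "https://other.example.net/sse" };
    return { status: 200, location: null };
  };
  const headers = { Authorization: "Bearer constructed-token", Accept: "text/event-stream" };
  return { result: followRedirects(fetchImpl, "https://mcp.example.com/sse", headers), seen };
}
```

In the demo the same-origin hop still carries the bearer token, while the hop to other.example.net receives only the Accept header; the same check applied to an https-to-http redirect on one host also drops credentials.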

@github-actions (Bot) commented Jul 2, 2026

🦙 MegaLinter status: ✅ SUCCESS

Descriptor Linter Files Fixed Errors Warnings Elapsed time
✅ COPYPASTE jscpd yes no no 2.0s
✅ EDITORCONFIG editorconfig-checker 1 0 0 0.24s
✅ JSON jsonlint 1 0 0 0.4s
✅ JSON npm-package-json-lint yes no no 0.34s
✅ JSON v8r 1 0 0 7.71s
✅ REPOSITORY git_diff yes no no 0.24s
✅ REPOSITORY secretlint yes no no 0.77s
✅ REPOSITORY syft yes no no 3.57s
✅ REPOSITORY trivy yes no no 11.12s
✅ REPOSITORY trivy-sbom yes no no 1.14s
✅ REPOSITORY trufflehog yes no no 23.38s

See detailed report in MegaLinter reports
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

MegaLinter is graciously provided by OX Security
