This archive includes all published incident pages. Page 11 of 16.
Each page is intended to help a security team answer three questions quickly: why the issue is AI-relevant, what part of the workflow may be exposed, and what actions should happen first.
Selection criteria and correction policy are documented in Methodology & Editorial Policy.
Incident date: February 18, 2026 | Published: February 25, 2026
Summary Multiple webhook handlers accepted and buffered request bodies without a strict unified byte/time limit. A remote unauthenticated attacker could send oversized payloads and cause memory pressure, degrading availability.
Incident date: February 18, 2026 | Published: February 25, 2026
Summary Archive extraction lacked strict resource budgets, allowing high-expansion ZIP/TAR archives to consume excessive CPU/memory/disk during install/update flows. ## Affected Packages / Versions - openclaw (npm): <= 2026.2.
Incident date: February 18, 2026 | Published: February 25, 2026
Summary Base64-backed media inputs could be decoded into Buffers before enforcing decoded-size budgets. An attacker supplying oversized base64 payloads can force large allocations, causing memory pressure and denial of service.
Incident date: February 18, 2026 | Published: February 25, 2026
Summary OpenClaw's exec-approvals allowlist supports a small set of "safe bins" intended to be stdin-only (no positional file arguments) when running tools.exec.host=gateway|node with security=allowlist .
Incident date: February 18, 2026 | Published: February 25, 2026
Summary Command injection in the maintainer/dev script scripts/update-clawtributors.ts . ### Impact Affects contributors/maintainers (or CI) who run bun scripts/update-clawtributors.
Incident date: February 17, 2026 | Published: February 25, 2026
Summary Google Chat allowlisting supports matching by sender email in addition to immutable sender resource name ( users/ ). This weakens identity binding if a deployment assumes allowlists are strictly keyed by immutable principals.
Incident date: February 17, 2026 | Published: February 25, 2026
Summary A mismatch between rawCommand and command[] in the node host system.run handler could cause allowlist/approval evaluation to be performed on one command while executing a different argv.
Incident date: February 17, 2026 | Published: February 25, 2026
Summary The Feishu extension previously allowed sendMediaFeishu to treat attacker-controlled mediaUrl values as local filesystem paths and read them directly. ### Affected versions - = 2026.2.
Incident date: February 17, 2026 | Published: February 25, 2026
Summary OpenClaw macOS desktop client registers the openclaw:// URL scheme. For openclaw://agent deep links without an unattended key , the app shows a confirmation dialog that previously displayed only the first 240 characters of the...
Incident date: February 17, 2026 | Published: February 25, 2026
Summary In the optional Twitch channel plugin ( extensions/twitch ), allowFrom is documented as a hard allowlist of Twitch user IDs, but it was not enforced as a hard gate.