5.3
OpenClaw allows attackers to intercept iMessage attachments
GHSA-2mc2-g238-722j
Summary
OpenClaw, a tool for sending iMessage attachments, has a security weakness that could let an attacker intercept and read sensitive data. The cause is that OpenClaw does not strictly verify the identity of the server it connects to when fetching attachments, which leaves it open to man-in-the-middle attacks. The fix makes OpenClaw require strict verification of the server's identity and reject any connection that fails it. Until they have updated, users should be cautious when using OpenClaw and keep their software up to date.
What to do
- Update openclaw to version 2026.2.19.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.17 | 2026.2.19 |
Original title
OpenClaw affected by iMessage remote attachment SCP hardening (strict host-key checks and remoteHost validation)
Original description
## Summary
Remote iMessage attachment fetches used SCP with trust-on-first-use host-key behavior and accepted unvalidated remote host tokens.
Before the fix:
- SCP used `StrictHostKeyChecking=accept-new` in the remote attachment path.
- `channels.imessage.remoteHost` was not validated as a strict SSH host token.
## Impact
In remote iMessage deployments that use SCP attachment fetching, a first-connection MITM/DNS-poisoning scenario could cause the wrong host key to be trusted. Unsafe remote host token values could also alter SCP argument semantics.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version currently affected: `2026.2.17`
- Vulnerable range (structured field): `<= 2026.2.17`
- Patched version (pre-set for next release): `>= 2026.2.19`
## Fix
The fix hardens remote attachment SSH/SCP handling by:
- requiring `StrictHostKeyChecking=yes` for SCP and SSH tunnel paths,
- adding strict `remoteHost` normalization/validation,
- adding a `--` argument barrier for SCP remote source parsing,
- validating `channels.imessage.remoteHost` in config schema,
- rejecting unsafe auto-detected host tokens at runtime.
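The host-token validation and the `--` argument barrier described above, as an added example that is not OpenClaw's own code: the function names, the accepted token grammar (optional `user@`, then a hostname, IPv4 address or bracketed IPv6 literal) and the extra `BatchMode=yes` option are assumptions made for this illustration.

```javascript
// Added example, not OpenClaw's implementation. Accept only a strict SSH
// destination token so a config value can never be parsed as an scp option
// or smuggle extra arguments. Names and grammar are assumptions.
const USER_RE = /^[A-Za-z0-9._-]+$/;
const HOST_RE =
  /^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$/;
const IPV6_RE = /^\[[0-9A-Fa-f:.]+\]$/;

// Returns the normalized token, or null if it is not a safe SSH host token.
function validateRemoteHost(token) {
  if (typeof token !== "string") return null;
  const trimmed = token.trim();
  if (trimmed === "" || trimmed !== token) return null; // no surrounding whitespace
  if (trimmed.startsWith("-")) return null;             // would be read as an option
  let user = null;
  let host = trimmed;
  const at = trimmed.lastIndexOf("@");
  if (at !== -1) {
    user = trimmed.slice(0, at);
    host = trimmed.slice(at + 1);
    if (!USER_RE.test(user)) return null;
  }
  // Rejects spaces, ":" (host:path forms), "=" and shell metacharacters.
  if (!(HOST_RE.test(host) || IPV6_RE.test(host))) return null;
  return user ? `${user}@${host}` : host;
}

// Build the scp argv as an array (never a shell string). All options come
// before "--", so the remote source can never be interpreted as an option,
// and StrictHostKeyChecking=yes fails closed on unknown or changed host keys.
function buildScpArgs(remoteHost, remotePath, localPath) {
  const host = validateRemoteHost(remoteHost);
  if (host === null) {
    throw new Error(`unsafe remoteHost token: ${JSON.stringify(remoteHost)}`);
  }
  return [
    "scp",
    "-o", "StrictHostKeyChecking=yes",
    "-o", "BatchMode=yes", // assumption: abort instead of prompting
    "--",
    `${host}:${remotePath}`,
    localPath,
  ];
}
```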
## Fix Commit(s)
- Pushed to `main`: 49d0def6d1e88f002026b1d2a35aa615d48a751a
OpenClaw thanks @allsmog for reporting.
GHSA CVSS 4.0 score: 5.3
Vulnerability type:
- CWE-78: OS Command Injection
- CWE-295: Improper Certificate Validation
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026