GHSA-2mc2-g238-722j: OpenClaw affected by iMessage remote attachment SCP hardening (strict host-key checks and remoteHost validation)
Remote iMessage attachment fetches used SCP with trust-on-first-use host-key behavior and accepted unvalidated remote host tokens.
Before the fix:
- SCP used `StrictHostKeyChecking=accept-new` in the remote attachment path.
- `channels.imessage.remoteHost` was not validated as a strict SSH host token.
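
The two hardening steps named in the title, as an added sketch (not OpenClaw's own code). The function names and the exact allowlist (`[user@]hostname` or `[user@]IPv4`) are assumptions, as is reading "strict host-key checks" as `StrictHostKeyChecking=yes`; the sample inputs are constructed.

```javascript
// Added example; function names are hypothetical, not taken from the project.
// Assumption: a "strict SSH host token" is [user@]hostname or [user@]IPv4.
const USER_RE = /^[A-Za-z_][A-Za-z0-9._-]{0,31}$/;
const LABEL_RE = /^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;

function isStrictSshHostToken(token) {
  if (typeof token !== "string" || token.length === 0 || token.length > 255) {
    return false;
  }
  // A leading "-" would be parsed by scp/ssh as an option, for example
  // "-oStrictHostKeyChecking=no", which would undo the host-key setting.
  if (token.startsWith("-")) return false;

  const at = token.lastIndexOf("@");
  const user = at === -1 ? null : token.slice(0, at);
  const host = at === -1 ? token : token.slice(at + 1);

  if (user !== null && !USER_RE.test(user)) return false;
  if (host.length === 0 || host.length > 253) return false;

  // Each dot-separated label is alphanumeric with inner hyphens only, which
  // also rejects whitespace, ":", "/", quotes and shell metacharacters.
  return host.split(".").every((label) => LABEL_RE.test(label));
}

function buildScpArgs(remoteHost, remotePath, localPath) {
  if (!isStrictSshHostToken(remoteHost)) {
    throw new Error("remoteHost is not a valid SSH host token");
  }
  return [
    // Never prompt; fail instead of waiting on a password or confirmation.
    "-o", "BatchMode=yes",
    // accept-new silently trusts the first key an unknown host presents;
    // yes refuses any host whose key is not already in known_hosts.
    "-o", "StrictHostKeyChecking=yes",
    // End of options: nothing after this is treated as a flag.
    "--",
    // remotePath is passed through unchanged; validating it is out of scope.
    `${remoteHost}:${remotePath}`,
    localPath,
  ];
}
```

With `StrictHostKeyChecking=yes`, the remote host's key has to be added to `known_hosts` out of band before the first fetch succeeds.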