Files
wehub-resource-sync 4ce4204b6c
CI / Lint (push) Failing after 2s
CI / Build (push) Has been skipped
SDK CI / PHP SDK (push) Failing after 1s
Split PHP SDK / PHP SDK tests (push) Failing after 1s
CI / Test (push) Failing after 1s
CI / Dashboard (push) Failing after 0s
SDK CI / JavaScript SDK (push) Failing after 0s
SDK CI / Python SDK (push) Failing after 2s
SDK CI / Java SDK (push) Failing after 1s
Split PHP SDK / Mirror sdk/php -> rmyndharis/openwa-php (push) Has been skipped
CI / Test (PostgreSQL migrations) (push) Failing after 7m47s
CI / Docker Build (push) Has been skipped
chore: import upstream snapshot with attribution
2026-07-13 12:24:08 +08:00

2.0 KiB

Security Policy

OpenWA is a self-hosted WhatsApp API gateway. It handles API-key authentication, WhatsApp session credentials, message data, and — optionally — access to the Docker socket. Security matters here, and we appreciate responsible disclosure.

Supported versions

Security fixes land on the latest minor release. Please upgrade older deployments.

Version Supported
0.8.x
< 0.8

Reporting a vulnerability

Please do not open a public issue, discussion, or PR for a security vulnerability.

Report it privately through either channel:

Please include, where possible:

  • A description of the issue and its impact
  • Steps to reproduce or a proof of concept
  • Affected version(s) and deployment details (Docker / bare metal, database, engine)

What to expect

  • An acknowledgement, typically within a few days
  • An assessment, and — where applicable — a coordinated fix and release
  • Credit in the advisory / release notes, unless you'd prefer to remain anonymous

Hardening notes for operators

OpenWA already ships several hardening measures: API-key auth with roles (ADMIN / OPERATOR / VIEWER), optional outbound webhook SSRF protection, a production CORS policy (wildcard origins refused in production), request body-size limits, a least-privilege Docker socket-proxy with a non-root container, and path-containment checks on storage import/export.

When exposing OpenWA, please review the security-relevant configuration documented in the README and docs/ — in particular CORS_ORIGINS, ALLOW_DEV_API_KEY, ENABLE_SWAGGER, WEBHOOK_SSRF_PROTECT, BODY_SIZE_LIMIT, and the Docker proxy setup. Never expose the dashboard/API to the public internet with the development API key enabled.