CRITICAL9.9CVE-2026-22172OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes from 0, < 2026.3.12
CRITICAL9.9CVE-2026-28466OpenClaw Vulnerable to Remote Code Execution via Node Invoke Approval Bypass in Gateway from 0, < 2026.2.14
CRITICAL9.8CVE-2026-44109OpenClaw: Feishu webhook and card-action validation now fail closed from 0, < 2026.4.15
CRITICAL9.8OpenClaw: Unbound bootstrap setup codes allow privilege escalation during pairing
from 0, < 2026.3.22
CRITICAL9.8OpenClaw: Google Chat and Zalouser group sender allowlist bypass via policy downgrade
from 0, < 2026.3.28
CRITICAL9.8OpenClaw: node.pair.approve missing callerScopes validation allows low-privilege operator to approve malicious nodes
from 0, < 2026.3.28
CRITICAL9.8OpenClaw: Zalo channel downloads media before sender authorization
from 0, < 2026.3.28
CRITICAL9.8OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting
from 0, < 2026.2.14
CRITICAL9.8OpenClaw has a potential access-group authorization bypass if channel type lookup fails
from 0, < 2026.2.1
CRITICAL9.8OpenClaw has an exec allowlist bypass via command substitution/backticks inside double quotes
from 0, < 2026.2.2
CRITICAL9.8OpenClaw's Windows cmd.exe parsing may bypass exec allowlist/approval gating
from 0, < 2026.2.2
CRITICAL9.8OpenClaw's gateway connect could skip device identity checks when auth.token was present but not yet validated
from 0, < 2026.2.2
CRITICAL9.6OpenClaw: OpenShell Mirror Sync — Sandbox Escape via Unrestricted File Sync + Symlink Traversal
from 0, < 2026.3.31
CRITICAL9.6OpenClaw has a CWD `.env` environment variable injection which bypasses host-env policy and allows config takeover
from 0, < 2026.3.28
CRITICAL9.6OpenClaw's incomplete host env sanitization blocklist allows supply-chain redirection via package-manager env overrides
from 0, < 2026.3.22
CRITICAL9.4OpenClaw: Plugin subagent routes could bypass gateway authorization with synthetic admin scopes
>= 2026.3.7, < 2026.3.11
CRITICAL9.4OpenClaw has an inbound allowlist policy bypass in voice-call extension (empty caller ID + suffix matching)
from 0, < 2026.2.2
CRITICAL9.3OpenClaw: fetch-guard forwards custom authorization headers across cross-origin redirects
from 0, < 2026.3.7
CRITICAL9.1OpenClaw: Agent hook events could enqueue trusted system events from unsanitized external input
from 0, < 2026.4.10
CRITICAL9.1OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events
>= 2026.4.7, < 2026.4.14
CRITICAL9.0OpenClaw has a sandbox network isolation bypass via docker.network=container:<id>
from 0, < 2026.2.24
HIGH8.8OpenClaw: busybox and toybox applet execution weakened exec approval binding
>= 2026.2.23, < 2026.4.12
HIGH8.8OpenClaw: Sandboxed agents could escape exec routing via host=node override
>= 2026.4.5, < 2026.4.10
HIGH8.8OpenClaw: Workspace provider auth choices could auto-enable untrusted provider plugins
from 0, < 2026.4.9
HIGH8.8OpenClaw: Channel setup catalog lookups could include untrusted workspace plugin shadows
from 0, < 2026.4.10
HIGH8.8OpenClaw: Workspace .env could inject OpenClaw runtime-control variables
from 0, < 2026.4.9
HIGH8.8OpenClaw: Exec environment denylist missed high-risk interpreter startup variables
from 0, < 2026.4.10
HIGH8.8OpenClaw `node.pair.approve` placed in `operator.write` scope instead of `operator.pairing` allows unprivileged pairing approval
from 0, < 2026.4.8
HIGH8.8OpenClaw `device.token.rotate` mints tokens for unapproved roles, bypassing device role-upgrade pairing
from 0, < 2026.4.8
HIGH8.8OpenClaw: Paired node escalates to gateway RCE via unrestricted node.event agent dispatch
from 0, < 2026.3.31
HIGH8.8OpenClaw: Device-Paired Node Skips Node Scope Gate → Host RCE.md
from 0, < 2026.3.31
HIGH8.8OpenClaw: Discord text `/approve` bypasses `channels.discord.execApprovals.approvers` and allows non-approvers to resolve pending exec approvals
from 0, < 2026.3.28
HIGH8.8OpenClaw: Arbitrary code execution via unvalidated WebView JavascriptInterface
from 0, < 2026.3.22
HIGH8.8OpenClaw's system.run allowlist can be bypassed through an unregistered time dispatch wrapper
from 0, < 2026.3.22
HIGH8.8In OpenClaw, manually adding sort to tools.exec.safeBins could bypass allowlist approval via --compress-program
from 0, < 2026.2.22
HIGH8.8OpenClaw is vulnerable to validation bypass through GNU long-option abbreviations in allowlist mode
from 0, < 2026.2.23
HIGH8.8OpenClaw is vulnerable to validation bypass through GNU long-option abbreviations in allowlist mode
from 0, < 2026.2.23
HIGH8.8OpenClaw's system.run allowlist bypass via shell line-continuation command substitution
from 0, < 2026.2.22
HIGH8.8OpenClaw's config env vars allowed startup env injection into service runtime
from 0, < 2026.2.21
HIGH8.8OpenClaw's dispatch-wrapper depth-cap mismatch can bypass shell-wrapper approval gating in system.run allowlist mode
from 0, < 2026.2.24
HIGH8.8OpenClaw gateway agents.files symlink escape allowed out-of-workspace file read/write
from 0, < 2026.2.25
HIGH8.8OpenClaw has a path traversal in apply_patch could write/delete files outside the workspace
from 0, < 2026.2.14
HIGH8.8OpenClaw: Command hijacking via unsafe PATH handling (bootstrapping + node-host PATH overrides)
from 0, < 2026.2.14
HIGH8.6OpenClaw validates Zalo outbound photo URLs through the SSRF guard
from 0, < 2026.4.22
HIGH8.6OpenClaw has an Arbitrary Malicious Code Execution Vulnerability
from 0, < 2026.3.24
HIGH8.6OpenClaw: Feishu webhook mode accepted forged events when only `verificationToken` was configured
from 0, < 2026.3.12
HIGH8.6OpenClaw has two SSRF via sendMediaFeishu and markdown image fetching in Feishu extension
from 0, < 2026.2.14
HIGH8.5OpenClaw: Browser tabs action select and close routes bypassed SSRF policy
from 0, < 2026.4.10
HIGH8.4`OpenClaw: session_status` let sandboxed subagents access parent or sibling session state
from 0, < 2026.3.11
HIGH8.4OpenClaw vulnerable to Unauthenticated Local RCE via WebSocket config.apply
from 0, < 2026.1.20
HIGH8.3OpenClaw affected by SSRF in optional Tlon (Urbit) extension authentication
from 0, < 2026.2.14
HIGH8.2OpenClaw: QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes
from 0, < 2026.4.12
HIGH8.2OpenClaw: Sandbox escape via TOCTOU race in remote FS bridge readFile
from 0, < 2026.3.31
HIGH8.2OpenClaw: Unauthenticated plugin-auth HTTP routes receive operator runtime scopes
from 0, < 2026.3.31
HIGH8.1OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation
from 0, < 2026.4.15
HIGH8.1OpenClaw `node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard
from 0, < 2026.4.8
HIGH8.1OpenClaw: SSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host
from 0, < 2026.3.31
HIGH8.1OpenClaw: `browser.request` still allows `POST /reset-profile` through the `operator.write` surface
from 0, < 2026.3.24
HIGH8.1OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin`
from 0, < 2026.3.28
HIGH8.1OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode
from 0, < 2026.3.11
HIGH8.1OpenClaw has Zip Slip path traversal in tar archive extraction
from 0, < 2026.2.14
HIGH8.1OpenClaw has a Path Traversal in Plugin Installation
>= 2026.1.20, < 2026.2.1
HIGH8.0OpenClaw: Unrecognized script runners could bypass `system.run` approval integrity
from 0, < 2026.3.11
HIGH8.0OpenClaw: Node reconnect metadata spoofing could bypass platform-based node command policy
from 0, < 2026.2.26
HIGH7.8OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution
from 0, < 2026.4.23
HIGH7.8OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens
from 0, < 2026.4.22
HIGH7.8OpenClaw: Workspace dotenv could override runtime-control environment variables
from 0, < 2026.4.20
HIGH7.8OpenClaw: Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement
from 0, < 2026.4.8
HIGH7.8OpenClaw Has Incomplete Fix for CVE-2026-4039: CLI Backend Environment Variable Injection via Workspace Config
from 0, < 2026.3.24
HIGH7.8OpenClaw: Workspace `.env` can override the bundled plugin trust root
from 0, < 2026.3.31
HIGH7.8OpenClaw: Workspace `.env` can override the bundled hooks root and load attacker hook code
from 0, < 2026.3.31
HIGH7.8OpenClaw's `tools.exec.safeBins` PATH-hijack allowed trojan binaries to bypass allowlist checks
>= 2026.1.21, < 2026.2.19
HIGH7.8OpenClaw's shell env fallback trusts unvalidated SHELL path from host environment
from 0, < 2026.2.22
HIGH7.8OpenClaw: macOS optional allowlist basename matching could bypass path-based policy
from 0, < 2026.2.22
HIGH7.7OpenClaw: CDP /json/version WebSocket URL could pivot to untrusted second-hop targets
from 0, < 2026.4.5
HIGH7.7OpenClaw: Browser press/type interaction routes missed complete navigation guard coverage
from 0, < 2026.4.10
HIGH7.7OpenClaw: Existing-session browser interaction routes bypassed SSRF policy enforcement
from 0, < 2026.4.10
HIGH7.7OpenClaw: Browser SSRF policy default allowed private-network navigation
from 0, < 2026.4.14
HIGH7.7OpenClaw: Discord event cover images bypassed sandbox media normalization
>= 2026.4.7, < 2026.4.10
HIGH7.7OpenClaw: Browser snapshot and screenshot routes could expose internal page content after navigation
from 0, < 2026.4.14
HIGH7.7OpenClaw has Sandbox Media Root Bypass via Unnormalized `mediaUrl` / `fileUrl` Parameter Keys (CWE-22)
from 0, < 2026.3.24
HIGH7.7OpenClaw's andbox browser noVNC observer lacked VNC authentication
from 0, < 2026.2.21
HIGH7.6OpenClaw: Marketplace Plugin Download Follows Redirects Without SSRF Protection
from 0, < 2026.3.31
HIGH7.6OpenClaw: workspace path guard bypass on non-existent out-of-root symlink leaf
from 0, < 2026.2.26
HIGH7.6OpenClaw: Prevent shell injection in macOS keychain credential write
from 0, < 2026.2.14
HIGH7.6OpenClaw Gateway tool allowed unrestricted gatewayUrl override
from 0, < 2026.2.14
HIGH7.5OpenClaw: Voice-call realtime WebSocket accepted oversized frames
>= 2026.4.9, < 2026.4.10
HIGH7.5OpenClaw: strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts
from 0, < 2026.4.8
HIGH7.5OpenClaw: MS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion
from 0, < 2026.3.31
HIGH7.5OpenClaw's device removal and token revocation do not terminate active WebSocket sessions
from 0, < 2026.3.28
HIGH7.5OpenClaw has Inconsistent Host Exec Environment Override Sanitization
from 0, < 2026.3.22
HIGH7.5OpenClaw is vulnerable to Path Traversal through path validation bypass
from 0, < 2026.03.28
HIGH7.5OpenClaw Telegram webhook request bodies were read before secret validation, enabling unauthenticated resource exhaustion
from 0, < 2026.3.13
HIGH7.5OpenClaw's browser-origin WebSocket auth hardening gap could enable loopback password brute-force chains
from 0, < 2026.2.25
HIGH7.5OpenClaw's shell startup env injection bypasses system.run allowlist intent (RCE class)
from 0, < 2026.2.22
HIGH7.5OpenClaw has a workspace-only sandbox guard mismatch for @-prefixed absolute paths
from 0, < 2026.2.24
HIGH7.5OpenClaw has an opt-in insecure Control UI auth over plaintext HTTP could allow privileged access
from 0, < 2026.2.21
HIGH7.5OpenClaw has pre-auth webhook body parsing that can enable unauthenticated slow-request DoS
from 0, < 2026.3.2
HIGH7.5OpenClaw vulnerable to sensitive file disclosure via stageSandboxMedia
from 0, < 2026.2.19
HIGH7.5OpenClaw voice-call media stream validated streams after upgrade, which could allow pre-start unauthenticated sockets to increase resource pressure
from 0, < 2026.2.22