CRITICAL 9.9 CVE-2026-22172 OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes
from 0, < 2026.3.12
CRITICAL 9.9 CVE-2026-28466 OpenClaw Vulnerable to Remote Code Execution via Node Invoke Approval Bypass in Gateway
from 0, < 2026.2.14
CRITICAL 9.8 OpenClaw: Feishu webhook and card-action validation now fail closed
from 0, < 2026.4.15
CRITICAL 9.8 OpenClaw: Unbound bootstrap setup codes allow privilege escalation during pairing
from 0, < 2026.3.22
CRITICAL 9.8 OpenClaw: Google Chat and Zalouser group sender allowlist bypass via policy downgrade
from 0, < 2026.3.28
CRITICAL 9.8 OpenClaw: node.pair.approve missing callerScopes validation allows low-privilege operator to approve malicious nodes
from 0, < 2026.3.28
CRITICAL 9.8 OpenClaw: Zalo channel downloads media before sender authorization
from 0, < 2026.3.28
CRITICAL 9.8 OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting
from 0, < 2026.2.14
CRITICAL 9.8 OpenClaw has a potential access-group authorization bypass if channel type lookup fails
from 0, < 2026.2.1
CRITICAL 9.8 OpenClaw has an exec allowlist bypass via command substitution/backticks inside double quotes
from 0, < 2026.2.2
CRITICAL 9.8 OpenClaw's Windows cmd.exe parsing may bypass exec allowlist/approval gating
from 0, < 2026.2.2
CRITICAL 9.8 OpenClaw's gateway connect could skip device identity checks when auth.token was present but not yet validated
from 0, < 2026.2.2
CRITICAL 9.6 OpenClaw: OpenShell Mirror Sync — Sandbox Escape via Unrestricted File Sync + Symlink Traversal
from 0, < 2026.3.31
CRITICAL 9.6 OpenClaw has a CWD `.env` environment variable injection which bypasses host-env policy and allows config takeover
from 0, < 2026.3.28
CRITICAL 9.6 OpenClaw's incomplete host env sanitization blocklist allows supply-chain redirection via package-manager env overrides
from 0, < 2026.3.22
CRITICAL 9.4 OpenClaw: Plugin subagent routes could bypass gateway authorization with synthetic admin scopes
>= 2026.3.7, < 2026.3.11
CRITICAL 9.4 OpenClaw has an inbound allowlist policy bypass in voice-call extension (empty caller ID + suffix matching)
from 0, < 2026.2.2
CRITICAL 9.3 OpenClaw: fetch-guard forwards custom authorization headers across cross-origin redirects
from 0, < 2026.3.7
CRITICAL 9.1 OpenClaw: Agent hook events could enqueue trusted system events from unsanitized external input
from 0, < 2026.4.10
CRITICAL 9.1 OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events
>= 2026.4.7, < 2026.4.14
CRITICAL 9.0 OpenClaw has a sandbox network isolation bypass via docker.network=container:<id>
from 0, < 2026.2.24
HIGH 8.8 OpenClaw: busybox and toybox applet execution weakened exec approval binding
>= 2026.2.23, < 2026.4.12
HIGH 8.8 OpenClaw: Sandboxed agents could escape exec routing via host=node override
>= 2026.4.5, < 2026.4.10
HIGH 8.8 OpenClaw: Workspace provider auth choices could auto-enable untrusted provider plugins
from 0, < 2026.4.9
HIGH 8.8 OpenClaw: Channel setup catalog lookups could include untrusted workspace plugin shadows
from 0, < 2026.4.10
HIGH 8.8 OpenClaw: Workspace .env could inject OpenClaw runtime-control variables
from 0, < 2026.4.9
HIGH 8.8 OpenClaw: Exec environment denylist missed high-risk interpreter startup variables
from 0, < 2026.4.10
HIGH 8.8 OpenClaw `node.pair.approve` placed in `operator.write` scope instead of `operator.pairing` allows unprivileged pairing approval
from 0, < 2026.4.8
HIGH 8.8 OpenClaw `device.token.rotate` mints tokens for unapproved roles, bypassing device role-upgrade pairing
from 0, < 2026.4.8
HIGH 8.8 OpenClaw: Paired node escalates to gateway RCE via unrestricted node.event agent dispatch
from 0, < 2026.3.31
HIGH 8.8 OpenClaw: Device-Paired Node Skips Node Scope Gate → Host RCE.md
from 0, < 2026.3.31
HIGH 8.8 OpenClaw: Discord text `/approve` bypasses `channels.discord.execApprovals.approvers` and allows non-approvers to resolve pending exec approvals
from 0, < 2026.3.28
HIGH 8.8 OpenClaw: Arbitrary code execution via unvalidated WebView JavascriptInterface
from 0, < 2026.3.22
HIGH 8.8 OpenClaw's system.run allowlist can be bypassed through an unregistered time dispatch wrapper
from 0, < 2026.3.22
HIGH 8.8 In OpenClaw, manually adding sort to tools.exec.safeBins could bypass allowlist approval via --compress-program
from 0, < 2026.2.22
HIGH 8.8 OpenClaw is vulnerable to validation bypass through GNU long-option abbreviations in allowlist mode
from 0, < 2026.2.23
HIGH 8.8 OpenClaw is vulnerable to validation bypass through GNU long-option abbreviations in allowlist mode
from 0, < 2026.2.23
HIGH 8.8 OpenClaw's system.run allowlist bypass via shell line-continuation command substitution
from 0, < 2026.2.22
HIGH 8.8 OpenClaw's config env vars allowed startup env injection into service runtime
from 0, < 2026.2.21
HIGH 8.8 OpenClaw's dispatch-wrapper depth-cap mismatch can bypass shell-wrapper approval gating in system.run allowlist mode
from 0, < 2026.2.24
HIGH 8.8 OpenClaw gateway agents.files symlink escape allowed out-of-workspace file read/write
from 0, < 2026.2.25
HIGH 8.8 OpenClaw has a path traversal in apply_patch could write/delete files outside the workspace
from 0, < 2026.2.14
HIGH 8.8 OpenClaw: Command hijacking via unsafe PATH handling (bootstrapping + node-host PATH overrides)
from 0, < 2026.2.14
HIGH 8.6 OpenClaw validates Zalo outbound photo URLs through the SSRF guard
from 0, < 2026.4.22
HIGH 8.6 OpenClaw has an Arbitrary Malicious Code Execution Vulnerability
from 0, < 2026.3.24
HIGH 8.6 OpenClaw: Feishu webhook mode accepted forged events when only `verificationToken` was configured
from 0, < 2026.3.12
HIGH 8.6 OpenClaw has two SSRF via sendMediaFeishu and markdown image fetching in Feishu extension
from 0, < 2026.2.14
HIGH 8.5 OpenClaw: Browser tabs action select and close routes bypassed SSRF policy
from 0, < 2026.4.10
HIGH 8.4 OpenClaw: `session_status` let sandboxed subagents access parent or sibling session state
from 0, < 2026.3.11
HIGH 8.4 OpenClaw vulnerable to Unauthenticated Local RCE via WebSocket config.apply
from 0, < 2026.1.20
HIGH 8.3 OpenClaw affected by SSRF in optional Tlon (Urbit) extension authentication
from 0, < 2026.2.14
HIGH 8.2 OpenClaw: QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes
from 0, < 2026.4.12
HIGH 8.2 OpenClaw: Sandbox escape via TOCTOU race in remote FS bridge readFile
from 0, < 2026.3.31
HIGH 8.2 OpenClaw: Unauthenticated plugin-auth HTTP routes receive operator runtime scopes
from 0, < 2026.3.31
HIGH 8.1 OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation
from 0, < 2026.4.15
HIGH 8.1 OpenClaw `node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard
from 0, < 2026.4.8
HIGH 8.1 OpenClaw: SSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host
from 0, < 2026.3.31
HIGH 8.1 OpenClaw: `browser.request` still allows `POST /reset-profile` through the `operator.write` surface
from 0, < 2026.3.24
HIGH 8.1 OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin`
from 0, < 2026.3.28
HIGH 8.1 OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode
from 0, < 2026.3.11
HIGH 8.1 OpenClaw has Zip Slip path traversal in tar archive extraction
from 0, < 2026.2.14
HIGH 8.1 OpenClaw has a Path Traversal in Plugin Installation
>= 2026.1.20, < 2026.2.1
HIGH 8.0 OpenClaw: Unrecognized script runners could bypass `system.run` approval integrity
from 0, < 2026.3.11
HIGH 8.0 OpenClaw: Node reconnect metadata spoofing could bypass platform-based node command policy
from 0, < 2026.2.26
HIGH 7.8 OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution
from 0, < 2026.4.23
HIGH 7.8 OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens
from 0, < 2026.4.22
HIGH 7.8 OpenClaw: Workspace dotenv could override runtime-control environment variables
from 0, < 2026.4.20
HIGH 7.8 OpenClaw: Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement
from 0, < 2026.4.8
HIGH 7.8 OpenClaw Has Incomplete Fix for CVE-2026-4039: CLI Backend Environment Variable Injection via Workspace Config
from 0, < 2026.3.24
HIGH 7.8 OpenClaw: Workspace `.env` can override the bundled plugin trust root
from 0, < 2026.3.31
HIGH 7.8 OpenClaw: Workspace `.env` can override the bundled hooks root and load attacker hook code
from 0, < 2026.3.31
HIGH 7.8 OpenClaw's `tools.exec.safeBins` PATH-hijack allowed trojan binaries to bypass allowlist checks
>= 2026.1.21, < 2026.2.19
HIGH 7.8 OpenClaw's shell env fallback trusts unvalidated SHELL path from host environment
from 0, < 2026.2.22
HIGH 7.8 OpenClaw: macOS optional allowlist basename matching could bypass path-based policy
from 0, < 2026.2.22
HIGH 7.7 OpenClaw: CDP /json/version WebSocket URL could pivot to untrusted second-hop targets
from 0, < 2026.4.5
HIGH 7.7 OpenClaw: Browser press/type interaction routes missed complete navigation guard coverage
from 0, < 2026.4.10
HIGH 7.7 OpenClaw: Existing-session browser interaction routes bypassed SSRF policy enforcement
from 0, < 2026.4.10
HIGH 7.7 OpenClaw: Browser SSRF policy default allowed private-network navigation
from 0, < 2026.4.14
HIGH 7.7 OpenClaw: Discord event cover images bypassed sandbox media normalization
>= 2026.4.7, < 2026.4.10
HIGH 7.7 OpenClaw: Browser snapshot and screenshot routes could expose internal page content after navigation
from 0, < 2026.4.14
HIGH 7.7 OpenClaw has Sandbox Media Root Bypass via Unnormalized `mediaUrl` / `fileUrl` Parameter Keys (CWE-22)
from 0, < 2026.3.24
HIGH 7.7 OpenClaw's sandbox browser noVNC observer lacked VNC authentication
from 0, < 2026.2.21
HIGH 7.6 OpenClaw: Marketplace Plugin Download Follows Redirects Without SSRF Protection
from 0, < 2026.3.31
HIGH 7.6 OpenClaw: workspace path guard bypass on non-existent out-of-root symlink leaf
from 0, < 2026.2.26
HIGH 7.6 OpenClaw: Prevent shell injection in macOS keychain credential write
from 0, < 2026.2.14
HIGH 7.6 OpenClaw Gateway tool allowed unrestricted gatewayUrl override
from 0, < 2026.2.14
HIGH 7.5 OpenClaw: Voice-call realtime WebSocket accepted oversized frames
>= 2026.4.9, < 2026.4.10
HIGH 7.5 OpenClaw: strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts
from 0, < 2026.4.8
HIGH 7.5 OpenClaw: MS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion
from 0, < 2026.3.31
HIGH 7.5 OpenClaw's device removal and token revocation do not terminate active WebSocket sessions
from 0, < 2026.3.28
HIGH 7.5 OpenClaw has Inconsistent Host Exec Environment Override Sanitization
from 0, < 2026.3.22
HIGH 7.5 OpenClaw is vulnerable to Path Traversal through path validation bypass
from 0, < 2026.03.28
HIGH 7.5 OpenClaw Telegram webhook request bodies were read before secret validation, enabling unauthenticated resource exhaustion
from 0, < 2026.3.13
HIGH 7.5 OpenClaw's browser-origin WebSocket auth hardening gap could enable loopback password brute-force chains
from 0, < 2026.2.25
HIGH 7.5 OpenClaw's shell startup env injection bypasses system.run allowlist intent (RCE class)
from 0, < 2026.2.22
HIGH 7.5 OpenClaw has a workspace-only sandbox guard mismatch for @-prefixed absolute paths
from 0, < 2026.2.24
HIGH 7.5 OpenClaw has an opt-in insecure Control UI auth over plaintext HTTP could allow privileged access
from 0, < 2026.2.21
HIGH 7.5 OpenClaw has pre-auth webhook body parsing that can enable unauthenticated slow-request DoS
from 0, < 2026.3.2
HIGH 7.5 OpenClaw vulnerable to sensitive file disclosure via stageSandboxMedia
from 0, < 2026.2.19
HIGH 7.5 OpenClaw voice-call media stream validated streams after upgrade, which could allow pre-start unauthenticated sockets to increase resource pressure
from 0, < 2026.2.22
HIGH 7.5 OpenClaw has a LFI in BlueBubbles media path handling
from 0, < 2026.2.14
HIGH 7.5 OpenClaw has a path traversal in browser trace/download output paths may allow arbitrary file writes
from 0, < 2026.2.13
HIGH 7.5 OpenClaw affected by denial of service via unbounded webhook request body buffering
from 0, < 2026.2.13
HIGH 7.5 OpenClaw affected by denial of service via unbounded URL-backed media fetch
from 0, < 2026.2.14
HIGH 7.5 OpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reachable)
from 0, < 2026.2.14
HIGH 7.5 OpenClaw has a local file disclosure via sendMediaFeishu in Feishu extension
from 0, < 2026.2.14
HIGH 7.5 OpenClaw is Missing Webhook Authentication in Telnyx Provider Allows Unauthenticated Requests
from 0, < 2026.2.14
HIGH 7.5 OpenClaw BlueBubbles webhook auth bypass via loopback proxy trust
from 0, < 2026.2.13
HIGH 7.5 OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass
from 0, < 2026.2.1
HIGH 7.5 OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access
>= 2026.1.20, < 2026.2.1
HIGH 7.4 OpenClaw: SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476)
from 0, < 2026.3.28
HIGH 7.4 OpenClaw MS Teams inbound attachment downloader leaks bearer tokens to allowlisted suffix domains
from 0, < 2026.2.1
HIGH 7.3 OpenClaw: Shell init-file options could satisfy exec allowlist script matching
from 0, < 2026.3.31
HIGH 7.3 OpenClaw: OpenShell `mirror` mode can convert untrusted sandbox files into explicitly enabled workspace hooks and execute them on the host during gateway startup
from 0, < 2026.3.28
HIGH 7.3 OpenClaw gateway exec allow-always over-trusts positional carrier executables
from 0, < 2026.3.28
HIGH 7.3 OpenClaw has a gateway exec allowlist allow-always bypass via unregistered /usr/bin/script wrapper
from 0, < 2026.3.28
HIGH 7.3 OpenClaw: CLI Remote Onboarding Persists Unauthenticated Discovery Endpoint and Exfiltrates Gateway Credentials
from 0, < 2026.3.28
HIGH 7.3 OpenClaw: Unbound interpreter and runtime commands could bypass node-host approval integrity
from 0, < 2026.3.11
HIGH 7.3 OpenClaw Twitch allowFrom is not enforced in optional plugin, unauthorized chat users can trigger agent pipeline
>= 2026.1.29, < 2026.2.1
HIGH 7.2 OpenClaw affected by potential code execution via unsafe hook module path handling in Gateway
>= 2026.1.5, < 2026.2.14
HIGH 7.2 OpenClaw Node host system.run rawCommand/command mismatch can bypass allowlist/approvals
from 0, < 2026.2.14
HIGH 7.2 OpenClaw authorization bypass: operator.write can resolve exec approvals via chat.send -> /approve
from 0, < 2026.2.2
HIGH 7.1 OpenClaw B-M3: ClawHub package downloads are not enforced with integrity verification
from 0, < 2026.4.8
HIGH 7.1 OpenClaw: Gateway plugin HTTP `auth: gateway` widens identity-bearing `operator.read` requests into runtime `operator.write`
from 0, < 2026.4.8
HIGH 7.1 OpenClaw: Gateway operator.write Can Reach Admin-Class Telegram Config and Cron Persistence via send
from 0, < 2026.3.28
HIGH 7.1 OpenClaw: HTTP operator endpoints lack browser-origin validation in trusted-proxy mode
from 0, < 2026.3.31
HIGH 7.1 OpenClaw: Gateway chat.send ACP-only provenance guard could be bypassed by client identity spoofing
from 0, < 2026.3.28
HIGH 7.1 OpenClaw: Gateway operator.write Can Reach Admin-Class Channel Allowlist Persistence via chat.send
from 0, < 2026.3.24
HIGH 7.1 OpenClaw: Symlink Traversal via IDENTITY.md appendFile in agents.create/update (Incomplete Fix for CVE-2026-32013)
from 0, <= 2026.2.22
HIGH 7.1 OpenClaw: Node-host approvals could show misleading shell payloads instead of the executed argv
from 0, < 2026.3.11
HIGH 7.1 OpenClaw has a Trusted-proxy Control UI pairing bypass which allows unpaired node sessions
from 0, < 2026.2.25
HIGH 7.1 OpenClaw exec allowlist safeBins short-option bypass could permit arbitrary file write
from 0, < 2026.2.19
HIGH 7.1 OpenClaw's sandbox skill mirroring path traversal vulnerability could write outside the sandbox workspace
from 0, < 2026.2.14
HIGH 7.1 OpenClaw has an authentication bypass in sandbox browser bridge server
>= 2026.1.29-beta.1, < 2026.2.14
HIGH 7.1 OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints
from 0, < 2026.2.14
HIGH 7.1 OpenClaw has an arbitrary transcript path file write via gateway sessionFile
from 0, < 2026.2.12
MEDIUM 6.9 OpenClaw: MS Teams Feedback Invocation Bypasses Sender Allowlists and Records Unauthorized Session Feedback
from 0, < 2026.3.28
MEDIUM 6.9 OpenClaw: Feishu Raw Card Send Surface Can Mint Legacy Card Callbacks That Bypass DM Pairing
from 0, < 2026.3.28
MEDIUM 6.9 OpenClaw: Browser control startup could continue unauthenticated after auth bootstrap failure
from 0, < 2026.3.1
MEDIUM 6.8 OpenClaw: Collect-mode queue batches could reuse the last sender authorization context
from 0, < 2026.4.14
MEDIUM 6.8 OpenClaw: Slack interactive callbacks could skip configured sender checks in some shared-workspace flows
from 0, < 2026.2.25
MEDIUM 6.8 OpenClaw: Experimental apply_patch may bypass workspace-only checks in opt-in sandbox mounts (off by default)
from 0, < 2026.2.23
MEDIUM 6.7 OpenClaw's Node system.run approval hardening wrapper semantic drift can execute unintended local scripts
>= 2026.3.1, < 2026.3.2
MEDIUM 6.7 OpenClaw has a Path Traversal in Browser Download Functionality
>= 2026.1.12, < 2026.2.13
MEDIUM 6.6 OpenClaw has system.run shell-wrapper env injection via SHELLOPTS/PS4 can bypass allowlist intent (RCE)
from 0, < 2026.2.22
MEDIUM 6.5 OpenClaw contains a symlink traversal vulnerability
>= 2026.3.22, < 2026.4.5
MEDIUM 6.5 OpenClaw: Matrix profile config persistence was reachable from operator.write message tools
from 0, < 2026.4.10
MEDIUM 6.5 OpenClaw: Empty approver lists could grant explicit approval authorization
from 0, < 2026.4.12
MEDIUM 6.5 OpenClaw: Strict browser SSRF bypass in Playwright redirect handling leaves private targets reachable
from 0, < 2026.4.8
MEDIUM 6.5 OpenClaw: Tlon media downloads can bypass core safety limits and exhaust disk
from 0, < 2026.3.31
MEDIUM 6.5 OpenClaw: Host exec environment sanitization misses package, registry, Docker, compiler, and TLS override variables
from 0, < 2026.3.31
MEDIUM 6.5 OpenClaw: Matrix thread root and reply context bypass sender allowlist
from 0, < 2026.3.31
MEDIUM 6.5 OpenClaw Nostr privateKey config redaction bypass leaks plaintext signing key via config.get
from 0, < 2026.3.31
MEDIUM 6.5 OpenClaw's Nextcloud Talk webhook missing rate limiting on shared secret authentication
from 0, < 2026.3.28
MEDIUM 6.5 Duplicate Advisory: OpenClaw has Bypass in Webhook Rate Limiting via Pre-Authentication Secret Validation
from 0, < 2026.3.12
MEDIUM 6.5 OpenClaw: Image Tool `tools.fs.workspaceOnly` Bypass via Sandbox Bridge Mounts
from 0, < 2026.3.2
MEDIUM 6.5 OpenClaw: Forwarding header spoofing bypasses gateway.trustedProxies origin detection
from 0, < 2026.3.22
MEDIUM 6.5 OpenClaw: Mattermost callback dispatch allowed non-allowlisted sender actions
from 0, < 2026.3.22
MEDIUM 6.5 OpenClaw has a Feishu allowFrom authorization bypass via display-name collision
from 0, < 2026.2.22
MEDIUM 6.5 OpenClaw browser navigation guard allowed non-network URL schemes, enabling authenticated browser-tool users to access file:// local files
from 0, < 2026.2.21
MEDIUM 6.5 OpenClaw has encoded-path auth bypass in plugin `/api/channels` route classification
from 0, < 2026.3.2
MEDIUM 6.5 OpenClaw DM pairing-store identities could satisfy group allowlist authorization
from 0, < 2026.2.26
MEDIUM 6.5 OpenClaw safeBins grep -e File Read Bypass (stdin-only policy bypass)
from 0, < 2026.2.21
MEDIUM 6.5 OpenClaw has gateway plugin auth bypass via encoded dot-segment traversal in protected /api/channels paths
from 0, < 2026.2.26
MEDIUM 6.5 Temporary path handling could write outside OpenClaw temp boundary
from 0, < 2026.2.24
MEDIUM 6.5 OpenClaw has a Web Fetch DoS via unbounded response parsing
from 0, < 2026.2.15
MEDIUM 6.5 OpenClaw Twilio voice-call webhook auth bypass when ngrok loopback compatibility is enabled
from 0, < 2026.2.14
MEDIUM 6.5 OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR)
from 0, < 2026.2.14
MEDIUM 6.5 OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities
from 0, < 2026.2.14
MEDIUM 6.5 OpenClaw has a Matrix allowlist bypass via displayName and cross-homeserver localpart matching
>= 2026.1.14-1, < 2026.2.2
MEDIUM 6.5 OpenClaw's Chrome extension relay binds publicly due to wildcard treated as loopback
>= 2026.1.14-1, < 2026.2.12
MEDIUM 6.5 OpenClaw Vulnerable to Local File Inclusion via MEDIA: Path Extraction
from 0, < 2026.1.30
MEDIUM 6.4 OpenClaw's non-default safeBins sort configuration can bypass intended allowlist approval constraints
from 0, < 2026.2.22
MEDIUM 6.4 OpenClaw's allow-always wrapper persistence could bypass future approvals and enable command execution
from 0, < 2026.2.22
MEDIUM 6.3 OpenClaw: Browser SSRF hostname validation could be bypassed by DNS rebinding
from 0, < 2026.4.10
MEDIUM 6.3 OpenClaw: SSRF via Unguarded `fetch()` in Marketplace Plugin Download and Ollama Model Discovery
from 0, < 2026.3.31
MEDIUM 6.3 OpenClaw: Sandbox `writeFile` commit could race outside the validated path
from 0, < 2026.3.11
MEDIUM 6.3 OpenClaw's system.run approvals did not bind mutable script operands across approval and execution
from 0, < 2026.3.8
MEDIUM 6.2 OpenClaw's message tool media parameter bypasses tool policy filesystem isolation
from 0, < 2026.3.24
MEDIUM 6.2 OpenClaw's unauthenticated Nostr profile HTTP endpoints allow remote profile/config tampering
from 0, < 2026.2.12
MEDIUM 6.1 OpenClaw: Incomplete host-env-security-policy allows untrusted model to substitute compiler binaries via env overrides
from 0, < 2026.3.31
MEDIUM 6.1 OpenClaw has incomplete Fix for CVE-2026-27486: Unvalidated SIGKILL in `!stop` Chat Command via `shell-utils.ts`
from 0, < 2026.3.24
MEDIUM 6.1 OpenClaw: Sandboxed /acp spawn requests could initialize host ACP sessions
from 0, < 2026.3.7
MEDIUM 6.1 OpenClaw: shell-env trusted-prefix fallback allowed attacker-controlled binary execution via $SHELL
>= 2026.2.22, < 2026.2.23
MEDIUM 6.1 OpenClaw vulnerable to path traversal (Zip Slip) in archive extraction during explicit installation commands
>= 2026.1.16-2, < 2026.2.14
MEDIUM 6.0 OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload
from 0, < 2026.4.23
MEDIUM 6.0 OpenClaw's MSTeams attachment redirect handling could bypass configured media host allowlists
from 0, < 2026.2.22
MEDIUM 6.0 OpenClaw's hook transform module path allows traversal and arbitrary JavaScript module loading
>= 2.0.0-beta3, < 2026.2.14
MEDIUM 5.9 OpenClaw: Google Chat app-url webhook auth accepted non-deployment add-on principals
from 0, < 2026.3.22
MEDIUM 5.9 OpenClaw: Synology Chat reply delivery could be rebound through username-based user resolution.
from 0, < 2026.3.22
MEDIUM 5.9 OpenClaw's typed sender-key matching for toolsBySender prevents identity-collision policy bypass
from 0, < 2026.2.22
MEDIUM 5.9 OpenClaw: Discord voice transcript owner-flag omission could expose owner-only tools in mixed-trust channels
from 0, < 2026.3.2
MEDIUM 5.9 OpenClaw has non-constant-time token comparison in hooks authentication
from 0, < 2026.2.12
MEDIUM 5.9 OpenClaw Chutes manual OAuth state validation bypass can cause credential substitution
from 0, < 2026.2.14
MEDIUM 5.9 OpenClaw Telegram allowlist authorization accepted mutable usernames
from 0, < 2026.2.14
MEDIUM 5.9 OpenClaw affected by SSRF via attachment/media URL hydration
from 0, < 2026.2.2
MEDIUM 5.9 OpenClaw has a webhook auth bypass when gateway is behind a reverse proxy (loopback remoteAddress trust)
from 0, < 2026.2.12
MEDIUM 5.8 OpenClaw: QQBot direct media upload skipped URL SSRF validation
from 0, < 2026.4.20
MEDIUM 5.8 OpenClaw: Webchat media embedding enforces local-root containment for tool-result files
>= 2026.4.7, < 2026.4.15
MEDIUM 5.8 OpenClaw: Trailing-dot localhost CDP hosts could bypass remote loopback protections
from 0, < 2026.4.2
MEDIUM 5.8 OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection
from 0, < 2026.2.15
MEDIUM 5.7 OpenClaw: Android accepted cleartext remote gateway endpoints and sent stored credentials over ws://
from 0, < 2026.4.2
MEDIUM 5.7 OpenClaw's Conflicting Tool Identity Hints Bypass Dangerous-Tool Prompting
from 0, < 2026.3.22
MEDIUM 5.7 OpenClaw Loopback CDP probe can leak Gateway token to local listener
from 0, < 2026.2.22
MEDIUM 5.7 OpenClaw: safeBins static default trusted dirs allow writable-dir binary hijack (`jq`)
from 0, < 2026.2.24
MEDIUM 5.7 OpenClaw exec approvals: safeBins could bypass stdin-only constraints via shell expansion
from 0, < 2026.2.14
MEDIUM 5.6 OpenClaw vulnerable to SSRF in src/agents/tools/web-fetch.ts
from 0, < 2026.1.29
MEDIUM 5.5 OpenClaw skills-install-download: tar.bz2 extraction bypassed archive safety parity checks (local DoS)
from 0, < 2026.3.2
MEDIUM 5.5 OpenClaw's avatar symlink traversal can expose out-of-workspace local files
from 0, < 2026.2.22
MEDIUM 5.5 OpenClaw's unsanitized session ID enables path traversal in transcript file operations
from 0, < 2026.2.12
MEDIUM 5.5 OpenClaw: denial of service through large base64 media files allocating large buffers before limit checks
from 0, < 2026.2.14
MEDIUM 5.4 OpenClaw: Slack thread context could include messages from non-allowlisted senders
from 0, < 2026.4.2
MEDIUM 5.4 OpenClaw: Read-scoped identity-bearing HTTP clients could kill sessions via /sessions/:sessionKey/kill
from 0, < 2026.4.2
MEDIUM 5.4 OpenClaw: Discord Component Interaction Misclassifies Group DM as Direct Message
from 0, < 2026.3.31
MEDIUM 5.4 OpenClaw: Discord Slash Commands Bypass Group DM Channel Allowlist
from 0, < 2026.3.31
MEDIUM 5.4 OpenClaw: Gateway `device.token.rotate` does not terminate active WebSocket sessions after credential rotation
from 0, < 2026.3.31
MEDIUM 5.4 OpenClaw: Feishu thread history and quoted messages bypass sender allowlist
from 0, < 2026.3.31
MEDIUM 5.4 OpenClaw: Gateway `operator.write` can reach admin-only persisted `verboseLevel` via `chat.send` `/verbose`
from 0, < 2026.3.28
MEDIUM 5.4 OpenClaw: Non-owner command-authorized sender can change the owner-only `/send` session delivery policy
from 0, < 2026.3.24
MEDIUM 5.4 OpenClaw: Slack system events bypass sender authorization in member and message subtype handlers
from 0, < 2026.2.26
MEDIUM 5.4 OpenClaw's Node role device-identity bypass allows unauthorized node.event injection
from 0, < 2026.2.22
MEDIUM 5.4 OpenClaw ACP client has permission auto-approval bypass via untrusted tool metadata
from 0, < 2026.2.23
MEDIUM 5.4 OpenClaw replaced a deprecated sandbox hash algorithm
from 0, < 2026.2.15
MEDIUM 5.3 OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes
from 0, < 2026.4.22
MEDIUM 5.3 OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root
from 0, < 2026.4.22
MEDIUM 5.3 OpenClaw: GIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant)
from 0, < 2026.4.8
MEDIUM 5.3 OpenClaw: Pairing pending-request caps were enforced per channel instead of per account
>= 2026.2.26, < 2026.3.31
MEDIUM 5.3 OpenClaw: Forged Nostr DMs could create pairing state before signature verification
>= 2026.3.22, < 2026.3.31
MEDIUM 5.3 OpenClaw's complex interpreter pipelines could skip exec script preflight validation
from 0, < 2026.4.2
MEDIUM 5.3 OpenClaw: Telegram audio preflight transcription enables resource consumption by unauthorized senders
from 0, < 2026.3.31
MEDIUM 5.3 OpenClaw: Voice-call still parses large WebSocket frames before start validation (Incomplete fix for CVE-2026-32062)
from 0, < 2026.3.31
MEDIUM 5.3 OpenClaw: Telnyx Webhook Replay Detection Bypass via Base64 Signature Re-encoding
from 0, < 2026.3.31
MEDIUM 5.3 OpenClaw runs Discord audio preflight transcription before member authorization
from 0, < 2026.3.31
MEDIUM 5.3 OpenClaw: LINE webhook handler lacks shared pre-auth concurrency budget before signature verification
from 0, < 2026.3.31
MEDIUM 5.3 OpenClaw: PIP_INDEX_URL and UV_INDEX_URL bypass host exec env sanitization and redirect Python package-index traffic
from 0, < 2026.3.31
MEDIUM 5.3 OpenClaw: Voice-call Plivo replay mutates in-process callback origin before replay rejection
from 0, < 2026.3.31
MEDIUM 5.3 OpenClaw: Feishu extension resolveUploadInput bypasses file-system sandbox and allows arbitrary file reads via upload_image
>= 2026.2.6, < 2026.3.28
MEDIUM 5.3 OpenClaw has incomplete Fix for CVE-2026-32011: Feishu Webhook Pre-Auth Body Parsing DoS (Slow-Body / Slowloris Variant)
from 0, < 2026.3.24
MEDIUM 5.3 OpenClaw: Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State
from 0, < 2026.3.28
MEDIUM 5.3 OpenClaw: system.run wrapper-depth boundary could skip shell approval gating
from 0, < 2026.3.7
MEDIUM 5.3 OpenClaw's image tool bypasses tools.fs.workspaceOnly on sandbox mount paths and exfiltrates out-of-workspace images
from 0, < 2026.2.23
MEDIUM 5.3 OpenClaw has incomplete IPv4 special-use SSRF blocking in web fetch guard
from 0, < 2026.2.22
MEDIUM 5.3 OpenClaw improperly parses X-Forwarded-For behind trusted proxies allows client IP spoofing in security decisions
from 0, < 2026.2.21
MEDIUM 5.3 OpenClaw: Unified root-bound write hardening for browser output and related path-boundary flows
from 0, < 2026.3.2
MEDIUM 5.0 OpenClaw: Shared reply MEDIA - paths are treated as trusted and can trigger cross-channel local file exfiltration
from 0, < 2026.4.8
MEDIUM 4.9 OpenClaw host-env blocklist missing `GIT_TEMPLATE_DIR` and `AWS_CONFIG_FILE` allows code execution via env override
from 0, < 2026.3.28
MEDIUM 4.8 OpenClaw: Telegram Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Secret
from 0, <= 2026.3.24
MEDIUM 4.8 OpenClaw: BlueBubbles Webhook Missing Rate Limiting Enables Brute-Force Password Guessing
from 0, <= 2026.3.24
MEDIUM 4.8 OpenClaw: /api/channels gateway-auth boundary bypass via path canonicalization mismatch
from 0, < 2026.2.26
MEDIUM 4.8 OpenClaw's serialize sandbox registry writes to prevent races and delete-rollback corruption
from 0, < 2026.2.19
MEDIUM 4.8 OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback)
from 0, < 2026.2.21
MEDIUM 4.8 OpenClaw: system.run approval identity mismatch could execute a different binary than displayed
from 0, < 2026.2.25
MEDIUM 4.8 OpenClaw: Config writes could persist resolved ${VAR} secrets to disk
from 0, < 2026.2.13
MEDIUM 4.8 OpenClaw Slack: dmPolicy=open allowed any DM sender to run privileged slash commands
from 0, < 2026.2.14
MEDIUM 4.6 OpenClaw: Security Scan Failure Does Not Block Plugin Installation (Fail-Open)
from 0, < 2026.3.31
MEDIUM 4.6 OpenClaw: Bonjour/DNS-SD TXT metadata steers CLI routing after failed service resolution
from 0, < 2026.3.22
MEDIUM 4.6 OpenClaw Vulnerable to HTML injection via unvalidated image MIME type in data-URL interpolation
from 0, < 2026.2.23
MEDIUM 4.4 OpenClaw: Host exec environment overrides miss proxy, TLS, Docker, and Git TLS controls
from 0, < 2026.3.31
MEDIUM 4.4 OpenClaw vulnerable to arbitrary file read via $include directive
from 0, < 2026.2.17
MEDIUM 4.3 OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization
from 0, < 2026.4.20
MEDIUM 4.3 OpenClaw: Multiple Code Paths Missing Base64 Pre-Allocation Size Checks
from 0, < 2026.4.8
MEDIUM 4.3 OpenClaw: /allowlist omits owner-only enforcement for cross-channel allowlist writes
from 0, < 2026.4.8
MEDIUM 4.3 OpenClaw: Gateway hello snapshots exposed host config and state paths to non-admin clients
from 0, < 2026.4.2
MEDIUM 4.3 OpenClaw has a Gateway HTTP /v1/models Route Bypasses Operator Read Scope
from 0, < 2026.3.24
MEDIUM 4.3 OpenClaw has ACP CLI approval prompt ANSI escape sequence injection
>= 2026.2.13, < 2026.3.28
MEDIUM 4.3 OpenClaw leaf subagents can bypass controlScope restrictions to send messages to child sessions
from 0, < 2026.3.22
MEDIUM 4.3 OpenClaw has a BlueBubbles group allowlist mismatch via DM pairing-store fallback
from 0, < 2026.2.26
MEDIUM 4.3 OpenClaw's Slack reaction/pin sender-policy consistency issue in non-message ingress
from 0, < 2026.2.25
MEDIUM 4.3 OpenClaw safeBins file-existence oracle information disclosure
from 0, < 2026.2.19
MEDIUM 4.2 OpenClaw: Zalo webhook replay cache cross-target messageId scope bypass
from 0, < 2026.3.31
MEDIUM 4.2 OpenClaw: Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName
from 0, < 2026.3.28
MEDIUM 4.2 OpenClaw: Nextcloud Talk room allowlist matched colliding room names instead of stable room tokens
from 0, < 2026.3.22
MEDIUM 4.0 OpenClaw: diffs viewer misclassifies proxied remote requests as loopback when `allowRemoteViewer` is disabled
from 0, < 2026.3.31
LOW3.7OpenClaw: Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths
from 0, < 2026.4.4
LOW3.7OpenClaw: Shared-secret comparison call sites leaked length information through timing
from 0, < 2026.4.2
LOW3.7OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting
from 0, < 2026.3.31
LOW3.7OpenClaw may have stale policy enforcement for queued node actions
from 0, < 2026.3.22
LOW3.7OpenClaw has cross-account DM pairing authorization bypass via unscoped pairing store access
from 0, < 2026.2.26
LOW3.7OpenClaw: Discord DM reaction ingress missed dmPolicy/allowFrom checks in restricted setups
from 0, < 2026.2.25
LOW3.7OpenClaw has Signal group allowlist authorization bypass via DM pairing-store leakage
from 0, < 2026.2.26
LOW3.7OpenClaw Affected by Remote Code Execution via System Prompt Injection in Slack Channel Descriptions
from 0, < 2026.2.3
LOW3.6OpenClaw safeBins stdin-only bypass via sort output and recursive grep flags
from 0, < 2026.2.19
LOW3.3OpenClaw's Control UI Static File Handler Follows Symlinks and Allows Out-of-Root File Read
from 0, < 2026.2.22
LOW2.6OpenClaw Node system.run approval context-binding weakness in approval-enabled host=node flows
from 0, < 2026.2.26
LOW2.5OpenClaw: Unavailable local auth SecretRefs could fall through to remote credentials in local mode
from 0, < 2026.3.11
—OpenClaw: Workspace dotenv files cannot override connector endpoint hosts
from 0, < 2026.4.22
—OpenClaw's ACP child sessions inherit subagent security envelope constraints
from 0, < 2026.4.22
—OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners
from 0, < 2026.4.21
—OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests
>= 2026.4.5, < 2026.4.20
—OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config
from 0, < 2026.4.20
—OpenClaw: Isolated cron awareness events were recorded as trusted system events
from 0, < 2026.4.20
—OpenClaw: Hook mapping templates could bypass hook session-key opt-in
from 0, < 2026.4.20
—OpenClaw: Sender policy bypass in host media attachment reads allows unauthorized local file disclosure
>= 2026.4.9, < 2026.4.10
—OpenClaw: QQBot media tags could read arbitrary local files through reply text
from 0, < 2026.4.10
—OpenClaw: screen_record outPath bypassed workspace-only filesystem guard
from 0, < 2026.4.10
—OpenClaw: Shell-wrapper detection missed env-argv assignment injection forms
>= 2026.2.22, < 2026.4.12
—OpenClaw: Memory dreaming config persistence was reachable from operator.write commands
>= 2026.4.5, < 2026.4.10
—OpenClaw: Microsoft Teams SSO invoke handler missed sender authorization checks
>= 2026.4.10, < 2026.4.14
—OpenClaw: Delivery queue recovery could lose group tool-policy context for media replay
>= 2026.4.10, < 2026.4.14
—OpenClaw: config.get redaction bypass through sourceConfig and runtimeConfig aliases
from 0, < 2026.4.14
—OpenClaw: TOCTOU read in exec script preflight
from 0, < 2026.4.10
—OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects
from 0, < 2026.4.8
—OpenClaw has Browser SSRF Policy Bypass via Interaction-Triggered Navigation
from 0, < 2026.4.8
—OpenClaw: Feishu docx upload_file/upload_image Bypasses Workspace-Only Filesystem Policy (GHSA-qf48-qfv4-jjm9 Incomplete Fix)
from 0, < 2026.4.8
—OpenClaw QQ Bot Extension missing SSRF Protection on All Media Fetch Paths
from 0, < 2026.4.8
—OpenClaw: Existing WS sessions survive shared gateway token rotation
from 0, < 2026.4.8
—OpenClaw: resolvedAuth closure becomes stale after config reload
from 0, < 2026.4.8
—OpenClaw: HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist — RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class)
from 0, < 2026.4.8
—OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders
from 0, < 2026.4.2
—OpenClaw: Untrusted workspace channel shadows could execute during built-in channel setup
from 0, < 2026.4.2
—OpenClaw: iOS A2UI bridge trusted generic local-network pages for agent.request dispatch
from 0, < 2026.4.2
—OpenClaw: OpenShell mirror mode could delete arbitrary remote directories when roots were mis-scoped
from 0, < 2026.4.2
—OpenClaw: Gateway operator.write Can Reach Admin-Class Talk Voice Config Persistence via chat.send
from 0, < 2026.3.28
—OpenClaw: `/phone arm`/`/phone disarm` Bypasses `operator.admin` Scope Check for External Channels
from 0, < 2026.3.28
—OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter
from 0, < 2026.4.2
—OpenClaw: Discord voice ingress authorization can be bypassed via channel, name, and stale-role validation gaps
from 0, < 2026.3.31
—OpenClaw: Endpoint persists after trust decline, leaking gateway credentials
from 0, < 2026.3.31
—OpenClaw: macOS Tailnet DNS Spoofing & Credential Exfiltration
from 0, < 2026.3.31
—OpenClaw: Tlon Startup Migration Rehydrates Empty-Array Revocations From File Config
from 0, < 2026.3.31
—OpenClaw: Discord voice manager bypasses channel-level member access allowlist
from 0, < 2026.3.31
—OpenClaw: Incomplete scope-clearing fix allows operator.admin escalation via trusted-proxy auth mode
from 0, < 2026.3.31
—OpenClaw Has a Gateway Control Interface Information Disclosure Vulnerability
from 0, < 2026.3.31
—OpenClaw: MSTeams thread history bypasses sender allowlist via Graph API
from 0, < 2026.3.31
—OpenClaw: Heartbeat context inheritance bypasses sandbox via senderIsOwner escalation
from 0, < 2026.3.31
—OpenClaw affected by SSRF via unguarded image download in fal provider
from 0, < 2026.3.28
—OpenClaw: Gateway WebSocket Denial of Service via unbounded pre-auth upgrades
from 0, < 2026.3.28
—OpenClaw: /pair approve command path omitted caller scope subsetting and reopened device pairing escalation
from 0, < 2026.3.28
—OpenClaw: Voice-call Plivo V3 webhook replay key uses unsorted URL, allowing replay via query-parameter reordering
from 0, < 2026.3.28
—OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token
from 0, < 2026.3.28
—OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation
from 0, < 2026.3.28
—OpenClaw: Gateway HTTP Session History Route Bypasses Operator Read Scope
from 0, < 2026.3.25
—OpenClaw: Matrix Verification Notices Bypass Matrix DM Policy and Reply to Unpaired DM Peers
from 0, <= 2026.3.24
—OpenClaw: Gateway Plugin HTTP Auth Grants Unrestricted operator.admin Runtime Scope to All Callers
from 0, <= 2026.3.24
—OpenClaw: Gateway Backend Reconnect lets Non-Admin Operator Scopes Self-Claim operator.admin
from 0, <= 2026.3.24
—OpenClaw Bypasses DM Policy Separation via Synology Chat Webhook Path Collision
from 0, < 2026.3.22
—OpenClaw Gateway: RCE and Privilege Escalation from operator.pairing to operator.admin via device.pair.approve
from 0, < 2026.3.22
—OpenClaw: Tlon settings empty-allowlist reconciliation bypassed intended revocation
from 0, < 2026.3.22
—OpenClaw: Tlon cite expansion happens before channel and DM authorization is complete
from 0, < 2026.3.22
—OpenClaw is vulnerable to unauthenticated resource exhaustion through its voice call webhook handling
from 0, < 2026.3.22
—OpenClaw: Remote media error responses could trigger unbounded memory allocation before failure
from 0, < 2026.3.22
—OpenClaw: Nostr inbound DMs could trigger unauthenticated crypto work before sender policy enforcement
from 0, < 2026.3.22
—OpenClaw: Windows media loaders accepted remote-host file URLs before local path validation
from 0, < 2026.3.22
—OpenClaw: Gateway agent /reset exposes admin session reset to operator.write callers
from 0, < 2026.3.23
—OpenClaw: Gateway Canvas local-direct requests bypass Canvas HTTP and WebSocket authentication
from 0, < 2026.3.23
—OpenClaw: Plivo V2 verified replay identity drifts on query-only variants
from 0, < 2026.3.23
—OpenClaw session transcript files were created without forced user-only permissions
from 0, < 2026.2.17
—OpenClaw: Zalo webhook rate limiting could be bypassed before secret validation
from 0, < 2026.3.12
—OpenClaw: Workspace plugin auto-discovery allowed code execution from cloned repositories
from 0, < 2026.3.12
—OpenClaw's MS Teams sender allowlist bypass when route allowlist is configured and sender allowlist is empty
from 0, < 2026.3.8
—OpenClaw's skills-install-download can be redirected outside the tools root by rebinding the validated base path
from 0, < 2026.3.8
—OpenClaw: BlueBubbles (optional plugin) pairing/allowlist mismatch when allowFrom is empty
from 0, < 2026.2.22
—OpenClaw has Windows Lobster shell fallback command injection in constrained fallback path
>= 2026.1.21, < 2026.2.19
—OpenClaw's exec allowlist wrapper analysis did not unwrap env/shell dispatch chains
from 0, < 2026.2.22
—OpenClaw's Signal reaction-only status events could, in limited cases, be enqueued before access checks
from 0, < 2026.2.25
—OpenClaw's sandbox bind validation could bypass allowed-root and blocked-path checks via symlink-parent missing-leaf paths
from 0, < 2026.2.24
—OpenClaw's Nextcloud Talk webhook replay could trigger duplicate inbound processing
from 0, < 2026.2.25
—OpenClaw's Synology Chat dmPolicy=allowlist failed open on empty allowedUserIds, allowing unauthorized agent dispatch
>= 2026.2.22, < 2026.2.24
—OpenClaw reuses the gateway auth token in the owner ID prompt hashing fallback
from 0, < 2026.2.22
—OpenClaw's runtime /debug override path accepted prototype-reserved keys
from 0, < 2026.2.21
—OpenClaw Improperly Neutralizes Line Breaks in systemd Unit Generation Enables Local Command Execution (Linux)
from 0, < 2026.2.21
—OpenClaw has a Command Injection via unescaped environment assignments in Windows Scheduled Task script generation
from 0, < 2026.2.19
—OpenClaw has macOS `system.run` allowlist bypass via quoted command substitution
from 0, < 2026.2.22
—OpenClaw unpaired device identity can bypass operator pairing and self-assign operator scopes with shared auth
>= 2026.2.22, < 2026.2.25
—OpenClaw Windows Scheduled Task script generation allowed local command injection via unsafe cmd argument handling
from 0, < 2026.2.19
—OpenClaw: ZIP extraction race could write outside destination via parent symlink rebind
from 0, < 2026.3.2
—OpenClaw's web tools strict URL guard could lose DNS pinning when env proxy is configured
from 0, < 2026.3.2
—OpenClaw: stageSandboxMedia destination symlink traversal can overwrite files outside sandbox workspace
from 0, < 2026.3.2
—OpenClaw's system.run shell-wrapper positional argv carriers could execute hidden commands under misleading approval text
from 0, < 2026.2.24
—OpenClaw's system.run approval TOCTOU via mutable symlink cwd target on node host
from 0, < 2026.2.25
—OpenClaw's voice-call Twilio webhook replay could bypass manager dedupe because normalized event IDs were randomized per parse
from 0, < 2026.2.23
—OpenClaw's gateway tokenless Tailscale auth applied to HTTP routes
from 0, < 2026.2.21
—OpenClaw vulnerable to path traversal in Feishu media temp-file naming allows writes outside os.tmpdir()
from 0, < 2026.2.19
—OpenClaw: Chrome --no-sandbox disabled OS-level browser sandbox in sandbox browser container
from 0, < 2026.2.21
—OpenClaw has command injection via Windows shell fallback in Lobster tool execution
from 0, < 2026.2.19
—OpenClaw has allowlist exec-guard bypass via env -S
from 0, < 2026.2.23
—OpenClaw: Node system.run approval bypass via parent-symlink cwd rebind
from 0, < 2026.2.26
—OpenClaw: Message action attachment hydration bypasses local media root checks when sandboxRoot is unset
from 0, < 2026.2.24
—OpenClaw's inbound media downloads could exceed configured byte limits before rejection across multiple channels
from 0, < 2026.2.22
—OpenClaw's exec allow-always can be bypassed via unrecognized multiplexer shell wrappers (busybox/toybox sh -c)
from 0, < 2026.2.23
—OpenClaw has browser trace/download path symlink escape in temp output handling
from 0, < 2026.2.25
—OpenClaw has ReDoS and regex injection via unescaped Feishu mention metadata in RegExp construction
from 0, < 2026.2.19
—OpenClaw macOS companion app (beta): allowlist parsing mismatch for system.run shell chains
from 0, < 2026.2.22
—OpenClaw has Windows system.run approval mismatch on cmd.exe /c trailing arguments
from 0, < 2026.2.21
—OpenClaw: system.run approvals did not bind PATH-token executable identity, enabling post-approval executable rebind
from 0, < 2026.3.1
—OpenClaw has web_search citation redirect SSRF via private-network-allowing policy
from 0, < 2026.3.1
—OpenClaw's ACPX Windows wrapper shell fallback allowed cwd injection in specific paths
>= 2026.2.26, < 2026.3.1
—OpenClaw's sandboxed sessions_spawn now enforces sandbox inheritance for cross-agent spawns
from 0, < 2026.3.1
—OpenClaw has unbounded memory growth in Zalo webhook via query-string key churn (unauthenticated DoS)
from 0, < 2026.3.1
—OpenClaw: Skill env override host env injection via applySkillConfigEnvOverrides (defense-in-depth)
from 0, < 2026.2.21
—OpenClaw: ACP prompt-size checks missing in local stdio bridge could reduce responsiveness with very large inputs
from 0, < 2026.2.19
—OpenClaw hardened cron webhook delivery against SSRF
from 0, < 2026.2.19
—OpenClaw: Reject symlinks in local skill packaging script
from 0, < 2026.2.19
—OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows
from 0, < 2026.2.18
—OpenClaw hardened the skill download target directory validation
from 0, < 2026.2.15
—OpenClaw's sandbox config hash sorted primitive arrays and suppressed needed container recreation
from 0, < 2026.2.15
—OpenClaw session tool visibility hardening and Telegram webhook secret fallback
from 0, < 2026.2.15
—OpenClaw: Telegram bot token exposure via logs
from 0, < 2026.2.15
—OpenClaw: Docker container escape via unvalidated bind mount config injection
from 0, < 2026.2.15
—OpenClaw: Unsanitized CWD path injection into LLM prompts
from 0, < 2026.2.15
—OpenClaw: Process Safety - Unvalidated PID Kill via SIGKILL in Process Cleanup
from 0, < 2026.2.14
—OpenClaw has a command injection in maintainer clawtributors updater
>= 2026.1.8, < 2026.2.14
—OpenClaw has a path traversal in browser upload allows local file read
from 0, < 2026.2.14
—OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning
from 0, < 2026.2.14
—OpenClaw skills.status could leak secrets to operator.read clients
from 0, < 2026.2.14
—OpenClaw macOS deep link confirmation truncation can conceal executed agent message
>= 2026.2.6-0, < 2026.2.14