pkg:npm/openclaw

405 CVEs in total: CRITICAL 21, HIGH 111, MEDIUM 135, LOW 12

All known vulnerabilities

  • CRITICAL 9.9 | CVE-2026-22172 | OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes
    from 0, < 2026.3.12
  • CRITICAL 9.9 | CVE-2026-28466 | OpenClaw Vulnerable to Remote Code Execution via Node Invoke Approval Bypass in Gateway
    from 0, < 2026.2.14
  • CRITICAL 9.8 | CVE-2026-44109 | OpenClaw: Feishu webhook and card-action validation now fail closed
    from 0, < 2026.4.15
  • CRITICAL 9.8 | CVE-2026-41386 | OpenClaw: Unbound bootstrap setup codes allow privilege escalation during pairing
    from 0, < 2026.3.22
  • CRITICAL 9.8 | CVE-2026-33578 | OpenClaw: Google Chat and Zalouser group sender allowlist bypass via policy downgrade
    from 0, < 2026.3.28
  • CRITICAL 9.8 | CVE-2026-33577 | OpenClaw: node.pair.approve missing callerScopes validation allows low-privilege operator to approve malicious nodes
    from 0, < 2026.3.28
  • CRITICAL 9.8 | CVE-2026-33576 | OpenClaw: Zalo channel downloads media before sender authorization
    from 0, < 2026.3.28
  • CRITICAL 9.8 | CVE-2026-28469 | OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting
    from 0, < 2026.2.14
  • CRITICAL 9.8 | CVE-2026-28454 | OpenClaw has a potential access-group authorization bypass if channel type lookup fails
    from 0, < 2026.2.1
  • CRITICAL 9.8 | CVE-2026-28470 | OpenClaw has an exec allowlist bypass via command substitution/backticks inside double quotes
    from 0, < 2026.2.2
  • CRITICAL 9.8 | CVE-2026-28391 | OpenClaw's Windows cmd.exe parsing may bypass exec allowlist/approval gating
    from 0, < 2026.2.2
  • CRITICAL 9.8 | CVE-2026-28472 | OpenClaw's gateway connect could skip device identity checks when auth.token was present but not yet validated
    from 0, < 2026.2.2
  • CRITICAL 9.6 | CVE-2026-41397 | OpenClaw: OpenShell Mirror Sync: Sandbox Escape via Unrestricted File Sync + Symlink Traversal
    from 0, < 2026.3.31
  • CRITICAL 9.6 | CVE-2026-41294 | OpenClaw has a CWD `.env` environment variable injection which bypasses host-env policy and allows config takeover
    from 0, < 2026.3.28
  • CRITICAL 9.6 | CVE-2026-41387 | OpenClaw's incomplete host env sanitization blocklist allows supply-chain redirection via package-manager env overrides
    from 0, < 2026.3.22
  • CRITICAL 9.4 | CVE-2026-32916 | OpenClaw: Plugin subagent routes could bypass gateway authorization with synthetic admin scopes
    >= 2026.3.7, < 2026.3.11
  • CRITICAL 9.4 | CVE-2026-28446 | OpenClaw has an inbound allowlist policy bypass in voice-call extension (empty caller ID + suffix matching)
    from 0, < 2026.2.2
  • CRITICAL 9.3 | CVE-2026-32913 | OpenClaw: fetch-guard forwards custom authorization headers across cross-origin redirects
    from 0, < 2026.3.7
  • CRITICAL 9.1 | CVE-2026-43534 | OpenClaw: Agent hook events could enqueue trusted system events from unsanitized external input
    from 0, < 2026.4.10
  • CRITICAL 9.1 | CVE-2026-43566 | OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events
    >= 2026.4.7, < 2026.4.14
  • CRITICAL 9.0 | CVE-2026-32038 | OpenClaw has a sandbox network isolation bypass via docker.network=container:<id>
    from 0, < 2026.2.24
  • HIGH 8.8 | CVE-2026-43530 | OpenClaw: busybox and toybox applet execution weakened exec approval binding
    >= 2026.2.23, < 2026.4.12
  • HIGH 8.8 | CVE-2026-42434 | OpenClaw: Sandboxed agents could escape exec routing via host=node override
    >= 2026.4.5, < 2026.4.10
  • HIGH 8.8 | CVE-2026-43569 | OpenClaw: Workspace provider auth choices could auto-enable untrusted provider plugins
    from 0, < 2026.4.9
  • HIGH 8.8 | CVE-2026-43571 | OpenClaw: Channel setup catalog lookups could include untrusted workspace plugin shadows
    from 0, < 2026.4.10
  • HIGH 8.8 | CVE-2026-43531 | OpenClaw: Workspace .env could inject OpenClaw runtime-control variables
    from 0, < 2026.4.9
  • HIGH 8.8 | CVE-2026-43584 | OpenClaw: Exec environment denylist missed high-risk interpreter startup variables
    from 0, < 2026.4.10
  • HIGH 8.8 | CVE-2026-42426 | OpenClaw `node.pair.approve` placed in `operator.write` scope instead of `operator.pairing` allows unprivileged pairing approval
    from 0, < 2026.4.8
  • HIGH 8.8 | CVE-2026-42422 | OpenClaw `device.token.rotate` mints tokens for unapproved roles, bypassing device role-upgrade pairing
    from 0, < 2026.4.8
  • HIGH 8.8 | CVE-2026-41378 | OpenClaw: Paired node escalates to gateway RCE via unrestricted node.event agent dispatch
    from 0, < 2026.3.31
  • HIGH 8.8 | CVE-2026-41352 | OpenClaw: Device-Paired Node Skips Node Scope Gate → Host RCE.md
    from 0, < 2026.3.31
  • HIGH 8.8 | CVE-2026-41303 | OpenClaw: Discord text `/approve` bypasses `channels.discord.execApprovals.approvers` and allows non-approvers to resolve pending exec approvals
    from 0, < 2026.3.28
  • HIGH 8.8 | CVE-2026-35643 | OpenClaw: Arbitrary code execution via unvalidated WebView JavascriptInterface
    from 0, < 2026.3.22
  • HIGH 8.8 | CVE-2026-35666 | OpenClaw's system.run allowlist can be bypassed through an unregistered time dispatch wrapper
    from 0, < 2026.3.22
  • HIGH 8.8 | CVE-2026-32010 | In OpenClaw, manually adding sort to tools.exec.safeBins could bypass allowlist approval via --compress-program
    from 0, < 2026.2.22
  • HIGH 8.8 | CVE-2026-28363 | OpenClaw is vulnerable to validation bypass through GNU long-option abbreviations in allowlist mode
    from 0, < 2026.2.23
  • HIGH 8.8 | CVE-2026-28460 | OpenClaw's system.run allowlist bypass via shell line-continuation command substitution
    from 0, < 2026.2.22
  • HIGH 8.8 | CVE-2026-22177 | OpenClaw's config env vars allowed startup env injection into service runtime
    from 0, < 2026.2.21
  • HIGH 8.8 | CVE-2026-32023 | OpenClaw's dispatch-wrapper depth-cap mismatch can bypass shell-wrapper approval gating in system.run allowlist mode
    from 0, < 2026.2.24
  • HIGH 8.8 | CVE-2026-32013 | OpenClaw gateway agents.files symlink escape allowed out-of-workspace file read/write
    from 0, < 2026.2.25
  • HIGH 8.8 | CVE-2026-32060 | OpenClaw has a path traversal in apply_patch that could write/delete files outside the workspace
    from 0, < 2026.2.14
  • HIGH 8.8 | CVE-2026-29610 | OpenClaw: Command hijacking via unsafe PATH handling (bootstrapping + node-host PATH overrides)
    from 0, < 2026.2.14
  • HIGH 8.6 | CVE-2026-44116 | OpenClaw validates Zalo outbound photo URLs through the SSRF guard
    from 0, < 2026.4.22
  • HIGH 8.6 | CVE-2026-35641 | OpenClaw has an Arbitrary Malicious Code Execution Vulnerability
    from 0, < 2026.3.24
  • HIGH 8.6 | CVE-2026-32974 | OpenClaw: Feishu webhook mode accepted forged events when only `verificationToken` was configured
    from 0, < 2026.3.12
  • HIGH 8.6 | CVE-2026-28451 | OpenClaw has two SSRF via sendMediaFeishu and markdown image fetching in Feishu extension
    from 0, < 2026.2.14
  • HIGH 8.5 | CVE-2026-42439 | OpenClaw: Browser tabs action select and close routes bypassed SSRF policy
    from 0, < 2026.4.10
  • HIGH 8.4 | CVE-2026-32918 | OpenClaw: `session_status` let sandboxed subagents access parent or sibling session state
    from 0, < 2026.3.11
  • HIGH 8.4 | CVE-2026-25593 | OpenClaw vulnerable to Unauthenticated Local RCE via WebSocket config.apply
    from 0, < 2026.1.20
  • HIGH 8.3 | CVE-2026-28476 | OpenClaw affected by SSRF in optional Tlon (Urbit) extension authentication
    from 0, < 2026.2.14
  • HIGH 8.2 | CVE-2026-43526 | OpenClaw: QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes
    from 0, < 2026.4.12
  • HIGH 8.2 | CVE-2026-41296 | OpenClaw: Sandbox escape via TOCTOU race in remote FS bridge readFile
    from 0, < 2026.3.31
  • HIGH 8.2 | CVE-2026-41394 | OpenClaw: Unauthenticated plugin-auth HTTP routes receive operator runtime scopes
    from 0, < 2026.3.31
  • HIGH 8.1 | CVE-2026-43585 | OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation
    from 0, < 2026.4.15
  • HIGH 8.1 | CVE-2026-42431 | OpenClaw `node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard
    from 0, < 2026.4.8
  • HIGH 8.1 | CVE-2026-41364 | OpenClaw: SSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host
    from 0, < 2026.3.31
  • HIGH 8.1 | CVE-2026-35653 | OpenClaw: `browser.request` still allows `POST /reset-profile` through the `operator.write` surface
    from 0, < 2026.3.24
  • HIGH 8.1 | CVE-2026-35645 | OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin`
    from 0, < 2026.3.28
  • HIGH 8.1 | CVE-2026-32302 | OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode
    from 0, < 2026.3.11
  • HIGH 8.1 | CVE-2026-28453 | OpenClaw has Zip Slip path traversal in tar archive extraction
    from 0, < 2026.2.14
  • HIGH 8.1 | CVE-2026-28447 | OpenClaw has a Path Traversal in Plugin Installation
    >= 2026.1.20, < 2026.2.1
  • HIGH 8.0 | CVE-2026-32978 | OpenClaw: Unrecognized script runners could bypass `system.run` approval integrity
    from 0, < 2026.3.11
  • HIGH 8.0 | CVE-2026-32014 | OpenClaw: Node reconnect metadata spoofing could bypass platform-based node command policy
    from 0, < 2026.2.26
  • HIGH 7.8 | CVE-2026-45004 | OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution
    from 0, < 2026.4.23
  • HIGH 7.8 | CVE-2026-44118 | OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens
    from 0, < 2026.4.22
  • HIGH 7.8 | CVE-2026-44114 | OpenClaw: Workspace dotenv could override runtime-control environment variables
    from 0, < 2026.4.20
  • HIGH 7.8 | CVE-2026-41384 | OpenClaw Has Incomplete Fix for CVE-2026-4039: CLI Backend Environment Variable Injection via Workspace Config
    from 0, < 2026.3.24
  • HIGH 7.8 | CVE-2026-41396 | OpenClaw: Workspace `.env` can override the bundled plugin trust root
    from 0, < 2026.3.31
  • HIGH 7.8 | CVE-2026-41336 | OpenClaw: Workspace `.env` can override the bundled hooks root and load attacker hook code
    from 0, < 2026.3.31
  • HIGH 7.8 | CVE-2026-32015 | OpenClaw's `tools.exec.safeBins` PATH-hijack allowed trojan binaries to bypass allowlist checks
    >= 2026.1.21, < 2026.2.19
  • HIGH 7.8 | CVE-2026-32032 | OpenClaw's shell env fallback trusts unvalidated SHELL path from host environment
    from 0, < 2026.2.22
  • HIGH 7.8 | CVE-2026-32016 | OpenClaw: macOS optional allowlist basename matching could bypass path-based policy
    from 0, < 2026.2.22
  • HIGH 7.7 | CVE-2026-43576 | OpenClaw: CDP /json/version WebSocket URL could pivot to untrusted second-hop targets
    from 0, < 2026.4.5
  • HIGH 7.7 | CVE-2026-43580 | OpenClaw: Browser press/type interaction routes missed complete navigation guard coverage
    from 0, < 2026.4.10
  • HIGH 7.7 | CVE-2026-43573 | OpenClaw: Existing-session browser interaction routes bypassed SSRF policy enforcement
    from 0, < 2026.4.10
  • HIGH 7.7 | CVE-2026-43527 | OpenClaw: Browser SSRF policy default allowed private-network navigation
    from 0, < 2026.4.14
  • HIGH 7.7 | CVE-2026-43532 | OpenClaw: Discord event cover images bypassed sandbox media normalization
    >= 2026.4.7, < 2026.4.10
  • HIGH 7.7 | CVE-2026-42436 | OpenClaw: Browser snapshot and screenshot routes could expose internal page content after navigation
    from 0, < 2026.4.14
  • HIGH 7.7 | CVE-2026-35668 | OpenClaw has Sandbox Media Root Bypass via Unnormalized `mediaUrl` / `fileUrl` Parameter Keys (CWE-22)
    from 0, < 2026.3.24
  • HIGH 7.7 | CVE-2026-32064 | OpenClaw's sandbox browser noVNC observer lacked VNC authentication
    from 0, < 2026.2.21
  • HIGH 7.6 | CVE-2026-41297 | OpenClaw: Marketplace Plugin Download Follows Redirects Without SSRF Protection
    from 0, < 2026.3.31
  • HIGH 7.6 | CVE-2026-32055 | OpenClaw: workspace path guard bypass on non-existent out-of-root symlink leaf
    from 0, < 2026.2.26
  • HIGH 7.6 | CVE-2026-27487 | OpenClaw: Prevent shell injection in macOS keychain credential write
    from 0, < 2026.2.14
  • HIGH 7.6 | CVE-2026-26322 | OpenClaw Gateway tool allowed unrestricted gatewayUrl override
    from 0, < 2026.2.14
  • HIGH 7.5 | CVE-2026-42423 | OpenClaw: strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts
    from 0, < 2026.4.8
  • HIGH 7.5 | CVE-2026-41405 | OpenClaw: MS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion
    from 0, < 2026.3.31
  • HIGH 7.5 | CVE-2026-34503 | OpenClaw's device removal and token revocation do not terminate active WebSocket sessions
    from 0, < 2026.3.28
  • HIGH 7.5 | CVE-2026-35650 | OpenClaw has Inconsistent Host Exec Environment Override Sanitization
    from 0, < 2026.3.22
  • HIGH 7.5 | CVE-2026-32980 | OpenClaw Telegram webhook request bodies were read before secret validation, enabling unauthenticated resource exhaustion
    from 0, < 2026.3.13
  • HIGH 7.5 | CVE-2026-32025 | OpenClaw's browser-origin WebSocket auth hardening gap could enable loopback password brute-force chains
    from 0, < 2026.2.25
  • HIGH 7.5 | CVE-2026-32056 | OpenClaw's shell startup env injection bypasses system.run allowlist intent (RCE class)
    from 0, < 2026.2.22
  • HIGH 7.5 | CVE-2026-32033 | OpenClaw has a workspace-only sandbox guard mismatch for @-prefixed absolute paths
    from 0, < 2026.2.24
  • HIGH 7.5 | CVE-2026-32034 | OpenClaw has an opt-in insecure Control UI auth over plaintext HTTP that could allow privileged access
    from 0, < 2026.2.21
  • HIGH 7.5 | CVE-2026-32011 | OpenClaw has pre-auth webhook body parsing that can enable unauthenticated slow-request DoS
    from 0, < 2026.3.2
  • HIGH 7.5 | CVE-2026-32030 | OpenClaw vulnerable to sensitive file disclosure via stageSandboxMedia
    from 0, < 2026.2.19
  • HIGH 7.5 | CVE-2026-32062 | OpenClaw voice-call media stream validated streams after upgrade, which could allow pre-start unauthenticated sockets to increase resource pressure
    from 0, < 2026.2.22
  • HIGH 7.5 | CVE-2026-29611 | OpenClaw has a LFI in BlueBubbles media path handling
    from 0, < 2026.2.14
  • HIGH 7.5 | CVE-2026-28462 | OpenClaw has a path traversal in browser trace/download output paths that may allow arbitrary file writes
    from 0, < 2026.2.13
  • HIGH 7.5 | CVE-2026-28478 | OpenClaw affected by denial of service via unbounded webhook request body buffering
    from 0, < 2026.2.13
  • HIGH 7.5 | CVE-2026-29609 | OpenClaw affected by denial of service via unbounded URL-backed media fetch
    from 0, < 2026.2.14
  • HIGH 7.5 | CVE-2026-26324 | OpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reachable)
    from 0, < 2026.2.14
  • HIGH 7.5 | CVE-2026-26321 | OpenClaw has a local file disclosure via sendMediaFeishu in Feishu extension
    from 0, < 2026.2.14
  • HIGH 7.5 | CVE-2026-26319 | OpenClaw is Missing Webhook Authentication in Telnyx Provider, Allowing Unauthenticated Requests
    from 0, < 2026.2.14
  • HIGH 7.5 | CVE-2026-26316 | OpenClaw BlueBubbles webhook auth bypass via loopback proxy trust
    from 0, < 2026.2.13
  • HIGH 7.5 | CVE-2026-25474 | OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass
    from 0, < 2026.2.1
  • HIGH 7.5 | CVE-2026-28458 | OpenClaw's Browser Relay /cdp websocket is missing auth, which could allow cross-tab cookie access
    >= 2026.1.20, < 2026.2.1
  • HIGH 7.4 | CVE-2026-35629 | OpenClaw: SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476)
    from 0, < 2026.3.28
  • HIGH 7.4 | CVE-2026-28481 | OpenClaw MS Teams inbound attachment downloader leaks bearer tokens to allowlisted suffix domains
    from 0, < 2026.2.1
  • HIGH 7.3 | CVE-2026-41392 | OpenClaw: Shell init-file options could satisfy exec allowlist script matching
    from 0, < 2026.3.31
  • HIGH 7.3 | CVE-2026-41355 | OpenClaw: OpenShell `mirror` mode can convert untrusted sandbox files into explicitly enabled workspace hooks and execute them on the host during gateway startup
    from 0, < 2026.3.28
  • HIGH 7.3 | CVE-2026-41380 | OpenClaw gateway exec allow-always over-trusts positional carrier executables
    from 0, < 2026.3.28
  • HIGH 7.3 | CVE-2026-41390 | OpenClaw has a gateway exec allowlist allow-always bypass via unregistered /usr/bin/script wrapper
    from 0, < 2026.3.28
  • HIGH 7.3 | CVE-2026-41342 | OpenClaw: CLI Remote Onboarding Persists Unauthenticated Discovery Endpoint and Exfiltrates Gateway Credentials
    from 0, < 2026.3.28
  • HIGH 7.3 | CVE-2026-32979 | OpenClaw: Unbound interpreter and runtime commands could bypass node-host approval integrity
    from 0, < 2026.3.11
  • HIGH 7.3 | CVE-2026-28448 | OpenClaw Twitch allowFrom is not enforced in optional plugin; unauthorized chat users can trigger agent pipeline
    >= 2026.1.29, < 2026.2.1
  • HIGH 7.2 | CVE-2026-28456 | OpenClaw affected by potential code execution via unsafe hook module path handling in Gateway
    >= 2026.1.5, < 2026.2.14
  • HIGH 7.2 | CVE-2026-26325 | OpenClaw Node host system.run rawCommand/command mismatch can bypass allowlist/approvals
    from 0, < 2026.2.14
  • HIGH 7.2 | CVE-2026-28473 | OpenClaw authorization bypass: operator.write can resolve exec approvals via chat.send -> /approve
    from 0, < 2026.2.2
  • HIGH 7.1 | CVE-2026-42428 | OpenClaw B-M3: ClawHub package downloads are not enforced with integrity verification
    from 0, < 2026.4.8
  • HIGH 7.1 | CVE-2026-41359 | OpenClaw: Gateway operator.write Can Reach Admin-Class Telegram Config and Cron Persistence via send
    from 0, < 2026.3.28
  • HIGH 7.1 | CVE-2026-41347 | OpenClaw: HTTP operator endpoints lack browser-origin validation in trusted-proxy mode
    from 0, < 2026.3.31
  • HIGH 7.1 | CVE-2026-41299 | OpenClaw: Gateway chat.send ACP-only provenance guard could be bypassed by client identity spoofing
    from 0, < 2026.3.28
  • HIGH 7.1 | CVE-2026-35621 | OpenClaw: Gateway operator.write Can Reach Admin-Class Channel Allowlist Persistence via chat.send
    from 0, < 2026.3.24
  • HIGH 7.1 | CVE-2026-35632 | OpenClaw: Symlink Traversal via IDENTITY.md appendFile in agents.create/update (Incomplete Fix for CVE-2026-32013)
    from 0, <= 2026.2.22
  • HIGH 7.1 | CVE-2026-32971 | OpenClaw: Node-host approvals could show misleading shell payloads instead of the executed argv
    from 0, < 2026.3.11
  • HIGH 7.1 | CVE-2026-32057 | OpenClaw has a Trusted-proxy Control UI pairing bypass which allows unpaired node sessions
    from 0, < 2026.2.25
  • HIGH 7.1 | CVE-2026-32017 | OpenClaw exec allowlist safeBins short-option bypass could permit arbitrary file write
    from 0, < 2026.2.19
  • HIGH 7.1 | CVE-2026-28457 | OpenClaw's sandbox skill mirroring path traversal vulnerability could write outside the sandbox workspace
    from 0, < 2026.2.14
  • HIGH 7.1 | CVE-2026-28468 | OpenClaw has an authentication bypass in sandbox browser bridge server
    >= 2026.1.29-beta.1, < 2026.2.14
  • HIGH 7.1 | CVE-2026-26317 | OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints
    from 0, < 2026.2.14
  • HIGH 7.1 | CVE-2026-28459 | OpenClaw has an arbitrary transcript path file write via gateway sessionFile
    from 0, < 2026.2.12
  • MEDIUM 6.9 | CVE-2026-35654 | OpenClaw: MS Teams Feedback Invocation Bypasses Sender Allowlists and Records Unauthorized Session Feedback
    from 0, < 2026.3.28
  • MEDIUM 6.9 | CVE-2026-35664 | OpenClaw: Feishu Raw Card Send Surface Can Mint Legacy Card Callbacks That Bypass DM Pairing
    from 0, < 2026.3.28
  • MEDIUM 6.9 | CVE-2026-32041 | OpenClaw: Browser control startup could continue unauthenticated after auth bootstrap failure
    from 0, < 2026.3.1
  • MEDIUM 6.8 | CVE-2026-43535 | OpenClaw: Collect-mode queue batches could reuse the last sender authorization context
    from 0, < 2026.4.14
  • MEDIUM 6.8 | CVE-2026-32005 | OpenClaw: Slack interactive callbacks could skip configured sender checks in some shared-workspace flows
    from 0, < 2026.2.25
  • MEDIUM 6.8 | CVE-2026-32007 | OpenClaw: Experimental apply_patch may bypass workspace-only checks in opt-in sandbox mounts (off by default)
    from 0, < 2026.2.23
  • MEDIUM 6.7 | CVE-2026-29608 | OpenClaw's Node system.run approval hardening wrapper semantic drift can execute unintended local scripts
    >= 2026.3.1, < 2026.3.2
  • MEDIUM 6.7 | CVE-2026-26972 | OpenClaw has a Path Traversal in Browser Download Functionality
    >= 2026.1.12, < 2026.2.13
  • MEDIUM 6.6 | CVE-2026-32003 | OpenClaw has system.run shell-wrapper env injection via SHELLOPTS/PS4 that can bypass allowlist intent (RCE)
    from 0, < 2026.2.22
  • MEDIUM 6.5 | CVE-2026-43570 | OpenClaw contains a symlink traversal vulnerability
    >= 2026.3.22, < 2026.4.5
  • MEDIUM 6.5 | CVE-2026-42433 | OpenClaw: Matrix profile config persistence was reachable from operator.write message tools
    from 0, < 2026.4.10
  • MEDIUM 6.5 | CVE-2026-43574 | OpenClaw: Empty approver lists could grant explicit approval authorization
    from 0, < 2026.4.12
  • MEDIUM 6.5 | CVE-2026-42430 | OpenClaw: Strict browser SSRF bypass in Playwright redirect handling leaves private targets reachable
    from 0, < 2026.4.8
  • MEDIUM 6.5 | CVE-2026-41408 | OpenClaw: Tlon media downloads can bypass core safety limits and exhaust disk
    from 0, < 2026.3.31
  • MEDIUM 6.5 | CVE-2026-41369 | OpenClaw: Host exec environment sanitization misses package, registry, Docker, compiler, and TLS override variables
    from 0, < 2026.3.31
  • MEDIUM 6.5 | CVE-2026-41376 | OpenClaw: Matrix thread root and reply context bypass sender allowlist
    from 0, < 2026.3.31
  • MEDIUM 6.5 | CVE-2026-41385 | OpenClaw Nostr privateKey config redaction bypass leaks plaintext signing key via config.get
    from 0, < 2026.3.31
  • MEDIUM 6.5 | CVE-2026-33580 | OpenClaw's Nextcloud Talk webhook missing rate limiting on shared secret authentication
    from 0, < 2026.3.28
  • MEDIUM 6.5 | CVE-2026-34508 | Duplicate Advisory: OpenClaw has Bypass in Webhook Rate Limiting via Pre-Authentication Secret Validation
    from 0, < 2026.3.12
  • MEDIUM 6.5 | CVE-2026-35658 | OpenClaw: Image Tool `tools.fs.workspaceOnly` Bypass via Sandbox Bridge Mounts
    from 0, < 2026.3.2
  • MEDIUM 6.5 | CVE-2026-35656 | OpenClaw: Forwarding header spoofing bypasses gateway.trustedProxies origin detection
    from 0, < 2026.3.22
  • MEDIUM 6.5 | CVE-2026-35652 | OpenClaw: Mattermost callback dispatch allowed non-allowlisted sender actions
    from 0, < 2026.3.22
  • MEDIUM 6.5 | CVE-2026-32021 | OpenClaw has a Feishu allowFrom authorization bypass via display-name collision
    from 0, < 2026.2.22
  • MEDIUM 6.5 | CVE-2026-32008 | OpenClaw browser navigation guard allowed non-network URL schemes, enabling authenticated browser-tool users to access file:// local files
    from 0, < 2026.2.21
  • MEDIUM 6.5 | CVE-2026-32004 | OpenClaw has encoded-path auth bypass in plugin `/api/channels` route classification
    from 0, < 2026.3.2
  • MEDIUM 6.5 | CVE-2026-32027 | OpenClaw DM pairing-store identities could satisfy group allowlist authorization
    from 0, < 2026.2.26
  • MEDIUM 6.5 | CVE-2026-32036 | OpenClaw has gateway plugin auth bypass via encoded dot-segment traversal in protected /api/channels paths
    from 0, < 2026.2.26
  • MEDIUM 6.5 | CVE-2026-32026 | Temporary path handling could write outside OpenClaw temp boundary
    from 0, < 2026.2.24
  • MEDIUM 6.5 | CVE-2026-28394 | OpenClaw has a Web Fetch DoS via unbounded response parsing
    from 0, < 2026.2.15
  • MEDIUM 6.5 | CVE-2026-29606 | OpenClaw Twilio voice-call webhook auth bypass when ngrok loopback compatibility is enabled
    from 0, < 2026.2.14
  • MEDIUM 6.5 | CVE-2026-28452 | OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR)
    from 0, < 2026.2.14
  • MEDIUM 6.5 | CVE-2026-26328 | OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities
    from 0, < 2026.2.14
  • MEDIUM 6.5 | CVE-2026-28471 | OpenClaw has a Matrix allowlist bypass via displayName and cross-homeserver localpart matching
    >= 2026.1.14-1, < 2026.2.2
  • MEDIUM 6.5 | CVE-2026-28395 | OpenClaw's Chrome extension relay binds publicly due to wildcard treated as loopback
    >= 2026.1.14-1, < 2026.2.12
  • MEDIUM 6.5 | CVE-2026-25475 | OpenClaw Vulnerable to Local File Inclusion via MEDIA: Path Extraction
    from 0, < 2026.1.30
  • MEDIUM 6.4 | CVE-2026-22169 | OpenClaw's non-default safeBins sort configuration can bypass intended allowlist approval constraints
    from 0, < 2026.2.22
  • MEDIUM 6.4 | CVE-2026-29607 | OpenClaw's allow-always wrapper persistence could bypass future approvals and enable command execution
    from 0, < 2026.2.22
  • MEDIUM 6.3 | CVE-2026-43582 | OpenClaw: Browser SSRF hostname validation could be bypassed by DNS rebinding
    from 0, < 2026.4.10
  • MEDIUM 6.3 | CVE-2026-41302 | OpenClaw: SSRF via Unguarded `fetch()` in Marketplace Plugin Download and Ollama Model Discovery
    from 0, < 2026.3.31
  • MEDIUM 6.3 | CVE-2026-32977 | OpenClaw: Sandbox `writeFile` commit could race outside the validated path
    from 0, < 2026.3.11
  • MEDIUM 6.3 | CVE-2026-32921 | OpenClaw's system.run approvals did not bind mutable script operands across approval and execution
    from 0, < 2026.3.8
  • MEDIUM 6.2 | CVE-2026-33581 | OpenClaw's message tool media parameter bypasses tool policy filesystem isolation
    from 0, < 2026.3.24
  • MEDIUM 6.2 | CVE-2026-28450 | OpenClaw's unauthenticated Nostr profile HTTP endpoints allow remote profile/config tampering
    from 0, < 2026.2.12
  • MEDIUM 6.1 | CVE-2026-41373 | OpenClaw: Incomplete host-env-security-policy allows untrusted model to substitute compiler binaries via env overrides
    from 0, < 2026.3.31
  • MEDIUM 6.1 | CVE-2026-35667 | OpenClaw has incomplete Fix for CVE-2026-27486: Unvalidated SIGKILL in `!stop` Chat Command via `shell-utils.ts`
    from 0, < 2026.3.24
  • MEDIUM 6.1 | CVE-2026-27646 | OpenClaw: Sandboxed /acp spawn requests could initialize host ACP sessions
    from 0, < 2026.3.7
  • MEDIUM 6.1 | CVE-2026-28486 | OpenClaw vulnerable to path traversal (Zip Slip) in archive extraction during explicit installation commands
    >= 2026.1.16-2, < 2026.2.14
  • MEDIUM 6.0 | CVE-2026-45005 | OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload
    from 0, < 2026.4.23
  • MEDIUM 6.0 | CVE-2026-32037 | OpenClaw's MSTeams attachment redirect handling could bypass configured media host allowlists
    from 0, < 2026.2.22
  • MEDIUM 6.0 | CVE-2026-28393 | OpenClaw's hook transform module path allows traversal and arbitrary JavaScript module loading
    >= 2.0.0-beta3, < 2026.2.14
  • MEDIUM 5.9 | CVE-2026-35622 | OpenClaw: Google Chat app-url webhook auth accepted non-deployment add-on principals
    from 0, < 2026.3.22
  • MEDIUM 5.9 | CVE-2026-35670 | OpenClaw: Synology Chat reply delivery could be rebound through username-based user resolution
    from 0, < 2026.3.22
  • MEDIUM 5.9 | CVE-2026-32039 | OpenClaw's typed sender-key matching for toolsBySender prevents identity-collision policy bypass
    from 0, < 2026.2.22
  • MEDIUM 5.9 | CVE-2026-32035 | OpenClaw: Discord voice transcript owner-flag omission could expose owner-only tools in mixed-trust channels
    from 0, < 2026.3.2
  • MEDIUM 5.9 | CVE-2026-28464 | OpenClaw has non-constant-time token comparison in hooks authentication
    from 0, < 2026.2.12
  • MEDIUM 5.9 | CVE-2026-28477 | OpenClaw Chutes manual OAuth state validation bypass can cause credential substitution
    from 0, < 2026.2.14
  • MEDIUM 5.9 | CVE-2026-28480 | OpenClaw Telegram allowlist authorization accepted mutable usernames
    from 0, < 2026.2.14
  • MEDIUM 5.9 | CVE-2026-28467 | OpenClaw affected by SSRF via attachment/media URL hydration
    from 0, < 2026.2.2
  • MEDIUM 5.9 | CVE-2026-29613 | OpenClaw has a webhook auth bypass when gateway is behind a reverse proxy (loopback remoteAddress trust)
    from 0, < 2026.2.12
  • MEDIUM 5.8 | CVE-2026-44117 | OpenClaw: QQBot direct media upload skipped URL SSRF validation
    from 0, < 2026.4.20
  • MEDIUM 5.8 | CVE-2026-41389 | OpenClaw: Webchat media embedding enforces local-root containment for tool-result files
    >= 2026.4.7, < 2026.4.15
  • MEDIUM 5.8 | CVE-2026-41372 | OpenClaw: Trailing-dot localhost CDP hosts could bypass remote loopback protections
    from 0, < 2026.4.2
  • MEDIUM 5.8 | CVE-2026-27009 | OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection
    from 0, < 2026.2.15
  • MEDIUM 5.7 | CVE-2026-40045 | OpenClaw: Android accepted cleartext remote gateway endpoints and sent stored credentials over ws://
    from 0, < 2026.4.2
  • MEDIUM 5.7 | CVE-2026-35655 | OpenClaw's Conflicting Tool Identity Hints Bypass Dangerous-Tool Prompting
    from 0, < 2026.3.22
  • MEDIUM 5.7 | CVE-2026-22174 | OpenClaw Loopback CDP probe can leak Gateway token to local listener
    from 0, < 2026.2.22
  • MEDIUM 5.7 | CVE-2026-32009 | OpenClaw: safeBins static default trusted dirs allow writable-dir binary hijack (`jq`)
    from 0, < 2026.2.24
  • MEDIUM 5.7 | CVE-2026-28463 | OpenClaw exec approvals: safeBins could bypass stdin-only constraints via shell expansion
    from 0, < 2026.2.14
  • MEDIUM 5.6 | CVE-2026-6011 | OpenClaw vulnerable to SSRF in src/agents/tools/web-fetch.ts
    from 0, < 2026.1.29
  • MEDIUM 5.5 | CVE-2026-32044 | OpenClaw skills-install-download: tar.bz2 extraction bypassed archive safety parity checks (local DoS)
    from 0, < 2026.3.2
  • MEDIUM 5.5 | CVE-2026-32024 | OpenClaw's avatar symlink traversal can expose out-of-workspace local files
    from 0, < 2026.2.22
  • MEDIUM 5.5 | CVE-2026-28482 | OpenClaw's unsanitized session ID enables path traversal in transcript file operations
    from 0, < 2026.2.12
  • MEDIUM 5.5 | CVE-2026-29612 | OpenClaw: denial of service through large base64 media files allocating large buffers before limit checks
    from 0, < 2026.2.14
  • MEDIUM 5.4 | CVE-2026-41358 | OpenClaw: Slack thread context could include messages from non-allowlisted senders
    from 0, < 2026.4.2
  • MEDIUM 5.4 | CVE-2026-41298 | OpenClaw: Read-scoped identity-bearing HTTP clients could kill sessions via /sessions/:sessionKey/kill
    from 0, < 2026.4.2
  • MEDIUM 5.4 | CVE-2026-41341 | OpenClaw: Discord Component Interaction Misclassifies Group DM as Direct Message
    from 0, < 2026.3.31
  • MEDIUM 5.4 | CVE-2026-41348 | OpenClaw: Discord Slash Commands Bypass Group DM Channel Allowlist
    from 0, < 2026.3.31
  • MEDIUM 5.4 | CVE-2026-41356 | OpenClaw: Gateway `device.token.rotate` does not terminate active WebSocket sessions after credential rotation
    from 0, < 2026.3.31
  • MEDIUM 5.4 | CVE-2026-41406 | OpenClaw: Feishu thread history and quoted messages bypass sender allowlist
    from 0, < 2026.3.31
  • MEDIUM 5.4 | CVE-2026-41344 | OpenClaw: Gateway `operator.write` can reach admin-only persisted `verboseLevel` via `chat.send` `/verbose`
    from 0, < 2026.3.28
  • MEDIUM 5.4 | CVE-2026-35620 | OpenClaw: Non-owner command-authorized sender can change the owner-only `/send` session delivery policy
    from 0, < 2026.3.24
  • MEDIUM 5.4 | CVE-2026-32895 | OpenClaw: Slack system events bypass sender authorization in member and message subtype handlers
    from 0, < 2026.2.26
  • MEDIUM 5.4 | CVE-2026-32001 | OpenClaw's Node role device-identity bypass allows unauthorized node.event injection
    from 0, < 2026.2.22
  • MEDIUM 5.4 | CVE-2026-32898 | OpenClaw ACP client has permission auto-approval bypass via untrusted tool metadata
    from 0, < 2026.2.23
  • MEDIUM 5.4 | CVE-2026-28479 | OpenClaw replaced a deprecated sandbox hash algorithm
    from 0, < 2026.2.15
  • MEDIUM 5.3 | CVE-2026-44113 | OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes
    from 0, < 2026.4.22
  • MEDIUM 5.3 | CVE-2026-44112 | OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root
    from 0, < 2026.4.22
  • MEDIUM 5.3 | CVE-2026-41915 | OpenClaw: GIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant)
    from 0, < 2026.4.8
  • MEDIUM 5.3 | CVE-2026-41346 | OpenClaw: Pairing pending-request caps were enforced per channel instead of per account
    >= 2026.2.26, < 2026.3.31
  • MEDIUM 5.3 | CVE-2026-41301 | OpenClaw: Forged Nostr DMs could create pairing state before signature verification
    >= 2026.3.22, < 2026.3.31
  • MEDIUM 5.3 | CVE-2026-34425 | OpenClaw's complex interpreter pipelines could skip exec script preflight validation
    from 0, < 2026.4.2
  • MEDIUM 5.3 | CVE-2026-41331 | OpenClaw: Telegram audio preflight transcription enables resource consumption by unauthorized senders
    from 0, < 2026.3.31
  • MEDIUM 5.3 | CVE-2026-41400 | OpenClaw: Voice-call still parses large WebSocket frames before start validation (Incomplete fix for CVE-2026-32062)
    from 0, < 2026.3.31
  • MEDIUM 5.3 | CVE-2026-41351 | OpenClaw: Telnyx Webhook Replay Detection Bypass via Base64 Signature Re-encoding
    from 0, < 2026.3.31
  • MEDIUM 5.3 | CVE-2026-41374 | OpenClaw runs Discord audio preflight transcription before member authorization
    from 0, < 2026.3.31
  • MEDIUM 5.3 | CVE-2026-41343 | OpenClaw: LINE webhook handler lacks shared pre-auth concurrency budget before signature verification
    from 0, < 2026.3.31
  • MEDIUM 5.3 | CVE-2026-41391 | OpenClaw: PIP_INDEX_URL and UV_INDEX_URL bypass host exec env sanitization and redirect Python package-index traffic
    from 0, < 2026.3.31
  • MEDIUM 5.3 | CVE-2026-41337 | OpenClaw: Voice-call Plivo replay mutates in-process callback origin before replay rejection
    from 0, < 2026.3.31
  • MEDIUM 5.3 | CVE-2026-41363 | OpenClaw: Feishu extension resolveUploadInput bypasses file-system sandbox and allows arbitrary file reads via upload_image
    >= 2026.2.6, < 2026.3.28
  • MEDIUM 5.3 | CVE-2026-35665 | OpenClaw has incomplete Fix for CVE-2026-32011: Feishu Webhook Pre-Auth Body Parsing DoS (Slow-Body / Slowloris Variant)
    from 0, < 2026.3.24
  • MEDIUM 5.3 | CVE-2026-35661 | OpenClaw: Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State
    from 0, < 2026.3.28
  • MEDIUM 5.3 | CVE-2026-27183 | OpenClaw: system.run wrapper-depth boundary could skip shell approval gating
    from 0, < 2026.3.7
  • MEDIUM 5.3 | CVE-2026-32002 | OpenClaw's image tool bypasses tools.fs.workspaceOnly on sandbox mount paths and exfiltrates out-of-workspace images
    from 0, < 2026.2.23
  • MEDIUM 5.3 | CVE-2026-32019 | OpenClaw has incomplete IPv4 special-use SSRF blocking in web fetch guard
    from 0, < 2026.2.22
  • MEDIUM 5.3 | CVE-2026-32029 | OpenClaw improperly parses X-Forwarded-For behind trusted proxies, allowing client IP spoofing in security decisions
    from 0, < 2026.2.21
  • MEDIUM 5.3 | CVE-2026-22180 | OpenClaw: Unified root-bound write hardening for browser output and related path-boundary flows
    from 0, < 2026.3.2
  • MEDIUM 5.0 | CVE-2026-42424 | OpenClaw: Shared reply MEDIA - paths are treated as trusted and can trigger cross-channel local file exfiltration
    from 0, < 2026.4.8
  • MEDIUM 4.9 | CVE-2026-41332 | OpenClaw host-env blocklist missing `GIT_TEMPLATE_DIR` and `AWS_CONFIG_FILE` allows code execution via env override
    from 0, < 2026.3.28
  • MEDIUM4.8CVE-2026-35628OpenClaw: Telegram Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Secret
    from 0, <= 2026.3.24
  • MEDIUM4.8CVE-2026-35623OpenClaw: BlueBubbles Webhook Missing Rate Limiting Enables Brute-Force Password Guessing
    from 0, <= 2026.3.24
  • MEDIUM4.8CVE-2026-32031OpenClaw: /api/channels gateway-auth boundary bypass via path canonicalization mismatch
    from 0, < 2026.2.26
  • MEDIUM4.8CVE-2026-32018OpenClaw's serialize sandbox registry writes to prevent races and delete-rollback corruption
    from 0, < 2026.2.19
  • MEDIUM4.8CVE-2026-32896OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback)
    from 0, < 2026.2.21
  • MEDIUM4.8CVE-2026-32065OpenClaw: system.run approval identity mismatch could execute a different binary than displayed
    from 0, < 2026.2.25
  • MEDIUM4.8CVE-2026-28475OpenClaw: Config writes could persist resolved ${VAR} secrets to disk
    from 0, < 2026.2.13
  • MEDIUM4.8CVE-2026-28392OpenClaw Slack: dmPolicy=open allowed any DM sender to run privileged slash commands
    from 0, < 2026.2.14
  • MEDIUM4.6CVE-2026-41377OpenClaw: Security Scan Failure Does Not Block Plugin Installation (Fail-Open)
    from 0, < 2026.3.31
  • MEDIUM4.6CVE-2026-35659OpenClaw: Bonjour/DNS-SD TXT metadata steers CLI routing after failed service resolution
    from 0, < 2026.3.22
  • MEDIUM4.6CVE-2026-32040OpenClaw Vulnerable to HTML injection via unvalidated image MIME type in data-URL interpolation
    from 0, < 2026.2.23
  • MEDIUM4.4CVE-2026-41330OpenClaw: Host exec environment overrides miss proxy, TLS, Docker, and Git TLS controls
    from 0, < 2026.3.31
  • MEDIUM4.4CVE-2026-32061OpenClaw vulnerable to arbitrary file read via $include directive
    from 0, < 2026.2.17
  • MEDIUM4.3CVE-2026-41908OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization
    from 0, < 2026.4.20
  • MEDIUM4.3CVE-2026-42420OpenClaw: Multiple Code Paths Missing Base64 Pre-Allocation Size Checks
    from 0, < 2026.4.8
  • MEDIUM4.3CVE-2026-41910OpenClaw: /allowlist omits owner-only enforcement for cross-channel allowlist writes
    from 0, < 2026.4.8
  • MEDIUM4.3CVE-2026-41339OpenClaw: Gateway hello snapshots exposed host config and state paths to non-admin clients
    from 0, < 2026.4.2
  • MEDIUM4.3CVE-2026-35619OpenClaw has a Gateway HTTP /v1/models Route Bypasses Operator Read Scope
    from 0, < 2026.3.24
  • MEDIUM4.3CVE-2026-35651OpenClaw has ACP CLI approval prompt ANSI escape sequence injection
    >= 2026.2.13, < 2026.3.28
  • MEDIUM4.3CVE-2026-35662OpenClaw leaf subagents can bypass controlScope restrictions to send messages to child sessions
    from 0, < 2026.3.22
  • MEDIUM4.3CVE-2026-32006OpenClaw has a BlueBubbles group allowlist mismatch via DM pairing-store fallback
    from 0, < 2026.2.26
  • MEDIUM4.3CVE-2026-32899OpenClaw's Slack reaction/pin sender-policy consistency issue in non-message ingress
    from 0, < 2026.2.25
  • MEDIUM4.3CVE-2026-4040OpenClaw safeBins file-existence oracle information disclosure
    from 0, < 2026.2.19
  • MEDIUM4.2CVE-2026-41402OpenClaw: Zalo webhook replay cache cross-target messageId scope bypass
    from 0, < 2026.3.31
  • MEDIUM4.2CVE-2026-35617OpenClaw: Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName
    from 0, < 2026.3.28
  • MEDIUM4.2CVE-2026-35624OpenClaw: Nextcloud Talk room allowlist matched colliding room names instead of stable room tokens
    from 0, < 2026.3.22
  • MEDIUM4.0CVE-2026-41403OpenClaw: diffs viewer misclassifies proxied remote requests as loopback when `allowRemoteViewer` is disabled
    from 0, < 2026.3.31
  • LOW3.7CVE-2026-41913OpenClaw: Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths
    from 0, < 2026.4.4
  • LOW3.7CVE-2026-41407OpenClaw: Shared-secret comparison call sites leaked length information through timing
    from 0, < 2026.4.2
  • LOW3.7CVE-2026-41333OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting
    from 0, < 2026.3.31
  • LOW3.7CVE-2026-35648OpenClaw may have stale policy enforcement for queued node actions
    from 0, < 2026.3.22
  • LOW3.7CVE-2026-32067OpenClaw has cross-account DM pairing authorization bypass via unscoped pairing store access
    from 0, < 2026.2.26
  • LOW3.7CVE-2026-32028OpenClaw: Discord DM reaction ingress missed dmPolicy/allowFrom checks in restricted setups
    from 0, < 2026.2.25
  • LOW3.7CVE-2026-31991OpenClaw has Signal group allowlist authorization bypass via DM pairing-store leakage
    from 0, < 2026.2.26
  • LOW3.7CVE-2026-24764OpenClaw Affected by Remote Code Execution via System Prompt Injection in Slack Channel Descriptions
    from 0, < 2026.2.3
  • LOW3.6CVE-2026-31996OpenClaw safeBins stdin-only bypass via sort output and recursive grep flags
    from 0, < 2026.2.19
  • LOW3.3CVE-2026-32020OpenClaw's Control UI Static File Handler Follows Symlinks and Allows Out-of-Root File Read
    from 0, < 2026.2.22
  • LOW2.6CVE-2026-32058OpenClaw Node system.run approval context-binding weakness in approval-enabled host=node flows
    from 0, < 2026.2.26
  • LOW2.5CVE-2026-32970OpenClaw: Unavailable local auth SecretRefs could fall through to remote credentials in local mode
    from 0, < 2026.3.11
  • CVE-2026-45003 OpenClaw: Workspace dotenv files cannot override connector endpoint hosts
    from 0, < 2026.4.22
  • CVE-2026-44997 OpenClaw's ACP child sessions inherit subagent security envelope constraints
    from 0, < 2026.4.22
  • CVE-2026-44991 OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners
    from 0, < 2026.4.21
  • CVE-2026-44992 OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests
    >= 2026.4.5, < 2026.4.20
  • CVE-2026-44995 OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config
    from 0, < 2026.4.20
  • CVE-2026-44999 OpenClaw: Isolated cron awareness events were recorded as trusted system events
    from 0, < 2026.4.20
  • CVE-2026-45002 OpenClaw: Hook mapping templates could bypass hook session-key opt-in
    from 0, < 2026.4.20
  • CVE-2026-42438 OpenClaw: Sender policy bypass in host media attachment reads allows unauthorized local file disclosure
    >= 2026.4.9, < 2026.4.10
  • CVE-2026-43533 OpenClaw: QQBot media tags could read arbitrary local files through reply text
    from 0, < 2026.4.10
  • CVE-2026-43567 OpenClaw: screen_record outPath bypassed workspace-only filesystem guard
    from 0, < 2026.4.10
  • CVE-2026-42435 OpenClaw: Shell-wrapper detection missed env-argv assignment injection forms
    >= 2026.2.22, < 2026.4.12
  • CVE-2026-43568 OpenClaw: Memory dreaming config persistence was reachable from operator.write commands
    >= 2026.4.5, < 2026.4.10
  • CVE-2026-43572 OpenClaw: Microsoft Teams SSO invoke handler missed sender authorization checks
    >= 2026.4.10, < 2026.4.14
  • CVE-2026-43583 OpenClaw: Delivery queue recovery could lose group tool-policy context for media replay
    >= 2026.4.10, < 2026.4.14
  • CVE-2026-42437 OpenClaw: Voice-call realtime WebSocket accepted oversized frames
    >= 2026.4.9, < 2026.4.10
  • CVE-2026-43528 OpenClaw: config.get redaction bypass through sourceConfig and runtimeConfig aliases
    from 0, < 2026.4.14
  • CVE-2026-43529 OpenClaw: TOCTOU read in exec script preflight
    from 0, < 2026.4.10
  • CVE-2026-40037 OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects
    from 0, < 2026.4.8
  • CVE-2026-42429 OpenClaw: Gateway plugin HTTP `auth: gateway` widens identity-bearing `operator.read` requests into runtime `operator.write`
    from 0, < 2026.4.8
  • CVE-2026-41912 OpenClaw has Browser SSRF Policy Bypass via Interaction-Triggered Navigation
    from 0, < 2026.4.8
  • CVE-2026-41911 OpenClaw: Feishu docx upload_file/upload_image Bypasses Workspace-Only Filesystem Policy (GHSA-qf48-qfv4-jjm9 Incomplete Fix)
    from 0, < 2026.4.8
  • CVE-2026-41914 OpenClaw QQ Bot Extension missing SSRF Protection on All Media Fetch Paths
    from 0, < 2026.4.8
  • CVE-2026-42421 OpenClaw: Existing WS sessions survive shared gateway token rotation
    from 0, < 2026.4.8
  • CVE-2026-42432 OpenClaw: Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement
    from 0, < 2026.4.8
  • CVE-2026-41916 OpenClaw: resolvedAuth closure becomes stale after config reload
    from 0, < 2026.4.8
  • CVE-2026-42427 OpenClaw: HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist — RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class)
    from 0, < 2026.4.8
  • CVE-2026-41354 OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders
    from 0, < 2026.4.2
  • CVE-2026-41295 OpenClaw: Untrusted workspace channel shadows could execute during built-in channel setup
    from 0, < 2026.4.2
  • CVE-2026-41398 OpenClaw: iOS A2UI bridge trusted generic local-network pages for agent.request dispatch
    from 0, < 2026.4.2
  • CVE-2026-41383 OpenClaw: OpenShell mirror mode could delete arbitrary remote directories when roots were mis-scoped
    from 0, < 2026.4.2
  • CVE-2026-41379 OpenClaw: Gateway operator.write Can Reach Admin-Class Talk Voice Config Persistence via chat.send
    from 0, < 2026.3.28
  • CVE-2026-41375 OpenClaw: `/phone arm`/`/phone disarm` Bypasses `operator.admin` Scope Check for External Channels
    from 0, < 2026.3.28
  • CVE-2026-34511 OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter
    from 0, < 2026.4.2
  • CVE-2026-41382 OpenClaw: Discord voice ingress authorization can be bypassed via channel, name, and stale-role validation gaps
    from 0, < 2026.3.31
  • CVE-2026-41300 OpenClaw: Endpoint persists after trust decline, leaking gateway credentials
    from 0, < 2026.3.31
  • CVE-2026-41393 OpenClaw: macOS Tailnet DNS Spoofing & Credential Exfiltration
    from 0, < 2026.3.31
  • CVE-2026-41388 OpenClaw: Tlon Startup Migration Rehydrates Empty-Array Revocations From File Config
    from 0, < 2026.3.31
  • CVE-2026-41381 OpenClaw: Discord voice manager bypasses channel-level member access allowlist
    from 0, < 2026.3.31
  • CVE-2026-41404 OpenClaw: Incomplete scope-clearing fix allows operator.admin escalation via trusted-proxy auth mode
    from 0, < 2026.3.31
  • CVE-2026-41335 OpenClaw Has a Gateway Control Interface Information Disclosure Vulnerability
    from 0, < 2026.3.31
  • CVE-2026-41365 OpenClaw: MSTeams thread history bypasses sender allowlist via Graph API
    from 0, < 2026.3.31
  • CVE-2026-41329 OpenClaw: Heartbeat context inheritance bypasses sandbox via senderIsOwner escalation
    from 0, < 2026.3.31
  • CVE-2026-34504 OpenClaw affected by SSRF via unguarded image download in fal provider
    from 0, < 2026.3.28
  • CVE-2026-41399 OpenClaw: Gateway WebSocket Denial of Service via unbounded pre-auth upgrades
    from 0, < 2026.3.28
  • CVE-2026-33579 OpenClaw: /pair approve command path omitted caller scope subsetting and reopened device pairing escalation
    from 0, < 2026.3.28
  • CVE-2026-41395 OpenClaw: Voice-call Plivo V3 webhook replay key uses unsorted URL, allowing replay via query-parameter reordering
    from 0, < 2026.3.28
  • CVE-2026-35646 OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token
    from 0, < 2026.3.28
  • CVE-2026-35640 OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation
    from 0, < 2026.3.28
  • CVE-2026-35657 OpenClaw: Gateway HTTP Session History Route Bypasses Operator Read Scope
    from 0, < 2026.3.25
  • CVE-2026-35647 OpenClaw: Matrix Verification Notices Bypass Matrix DM Policy and Reply to Unpaired DM Peers
    from 0, <= 2026.3.24
  • CVE-2026-35669 OpenClaw: Gateway Plugin HTTP Auth Grants Unrestricted operator.admin Runtime Scope to All Callers
    from 0, <= 2026.3.24
  • CVE-2026-35663 OpenClaw: Gateway Backend Reconnect lets Non-Admin Operator Scopes Self-Claim operator.admin
    from 0, <= 2026.3.24
  • CVE-2026-35635 OpenClaw Bypasses DM Policy Separation via Synology Chat Webhook Path Collision
    from 0, < 2026.3.22
  • CVE-2026-35639 OpenClaw Gateway: RCE and Privilege Escalation from operator.pairing to operator.admin via device.pair.approve
    from 0, < 2026.3.22
  • CVE-2026-35649 OpenClaw: Tlon settings empty-allowlist reconciliation bypassed intended revocation
    from 0, < 2026.3.22
  • CVE-2026-35637 OpenClaw: Tlon cite expansion happens before channel and DM authorization is complete
    from 0, < 2026.3.22
  • CVE-2026-35626 OpenClaw is vulnerable to unauthenticated resource exhaustion through its voice call webhook handling
    from 0, < 2026.3.22
  • CVE-2026-35633 OpenClaw: Remote media error responses could trigger unbounded memory allocation before failure
    from 0, < 2026.3.22
  • CVE-2026-35627 OpenClaw: Nostr inbound DMs could trigger unauthenticated crypto work before sender policy enforcement
    from 0, < 2026.3.22
  • CVE-2026-34426 OpenClaw: Windows media loaders accepted remote-host file URLs before local path validation
    from 0, < 2026.3.22
  • CVE-2026-35660 OpenClaw: Gateway agent /reset exposes admin session reset to operator.write callers
    from 0, < 2026.3.23
  • CVE-2026-35634 OpenClaw: Gateway Canvas local-direct requests bypass Canvas HTTP and WebSocket authentication
    from 0, < 2026.3.23
  • CVE-2026-35618 OpenClaw: Plivo V2 verified replay identity drifts on query-only variants
    from 0, < 2026.3.23
  • CVE-2026-32846 OpenClaw is vulnerable to Path Traversal through path validation bypass
    from 0, < 2026.03.28
  • CVE-2026-33572 OpenClaw session transcript files were created without forced user-only permissions
    from 0, < 2026.2.17
  • CVE-2026-34505 OpenClaw: Zalo webhook rate limiting could be bypassed before secret validation
    from 0, < 2026.3.12
  • CVE-2026-32920 OpenClaw: Workspace plugin auto-discovery allowed code execution from cloned repositories
    from 0, < 2026.3.12
  • CVE-2026-34506 OpenClaw's MS Teams sender allowlist bypass when route allowlist is configured and sender allowlist is empty
    from 0, < 2026.3.8
  • CVE-2026-33574 OpenClaw's skills-install-download can be redirected outside the tools root by rebinding the validated base path
    from 0, < 2026.3.8
  • CVE-2026-22170 OpenClaw: BlueBubbles (optional plugin) pairing/allowlist mismatch when allowFrom is empty
    from 0, < 2026.2.22
  • CVE-2026-31995 OpenClaw has Windows Lobster shell fallback command injection in constrained fallback path
    >= 2026.1.21, < 2026.2.19
  • CVE-2026-27566 OpenClaw's exec allowlist wrapper analysis did not unwrap env/shell dispatch chains
    from 0, < 2026.2.22
  • CVE-2026-32050 OpenClaw's Signal reaction-only status events could, in limited cases, be enqueued before access checks
    from 0, < 2026.2.25
  • CVE-2026-27523 OpenClaw's sandbox bind validation could bypass allowed-root and blocked-path checks via symlink-parent missing-leaf paths
    from 0, < 2026.2.24
  • CVE-2026-28449 OpenClaw's Nextcloud Talk webhook replay could trigger duplicate inbound processing
    from 0, < 2026.2.25
  • CVE-2026-31998 OpenClaw's Synology Chat dmPolicy=allowlist failed open on empty allowedUserIds, allowing unauthorized agent dispatch
    >= 2026.2.22, < 2026.2.24
  • CVE-2026-32897 OpenClaw reuses the gateway auth token in the owner ID prompt hashing fallback
    from 0, < 2026.2.22
  • CVE-2026-27524 OpenClaw's runtime /debug override path accepted prototype-reserved keys
    from 0, < 2026.2.21
  • CVE-2026-32063 OpenClaw Improperly Neutralizes Line Breaks in systemd Unit Generation Enables Local Command Execution (Linux)
    from 0, < 2026.2.21
  • CVE-2026-22176 OpenClaw has a Command Injection via unescaped environment assignments in Windows Scheduled Task script generation
    from 0, < 2026.2.19
  • CVE-2026-22179 OpenClaw has macOS `system.run` allowlist bypass via quoted command substitution
    from 0, < 2026.2.22
  • CVE-2026-32042 OpenClaw unpaired device identity can bypass operator pairing and self-assign operator scopes with shared auth
    >= 2026.2.22, < 2026.2.25
  • CVE-2026-31994 OpenClaw Windows Scheduled Task script generation allowed local command injection via unsafe cmd argument handling
    from 0, < 2026.2.19
  • CVE-2026-22217 OpenClaw: shell-env trusted-prefix fallback allowed attacker-controlled binary execution via $SHELL
    >= 2026.2.22, < 2026.2.23
  • CVE-2026-27670 OpenClaw: ZIP extraction race could write outside destination via parent symlink rebind
    from 0, < 2026.3.2
  • CVE-2026-22181 OpenClaw's web tools strict URL guard could lose DNS pinning when env proxy is configured
    from 0, < 2026.3.2
  • CVE-2026-31990 OpenClaw: stageSandboxMedia destination symlink traversal can overwrite files outside sandbox workspace
    from 0, < 2026.3.2
  • CVE-2026-32052 OpenClaw's system.run shell-wrapper positional argv carriers could execute hidden commands under misleading approval text
    from 0, < 2026.2.24
  • CVE-2026-32043 OpenClaw's system.run approval TOCTOU via mutable symlink cwd target on node host
    from 0, < 2026.2.25
  • CVE-2026-32053 OpenClaw's voice-call Twilio webhook replay could bypass manager dedupe because normalized event IDs were randomized per parse
    from 0, < 2026.2.23
  • CVE-2026-32022 OpenClaw safeBins grep -e File Read Bypass (stdin-only policy bypass)
    from 0, < 2026.2.21
  • CVE-2026-32045 OpenClaw's gateway tokenless Tailscale auth applied to HTTP routes
    from 0, < 2026.2.21
  • CVE-2026-22171 OpenClaw vulnerable to path traversal in Feishu media temp-file naming allows writes outside os.tmpdir()
    from 0, < 2026.2.19
  • CVE-2026-32046 OpenClaw: Chrome --no-sandbox disabled OS-level browser sandbox in sandbox browser container
    from 0, < 2026.2.21
  • CVE-2026-32000 OpenClaw has command injection via Windows shell fallback in Lobster tool execution
    from 0, < 2026.2.19
  • CVE-2026-31992 OpenClaw has allowlist exec-guard bypass via env -S
    from 0, < 2026.2.23
  • CVE-2026-27545 OpenClaw: Node system.run approval bypass via parent-symlink cwd rebind
    from 0, < 2026.2.26
  • CVE-2026-27522 OpenClaw: Message action attachment hydration bypasses local media root checks when sandboxRoot is unset
    from 0, < 2026.2.24
  • CVE-2026-32049 OpenClaw's inbound media downloads could exceed configured byte limits before rejection across multiple channels
    from 0, < 2026.2.22
  • CVE-2026-22175 OpenClaw's exec allow-always can be bypassed via unrecognized multiplexer shell wrappers (busybox/toybox sh -c)
    from 0, < 2026.2.23
  • CVE-2026-32054 OpenClaw has browser trace/download path symlink escape in temp output handling
    from 0, < 2026.2.25
  • CVE-2026-22178 OpenClaw has ReDoS and regex injection via unescaped Feishu mention metadata in RegExp construction
    from 0, < 2026.2.19
  • CVE-2026-31993 OpenClaw macOS companion app (beta): allowlist parsing mismatch for system.run shell chains
    from 0, < 2026.2.22
  • CVE-2026-22168 OpenClaw has Windows system.run approval mismatch on cmd.exe /c trailing arguments
    from 0, < 2026.2.21
  • CVE-2026-31997 OpenClaw: system.run approvals did not bind PATH-token executable identity, enabling post-approval executable rebind
    from 0, < 2026.3.1
  • CVE-2026-31989 OpenClaw has web_search citation redirect SSRF via private-network-allowing policy
    from 0, < 2026.3.1
  • CVE-2026-31999 OpenClaw's ACPX Windows wrapper shell fallback allowed cwd injection in specific paths
    >= 2026.2.26, < 2026.3.1
  • CVE-2026-32048 OpenClaw's sandboxed sessions_spawn now enforces sandbox inheritance for cross-agent spawns
    from 0, < 2026.3.1
  • CVE-2026-28461 OpenClaw has unbounded memory growth in Zalo webhook via query-string key churn (unauthenticated DoS)
    from 0, < 2026.3.1
  • CVE-2026-4039 OpenClaw: Skill env override host env injection via applySkillConfigEnvOverrides (defense-in-depth)
    from 0, < 2026.2.21
  • CVE-2026-27576 OpenClaw: ACP prompt-size checks missing in local stdio bridge could reduce responsiveness with very large inputs
    from 0, < 2026.2.19
  • CVE-2026-27488 OpenClaw hardened cron webhook delivery against SSRF
    from 0, < 2026.2.19
  • CVE-2026-27485 OpenClaw: Reject symlinks in local skill packaging script
    from 0, < 2026.2.19
  • CVE-2026-27484 OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows
    from 0, < 2026.2.18
  • CVE-2026-27008 OpenClaw hardened the skill download target directory validation
    from 0, < 2026.2.15
  • CVE-2026-27007 OpenClaw's sandbox config hash sorted primitive arrays and suppressed needed container recreation
    from 0, < 2026.2.15
  • CVE-2026-27004 OpenClaw session tool visibility hardening and Telegram webhook secret fallback
    from 0, < 2026.2.15
  • CVE-2026-27003 OpenClaw: Telegram bot token exposure via logs
    from 0, < 2026.2.15
  • CVE-2026-27002 OpenClaw: Docker container escape via unvalidated bind mount config injection
    from 0, < 2026.2.15
  • CVE-2026-27001 OpenClaw: Unsanitized CWD path injection into LLM prompts
    from 0, < 2026.2.15
  • CVE-2026-27486 OpenClaw: Process Safety - Unvalidated PID Kill via SIGKILL in Process Cleanup
    from 0, < 2026.2.14
  • CVE-2026-26323 OpenClaw has a command injection in maintainer clawtributors updater
    >= 2026.1.8, < 2026.2.14
  • CVE-2026-26329 OpenClaw has a path traversal in browser upload allows local file read
    from 0, < 2026.2.14
  • CVE-2026-26327 OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning
    from 0, < 2026.2.14
  • CVE-2026-26326 OpenClaw skills.status could leak secrets to operator.read clients
    from 0, < 2026.2.14
  • CVE-2026-26320 OpenClaw macOS deep link confirmation truncation can conceal executed agent message
    >= 2026.2.6-0, < 2026.2.14
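The ranges above use three shapes that are easy to misread by eye: an open lower bound (`from 0, < X`), a bounded window (`>= X, < Y`), and an inclusive ceiling (`<= X`), plus two version spellings that a naive string compare gets wrong (`2026.2.6-0` is a prerelease that sorts below `2026.2.6` under npm's semver rules, and `2026.03.28` is the same release as `2026.3.28`). The checker below is an added example, written for this page and not code from the advisory database or from the OpenClaw project; the five embedded entries are copied from the list above, and every function name, the assumption that prerelease ordering follows semver, and the handling of the zero-padded form are mine.

```python
"""Check an installed openclaw version against advisory ranges in the notation used above.

Range clauses, comma separated: "from 0" (no lower bound), ">= X", "> X", "< X", "<= X".
Versions are CalVer in semver shape: 2026.3.12, optionally with -prerelease (2026.2.6-0).
"""
import re

# Five entries copied from the advisory list above: (CVE id, short title, affected range).
ADVISORIES = [
    ("CVE-2026-35628", "Telegram webhook secret brute force", "from 0, <= 2026.3.24"),
    ("CVE-2026-41346", "Pairing caps enforced per channel", ">= 2026.2.26, < 2026.3.31"),
    ("CVE-2026-26320", "macOS deep link confirmation truncation", ">= 2026.2.6-0, < 2026.2.14"),
    ("CVE-2026-32846", "Path traversal via validation bypass", "from 0, < 2026.03.28"),
    ("CVE-2026-45003", "Workspace dotenv endpoint host override", "from 0, < 2026.4.22"),
]

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")
_CLAUSE = re.compile(r"^(>=|<=|>|<)\s*(\S+)$")


def parse_version(text):
    """Return a sortable key. Assumption: semver ordering, so a prerelease sorts below its release."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    core = tuple(int(m.group(i)) for i in (1, 2, 3))  # int() also drops the zero padding in 2026.03.28
    pre = m.group(4)
    if pre is None:
        return core + (1, ())  # release: flag 1 sorts above any prerelease (flag 0) of the same core
    # Semver: numeric prerelease identifiers sort before alphanumeric ones, hence the tag.
    parts = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return core + (0, parts)


def parse_range(text):
    """Return (lower, upper) as (version_key, inclusive); lower is None for 'from 0'."""
    lower = upper = None
    for clause in text.split(","):
        clause = clause.strip()
        if clause == "from 0":
            continue  # every release since the first one
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unrecognised clause: {clause!r}")
        op, ver = m.groups()
        bound = (parse_version(ver), op in (">=", "<="))
        if op.startswith(">"):
            lower = bound
        else:
            upper = bound
    if upper is None:
        raise ValueError(f"range has no fixed-version upper bound: {text!r}")
    return lower, upper


def affects(range_text, installed):
    """True when `installed` lies inside the affected range."""
    v = parse_version(installed)
    lower, upper = parse_range(range_text)
    if lower is not None:
        key, inclusive = lower
        if v < key or (v == key and not inclusive):
            return False
    key, inclusive = upper
    return v < key or (inclusive and v == key)


def open_advisories(installed, advisories=ADVISORIES):
    """CVE ids whose range still covers `installed`, in list order."""
    return [cve for cve, _title, rng in advisories if affects(rng, installed)]


if __name__ == "__main__":
    # Feed it the version reported by `npm ls openclaw` or pinned in the lockfile.
    for ver in ("2026.2.6-0", "2026.3.24", "2026.4.22"):
        print(ver, "->", open_advisories(ver) or "no embedded advisory applies")
```

The inclusive ceiling matters in practice: `<= 2026.3.24` means a deployment on exactly 2026.3.24 is still affected, while `< 2026.3.24` means it is not, so the checker keeps the operator rather than only the version. Replacing `ADVISORIES` with the full list gives a version check for this page; an advisory with no `<`/`<=` clause is rejected rather than silently treated as unaffected.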