
openclaw

467 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE-2026-8305
< 2026.2.12
A vulnerability was detected in OpenClaw up to 2026.1.24. The impacted element is the function handleBlueBubblesWebhookRequest of
7.3 HIGH
CVE-2026-45006
< 2026.4.23
OpenClaw before 2026.4.23 contains an improper access control vulnerability in the gateway tool's config.apply and config.patch op
8.8 HIGH
CVE-2026-45005
< 2026.4.23
OpenClaw before 2026.4.23 caches resolved webhook route secrets backed by SecretRef values, allowing stale secrets to remain valid
6.0 MEDIUM
CVE-2026-45004
< 2026.4.23
OpenClaw before 2026.4.23 contains an arbitrary code execution vulnerability in the bundled plugin setup resolver that loads setup
7.8 HIGH
CVE-2026-45003
< 2026.4.22
OpenClaw before 2026.4.22 allows workspace dotenv files to override connector endpoint hosts for Matrix, Mattermost, IRC, and Syno
5.0 MEDIUM
CVE-2026-45002
< 2026.4.20
OpenClaw before 2026.4.20 contains a hook session-key bypass vulnerability that allows attackers to circumvent the hooks.allowRequ
5.3 MEDIUM
CVE-2026-45001
< 2026.4.20
OpenClaw before 2026.4.20 contains a guard bypass vulnerability in the agent-facing gateway config.patch and config.apply endpoint
7.1 HIGH
CVE-2026-45000
< 2026.4.20
OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in browser CDP profile creation that skips strict-m
5.0 MEDIUM
CVE-2026-44999
< 2026.4.20
OpenClaw before 2026.4.20 fails to properly preserve untrusted labels for isolated cron awareness events, allowing webhook-trigger
5.3 MEDIUM
CVE-2026-44998
< 2026.4.20
OpenClaw before 2026.4.20 contains a tool policy bypass vulnerability allowing bundled MCP and LSP tools to circumvent configured
5.4 MEDIUM
CVE-2026-44997
< 2026.4.22
OpenClaw before 2026.4.22 contains a security envelope constraint bypass vulnerability allowing restricted subagents to spawn ACP
4.3 MEDIUM
CVE-2026-44996
< 2026.4.15
OpenClaw before 2026.4.15 contains an arbitrary local file read vulnerability in the webchat audio embedding helper that fails to
3.7 LOW
CVE-2026-44995
< 2026.4.20
OpenClaw before 2026.4.20 contains an improper environment variable validation vulnerability in MCP stdio server configuration tha
7.3 HIGH
CVE-2026-44994
< 2026.4.22
OpenClaw before 2026.4.22 contains an authentication bypass vulnerability in the Control UI bootstrap config endpoint that allows
5.3 MEDIUM
CVE-2026-44993
< 2026.4.20
OpenClaw before 2026.4.20 contains a message classification vulnerability in Feishu card-action callbacks that misclassifies direc
5.4 MEDIUM
CVE-2026-44992
>= 2026.4.5 and < 2026.4.20
OpenClaw versions 2026.4.5 before 2026.4.20 contain an environment variable injection vulnerability allowing workspace dotenv to o
5.0 MEDIUM
CVE-2026-44991
< 2026.4.21
OpenClaw before 2026.4.21 contains an authorization bypass vulnerability in command-auth.ts that allows non-owner senders to execu
4.2 MEDIUM
CVE-2026-44118
< 2026.4.22
OpenClaw before 2026.4.22 derives loopback MCP owner context from spoofable server-issued bearer tokens in request headers. Non-ow
7.8 HIGH
CVE-2026-44117
< 2026.4.20
OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in QQBot direct media upload that skips URL validat
5.8 MEDIUM
CVE-2026-44116
< 2026.4.22
OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails
8.6 HIGH
CVE-2026-44115
< 2026.4.22
OpenClaw before 2026.4.22 contains an exec allowlist analysis vulnerability allowing shell expansion hiding in unquoted heredoc bo
8.8 HIGH
CVE-2026-44114
< 2026.4.20
OpenClaw before 2026.4.20 fails to properly reserve the OPENCLAW_ runtime-control environment namespace in workspace dotenv files,
7.8 HIGH
CVE-2026-44113
< 2026.4.22
OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in the OpenShell filesystem bridge that allows attac
7.7 HIGH
CVE-2026-44112
< 2026.4.22
OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in OpenShell sandbox filesystem writes that allows a
9.6 CRITICAL
CVE-2026-44111
< 2026.4.15
OpenClaw before 2026.4.15 contains an arbitrary file read vulnerability in the QMD backend memory_get function that allows callers
4.3 MEDIUM
CVE-2026-44110
< 2026.4.15
OpenClaw before 2026.4.15 contains an authorization bypass vulnerability in Matrix room control-command authorization that trusts
8.8 HIGH
CVE-2026-44109
< 2026.4.15
OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows
9.8 CRITICAL
CVE-2026-43585
< 2026.4.15
OpenClaw before 2026.4.15 captures resolved bearer-auth configuration at startup, allowing revoked tokens to remain valid after Se
8.1 HIGH
CVE-2026-43584
< 2026.4.10
OpenClaw before 2026.4.10 contains an insufficient environment variable denylist vulnerability in its exec environment policy that
8.8 HIGH
CVE-2026-43583
>= 2026.4.10 and < 2026.4.14
OpenClaw versions 2026.4.10 before 2026.4.14 fail to persist session context during delivery queue recovery for media replay. Atta
5.3 MEDIUM
CVE-2026-43582
< 2026.4.10
OpenClaw before 2026.4.10 contains a server-side request forgery vulnerability in browser navigation policy that allows attackers
6.3 MEDIUM
CVE-2026-43581
< 2026.4.10
OpenClaw before 2026.4.10 contains an improper network binding vulnerability in the sandbox browser CDP relay that exposes Chrome
9.6 CRITICAL
CVE-2026-43580
< 2026.4.10
OpenClaw before 2026.4.10 contains an incomplete navigation guard vulnerability that allows attackers to trigger navigation withou
7.7 HIGH
CVE-2026-43579
< 2026.4.10
OpenClaw before 2026.4.10 contains an insufficient access control vulnerability in Nostr plugin HTTP profile routes that allows op
6.5 MEDIUM
CVE-2026-43578
>= 2026.3.31 and < 2026.4.10
OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detectio
9.1 CRITICAL
CVE-2026-43577
< 2026.4.9
OpenClaw before 2026.4.9 contains a file read vulnerability allowing attackers to bypass navigation guards through browser act/eva
6.5 MEDIUM
CVE-2026-43576
< 2026.4.5
OpenClaw before 2026.4.5 contains a server-side request forgery vulnerability in the CDP /json/version WebSocket endpoint that all
7.7 HIGH
CVE-2026-43575
>= 2026.2.21 and < 2026.4.10
OpenClaw versions 2026.2.21 before 2026.4.10 contain an authentication bypass vulnerability in the sandbox noVNC helper route that
9.8 CRITICAL
CVE-2026-43574
< 2026.4.12
OpenClaw before 2026.4.12 contains an improper authorization vulnerability in helper-backed channels where empty resolved approver
6.5 MEDIUM
CVE-2026-43573
< 2026.4.10
OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in existing-session browser interacti
7.7 HIGH
CVE-2026-43572
>= 2026.4.10 and < 2026.4.14
OpenClaw versions 2026.4.10 before 2026.4.14 contain a missing authorization vulnerability in the Microsoft Teams SSO invoke handl
5.3 MEDIUM
CVE-2026-43571
< 2026.4.10
OpenClaw before 2026.4.10 contains a plugin trust bypass vulnerability that allows channel setup catalog lookups to resolve worksp
8.8 HIGH
CVE-2026-43570
>= 2026.3.22 and < 2026.4.5
OpenClaw versions 2026.3.22 before 2026.4.5 contain a symlink traversal vulnerability in remote marketplace repository path handli
6.5 MEDIUM
CVE-2026-43569
< 2026.4.9
OpenClaw before 2026.4.9 contains an authentication bypass vulnerability allowing untrusted workspace plugins to be auto-enabled d
8.8 HIGH
CVE-2026-43568
>= 2026.4.5 and < 2026.4.10
OpenClaw versions 2026.4.5 before 2026.4.10 contain a privilege escalation vulnerability allowing write-scoped operators to modify
6.5 MEDIUM
CVE-2026-43567
< 2026.4.10
OpenClaw before 2026.4.10 contains a path traversal vulnerability in the screen_record tool's outPath parameter that bypasses work
6.5 MEDIUM
CVE-2026-43566
>= 2026.4.7 and < 2026.4.14
OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic ski
9.1 CRITICAL
CVE-2026-43535
< 2026.4.14
OpenClaw before 2026.4.14 contains an authorization context reuse vulnerability in collect-mode queue batches that allows messages
6.8 MEDIUM
CVE-2026-43534
< 2026.4.10
OpenClaw before 2026.4.10 contains an input validation vulnerability that allows external hook metadata to be enqueued as trusted
9.1 CRITICAL
CVE-2026-43533
< 2026.4.10
OpenClaw before 2026.4.10 contains an arbitrary file read vulnerability in QQBot media tags that allows attackers to reference hos
8.6 HIGH
CVE-2026-43532
>= 2026.4.7 and < 2026.4.10
OpenClaw versions 2026.4.7 before 2026.4.10 fail to normalize Discord event cover image parameters in sandbox media processing. At
7.7 HIGH
CVE-2026-43531
< 2026.4.9
OpenClaw before 2026.4.9 contains an environment variable injection vulnerability allowing malicious workspace .env files to set r
7.3 HIGH
CVE-2026-43530
>= 2026.2.23 and < 2026.4.12
OpenClaw versions 2026.2.23 before 2026.4.12 contain a weakened exec approval binding vulnerability in busybox and toybox applet e
8.8 HIGH
CVE-2026-43529
< 2026.4.10
OpenClaw before 2026.4.10 contains a time-of-check-time-of-use vulnerability in the validateScriptFileForShellBleed function that
2.5 LOW
CVE-2026-43528
< 2026.4.14
OpenClaw before 2026.4.14 contains a redaction bypass vulnerability that allows authenticated gateway clients to receive unredacte
6.5 MEDIUM
CVE-2026-43527
< 2026.4.14
OpenClaw before 2026.4.14 contains a server-side request forgery vulnerability in browser SSRF policy that allows private-network
7.7 HIGH
CVE-2026-43526
< 2026.4.12
OpenClaw before 2026.4.12 contains a server-side request forgery vulnerability in QQBot reply media URL handling that allows attac
8.2 HIGH
CVE-2026-42439
< 2026.4.10
OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in the browser tabs action select and
8.5 HIGH
CVE-2026-42438
all versions
OpenClaw versions 2026.4.9 before 2026.4.10 contain a sender policy bypass vulnerability in the outbound host-media attachment rea
7.7 HIGH
CVE-2026-42432
< 2026.4.8
OpenClaw before 2026.4.8 contains a privilege escalation vulnerability allowing previously paired nodes to reconnect with exec-cap
7.8 HIGH
CVE-2026-42431
< 2026.4.8
OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invoke(browser.proxy) that allows mutation of persistent
8.1 HIGH
CVE-2026-42430
< 2026.4.8
OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in Playwright redirect handling that allows attacker
6.5 MEDIUM
CVE-2026-42429
< 2026.4.8
OpenClaw before 2026.4.8 contains a privilege escalation vulnerability in the gateway plugin HTTP authentication mechanism that es
7.1 HIGH
CVE-2026-42428
< 2026.4.8
OpenClaw versions before 2026.4.8 fail to enforce integrity verification on downloaded plugin archives. Attackers can install mali
7.1 HIGH
CVE-2026-42427
< 2026.4.8
OpenClaw before 2026.4.8 contains a remote code execution vulnerability caused by missing environment variable denylist entries fo
5.3 MEDIUM
CVE-2026-42426
< 2026.4.8
OpenClaw before 2026.4.8 contains an improper authorization vulnerability where the node.pair.approve method accepts operator.writ
8.8 HIGH
CVE-2026-42424
< 2026.4.8
OpenClaw before 2026.4.8 treats shared reply MEDIA paths as trusted, allowing crafted references to trigger cross-channel local fi
5.7 MEDIUM
CVE-2026-42423
< 2026.4.8
OpenClaw before 2026.4.8 contains an approval-timeout fallback mechanism that bypasses strictInlineEval explicit-approval requirem
7.5 HIGH
CVE-2026-42422
< 2026.4.8
OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function that allows minting tokens for u
8.8 HIGH
CVE-2026-42421
< 2026.4.8
OpenClaw before 2026.4.8 contains a session management vulnerability where existing WebSocket sessions survive shared gateway toke
5.4 MEDIUM
CVE-2026-42420
< 2026.4.8
OpenClaw before 2026.4.8 contains improper input validation in base64 decode paths that allocate memory before enforcing decoded-s
4.3 MEDIUM
CVE-2026-41916
< 2026.4.8
OpenClaw before 2026.4.8 contains an authentication state management vulnerability where the resolvedAuth closure becomes stale af
5.4 MEDIUM
CVE-2026-41915
< 2026.4.8
OpenClaw before 2026.4.8 fails to remove git plumbing environment variables from the execution environment before host exec operat
5.3 MEDIUM
CVE-2026-41914
< 2026.4.8
OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in QQ Bot media download paths that bypass SSRF prot
8.5 HIGH
CVE-2026-41913
< 2026.4.4
OpenClaw before 2026.4.4 contains a race condition vulnerability in shared-secret authentication that allows concurrent asynchrono
3.7 LOW
CVE-2026-41912
< 2026.4.8
OpenClaw before 2026.4.8 contains a server-side request forgery policy bypass vulnerability allowing attackers to trigger navigati
7.6 HIGH
CVE-2026-41911
< 2026.4.8
OpenClaw before 2026.4.8 contains a filesystem policy bypass vulnerability in docx upload processing that allows local file reads
6.5 MEDIUM
CVE-2026-41910
< 2026.4.8
OpenClaw before 2026.4.8 omits owner-only enforcement for cross-channel allowlist writes in the /allowlist endpoint. An authorized
4.3 MEDIUM
CVE-2026-41408
< 2026.3.31
OpenClaw before 2026.3.31 contains a resource exhaustion vulnerability in media downloads that bypasses core safety limits for fil
4.3 MEDIUM
CVE-2026-41407
< 2026.4.2
OpenClaw before 2026.4.2 contains a timing side channel vulnerability in shared-secret comparison call sites that use early length
3.7 LOW
CVE-2026-41406
< 2026.3.31
OpenClaw before 2026.3.31 contains a sender allowlist bypass vulnerability that allows remote attackers to access restricted messa
5.4 MEDIUM
CVE-2026-41405
< 2026.3.31
OpenClaw before 2026.3.31 parses MS Teams webhook request bodies before performing JWT validation, allowing unauthenticated attack
7.5 HIGH
CVE-2026-41404
< 2026.3.31
OpenClaw before 2026.3.31 contains an incomplete scope-clearing vulnerability in trusted-proxy authentication mode that allows ope
8.8 HIGH
CVE-2026-41403
< 2026.3.31
OpenClaw before 2026.3.31 misclassifies proxied remote requests as loopback connections in the diffs viewer when allowRemoteViewer
2.9 LOW
CVE-2026-41402
< 2026.3.31
OpenClaw before 2026.3.31 contains a scope bypass vulnerability in webhook replay cache deduplication that allows authenticated at
4.2 MEDIUM
CVE-2026-41400
< 2026.3.31
OpenClaw before 2026.3.31 contains an incomplete fix for CVE-2026-32062 where the voice-call component parses large WebSocket fram
5.3 MEDIUM
CVE-2026-41399
< 2026.3.28
OpenClaw before 2026.3.28 accepts unbounded concurrent unauthenticated WebSocket upgrades without pre-authentication budget alloca
7.5 HIGH
CVE-2026-41398
< 2026.4.2
OpenClaw before 2026.4.2 contains an improper access control vulnerability in the iOS A2UI bridge that treats generic local-networ
4.6 MEDIUM
CVE-2026-41397
< 2026.3.31
OpenClaw before 2026.3.31 contains a sandbox escape vulnerability allowing attackers to traverse directory boundaries through syml
6.8 MEDIUM
CVE-2026-41396
< 2026.3.31
OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_PLUGINS_DIR environment variable, compromis
7.8 HIGH
CVE-2026-41395
< 2026.3.28
OpenClaw before 2026.3.28 contains a webhook replay vulnerability in Plivo V3 signature verification that canonicalizes query orde
7.5 HIGH
CVE-2026-41394
< 2026.3.31
OpenClaw before 2026.3.31 contains an authentication bypass vulnerability where unauthenticated plugin-auth HTTP routes receive op
8.2 HIGH
CVE-2026-41393
< 2026.3.31
OpenClaw before 2026.3.31 contains a wide-area discovery vulnerability allowing arbitrary tailnet peers to be accepted as DNS auth
4.8 MEDIUM
CVE-2026-41392
< 2026.3.31
OpenClaw before 2026.3.31 contains an exec allowlist bypass vulnerability allowing attackers to inherit allowlist trust via shell
6.7 MEDIUM
CVE-2026-41391
< 2026.3.31
OpenClaw before 2026.3.31 fails to properly sanitize PIP_INDEX_URL and UV_INDEX_URL environment variables in host execution contex
5.3 MEDIUM
CVE-2026-41390
< 2026.3.28
OpenClaw before 2026.3.28 contains an exec allowlist bypass vulnerability where allow-always persistence fails to unwrap /usr/bin/
7.3 HIGH
CVE-2026-41388
< 2026.3.31
OpenClaw before 2026.3.31 contains a configuration management vulnerability where startup migration treats empty-array settings as
6.5 MEDIUM
CVE-2026-41387
< 2026.3.22
OpenClaw before 2026.3.22 contains an incomplete host environment variable sanitization vulnerability in host-env-security-policy.
7.8 HIGH
CVE-2026-41386
< 2026.3.22
OpenClaw before 2026.3.22 contains a privilege escalation vulnerability where bootstrap setup codes are not bound to intended devi
9.1 CRITICAL
CVE-2026-41385
< 2026.3.31
OpenClaw before 2026.3.31 stores Nostr privateKey as plaintext in configuration, allowing exposure through config.get method calls
6.5 MEDIUM
CVE-2026-41384
< 2026.3.24
OpenClaw before 2026.3.24 contains an environment variable injection vulnerability in the CLI backend runner that allows attackers
7.8 HIGH
CVE-2026-41383
< 2026.4.2
OpenClaw before 2026.4.2 contains an arbitrary directory deletion vulnerability in mirror mode that allows attackers to delete rem
8.1 HIGH
CVE-2026-41382
< 2026.3.31
OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord voice ingress that allows attackers to bypass
5.4 MEDIUM
CVE-2026-41381
< 2026.3.31
OpenClaw before 2026.3.31 contains an access control bypass vulnerability in the Discord voice manager that allows attackers to by
5.4 MEDIUM
CVE-2026-41380
< 2026.3.28
OpenClaw before 2026.3.28 contains an execution approval vulnerability in exec-approvals-allowlist.ts that allows allow-always per
7.3 HIGH
CVE-2026-41379
< 2026.3.28
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to
7.1 HIGH
CVE-2026-41378
< 2026.3.31
OpenClaw before 2026.3.31 contains a privilege escalation vulnerability allowing paired nodes with role=node to dispatch node.even
8.8 HIGH
CVE-2026-41377
< 2026.3.31
OpenClaw before 2026.3.31 contains a fail-open vulnerability in the plugin installation flow where security scan failures do not b
4.6 MEDIUM
CVE-2026-41376
< 2026.3.31
OpenClaw before 2026.3.31 contains an allowlist bypass vulnerability in Matrix thread root and reply context handling that fails t
5.4 MEDIUM
CVE-2026-41375
< 2026.3.28
OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in the /phone arm and /phone disarm endpoints that fails
6.5 MEDIUM
CVE-2026-41374
< 2026.3.31
OpenClaw before 2026.3.31 performs Discord audio preflight transcription before validating member authorization, allowing unauthen
5.3 MEDIUM
CVE-2026-41373
< 2026.3.31
OpenClaw before 2026.3.31 contains an incomplete host-env-security-policy.json that fails to restrict compiler binary environment
6.1 MEDIUM
CVE-2026-41372
< 2026.4.2
OpenClaw before 2026.4.2 fails to normalize trailing-dot localhost hosts in remote CDP discovery responses, allowing bypass of loo
5.8 MEDIUM
CVE-2026-41371
< 2026.3.28
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in chat.send that allows write-scoped gateway callers to t
8.5 HIGH
CVE-2026-41370
< 2026.3.31
OpenClaw before 2026.3.31 contains a path traversal vulnerability in ACP dispatch that allows attackers to read arbitrary files by
6.5 MEDIUM
CVE-2026-41369
< 2026.3.31
OpenClaw before 2026.3.31 contains insufficient environment variable sanitization in host exec operations, failing to filter packa
6.5 MEDIUM
CVE-2026-41368
< 2026.3.28
OpenClaw before 2026.3.28 contains an environment variable disclosure vulnerability in the jq safe-bin policy that fails to block
6.5 MEDIUM
CVE-2026-41367
>= 2026.2.14 and < 2026.3.28
OpenClaw versions 2026.2.14 through 2026.3.24 fail to consistently apply guild and channel policy gates to Discord button and comp
5.0 MEDIUM
CVE-2026-41366
< 2026.3.31
OpenClaw before 2026.3.31 contains a local roots self-whitelisting vulnerability in appendLocalMediaParentRoots that allows model-
5.5 MEDIUM
CVE-2026-41365
< 2026.3.31
OpenClaw before 2026.3.31 contains a sender allowlist bypass vulnerability in MS Teams thread history fetched via Graph API. Attac
5.4 MEDIUM
CVE-2026-41364
< 2026.3.31
OpenClaw before 2026.3.31 contains a symlink following vulnerability in SSH sandbox tar upload that allows remote attackers to wri
8.1 HIGH
CVE-2026-41363
>= 2026.2.6 and < 2026.3.28
OpenClaw versions 2026.2.6 through 2026.3.24 contain a path traversal vulnerability in the Feishu extension resolveUploadInput fun
5.3 MEDIUM
CVE-2026-41362
>= 2026.2.19 and < 2026.3.31
OpenClaw versions 2026.2.19 before 2026.3.31 contain an improper cache isolation vulnerability in the Zalo webhook replay-dedupe m
4.3 MEDIUM
CVE-2026-41361
< 2026.3.28
OpenClaw before 2026.3.28 contains an SSRF guard bypass vulnerability that fails to block four IPv6 special-use ranges. Attackers
7.1 HIGH
CVE-2026-41360
< 2026.4.2
OpenClaw before 2026.4.2 contains an approval integrity vulnerability in pnpm dlx that fails to bind local script operands consist
6.7 MEDIUM
CVE-2026-41359
< 2026.3.28
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to
7.1 HIGH
CVE-2026-41358
< 2026.4.2
OpenClaw before 2026.4.2 fails to filter Slack thread context by sender allowlist, allowing non-allowlisted messages to enter agen
5.4 MEDIUM
CVE-2026-41357
< 2026.3.31
OpenClaw before 2026.3.31 contains an environment variable leakage vulnerability in SSH-based sandbox backends that pass unsanitiz
3.3 LOW
CVE-2026-41356
< 2026.3.31
OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously comp
5.4 MEDIUM
CVE-2026-41355
< 2026.3.28
OpenClaw before 2026.3.28 contains an arbitrary code execution vulnerability in mirror mode that converts untrusted sandbox files
7.3 HIGH
CVE-2026-41354
< 2026.4.2
OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows legitimate ev
3.7 LOW
CVE-2026-41353
< 2026.3.22
OpenClaw before 2026.3.22 contains an access control bypass vulnerability in the allowProfiles feature that allows attackers to ci
8.1 HIGH
CVE-2026-41352
< 2026.3.31
OpenClaw before 2026.3.31 contains a remote code execution vulnerability where a device-paired node can bypass the node scope gate
8.8 HIGH
CVE-2026-41351
< 2026.3.31
OpenClaw before 2026.3.31 contains a replay detection bypass vulnerability in webhook signature handling that treats Base64 and Ba
5.3 MEDIUM
CVE-2026-41350
< 2026.3.31
OpenClaw before 2026.3.31 contains a session visibility bypass vulnerability where the session_status function fails to enforce co
4.3 MEDIUM
CVE-2026-41349
< 2026.3.28
OpenClaw before 2026.3.28 contains an agentic consent bypass vulnerability allowing LLM agents to silently disable execution appro
8.8 HIGH
CVE-2026-41348
< 2026.3.31
OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord slash command and autocomplete paths that fail
5.4 MEDIUM
CVE-2026-41347
< 2026.3.31
OpenClaw before 2026.3.31 lacks browser-origin validation in HTTP operator endpoints when operating in trusted-proxy mode, allowin
7.1 HIGH
CVE-2026-41346
>= 2026.2.26 and < 2026.3.31
OpenClaw 2026.2.26 before 2026.3.31 enforces pending pairing-request caps per channel file instead of per account, allowing attack
5.3 MEDIUM
CVE-2026-41345
< 2026.3.31
OpenClaw before 2026.3.31 contains a credential exposure vulnerability in media download functionality that forwards Authorization
5.3 MEDIUM
CVE-2026-41344
< 2026.3.28
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the chat.send endpoint that allows write-scoped gateway
5.4 MEDIUM
CVE-2026-41343
< 2026.3.31
OpenClaw before 2026.3.31 lacks a shared pre-auth concurrency budget on the public LINE webhook path, allowing attackers to cause
5.3 MEDIUM
CVE-2026-41342
< 2026.3.28
OpenClaw before 2026.3.28 contains an authentication bypass vulnerability in the remote onboarding component that persists unauthe
7.3 HIGH
CVE-2026-41341
< 2026.3.31
OpenClaw before 2026.3.31 contains a logic error in Discord component interaction routing that misclassifies group direct messages
5.4 MEDIUM
CVE-2026-41340
< 2026.3.31
OpenClaw before 2026.3.31 contains an authentication boundary vulnerability where Telegram legacy allowFrom migration incorrectly
6.5 MEDIUM
CVE-2026-41339
< 2026.4.2
OpenClaw before 2026.4.2 exposes configPath and stateDir metadata in Gateway connect success snapshots to non-admin authenticated
4.3 MEDIUM
CVE-2026-41338
< 2026.3.31
OpenClaw before 2026.3.31 contains a time-of-check-time-of-use vulnerability in sandbox file operations that allows attackers to b
5.0 MEDIUM
CVE-2026-41337
< 2026.3.31
OpenClaw before 2026.3.31 contains a callback origin mutation vulnerability in Plivo voice-call replay that allows attackers to mu
5.3 MEDIUM
CVE-2026-41336
< 2026.3.31
OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_HOOKS_DIR environment variable, enabling lo
7.8 HIGH
CVE-2026-41335
< 2026.3.31
OpenClaw before 2026.3.31 contains an information disclosure vulnerability in the Control Interface bootstrap JSON that exposes ve
5.3 MEDIUM
CVE-2026-41334
< 2026.3.31
OpenClaw before 2026.3.31 contains a decompression bomb vulnerability in image processing that fails to properly enforce pixel-lim
6.5 MEDIUM
CVE-2026-41333
< 2026.3.31
OpenClaw before 2026.3.31 contains an authentication rate limiting bypass vulnerability that allows attackers to circumvent shared
3.7 LOW
CVE-2026-41332
< 2026.3.28
OpenClaw before 2026.3.28 contains an environment variable sanitization vulnerability where GIT_TEMPLATE_DIR and AWS_CONFIG_FILE a
5.3 MEDIUM
CVE-2026-41909
< 2026.4.20
OpenClaw before 2026.4.20 contains an improper authorization vulnerability in paired-device pairing management that allows limited
5.4 MEDIUM
CVE-2026-41908
< 2026.4.20
OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows trusted-proxy
4.3 MEDIUM
CVE-2026-41331
< 2026.3.31
OpenClaw before 2026.3.31 contains a resource consumption vulnerability in Telegram audio preflight transcription that allows unau
5.3 MEDIUM
CVE-2026-41330
< 2026.3.31
OpenClaw before 2026.3.31 contains an environment variable override vulnerability in host exec policy that fails to properly enfor
4.4 MEDIUM
CVE-2026-41329
< 2026.3.31
OpenClaw before 2026.3.31 contains a sandbox bypass vulnerability allowing attackers to escalate privileges via heartbeat context
9.9 CRITICAL
CVE-2026-41303
< 2026.3.28
OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in Discord text approval commands that allows non-approve
8.8 HIGH
CVE-2026-41302
< 2026.3.31
OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality th
7.6 HIGH
CVE-2026-41301
< 2026.3.31
OpenClaw versions 2026.3.22 before 2026.3.31 contain a signature verification bypass vulnerability in the Nostr DM ingress path th
5.3 MEDIUM
CVE-2026-41300
< 2026.3.31
OpenClaw before 2026.3.31 contains a trust-decline vulnerability that preserves attacker-discovered endpoints in remote onboarding
6.5 MEDIUM
CVE-2026-41299
< 2026.3.28
OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in the chat.send gateway method where ACP-only provenance
7.1 HIGH
CVE-2026-41298
< 2026.4.2
OpenClaw before 2026.4.2 fails to enforce write scopes on the POST /sessions/:sessionKey/kill endpoint in identity-bearing HTTP mo
5.4 MEDIUM
CVE-2026-41297
< 2026.3.31
OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality th
7.6 HIGH
CVE-2026-41296
< 2026.3.31
OpenClaw before 2026.3.31 contains a time-of-check-time-of-use race condition in the remote filesystem bridge readFile function th
8.2 HIGH
CVE-2026-41295
< 2026.4.2
OpenClaw before 2026.4.2 contains an improper trust boundary vulnerability allowing untrusted workspace channel shadows to execute
7.8 HIGH
CVE-2026-41294
< 2026.3.28
OpenClaw before 2026.3.28 loads the current working directory .env file before trusted state-dir configuration, allowing environme
8.6 HIGH
CVE-2026-40045
< 2026.4.2
OpenClaw before 2026.4.2 accepts non-loopback cleartext ws:// gateway endpoints and transmits stored gateway credentials over unen
5.7 MEDIUM
CVE-2026-41389
>= 2026.4.7 and < 2026.4.15
OpenClaw versions 2026.4.7 before 2026.4.15 fail to enforce local-root containment on tool-result media paths, allowing arbitrary
5.8 MEDIUM
CVE-2026-3691
< 2026.2.25
OpenClaw Client PKCE Verifier Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose stored
5.3 MEDIUM
CVE-2026-3690
< 2026.2.19
OpenClaw Canvas Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affect
7.4 HIGH
CVE-2026-3689
< 2026.2.21
OpenClaw Canvas Path Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensit
6.5 MEDIUM
CVE-2026-35670
< 2026.3.22
OpenClaw before 2026.3.22 contains a webhook reply delivery vulnerability that allows attackers to rebind chat replies to unintend
5.9 MEDIUM
CVE-2026-35669
< 2026.3.25
OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in gateway-authenticated plugin HTTP routes that incorrect
8.8 HIGH
CVE-2026-35668
< 2026.3.24
OpenClaw before 2026.3.24 contains a path traversal vulnerability in sandbox enforcement allowing sandboxed agents to read arbitra
7.7 HIGH
CVE-2026-35667
< 2026.3.24
OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-27486 where the !stop chat command uses an unpatched killProcess
6.1 MEDIUM
CVE-2026-35666
< 2026.3.22
OpenClaw before 2026.3.22 contains an allowlist bypass vulnerability in system.run approvals that fails to unwrap /usr/bin/time wr
8.8 HIGH
CVE-2026-35665
< 2026.3.24
OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-32011 where the Feishu webhook handler accepts request bodies wi
5.3 MEDIUM
CVE-2026-35664
< 2026.3.25
OpenClaw before 2026.3.25 contains an authentication bypass vulnerability in raw card send surface that allows unpaired recipients
5.3 MEDIUM
CVE-2026-35663
< 2026.3.25
OpenClaw before 2026.3.25 contains a privilege escalation vulnerability allowing non-admin operators to self-request broader scope
8.8 HIGH
CVE-2026-35662
< 2026.3.22
OpenClaw before 2026.3.22 fails to enforce controlScope restrictions on the send action, allowing leaf subagents to message contro
4.3 MEDIUM
CVE-2026-35661
< 2026.3.25
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Telegram callback query handling that allows attackers
5.3 MEDIUM
CVE-2026-35660
< 2026.3.23
OpenClaw before 2026.3.23 contains an insufficient access control vulnerability in the Gateway agent /reset endpoint that allows c
8.1 HIGH
CVE-2026-35659
< 2026.3.22
OpenClaw before 2026.3.22 contains a service discovery vulnerability where TXT metadata from Bonjour and DNS-SD could influence CL
4.6 MEDIUM
CVE-2026-35658
< 2026.3.2
OpenClaw before 2026.3.2 contains a filesystem boundary bypass vulnerability in the image tool that fails to honor tools.fs.worksp
6.5 MEDIUM
CVE-2026-35657
< 2026.3.25
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in the HTTP /sessions/:sessionKey/history route that skip
6.5 MEDIUM
CVE-2026-35656
< 2026.3.22
OpenClaw before 2026.3.22 contains an authentication bypass vulnerability in the X-Forwarded-For header processing when trustedPro
6.5 MEDIUM
CVE-2026-35655
< 2026.3.22
OpenClaw before 2026.3.22 contains an identity spoofing vulnerability in ACP permission resolution that trusts conflicting tool id
5.7 MEDIUM
CVE-2026-35654
< 2026.3.25
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Microsoft Teams feedback invokes that allows unauthori
5.3MEDIUM
CVE-2026-35653
< 2026.3.24
OpenClaw before 2026.3.24 contains an incorrect authorization vulnerability in the POST /reset-profile endpoint that allows authen
8.1HIGH
CVE-2026-35652
< 2026.3.22
OpenClaw before 2026.3.22 contains an authorization bypass vulnerability in interactive callback dispatch that allows non-allowlis
6.5MEDIUM
CVE-2026-35651
>= 2026.2.13 and < 2026.3.25
OpenClaw versions 2026.2.13 through 2026.3.24 contain an ANSI escape sequence injection vulnerability in approval prompts that all
4.3MEDIUM
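CVE-2026-35651 above concerns approval prompts that render attacker-influenced command text with terminal escape sequences intact, so the text shown to the operator need not be the text that will run. The TypeScript below is an added illustration, not OpenClaw's own prompt code: it strips CSI and OSC escape sequences and stray C0/C1 control bytes before the command reaches a terminal, then quotes what remains so an embedded newline cannot push the real command off screen. The function names, the prompt wording and the hostile sample input are this example's own.

```typescript
// Added example (not OpenClaw code): strip terminal control sequences from text
// that will be shown in an approval prompt, so attacker-controlled command text
// cannot clear the line, move the cursor, or retitle the terminal to hide itself.

// CSI: ESC [ params intermediates final.  OSC: ESC ] ... (BEL | ESC \).
// Other Fe escapes: ESC followed by one byte in 0x40..0x5F.
const ANSI_PATTERN =
  /\u001b\[[0-?]*[ -\/]*[@-~]|\u001b\][^\u0007\u001b]*(?:\u0007|\u001b\\)|\u001b[@-Z\\-_]/g;
// Remaining C0 and C1 control characters, except tab and newline.
// (8-bit CSI 0x9B is removed here, but its parameter bytes would remain as text.)
const CONTROL_PATTERN = /[\u0000-\u0008\u000b-\u001f\u007f-\u009f]/g;

export function sanitizeForTerminal(text: string): string {
  return text.replace(ANSI_PATTERN, "").replace(CONTROL_PATTERN, "");
}

// Quote the sanitized text so remaining newlines are visible as \n and the
// operator sees, on one line, exactly what would be executed.
export function renderApprovalPrompt(command: string): string {
  return `Approve execution of ${JSON.stringify(sanitizeForTerminal(command))}? [y/N] `;
}

// Constructed sample: clears the line, moves the cursor up, sets the window
// title, then tries to hide a second command behind a carriage return.
export const SAMPLE_HOSTILE = "ls \u001b[2K\u001b[1A\u001b]0;evil\u0007-la\r\nrm -rf /";
```

Rendering through JSON.stringify is deliberate: a prompt that prints the raw string would still let a newline followed by padding scroll the dangerous part out of view, even after escape stripping.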
CVE-2026-35650
< 2026.3.22
OpenClaw before 2026.3.22 contains an environment variable override handling vulnerability that allows attackers to bypass the sha
7.5HIGH
CVE-2026-35649
< 2026.3.22
OpenClaw before 2026.3.22 contains a settings reconciliation vulnerability that allows attackers to bypass intended deny-all revoc
6.5MEDIUM
CVE-2026-35648
< 2026.3.22
OpenClaw before 2026.3.22 contains a policy bypass vulnerability where queued node actions are not revalidated against current com
3.7LOW
CVE-2026-35647
< 2026.3.25
OpenClaw before 2026.3.25 contains an access control vulnerability where verification notices bypass DM policy checks and reply to
5.3MEDIUM
CVE-2026-35643
< 2026.3.22
OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing attackers to inject arbitrary
8.8HIGH
CVE-2026-35641
< 2026.3.24
OpenClaw before 2026.3.24 contains an arbitrary code execution vulnerability in local plugin and hook installation that allows att
7.8HIGH
CVE-2026-35621
< 2026.3.24
OpenClaw before 2026.3.24 contains a privilege escalation vulnerability where the /allowlist command fails to re-validate gateway
6.5MEDIUM
CVE-2026-35620
< 2026.3.24
OpenClaw before 2026.3.24 contains missing authorization vulnerabilities in the /send and /allowlist chat command handlers. The /s
5.4MEDIUM
CVE-2026-35619
< 2026.3.24
OpenClaw before 2026.3.24 contains an authorization bypass vulnerability in the HTTP /v1/models endpoint that fails to enforce ope
4.3MEDIUM
CVE-2026-6011
< 2026.1.29
A weakness has been identified in OpenClaw up to 2026.1.26. Affected by this issue is some unknown functionality of the file src/a
5.6MEDIUM
CVE-2026-35646
< 2026.3.25
OpenClaw before 2026.3.25 contains a pre-authentication rate-limit bypass vulnerability in webhook token validation that allows at
4.8MEDIUM
CVE-2026-35645
< 2026.3.25
OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in the gateway plugin subagent fallback deleteSession func
8.1HIGH
CVE-2026-35644
< 2026.3.22
OpenClaw before 2026.3.22 contains an information disclosure vulnerability that allows attackers with operator.read scope to expos
6.5MEDIUM
CVE-2026-35642
< 2026.3.25
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability where group reaction events bypass the requireMention acc
4.3MEDIUM
CVE-2026-35640
< 2026.3.25
OpenClaw before 2026.3.25 parses JSON request bodies before validating webhook signatures, allowing unauthenticated attackers to f
5.3MEDIUM
CVE-2026-35639
< 2026.3.22
OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the device.pair.approve method that allows an operator.
8.8HIGH
CVE-2026-35638
< 2026.3.22
OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the Control UI that allows unauthenticated sessions to
8.8HIGH
CVE-2026-35637
< 2026.3.22
OpenClaw before 2026.3.22 performs cite expansion before completing channel and DM authorization checks, allowing cite work and co
7.3HIGH
CVE-2026-35636
>= 2026.3.11 and < 2026.3.25
OpenClaw versions 2026.3.11 through 2026.3.24 contain a session isolation bypass vulnerability where session_status resolves sessi
6.5MEDIUM
CVE-2026-35635
< 2026.3.22
OpenClaw before 2026.3.22 contains a webhook path route replacement vulnerability in the Synology Chat extension that allows attac
4.8MEDIUM
CVE-2026-35634
< 2026.3.23
OpenClaw before 2026.3.23 contains an authentication bypass vulnerability in the Canvas gateway where authorizeCanvasRequest() unc
5.1MEDIUM
CVE-2026-35633
< 2026.3.22
OpenClaw before 2026.3.22 contains an unbounded memory allocation vulnerability in remote media HTTP error handling that allows at
5.3MEDIUM
CVE-2026-35632
<= 2026.2.22
OpenClaw through 2026.2.22 contains a symlink traversal vulnerability in agents.create and agents.update handlers that use fs.appe
7.1HIGH
CVE-2026-35631
< 2026.3.22
OpenClaw before 2026.3.22 fails to enforce operator.admin scope on mutating internal ACP chat commands, allowing unauthorized modi
6.5MEDIUM
CVE-2026-35629
< 2026.3.25
OpenClaw before 2026.3.25 contains a server-side request forgery vulnerability in multiple channel extensions that fail to properl
7.4HIGH
CVE-2026-35628
< 2026.3.25
OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in Telegram webhook authentication that allows attackers
4.8MEDIUM
CVE-2026-35627
< 2026.3.22
OpenClaw before 2026.3.22 performs cryptographic and dispatch operations on inbound Nostr direct messages before enforcing sender
6.5MEDIUM
CVE-2026-35626
< 2026.3.22
OpenClaw before 2026.3.22 contains an unauthenticated resource exhaustion vulnerability in voice call webhook handling that buffer
5.3MEDIUM
CVE-2026-35625
< 2026.3.25
OpenClaw before 2026.3.25 contains a privilege escalation vulnerability where silent local shared-auth reconnects auto-approve sco
7.8HIGH
CVE-2026-35624
< 2026.3.22
OpenClaw before 2026.3.22 contains a policy confusion vulnerability in room authorization that matches colliding room names instea
4.2MEDIUM
CVE-2026-35623
< 2026.3.25
OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in webhook authentication that allows attackers to brute-
4.8MEDIUM
CVE-2026-35622
< 2026.3.22
OpenClaw before 2026.3.22 contains an improper authentication verification vulnerability in Google Chat app-url webhook handling t
5.9MEDIUM
CVE-2026-35618
< 2026.3.23
OpenClaw before 2026.3.23 contains a replay identity vulnerability in Plivo V2 signature verification that allows attackers to byp
6.5MEDIUM
CVE-2026-35617
< 2026.3.25
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Google Chat group policy enforcement that relies on mu
4.2MEDIUM
CVE-2026-34512
< 2026.3.25
OpenClaw before 2026.3.25 contains an improper access control vulnerability in the HTTP /sessions/:sessionKey/kill route that allo
8.1HIGH
CVE-2026-40037
< 2026.4.8
OpenClaw before 2026.3.31 (patched in 2026.4.8) contains a request body replay vulnerability in fetchWithSsrFGuard that allows uns
6.5MEDIUM
CVE-2026-34511
< 2026.4.2
OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the r
5.3MEDIUM
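CVE-2026-34511 describes the PKCE code_verifier being reused as the OAuth state parameter, which puts a value that must stay on the back channel into the authorization URL and the redirect. The TypeScript below is an added example, not OpenClaw's Gemini OAuth code: it generates an independent verifier, S256 challenge and state, keeps the verifier server-side bound to the pending flow, and releases it only after the returned state matches. The authorize endpoint and callback URLs are placeholders assumed for the example.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Added example (not OpenClaw code). PKCE verifier and CSRF state are separate
// secrets with separate jobs: the verifier proves the token request comes from
// the party that started the flow (and is only ever sent over the back channel);
// the state ties the redirect back to this browser session.

function base64url(buf: Buffer): string {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

export interface PendingAuth {
  state: string;        // public: appears in the authorize URL and the redirect
  codeVerifier: string; // secret: never placed in a URL
  createdAt: number;
}

export function codeChallengeFor(verifier: string): string {
  return base64url(createHash("sha256").update(verifier).digest());
}

export function beginAuth(): { url: URL; pending: PendingAuth } {
  const codeVerifier = base64url(randomBytes(32)); // 43 chars, within RFC 7636's 43..128
  const state = base64url(randomBytes(16));
  const url = new URL("https://auth.example/authorize"); // placeholder endpoint
  url.searchParams.set("response_type", "code");
  url.searchParams.set("code_challenge", codeChallengeFor(codeVerifier));
  url.searchParams.set("code_challenge_method", "S256");
  url.searchParams.set("state", state);
  return { url, pending: { state, codeVerifier, createdAt: Date.now() } };
}

function equalStrings(a: string, b: string): boolean {
  const ab = Buffer.from(a);
  const bb = Buffer.from(b);
  return ab.length === bb.length && timingSafeEqual(ab, bb);
}

// On the redirect back: returns the verifier to send to the token endpoint, or
// null if the state does not match the pending flow or the flow has expired.
export function completeAuth(pending: PendingAuth, redirect: URL, maxAgeMs = 10 * 60 * 1000): string | null {
  const state = redirect.searchParams.get("state") ?? "";
  if (!equalStrings(state, pending.state)) return null;
  if (Date.now() - pending.createdAt > maxAgeMs) return null;
  return pending.codeVerifier;
}
```

The pending record should be looked up by the browser session that started the flow (cookie or local callback listener), not by the state value alone; otherwise an attacker who obtains any valid state can complete a flow they did not start.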
CVE-2026-34426
< 2026.4.2
OpenClaw versions prior to commit b57b680 contain an approval bypass vulnerability due to inconsistent environment variable norma
7.6HIGH
CVE-2026-34425
< 2026.4.2
OpenClaw versions prior to commit 8aceaf5 contain a preflight validation bypass vulnerability in shell-bleed protection that allow
5.4MEDIUM
CVE-2026-34510
< 2026.3.22
OpenClaw before 2026.3.22 contains a path traversal vulnerability in Windows media loaders that accepts remote-host file URLs and
5.3MEDIUM
CVE-2026-34504
< 2026.3.28
OpenClaw before 2026.3.28 contains a server-side request forgery vulnerability in the fal provider image-generation-provider.ts co
8.3HIGH
CVE-2026-34503
< 2026.3.28
OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers
8.1HIGH
CVE-2026-33581
< 2026.3.24
OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows attackers to read arbitrary loca
6.5MEDIUM
CVE-2026-33580
< 2026.3.28
OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication that allows
6.5MEDIUM
CVE-2026-33579
< 2026.3.28
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forward ca
9.9CRITICAL
CVE-2026-33578
< 2026.3.28
OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions where route-lev
4.3MEDIUM
CVE-2026-33577
< 2026.3.28
OpenClaw before 2026.3.28 contains an insufficient scope validation vulnerability in the node pairing approval path that allows lo
8.1HIGH
CVE-2026-33576
< 2026.3.28
OpenClaw before 2026.3.28 downloads and stores inbound media from Zalo channels before validating sender authorization. Unauthoriz
6.5MEDIUM
CVE-2026-34506
< 2026.3.8
OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized s
4.3MEDIUM
CVE-2026-34505
< 2026.3.12
OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to bypass rate li
6.5MEDIUM
CVE-2026-32988
< 2026.3.11
OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in fs-bridge staged writes where temporary file creatio
7.5HIGH
CVE-2026-32982
< 2026.3.13
OpenClaw before 2026.3.13 contains an information disclosure vulnerability in the fetchRemoteMedia function that exposes Telegram
7.5HIGH
CVE-2026-32977
< 2026.3.11
OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in the fs-bridge writeFile commit step that uses an una
6.3MEDIUM
CVE-2026-32976
< 2026.3.11
OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing channel commands to mutate protected sibling-acc
6.5MEDIUM
CVE-2026-32971
< 2026.3.11
OpenClaw before 2026.3.11 contains an approval-integrity vulnerability in node-host system.run approvals that displays extracted s
7.1HIGH
CVE-2026-32970
< 2026.3.11
OpenClaw before 2026.3.11 contains a credential fallback vulnerability where unavailable local gateway.auth.token and gateway.auth
2.5LOW
CVE-2026-32921
< 2026.3.8
OpenClaw before 2026.3.8 contains an approval bypass vulnerability in system.run where mutable script operands are not bound acros
6.3MEDIUM
CVE-2026-32920
< 2026.3.12
OpenClaw before 2026.3.12 automatically discovers and loads plugins from .OpenClaw/extensions/ without explicit trust verification
8.4HIGH
CVE-2026-32917
< 2026.3.13
OpenClaw before 2026.3.13 contains a remote command injection vulnerability in the iMessage attachment staging flow that allows at
9.8CRITICAL
CVE-2026-32916
>= 2026.3.7 and < 2026.3.11
OpenClaw versions 2026.3.7 before 2026.3.11 contain an authorization bypass vulnerability where plugin subagent routes execute gat
9.4CRITICAL
CVE-2026-33575
< 2026.3.12
OpenClaw before 2026.3.12 embeds long-lived shared gateway credentials directly in pairing setup codes generated by /pair endpoint
7.5HIGH
CVE-2026-33574
< 2026.3.8
OpenClaw before 2026.3.8 contains a path traversal vulnerability in the skills download installer that validates the tools root le
6.2MEDIUM
CVE-2026-33573
< 2026.3.11
OpenClaw before 2026.3.11 contains an authorization bypass vulnerability in the gateway agent RPC that allows authenticated operat
8.8HIGH
CVE-2026-33572
< 2026.2.17
OpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local users to re
8.4HIGH
CVE-2026-32987
< 2026.3.13
OpenClaw before 2026.3.13 allows bootstrap setup codes to be replayed during device pairing verification in src/infra/device-boots
9.8CRITICAL
CVE-2026-32980
< 2026.3.13
OpenClaw before 2026.3.13 reads and buffers Telegram webhook request bodies before validating the x-telegram-bot-api-secret-token
7.5HIGH
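Several entries above are the same ordering mistake in different handlers: CVE-2026-32980 buffers the Telegram body before checking x-telegram-bot-api-secret-token, CVE-2026-35640 parses JSON before verifying signatures, and CVE-2026-34505, CVE-2026-35623 and CVE-2026-35628 apply rate limiting only after authentication. The TypeScript below is an added example, not OpenClaw's webhook code, showing the order a handler should take: count the request against the source address first, reject a bad or missing secret before touching the body, and cap the body while streaming rather than after it is in memory. The request shape, limiter and chunk source are this example's own constructions.

```typescript
import { timingSafeEqual } from "node:crypto";

// Added example (not OpenClaw code). Assumed: the bot was registered with a
// secret_token, so every legitimate update carries it in the
// x-telegram-bot-api-secret-token header.

export interface Req {
  ip: string;
  headers: Record<string, string | undefined>;
  contentLength?: number;
  body: Iterable<Uint8Array>; // chunks in arrival order
}
export type Outcome = { status: number; reason: string; body?: Buffer };

// Counts every request, authenticated or not, per source address.
export class FixedWindowLimiter {
  private counts = new Map<string, { windowStart: number; n: number }>();
  constructor(private limit: number, private windowMs: number) {}
  allow(key: string, now: number): boolean {
    const e = this.counts.get(key);
    if (!e || now - e.windowStart >= this.windowMs) {
      this.counts.set(key, { windowStart: now, n: 1 });
      return true;
    }
    e.n++;
    return e.n <= this.limit;
  }
}

function secretMatches(presented: string | undefined, expected: string): boolean {
  if (!presented) return false;
  const a = Buffer.from(presented);
  const b = Buffer.from(expected);
  return a.length === b.length && timingSafeEqual(a, b);
}

// Stops pulling chunks as soon as the running total exceeds maxBytes.
export function readBodyCapped(chunks: Iterable<Uint8Array>, maxBytes: number): Buffer | null {
  const parts: Buffer[] = [];
  let total = 0;
  for (const c of chunks) {
    total += c.length;
    if (total > maxBytes) return null;
    parts.push(Buffer.from(c));
  }
  return Buffer.concat(parts);
}

export function handleWebhook(req: Req, expectedSecret: string, limiter: FixedWindowLimiter, now: number, maxBytes = 1 << 20): Outcome {
  if (!limiter.allow(req.ip, now)) return { status: 429, reason: "rate limited" };
  if (!secretMatches(req.headers["x-telegram-bot-api-secret-token"], expectedSecret)) {
    return { status: 401, reason: "bad secret" }; // body is never read
  }
  if (req.contentLength !== undefined && req.contentLength > maxBytes) return { status: 413, reason: "declared size too large" };
  const body = readBodyCapped(req.body, maxBytes);
  if (!body) return { status: 413, reason: "body exceeded cap" };
  try { JSON.parse(body.toString("utf8")); } catch { return { status: 400, reason: "invalid json" }; }
  return { status: 200, reason: "ok", body };
}

// Constructed chunk source that records how many chunks were consumed, so a
// test can prove the body was not read on the rejection paths.
export function countingSource(text: string, chunkSize = 4): { chunks: Iterable<Uint8Array>; reads: () => number } {
  let reads = 0;
  const bytes = Buffer.from(text);
  const chunks: Iterable<Uint8Array> = {
    *[Symbol.iterator]() {
      for (let i = 0; i < bytes.length; i += chunkSize) { reads++; yield bytes.subarray(i, i + chunkSize); }
    },
  };
  return { chunks, reads: () => reads };
}
```

For HMAC-signed webhooks the same order holds, with one difference: the signature is over the raw bytes, so the capped read must complete before verification, and parsing still waits until the signature has checked out.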
CVE-2026-32979
< 2026.3.11
OpenClaw before 2026.3.11 contains an approval integrity vulnerability allowing attackers to execute rewritten local code by modif
7.3HIGH
CVE-2026-32978
< 2026.3.11
OpenClaw before 2026.3.11 contains an approval integrity vulnerability where system.run approvals fail to bind mutable file operan
8.0HIGH
CVE-2026-32975
< 2026.3.12
OpenClaw before 2026.3.12 contains a weak authorization vulnerability in Zalouser allowlist mode that matches mutable group displa
9.8CRITICAL
CVE-2026-32974
< 2026.3.12
OpenClaw before 2026.3.12 contains an authentication bypass vulnerability in Feishu webhook mode when only verificationToken is co
8.6HIGH
CVE-2026-32973
< 2026.3.11
OpenClaw before 2026.3.11 contains an exec allowlist bypass vulnerability where matchesExecAllowlistPattern improperly normalizes
9.8CRITICAL
CVE-2026-32972
< 2026.3.11
OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing authenticated operators with only operator.write
7.1HIGH
CVE-2026-32924
< 2026.3.12
OpenClaw before 2026.3.12 contains an authorization bypass vulnerability where Feishu reaction events with omitted chat_type are m
9.8CRITICAL
CVE-2026-32923
< 2026.3.11
OpenClaw before 2026.3.11 contains an authorization bypass vulnerability in Discord guild reaction ingestion that fails to enforce
5.4MEDIUM
CVE-2026-32922
< 2026.3.11
OpenClaw before 2026.3.11 contains a privilege escalation vulnerability in device.token.rotate that allows callers with operator.p
9.9CRITICAL
CVE-2026-32919
< 2026.3.11
OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing write-scoped callers to reach admin-only session
6.1MEDIUM
CVE-2026-32918
< 2026.3.11
OpenClaw before 2026.3.11 contains a session sandbox escape vulnerability in the session_status tool that allows sandboxed subagen
8.4HIGH
CVE-2026-32915
< 2026.3.11
OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability allowing leaf subagents to access the subagents control
8.8HIGH
CVE-2026-32914
< 2026.3.12
OpenClaw before 2026.3.12 contains an insufficient access control vulnerability in the /config and /debug command handlers that al
8.8HIGH
CVE-2026-32846
<= 2026.3.23
OpenClaw before 2026.3.28 contains a path traversal vulnerability in media parsing that allows attackers to read arbitrary files b
7.5HIGH
CVE-2026-32913
< 2026.3.7
OpenClaw before 2026.3.7 contains an improper header validation vulnerability in fetchWithSsrFGuard that forwards custom authoriza
9.3CRITICAL
CVE-2026-27646
< 2026.3.7
OpenClaw versions prior to 2026.3.7 contain a sandbox escape vulnerability in the /acp spawn command that allows authorized sandbo
6.1MEDIUM
CVE-2026-27183
< 2026.3.7
OpenClaw versions prior to 2026.3.7 contain a shell approval gating bypass vulnerability in system.run dispatch-wrapper handling t
5.3MEDIUM
CVE-2026-32899
< 2026.2.25
OpenClaw versions prior to 2026.2.25 fail to consistently apply sender-policy checks to reaction_ and pin_ non-message events be
4.3MEDIUM
CVE-2026-32898
< 2026.2.23
OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerability in the ACP client that auto-approves tool calls
5.4MEDIUM
CVE-2026-32897
< 2026.2.22
OpenClaw versions prior to 2026.2.22 reuse gateway.auth.token as a fallback hash secret for owner-ID prompt obfuscation when comma
3.7LOW
CVE-2026-32896
< 2026.2.21
The BlueBubbles webhook handler in OpenClaw versions prior to 2026.2.21 contains a passwordless fallback authentication path that
4.8MEDIUM
CVE-2026-32895
< 2026.2.26
OpenClaw versions prior to 2026.2.26 fail to enforce sender authorization in member and message subtype system event handlers, all
5.4MEDIUM
CVE-2026-32067
< 2026.2.26
OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability in the pairing-store access control for direct
3.7LOW
CVE-2026-32065
< 2026.2.25
OpenClaw versions prior to 2026.2.25 contain an approval-integrity bypass vulnerability in system.run where rendered command text
4.8MEDIUM
CVE-2026-32064
< 2026.2.21
OpenClaw versions prior to 2026.2.21 sandbox browser entrypoint launches x11vnc without authentication for noVNC observer sessions
7.7HIGH
CVE-2026-32058
< 2026.2.26
OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness in system.run execution flows with host=node tha
2.6LOW
CVE-2026-32057
< 2026.2.25
OpenClaw versions prior to 2026.2.25 contain an authentication bypass vulnerability in the trusted-proxy Control UI pairing mechan
7.1HIGH
CVE-2026-32056
< 2026.2.22
OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and ZDOTDIR in the system.run funct
7.5HIGH
CVE-2026-32055
< 2026.2.26
OpenClaw versions prior to 2026.2.26 contain a path traversal vulnerability in workspace boundary validation that allows attackers
7.6HIGH
CVE-2026-32054
< 2026.2.25
OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in browser trace and download output path handling
6.5MEDIUM
CVE-2026-32053
< 2026.2.23
OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication where normalized event IDs are
6.5MEDIUM
CVE-2026-32052
< 2026.2.24
OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability in the system.run shell-wrapper that allows attacke
6.4MEDIUM
CVE-2026-32051
< 2026.3.1
OpenClaw versions prior to 2026.3.1 contain an authorization mismatch vulnerability that allows authenticated callers with operato
8.8HIGH
CVE-2026-32050
< 2026.2.25
OpenClaw versions prior to 2026.2.25 contain an access control vulnerability in signal reaction notification handling that allows
3.7LOW
CVE-2026-32049
< 2026.2.22
OpenClaw versions prior to 2026.2.22 fail to consistently enforce configured inbound media byte limits before buffering remote med
7.5HIGH
CVE-2026-32048
< 2026.3.1
OpenClaw versions prior to 2026.3.1 fail to enforce sandbox inheritance during cross-agent sessions_spawn operations, allowing san
7.5HIGH
CVE-2026-32046
< 2026.2.21
OpenClaw versions prior to 2026.2.21 contain an improper sandbox configuration vulnerability that allows attackers to execute arbi
5.3MEDIUM
CVE-2026-32045
< 2026.2.21
OpenClaw versions prior to 2026.2.21 incorrectly apply tokenless Tailscale header authentication to HTTP gateway routes, allowing
5.9MEDIUM
CVE-2026-32044
< 2026.3.2
OpenClaw versions prior to 2026.3.2 contain an archive extraction vulnerability in the tar.bz2 installer path that bypasses safety
5.5MEDIUM
CVE-2026-32043
< 2026.2.25
OpenClaw versions prior to 2026.2.25 contain a time-of-check-time-of-use vulnerability in approval-bound system.run execution wher
6.5MEDIUM
CVE-2026-32042
>= 2026.2.22 and < 2026.2.25
OpenClaw versions 2026.2.22 prior to 2026.2.25 contain a privilege escalation vulnerability allowing unpaired device identities to
8.8HIGH
CVE-2026-22172
< 2026.3.12
OpenClaw versions prior to 2026.3.12 contain an authorization bypass vulnerability in the WebSocket connect path that allows share
9.9CRITICAL
CVE-2026-32041
< 2026.3.1
OpenClaw versions prior to 2026.3.1 fail to properly handle authentication bootstrap errors during startup, allowing browser-contr
6.9MEDIUM
CVE-2026-32040
< 2026.2.23
OpenClaw versions prior to 2026.2.23 contain an html injection vulnerability in the HTML session exporter that allows attackers to
4.6MEDIUM
CVE-2026-32039
< 2026.2.22
OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the toolsBySender group policy matching that
5.9MEDIUM
CVE-2026-32038
< 2026.2.24
OpenClaw before 2026.2.24 contains a sandbox network isolation bypass vulnerability that allows trusted operators to join another
9.8CRITICAL
CVE-2026-32037
< 2026.2.22
OpenClaw versions prior to 2026.2.22 fail to consistently validate redirect chains against configured mediaAllowHosts allowlists d
6.0MEDIUM
CVE-2026-32036
< 2026.2.6
OpenClaw gateway plugin versions prior to 2026.2.26 contain a path traversal vulnerability that allows remote attackers to bypass
6.5MEDIUM
CVE-2026-32035
< 2026.3.2
OpenClaw versions prior to 2026.3.2 fail to pass the senderIsOwner flag when processing Discord voice transcripts in agentCommand,
5.9MEDIUM
CVE-2026-32034
< 2026.2.21
OpenClaw versions prior to 2026.2.21 contain an authentication bypass vulnerability in the Control UI when allowInsecureAuth is ex
8.1HIGH
CVE-2026-32033
< 2026.2.24
OpenClaw versions prior to 2026.2.24 contain a path traversal vulnerability where @-prefixed absolute paths bypass workspace-only
6.5MEDIUM
CVE-2026-32032
< 2026.2.22
OpenClaw versions prior to 2026.2.22 contain an arbitrary shell execution vulnerability in shell environment fallback that trusts
7.8HIGH
CVE-2026-32031
< 2026.2.26
OpenClaw versions prior to 2026.2.26 server-http contains an authentication bypass vulnerability in gateway authentication for plu
4.8MEDIUM
CVE-2026-32030
< 2026.2.19
OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the stageSandboxMedia function that accepts arbitra
7.5HIGH
CVE-2026-32029
< 2026.2.21
OpenClaw versions prior to 2026.2.21 improperly parse the left-most X-Forwarded-For header value when requests originate from conf
5.3MEDIUM
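CVE-2026-32029 (the left-most X-Forwarded-For value taken as the client), CVE-2026-35656 (trustedProxies handling) and CVE-2026-32045 (header-based authentication applied to the wrong routes) all turn on the same question: which address in a forwarded chain can be believed. The TypeScript below is an added example, not OpenClaw's proxy code. It walks the header from the right, discarding configured trusted proxies, and returns null rather than guessing when a hop is malformed or the chain contains nothing but proxies; the naive left-most read is included for contrast.

```typescript
import { isIP } from "node:net";

// Added example (not OpenClaw code). Each proxy appends the address it saw to
// X-Forwarded-For, so the right-most entries were written by proxies we run and
// the left-most by whoever originated the request.

function normalize(addr: string): string {
  // Fold IPv4-mapped IPv6 ("::ffff:127.0.0.1") onto its IPv4 spelling so a
  // loopback check cannot be dodged by picking the other form.
  const m = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(addr);
  return m ? m[1] : addr;
}

// Returns the effective client address, or null when it cannot be determined
// safely. Callers treat null as "not local, not allowlisted".
export function clientAddress(
  peer: string,
  xff: string | undefined,
  trustedProxies: ReadonlySet<string>,
): string | null {
  const socketAddr = normalize(peer);
  if (!trustedProxies.has(socketAddr)) return socketAddr; // direct connection: header is noise
  const hops = (xff ?? "").split(",").map((s) => normalize(s.trim())).filter((s) => s.length > 0);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (isIP(hops[i]) === 0) return null;            // malformed: refuse rather than guess
    if (!trustedProxies.has(hops[i])) return hops[i]; // first non-proxy from the right
  }
  return null; // only proxies in the chain
}

export function isLoopback(addr: string | null): boolean {
  if (addr === null) return false;
  const a = normalize(addr);
  return a === "::1" || a.startsWith("127.");
}

// The shape the entry describes as vulnerable: trusting the first value.
export function leftmostNaive(xff: string | undefined): string | undefined {
  return xff?.split(",")[0]?.trim();
}
```

Tokenless local access, where the gateway offers it, should be decided on isLoopback(clientAddress(...)) and only when the socket peer itself is loopback or a configured proxy; a request arriving from an arbitrary peer with a forged header must fall through to normal authentication.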
CVE-2026-32028
< 2026.2.25
OpenClaw versions prior to 2026.2.25 fail to enforce dmPolicy and allowFrom authorization checks on Discord direct-message reactio
5.3MEDIUM
CVE-2026-32027
< 2026.2.26
OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-store identities are incorrect
6.5MEDIUM
CVE-2026-32026
< 2026.2.24
OpenClaw versions prior to 2026.2.24 contain an improper path validation vulnerability in sandbox media handling that allows absol
6.5MEDIUM
CVE-2026-32025
< 2026.2.25
OpenClaw versions prior to 2026.2.25 contain an authentication hardening gap in browser-origin WebSocket clients that allows attac
7.5HIGH
CVE-2026-32024
< 2026.2.22
OpenClaw versions prior to 2026.2.22 contain a symlink traversal vulnerability in avatar handling that allows attackers to read ar
5.5MEDIUM
CVE-2026-32023
< 2026.2.24
OpenClaw versions prior to 2026.2.24 contain an approval gating bypass vulnerability in system.run allowlist mode where nested tra
7.1HIGH
CVE-2026-32022
< 2026.2.21
OpenClaw versions prior to 2026.2.21 contain a stdin-only policy bypass vulnerability in the grep tool within tools.exec.safeBins
6.5MEDIUM
CVE-2026-32021
< 2026.2.22
OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the Feishu allowFrom allowlist implementatio
6.5MEDIUM
CVE-2026-32020
< 2026.2.22
OpenClaw versions prior to 2026.2.22 contain a path traversal vulnerability in the static file handler that follows symbolic links
3.3LOW
CVE-2026-32019
< 2026.2.22
OpenClaw versions prior to 2026.2.22 contain incomplete IPv4 special-use range validation in the isPrivateIpv4() function, allowin
7.4HIGH
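CVE-2026-32019 names an incomplete isPrivateIpv4() check, and CVE-2026-32037 above describes redirect chains that were not re-validated against mediaAllowHosts at each hop. The TypeScript below is an added example, not OpenClaw's fetch guard, and generalizes both points: the address table is the full IPv4 special-use set from the RFC 6890 registry rather than only RFC 1918, and every hop of a redirect chain is checked against the host allowlist and the resolved address before it is fetched. The resolver and single-hop fetch are injected so the example runs offline; the host names and addresses in the test are constructed.

```typescript
// Added example (not OpenClaw code). Special-use IPv4 blocks per the IANA
// registry (RFC 6890 and later additions); treated as never reachable by an
// outbound fetch that a remote party can steer.
const SPECIAL_USE_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.0.0.0", 24], ["192.0.2.0", 24],
  ["192.88.99.0", 24], ["192.168.0.0", 16], ["198.18.0.0", 15], ["198.51.100.0", 24],
  ["203.0.113.0", 24], ["224.0.0.0", 4], ["240.0.0.0", 4], ["255.255.255.255", 32],
];

function ipv4ToInt(ip: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const o = Number(m[i]);
    if (o > 255) return null;
    n = n * 256 + o;
  }
  return n;
}

export function isSpecialUseIpv4(ip: string): boolean {
  const n = ipv4ToInt(ip);
  if (n === null) return true; // unparseable counts as unsafe
  return SPECIAL_USE_V4.some(([net, bits]) => {
    const base = ipv4ToInt(net)!;
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((base & mask) >>> 0);
  });
}

export interface GuardDeps {
  resolve: (host: string) => string[];                               // A lookup, injected
  fetch: (url: string) => { status: number; location?: string };     // one hop, no auto-redirect
}
export type GuardResult =
  | { ok: true; finalUrl: string; hops: string[] }
  | { ok: false; reason: string; hops: string[] };

function hostAllowed(host: string, allowHosts: string[]): boolean {
  const h = host.toLowerCase();
  return allowHosts.some((a) => h === a.toLowerCase() || h.endsWith("." + a.toLowerCase()));
}

// Re-runs scheme, allowlist and address checks on every hop, including the
// Location targets a previously allowed host hands back.
export function fetchWithRedirectGuard(start: string, allowHosts: string[], deps: GuardDeps, maxHops = 5): GuardResult {
  const hops: string[] = [];
  let current = start;
  for (let i = 0; i <= maxHops; i++) {
    let u: URL;
    try { u = new URL(current); } catch { return { ok: false, reason: "bad url", hops }; }
    hops.push(current);
    if (u.protocol !== "https:" && u.protocol !== "http:") return { ok: false, reason: `scheme ${u.protocol}`, hops };
    if (!hostAllowed(u.hostname, allowHosts)) return { ok: false, reason: `host ${u.hostname} not allowlisted`, hops };
    const addrs = ipv4ToInt(u.hostname) !== null ? [u.hostname] : deps.resolve(u.hostname);
    if (addrs.length === 0 || addrs.some(isSpecialUseIpv4)) {
      return { ok: false, reason: `host ${u.hostname} resolves to a special-use address`, hops };
    }
    const res = deps.fetch(current);
    if (res.status >= 300 && res.status < 400 && res.location) {
      current = new URL(res.location, current).toString(); // relative Location is legal
      continue;
    }
    return { ok: true, finalUrl: current, hops };
  }
  return { ok: false, reason: "too many redirects", hops };
}
```

This closes the allowlist and address-class gaps but not DNS rebinding (CVE-2026-22181 above): for that the connection must be made to the address that was checked, which needs a fetch that accepts a pinned address, not just a URL.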
CVE-2026-32018
< 2026.2.19
OpenClaw versions prior to 2026.2.19 contain a race condition vulnerability in concurrent updateRegistry and removeRegistryEntry o
3.6LOW
CVE-2026-32017
< 2026.2.19
OpenClaw versions prior to 2026.2.19 contain an allowlist bypass vulnerability in the exec safeBins policy that allows attackers t
7.1HIGH
CVE-2026-32016
< 2026.2.22
OpenClaw versions prior to 2026.2.22 on macOS contain a path validation bypass vulnerability in the exec-approval allowlist mode t
7.8HIGH
CVE-2026-32015
>= 2026.1.21 and < 2026.2.19
OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a path hijacking vulnerability in tools.exec.safeBins that allows attackers
7.8HIGH
CVE-2026-32014
< 2026.2.26
OpenClaw versions prior to 2026.2.26 contain a metadata spoofing vulnerability where reconnect platform and deviceFamily fields ar
8.0HIGH
CVE-2026-32013
< 2026.2.25
OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in the agents.files.get and agents.files.set method
8.8HIGH
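CVE-2026-32013 (agents.files.get/set), CVE-2026-32024 (avatar handling) and CVE-2026-32020 (static file handler) are all symlink traversals: a path that looks like it stays inside the workspace is followed through a link to a file outside it. The TypeScript below is an added example, not OpenClaw's file handling. It canonicalises the deepest existing ancestor with realpath before the containment check, so a link planted anywhere on the path is caught, and opens files for writing with O_NOFOLLOW and mode 0600 (the permissions point is CVE-2026-33572 above). The demo() fixture builds its own temporary workspace and planted links.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Added example (not OpenClaw code).
export class PathEscapeError extends Error {}

// Map a caller-supplied relative path onto a canonical absolute path under root.
export function resolveInsideRoot(root: string, userPath: string): string {
  const realRoot = fs.realpathSync(root);
  if (path.isAbsolute(userPath) || userPath.split(/[\\/]/).includes("..")) {
    throw new PathEscapeError(`rejected path ${JSON.stringify(userPath)}`);
  }
  let probe = path.resolve(realRoot, userPath);
  const missing: string[] = [];
  while (!fs.existsSync(probe)) {          // false for dangling symlinks as well
    missing.unshift(path.basename(probe));
    probe = path.dirname(probe);
  }
  // realpath resolves every link on the existing part; the missing tail is appended verbatim.
  const real = path.join(fs.realpathSync(probe), ...missing);
  if (real !== realRoot && !real.startsWith(realRoot + path.sep)) {
    throw new PathEscapeError(`${JSON.stringify(userPath)} resolves outside ${root}`);
  }
  return real;
}

// Create or truncate a file under root with 0600 permissions. O_NOFOLLOW makes
// the open fail if the final component became a symlink after the check above.
export function writeFileInsideRoot(root: string, userPath: string, data: string): string {
  const target = resolveInsideRoot(root, userPath);
  const { O_WRONLY, O_CREAT, O_TRUNC, O_NOFOLLOW } = fs.constants;
  const fd = fs.openSync(target, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0o600);
  try { fs.writeSync(fd, data); } finally { fs.closeSync(fd); }
  return target;
}

// Builds a throwaway workspace with planted symlinks and reports what the guard does.
export function demo(): { written: string; expected: string; mode: number; fileLinkBlocked: boolean; dirLinkBlocked: boolean; dotdotBlocked: boolean } {
  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), "path-guard-example-"));
  try {
    const root = path.join(tmp, "workspace");
    fs.mkdirSync(path.join(root, "notes"), { recursive: true });
    const secret = path.join(tmp, "secret.txt");
    fs.writeFileSync(secret, "outside the workspace");
    fs.symlinkSync(secret, path.join(root, "avatar.png")); // file link pointing out of root
    fs.symlinkSync(tmp, path.join(root, "link"));          // directory link pointing out of root
    const blocked = (p: string): boolean => {
      try { resolveInsideRoot(root, p); return false; } catch (e) { return e instanceof PathEscapeError; }
    };
    const written = writeFileInsideRoot(root, "notes/todo.md", "ok");
    return {
      written,
      expected: path.join(fs.realpathSync(root), "notes", "todo.md"),
      mode: fs.statSync(written).mode & 0o777,
      fileLinkBlocked: blocked("avatar.png"),
      dirLinkBlocked: blocked("link/secret.txt"),
      dotdotBlocked: blocked("../secret.txt"),
    };
  } finally {
    fs.rmSync(tmp, { recursive: true, force: true });
  }
}
```

The remaining window is a directory on the path being swapped for a link between the check and the open; closing that fully needs openat-style directory file descriptors (O_PATH plus relative opens), which Node does not expose directly.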
CVE-2026-32011
< 2026.3.2
OpenClaw versions prior to 2026.3.2 contain a denial of service vulnerability in webhook handlers for BlueBubbles and Google Chat
7.5HIGH
CVE-2026-32010
< 2026.2.22
OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in the safe-bin configuration when sort is manually
6.3MEDIUM
CVE-2026-32009
< 2026.2.24
OpenClaw versions prior to 2026.2.24 contain a policy bypass vulnerability in the safeBins allowlist evaluation that trusts static
5.7MEDIUM
CVE-2026-32008
< 2026.2.21
OpenClaw versions prior to 2026.2.21 contain an improper URL scheme validation vulnerability in the assertBrowserNavigationAllowed
6.5MEDIUM
CVE-2026-32007
< 2026.2.23
OpenClaw versions prior to 2026.2.23 contain a path traversal vulnerability in the experimental apply_patch tool that allows attac
6.8MEDIUM
CVE-2026-32006
< 2026.2.26
OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-store identities are incorrect
3.1LOW
CVE-2026-32005
< 2026.2.22
OpenClaw versions prior to 2026.2.25 fail to enforce sender authorization checks for interactive callbacks including block_action,
6.8MEDIUM
CVE-2026-32004
< 2026.3.2
OpenClaw versions prior to 2026.3.2 contain an authentication bypass vulnerability in the /api/channels route classification due t
6.5MEDIUM
CVE-2026-32003
< 2026.2.22
OpenClaw versions prior to 2026.2.22 contain an environment variable injection vulnerability in the system.run function that allow
6.6MEDIUM
CVE-2026-32002
< 2026.2.23
OpenClaw versions prior to 2026.2.23 contain a sandbox bypass vulnerability in the sandboxed image tool that fails to enforce tool
5.3MEDIUM
CVE-2026-32001
< 2026.2.22
OpenClaw versions prior to 2026.2.22 contain an authentication bypass vulnerability that allows clients authenticated with a share
5.4MEDIUM
CVE-2026-32000
< 2026.2.19
OpenClaw versions prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension tool execution that uses W
7.1HIGH
CVE-2026-31999
>= 2026.2.26 and < 2026.3.1
OpenClaw versions 2026.2.26 prior to 2026.3.1 on Windows contain a current working directory injection vulnerability in wrapper re
6.3MEDIUM
CVE-2026-31998
>= 2026.2.22 and < 2026.2.24
OpenClaw versions 2026.2.22 and 2026.2.23 contain an authorization bypass vulnerability in the synology-chat channel plugin where
8.6HIGH
CVE-2026-31997
< 2026.3.1
OpenClaw versions prior to 2026.3.1 fail to pin executable identity for non-path-like argv[0] tokens in system.run approvals, allo
6.0MEDIUM
CVE-2026-31996
< 2026.2.19
OpenClaw versions prior to 2026.2.19 tools.exec.safeBins contains an input validation bypass vulnerability that allows attackers t
4.4MEDIUM
CVE-2026-31995
>= 2026.1.21 and < 2026.2.19
OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension's Windows shell
5.3MEDIUM
CVE-2026-31994
< 2026.2.19
OpenClaw versions prior to 2026.2.19 contain a local command injection vulnerability in Windows scheduled task script generation d
7.1HIGH
CVE-2026-31993
< 2026.2.22
OpenClaw versions prior to 2026.2.22 contain an allowlist parsing mismatch vulnerability in the macOS companion app that allows au
4.8MEDIUM
CVE-2026-31992
< 2026.2.23
OpenClaw versions prior to 2026.2.23 contain an allowlist bypass vulnerability in system.run guardrails that allows authenticated
7.1HIGH
CVE-2026-31991
< 2026.2.26
OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where Signal group allowlist policy incorrectly
3.7LOW
CVE-2026-31990
< 2026.3.2
OpenClaw versions prior to 2026.3.2 contain a vulnerability in the stageSandboxMedia function in which it fails to validate destin
6.1MEDIUM
CVE-2026-31989
< 2026.3.1
OpenClaw versions prior to 2026.3.1 contain a server-side request forgery vulnerability in web_search citation redirect resolution
7.4HIGH
CVE-2026-29608
all versions
OpenClaw 2026.3.1 contains an approval integrity vulnerability in system.run node-host execution where argv rewriting changes comm
6.7MEDIUM
CVE-2026-29607
< 2026.2.22
OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in allow-always wrapper persistence that allows
6.8MEDIUM
CVE-2026-28461
< 2026.3.1
OpenClaw versions prior to 2026.3.1 contain an unbounded memory growth vulnerability in the Zalo webhook endpoint that allows unau
7.5HIGH
CVE-2026-28460
< 2026.2.22
OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run that allows attackers to execute non-
7.1HIGH
CVE-2026-28449
< 2026.2.25
OpenClaw versions prior to 2026.2.25 lack durable replay state for Nextcloud Talk webhook events, allowing valid signed webhook re
6.5MEDIUM
CVE-2026-27670
< 2026.3.2
OpenClaw versions prior to 2026.3.2 contain a race condition vulnerability in ZIP extraction that allows local attackers to write
5.3MEDIUM
CVE-2026-27566
< 2026.2.22
OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run exec analysis that fails to unwrap en
7.1HIGH
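CVE-2026-27566 (env not unwrapped), the /usr/bin/time entry at the top of this section, and CVE-2026-31997 (executable identity not pinned for bare argv[0]) describe the same weakness in approval checks: the policy is evaluated against a wrapper instead of the program the wrapper will launch. The TypeScript below is an added example, not OpenClaw's system.run approval logic. It peels known launcher wrappers off an argv vector, refuses rather than guesses when it meets an option it does not understand, and then pins the resulting program to a canonical path through an injected resolver before consulting the allowlist. The option tables are this example's assumptions from the GNU env, GNU time, nice and nohup manuals, and the resolver table in the test is constructed.

```typescript
import * as path from "node:path";

// Added example (not OpenClaw code).
interface WrapperSpec { valueFlags: Set<string>; boolFlags: Set<string>; refuseFlags: Set<string> }

// Deliberately incomplete tables: any option not listed makes unwrapCommand
// return null. env -S (split-string) and -C (chdir) are refused outright because
// they change what runs or where it is looked up.
const WRAPPERS: Record<string, WrapperSpec> = {
  env:   { valueFlags: new Set<string>(["-u"]), boolFlags: new Set<string>(["-i", "-0", "-v"]), refuseFlags: new Set<string>(["-S", "-C"]) },
  time:  { valueFlags: new Set<string>(["-f", "-o"]), boolFlags: new Set<string>(["-a", "-p", "-q", "-v"]), refuseFlags: new Set<string>() },
  nice:  { valueFlags: new Set<string>(["-n"]), boolFlags: new Set<string>(), refuseFlags: new Set<string>() },
  nohup: { valueFlags: new Set<string>(), boolFlags: new Set<string>(), refuseFlags: new Set<string>() },
};
const ENV_ASSIGNMENT = /^[A-Za-z_][A-Za-z0-9_]*=/;

// Returns the argv that would actually execute, or null if that cannot be
// determined with certainty.
export function unwrapCommand(argv: string[], maxDepth = 4): string[] | null {
  let cur = argv;
  for (let depth = 0; depth < maxDepth; depth++) {
    if (cur.length === 0) return null;
    const spec = WRAPPERS[path.basename(cur[0])];
    if (!spec) return cur;
    let i = 1;
    while (i < cur.length) {
      const a = cur[i];
      if (a === "--") { i++; break; }
      if (spec.refuseFlags.has(a)) return null;
      if (spec.valueFlags.has(a)) { i += 2; continue; }
      if (spec.boolFlags.has(a)) { i++; continue; }
      if (spec === WRAPPERS.env && ENV_ASSIGNMENT.test(a)) { i++; continue; }
      if (a.startsWith("-")) return null; // unknown option: refuse
      break;                               // first operand is the wrapped program
    }
    if (i >= cur.length) return null;      // wrapper with no program
    cur = cur.slice(i);
  }
  return null;                             // nested deeper than we are willing to reason about
}

export interface ExecPolicy {
  allowedExecutables: Set<string>;              // canonical absolute paths
  resolve: (argv0: string) => string | null;    // pins identity: canonical path or null
}
export type Decision =
  | { allowed: true; effective: string[]; executable: string }
  | { allowed: false; reason: string };

export function evaluateExec(argv: string[], policy: ExecPolicy): Decision {
  const effective = unwrapCommand(argv);
  if (!effective) return { allowed: false, reason: "could not determine the program that would run" };
  const exe = policy.resolve(effective[0]);
  if (!exe) return { allowed: false, reason: `cannot pin identity of ${effective[0]}` };
  if (!policy.allowedExecutables.has(exe)) return { allowed: false, reason: `${exe} is not allowlisted` };
  return { allowed: true, effective, executable: exe };
}
```

In a real deployment resolve() should search a PATH fixed by the host, not the caller's environment, and return fs.realpath of the hit; the executable the approval was granted for is then the one that must be passed to the spawn, not the original argv[0].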
CVE-2026-22176
< 2026.2.19
OpenClaw versions prior to 2026.2.19 contain a command injection vulnerability in Windows Scheduled Task script generation where e
6.1MEDIUM
CVE-2026-27545
< 2026.2.26
OpenClaw versions prior to 2026.2.26 contain an approval bypass vulnerability in system.run execution that allows attackers to exe
6.1MEDIUM
CVE-2026-27524
< 2026.2.21
OpenClaw versions prior to 2026.2.21 accept prototype-reserved keys in runtime /debug set override object values, allowing prototy
4.3MEDIUM
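CVE-2026-27524 concerns runtime /debug overrides that accepted prototype-reserved keys in object values. The TypeScript below is an added example, not OpenClaw's /debug handler: a recursive override merge that refuses the keys through which a JSON payload reaches Object.prototype, builds its result on null-prototype objects so a missed key still cannot pollute, and, for contrast, the naive merge shape that does pollute. The override payload in the test is constructed.

```typescript
// Added example (not OpenClaw code).
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

export class UnsafeKeyError extends Error {}

function isPlainObject(v: unknown): v is Record<string, unknown> {
  if (v === null || typeof v !== "object" || Array.isArray(v)) return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Returns a new config with overrides applied; never mutates base.
export function applyOverrides(base: Record<string, unknown>, overrides: unknown, trail: string[] = []): Record<string, unknown> {
  if (!isPlainObject(overrides)) {
    throw new UnsafeKeyError(`override at ${trail.join(".") || "<root>"} is not a plain object`);
  }
  // Null prototype: even an own "__proto__" property here is just a property.
  const out: Record<string, unknown> = Object.assign(Object.create(null), base);
  for (const key of Object.keys(overrides)) {           // own enumerable keys only
    if (FORBIDDEN_KEYS.has(key)) {
      throw new UnsafeKeyError(`forbidden key "${key}" at ${[...trail, key].join(".")}`);
    }
    const value = overrides[key];
    const existing = out[key];
    out[key] = isPlainObject(value) && isPlainObject(existing)
      ? applyOverrides(existing, value, [...trail, key])
      : value;
  }
  return out;
}

// The vulnerable shape: for..in plus recursive assignment on ordinary objects.
// With overrides parsed from '{"__proto__":{"x":1}}', base["__proto__"] is
// Object.prototype and the recursion writes x onto it.
export function naiveMerge(base: Record<string, unknown>, overrides: Record<string, unknown>): Record<string, unknown> {
  for (const key in overrides) {
    const v = overrides[key];
    const existing = base[key];
    if (typeof v === "object" && v !== null && typeof existing === "object" && existing !== null) {
      naiveMerge(existing as Record<string, unknown>, v as Record<string, unknown>);
    } else {
      base[key] = v;
    }
  }
  return base;
}
```

Rejecting the keys is preferable to silently dropping them: an override that contains "__proto__" is never a legitimate debug setting, and a loud failure is the only signal the operator gets that someone is probing the endpoint.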
CVE-2026-27523
< 2026.2.24
OpenClaw versions prior to 2026.2.24 contain a sandbox bind validation vulnerability allowing attackers to bypass allowed-root and
6.1MEDIUM
CVE-2026-27522
< 2026.2.24
OpenClaw versions prior to 2026.2.24 contain a local media root bypass vulnerability in sendAttachment and setGroupIcon message ac
6.5MEDIUM
CVE-2026-22217
>= 2026.2.22 and < 2026.2.23
OpenClaw version 2026.2.22 prior to 2026.2.23 contains an arbitrary code execution vulnerability in shell-env that allows attacker
6.1MEDIUM
CVE-2026-22181
< 2026.3.2
OpenClaw versions prior to 2026.3.2 contain a DNS pinning bypass vulnerability in strict URL fetch paths that allows attackers to
7.6HIGH
CVE-2026-22180
< 2026.3.2
OpenClaw versions prior to 2026.3.2 contain a path-confinement bypass vulnerability in browser output handling that allows writes
5.3MEDIUM
CVE-2026-22179
< 2026.2.22
OpenClaw versions prior to 2026.2.22 in macOS node-host system.run contain an allowlist bypass vulnerability that allows remote at
7.2HIGH
CVE-2026-22178
< 2026.2.19
OpenClaw versions prior to 2026.2.19 construct RegExp objects directly from unescaped Feishu mention metadata in the stripBotMenti
6.5MEDIUM
CVE-2026-22177
< 2026.2.21
OpenClaw versions prior to 2026.2.21 fail to filter dangerous process-control environment variables from config env.vars, allowing
6.1MEDIUM
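CVE-2026-22177 (process-control variables passed through from config env.vars), CVE-2026-32056 (HOME and ZDOTDIR reaching the shell started by system.run) and CVE-2026-32003 (environment injection into system.run) share a root cause: values that decide what code a child process runs at startup were accepted from an untrusted map. The TypeScript below is an added example, not OpenClaw's environment handling. It filters a requested environment against a block list of loader and shell-startup variables, matching case-insensitively so the check and the spawn cannot disagree on Windows, and gives the shell flags that disable startup files. The block list is this example's assumption, seeded from the variables the entries name.

```typescript
import * as path from "node:path";

// Added example (not OpenClaw code). Variables that change which code a process
// loads or executes at startup, regardless of the command line. The list is an
// assumption drawn from the entries above (HOME, ZDOTDIR) plus the dynamic
// loader and interpreter-startup variables a practitioner would add.
const BLOCKED_EXACT = new Set([
  "HOME", "ZDOTDIR", "BASH_ENV", "ENV", "SHELLOPTS", "BASHOPTS", "PROMPT_COMMAND", "PS4",
  "CDPATH", "IFS", "PATH", "NODE_OPTIONS", "PYTHONPATH", "PYTHONSTARTUP", "PERL5OPT",
  "RUBYOPT", "GLIBC_TUNABLES",
]);
const BLOCKED_PREFIX = ["LD_", "DYLD_"];
const NAME_SHAPE = /^[A-Z_][A-Z0-9_]*$/;

export function filterChildEnv(
  requested: Record<string, string>,
  allowedNames?: ReadonlySet<string>,
): { env: Record<string, string>; dropped: string[] } {
  const env: Record<string, string> = {};
  const dropped: string[] = [];
  for (const [rawName, value] of Object.entries(requested)) {
    const name = rawName.toUpperCase(); // match the way a case-insensitive environment would
    const blocked =
      BLOCKED_EXACT.has(name) ||
      BLOCKED_PREFIX.some((p) => name.startsWith(p)) ||
      !NAME_SHAPE.test(name) ||
      /[\0\n]/.test(value);              // cannot be represented safely in an environ block
    if (blocked || (allowedNames && !allowedNames.has(name))) {
      dropped.push(rawName);
      continue;
    }
    env[rawName] = value;                 // keep the caller's spelling for the child
  }
  return { env, dropped };
}

// Flags that stop a shell from sourcing startup files even if HOME or ZDOTDIR
// were set elsewhere. bash still honours BASH_ENV for non-interactive shells,
// which is why BASH_ENV is in the block list above. Known shells only.
export function noStartupFileArgs(shell: string): string[] | null {
  switch (path.basename(shell)) {
    case "bash": return ["--noprofile", "--norc"];
    case "zsh": return ["-f"];           // same as --no-rcs
    default: return null;
  }
}
```

The filtered map should be layered on top of a host-controlled base environment (PATH, HOME, TMPDIR chosen by the gateway), never on top of the gateway's own process.env, so that a dropped key does not fall back to whatever the gateway happened to inherit.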
CVE-2026-22175
< 2026.2.23
OpenClaw versions prior to 2026.2.23 contain an exec approval bypass vulnerability in allowlist mode where allow-always grants cou
7.1HIGH
CVE-2026-22174
< 2026.2.22
OpenClaw versions prior to 2026.2.22 inject the x-OpenClaw-relay-token header into Chrome CDP probe traffic on loopback interfaces
6.8MEDIUM
CVE-2026-22171
< 2026.2.19
OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the Feishu media download flow where untrusted medi
8.2HIGH
CVE-2026-22170
< 2026.2.22
OpenClaw versions prior to 2026.2.22 with the optional BlueBubbles plugin contain an access control bypass vulnerability where emp
6.5MEDIUM
CVE-2026-22169
< 2026.2.22
OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in the safeBins configuration that allows attackers
6.7MEDIUM
CVE-2026-22168
< 2026.2.21
OpenClaw versions prior to 2026.2.21 contain an approval-integrity mismatch vulnerability in system.run that allows authenticated
6.5MEDIUM
CVE-2026-32302
< 2026.3.11
OpenClaw is a personal AI assistant. Prior to 2026.3.11, browser-originated WebSocket connections could bypass origin validation w
8.1HIGH
CVE-2026-4040
>= 2026.2.0 and < 2026.2.19
A vulnerability was identified in OpenClaw up to 2026.2.17. This issue affects the function tools.exec.safeBins of the component F
3.3LOW
CVE-2026-4039
< 2026.2.21
A vulnerability was determined in OpenClaw 2026.2.19-2. This vulnerability affects the function applySkillConfigenvOverrides of th
6.3MEDIUM
CVE-2026-30741
<= 2026.2.6
A remote code execution (RCE) vulnerability in OpenClaw Agent Platform v2026.2.6 allows attackers to execute arbitrary code via a
9.8CRITICAL
CVE-2026-32063
< 2026.2.21
OpenClaw version 2026.2.19-2 prior to 2026.2.21 contains a command injection vulnerability in systemd unit file generation where a
7.1HIGH
CVE-2026-32062
< 2026.2.22
OpenClaw versions 2026.2.21-2 up to, but not including, 2026.2.22, and @openclaw/voice-call versions 2026.2.21 up to, but not incl
7.5HIGH
CVE-2026-32061
< 2026.2.17
OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows readi
4.4MEDIUM
CVE-2026-32060
< 2026.2.14
OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in apply_patch that allows attackers to write or delet
8.8HIGH
CVE-2026-32059
< 2026.2.23
In OpenClaw version 2026.2.22-2 prior to 2026.2.23, tools.exec.safeBins validation for the sort command fails to properly validate GNU lon
8.8HIGH
CVE-2026-29613
< 2026.2.12
OpenClaw versions prior to 2026.2.12 contain a vulnerability in the BlueBubbles (optional plugin) webhook handler in which it auth
5.9MEDIUM
CVE-2026-29612
< 2026.2.14
OpenClaw versions prior to 2026.2.14 decode base64-backed media inputs into buffers before enforcing decoded-size budget limits, a
5.5MEDIUM
CVE-2026-29611
< 2026.2.14
OpenClaw versions prior to 2026.2.14 contain a local file inclusion vulnerability in BlueBubbles extension (must be installed and
7.5HIGH
CVE-2026-29610
< 2026.2.14
OpenClaw versions prior to 2026.2.14 contain a command hijacking vulnerability that allows attackers to execute unintended binarie
8.8HIGH
CVE-2026-29609
< 2026.2.14
OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the fetchWithGuard function that allocates entir
7.5HIGH
CVE-2026-29606
< 2026.2.14
OpenClaw versions prior to 2026.2.14 contain a webhook signature-verification bypass in the voice-call extension that allows unaut
6.5MEDIUM
CVE-2026-28486
>= 2026.1.20 and < 2026.2.14
OpenClaw versions 2026.1.16-2 prior to 2026.2.14 contain a path traversal vulnerability in archive extraction during installation
6.1MEDIUM
CVE-2026-28485
<= 2026.1.5
OpenClaw versions 2026.1.5 prior to 2026.2.12 fail to enforce mandatory authentication on the /agent/act browser-control HTTP rout
8.4HIGH
CVE-2026-28482
< 2026.2.12
OpenClaw versions prior to 2026.2.12 construct transcript file paths using unsanitized sessionId parameters and sessionFile paths
7.1HIGH
CVE-2026-28481
<= 2026.1.30
OpenClaw versions 2026.1.30 and earlier contain an information disclosure vulnerability, patched in 2026.2.1, in the MS Teams att
6.5MEDIUM
CVE-2026-28480
< 2026.2.14
OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerability where Telegram allowlist matching accepts mutab
6.5MEDIUM
CVE-2026-28479
< 2026.2.15
OpenClaw versions prior to 2026.2.15 use SHA-1 to hash sandbox identifier cache keys for Docker and browser sandbox configurations
7.5HIGH
CVE-2026-28478
< 2026.2.13
OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers that buffer request bodies with
7.5HIGH
CVE-2026-28477
< 2026.2.14
OpenClaw versions prior to 2026.2.14 contain an OAuth state validation bypass vulnerability in the manual Chutes login flow that a
7.1HIGH
CVE-2026-28476
< 2026.2.14
OpenClaw versions prior to 2026.2.14 contain a server-side request forgery vulnerability in the optional Tlon Urbit extension that
8.3HIGH
CVE-2026-28475
< 2026.2.13
OpenClaw versions prior to 2026.2.13 use non-constant-time string comparison for hook token validation, allowing attackers to infe
4.8MEDIUM
CVE-2026-28474
< 2026.2.6
OpenClaw's Nextcloud Talk plugin versions prior to 2026.2.6 accept equality matching on the mutable actor.name display name field
9.8CRITICAL
CVE-2026-28473
< 2026.2.2
OpenClaw versions prior to 2026.2.2 contain an authorization bypass vulnerability where clients with operator.write scope can appr
8.1HIGH
CVE-2026-28472
< 2026.2.2
OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handshake in which it allows skipping
8.1HIGH
CVE-2026-28471
>= 2026.1.14-1 and < 2026.2.2
OpenClaw version 2026.1.14-1 prior to 2026.2.2, with the Matrix plugin installed and enabled, contains a vulnerability in which DM
5.3MEDIUM
CVE-2026-28470
< 2026.2.2
OpenClaw versions prior to 2026.2.2 contain an exec approvals (must be enabled) allowlist bypass vulnerability that allows attacke
9.8CRITICAL
CVE-2026-28469
< 2026.2.14
OpenClaw versions prior to 2026.2.14 contain a webhook routing vulnerability in the Google Chat monitor component that allows cros
7.5HIGH
CVE-2026-28468
>= 2026.1.29 and < 2026.2.14
OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.14 contain a vulnerability in the sandbox browser bridge server in which it acc
7.7HIGH
CVE-2026-28467
< 2026.2.2
OpenClaw versions prior to 2026.2.2 contain a server-side request forgery vulnerability in attachment and media URL hydration that
6.5MEDIUM
CVE-2026-28466
< 2026.2.14
OpenClaw versions prior to 2026.2.14 contain a vulnerability in the gateway in which it fails to sanitize internal approval fields
9.9CRITICAL
CVE-2026-28465
< 2026.2.3
OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification tha
5.9MEDIUM
CVE-2026-28464
< 2026.2.12
OpenClaw versions prior to 2026.2.12 use non-constant-time string comparison for hook token validation, allowing attackers to infe
5.9MEDIUM
CVE-2026-28463
< 2026.2.14
OpenClaw versions prior to 2026.2.14 contain an arbitrary file read vulnerability in the exec-approvals allowlist validation that
8.4HIGH
CVE-2026-28462
< 2026.2.13
OpenClaw versions prior to 2026.2.13 contain a vulnerability in the browser control API in which it accepts user-supplied output p
7.5HIGH
CVE-2026-28459
< 2026.2.12
OpenClaw versions prior to 2026.2.12 fail to validate the sessionFile path parameter, allowing authenticated gateway clients to wr
7.1HIGH
CVE-2026-28458
>= 2026.1.20 and < 2026.2.1
OpenClaw version 2026.1.20 prior to 2026.2.1 contains a vulnerability in the Browser Relay (extension must be installed and enable
8.1HIGH
CVE-2026-28457
< 2026.2.14
OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in sandbox skill mirroring (must be enabled) that uses
6.1MEDIUM
CVE-2026-28456
>= 2026.1.5 and < 2026.2.14
OpenClaw versions 2026.1.5 prior to 2026.2.14 contain a vulnerability in the Gateway in which it does not sufficiently constrain c
7.2HIGH
CVE-2026-28454
< 2026.2.2
OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode (must be enabled), allowing unauthen
7.5HIGH
CVE-2026-28453
< 2026.2.14
OpenClaw versions prior to 2026.2.14 fail to validate TAR archive entry paths during extraction, allowing path traversal sequences
7.5HIGH
CVE-2026-28452
< 2026.2.14
OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the extractArchive function within src/infra/arc
5.5MEDIUM
CVE-2026-28451
< 2026.2.14
OpenClaw versions prior to 2026.2.14 contain server-side request forgery vulnerabilities in the Feishu extension that allow attack
8.3HIGH
CVE-2026-28450
< 2026.2.12
OpenClaw versions prior to 2026.2.12 with the optional Nostr plugin enabled expose unauthenticated HTTP endpoints at /api/channels
6.8MEDIUM
CVE-2026-28448
>= 2026.1.29 and < 2026.2.1
OpenClaw versions 2026.1.29 prior to 2026.2.1 contain a vulnerability in the Twitch plugin (must be installed and enabled) in whic
7.3HIGH
CVE-2026-28447
>= 2026.1.29 and < 2026.2.1
OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vulnerability in plugin installation that allows mal
8.1HIGH
CVE-2026-28446
< 2026.2.2
OpenClaw versions prior to 2026.2.1 with the voice-call extension installed and enabled contain an authentication bypass vulnerabi
9.4CRITICAL
CVE-2026-28395
>= 2026.1.14-1 and < 2026.2.12
OpenClaw version 2026.1.14-1 prior to 2026.2.12 contains an improper network binding vulnerability in the Chrome extension (must b
6.5MEDIUM
CVE-2026-28394
< 2026.2.15
OpenClaw versions prior to 2026.2.15 contain a denial of service vulnerability in the web_fetch tool that allows attackers to cras
6.5MEDIUM
CVE-2026-28393
>= 2026.1.4 and < 2026.2.14
OpenClaw versions 2.0.0-beta3 prior to 2026.2.14 contain a path traversal vulnerability in hook transform module loading that allo
7.7HIGH
CVE-2026-28392
< 2026.2.14
OpenClaw versions prior to 2026.2.14 contain a privilege escalation vulnerability in the Slack slash-command handler that incorrec
7.5HIGH
CVE-2026-28391
< 2026.2.2
OpenClaw versions prior to 2026.2.2 fail to properly validate Windows cmd.exe metacharacters in allowlist-gated exec requests (non
9.8CRITICAL
CVE-2026-28363
< 2026.2.23
In OpenClaw before 2026.2.23, tools.exec.safeBins validation for sort could be bypassed via GNU long-option abbreviations (such as
9.9CRITICAL
CVE-2026-27576
<= 2026.2.17
OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the ACP bridge accepts very large prompt text blocks and can
4.0MEDIUM
CVE-2026-27488
<= 2026.2.17
OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, Cron webhook delivery in src/gateway/server-cron.ts uses fet
7.3HIGH
CVE-2026-27487
< 2026.2.14
OpenClaw is a personal AI assistant. In versions 2026.2.13 and below, when using macOS, the Claude CLI keychain credential refresh
7.6HIGH
CVE-2026-27486
< 2026.2.14
OpenClaw is a personal AI assistant. In versions 2026.2.13 and below of the OpenClaw CLI, the process cleanup uses system-wide pro
5.3MEDIUM
CVE-2026-27485
<= 2026.2.17
OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, skills/skill-creator/scripts/package_skill.py (a local helpe
4.4MEDIUM
CVE-2026-27484
<= 2026.2.17
OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the Discord moderation action handling (timeout, kick, ban)
4.3MEDIUM
CVE-2026-27009
< 2026.2.15
OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a stored XSS issue in the OpenClaw Control UI when rendering assi
5.8MEDIUM
CVE-2026-27008
< 2026.2.15
OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a bug in download skill installation allowed targetDir values
6.7MEDIUM
CVE-2026-27007
< 2026.2.15
OpenClaw is a personal AI assistant. Prior to version 2026.2.15, normalizeForHash in src/agents/sandbox/config-hash.ts recursi
3.3LOW
CVE-2026-27004
< 2026.2.15
OpenClaw is a personal AI assistant. Prior to version 2026.2.15, in some shared-agent deployments, OpenClaw session tools (`sessio
5.5MEDIUM
CVE-2026-27003
< 2026.2.15
OpenClaw is a personal AI assistant. Telegram bot tokens can appear in error messages and stack traces (for example, when request
5.5MEDIUM
CVE-2026-27002
< 2026.2.15
OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a configuration injection issue in the Docker tool sandbox could
9.8CRITICAL
CVE-2026-27001
< 2026.2.15
OpenClaw is a personal AI assistant. Prior to version 2026.2.15, OpenClaw embedded the current working directory (workspace path)
7.8HIGH
CVE-2026-26972
>= 2026.1.12 and < 2026.2.13
OpenClaw is a personal AI assistant. In versions 2026.1.12 through 2026.2.12, OpenClaw browser download helpers accepted an unsani
6.7MEDIUM
CVE-2026-26329
< 2026.2.14
OpenClaw is a personal AI assistant. Prior to version 2026.2.14, authenticated attackers can read arbitrary files from the Gateway
6.5MEDIUM
CVE-2026-26328
< 2026.2.14
OpenClaw is a personal AI assistant. Prior to version 2026.2.14, under iMessage groupPolicy=allowlist, group authorization could
6.5MEDIUM
CVE-2026-26327
< 2026.2.14
OpenClaw is a personal AI assistant. Discovery beacons (Bonjour/mDNS and DNS-SD) include TXT records such as lanHost, `tailnetDn
6.5MEDIUM
CVE-2026-26326
< 2026.2.14
OpenClaw is a personal AI assistant. Prior to version 2026.2.14, skills.status could disclose secrets to operator.read clients
4.3MEDIUM
CVE-2026-26325
< 2026.2.14
OpenClaw is a personal AI assistant. Prior to version 2026.2.14, a mismatch between rawCommand and command[] in the node host
7.2HIGH
CVE-2026-26324
< 2026.2.14
OpenClaw is a personal AI assistant. Prior to version 2026.2.14, OpenClaw's SSRF protection could be bypassed using full-form IPv4
7.5HIGH
CVE-2026-26323
>= 2026.1.8 and < 2026.2.14
OpenClaw is a personal AI assistant. Versions 2026.1.8 through 2026.2.13 have a command injection in the maintainer/dev script `sc
8.8HIGH
CVE-2026-26322
< 2026.2.14
OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Gateway tool accepted a tool-supplied gatewayUrl w
7.6HIGH
CVE-2026-26321
< 2026.2.14
OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Feishu extension previously allowed `sendMediaFeishu
7.5HIGH
CVE-2026-26320
>= 2026.2.6 and < 2026.2.14
OpenClaw is a personal AI assistant. OpenClaw macOS desktop client registers the openclaw:// URL scheme. For openclaw://agent
6.5MEDIUM
CVE-2026-26319
< 2026.2.14
OpenClaw is a personal AI assistant. Versions 2026.2.13 and below allow the optional @openclaw/voice-call plugin Telnyx webhook ha
7.5HIGH
CVE-2026-26317
< 2026.2.14
OpenClaw is a personal AI assistant. Prior to 2026.2.14, browser-facing localhost mutation routes accepted cross-origin browser re
7.1HIGH
CVE-2026-26316
< 2026.2.13
OpenClaw is a personal AI assistant. Prior to 2026.2.13, the optional BlueBubbles iMessage channel plugin could accept webhook req
7.5HIGH
CVE-2026-25474
< 2026.2.1
OpenClaw is a personal AI assistant. In versions 2026.1.30 and below, if channels.telegram.webhookSecret is not set when in Telegr
7.5HIGH
CVE-2026-24764
< 2026.2.3
OpenClaw (formerly Clawdbot) is a personal AI assistant users run on their own devices. In versions 2026.2.2 and below, when the S
3.7LOW
CVE-2026-25593
< 2026.1.20
OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use the Gateway WebSocket API to wr
8.4HIGH
CVE-2026-25475
< 2026.1.30
OpenClaw is a personal AI assistant. Prior to version 2026.1.30, the isValidMedia() function in src/media/parse.ts allows arbitrar
6.5MEDIUM
CVE-2026-25157
< 2026.1.29
OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vulnerability via the Project Ro
7.7HIGH
CVE-2026-24763
< 2026.1.29
OpenClaw (formerly Clawdbot) is a personal AI assistant you run on your own devices. Prior to 2026.1.29, a command injection vuln
8.8HIGH
CVE-2026-25253
< 2026.1.29
OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSo
8.8HIGH
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin