| CVE-2026-35659 |
unknown |
— |
— |
|
|
|
2mo ago |
OpenClaw: Bonjour/DNS-SD TXT metadata steers CLI routing after failed service resolution |
| CVE-2026-35633 |
unknown |
— |
— |
|
|
|
2mo ago |
OpenClaw: Remote media error responses could trigger unbounded memory allocation before failure |
| CVE-2026-35643 |
unknown |
— |
— |
|
|
|
2mo ago |
OpenClaw: Arbitrary code execution via unvalidated WebView JavascriptInterface |
| CVE-2026-35666 |
unknown |
— |
— |
|
|
|
2mo ago |
OpenClaw's system.run allowlist can be bypassed through an unregistered time dispatch wrapper |
| CVE-2026-35627 |
unknown |
— |
— |
|
|
|
2mo ago |
OpenClaw: Nostr inbound DMs could trigger unauthenticated crypto work before sender policy enforcement |
| CVE-2026-35670 |
unknown |
— |
— |
|
|
|
2mo ago |
OpenClaw: Synology Chat reply delivery could be rebound through username-based user resolution. |
| CVE-2026-34426 |
unknown |
— |
— |
|
|
|
2mo ago |
OpenClaw: Windows media loaders accepted remote-host file URLs before local path validation |
| CVE-2026-35660 |
unknown |
— |
— |
|
|
|
2mo ago |
OpenClaw: Gateway agent /reset exposes admin session reset to operator.write callers |
| CVE-2026-35634 |
unknown |
— |
— |
|
|
|
2mo ago |
OpenClaw: Gateway Canvas local-direct requests bypass Canvas HTTP and WebSocket authentication |
| CVE-2026-35618 |
unknown |
— |
— |
|
|
|
2mo ago |
OpenClaw: Plivo V2 verified replay identity drifts on query-only variants |
| CVE-2026-33572 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw session transcript files were created without forced user-only permissions |
| CVE-2026-32980 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw Telegram webhook request bodies were read before secret validation, enabling unauthenticated resource exhaustion |
| CVE-2026-34505 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: Zalo webhook rate limiting could be bypassed before secret validation |
| CVE-2026-32974 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: Feishu webhook mode accepted forged events when only `verificationToken` was configured |
| CVE-2026-22172 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes |
| CVE-2026-32918 |
unknown |
— |
— |
|
|
|
3mo ago |
`OpenClaw: session_status` let sandboxed subagents access parent or sibling session state |
| CVE-2026-32920 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: Workspace plugin auto-discovery allowed code execution from cloned repositories |
| CVE-2026-32970 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: Unavailable local auth SecretRefs could fall through to remote credentials in local mode |
| CVE-2026-32978 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: Unrecognized script runners could bypass `system.run` approval integrity |
| CVE-2026-32971 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: Node-host approvals could show misleading shell payloads instead of the executed argv |
| CVE-2026-32979 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: Unbound interpreter and runtime commands could bypass node-host approval integrity |
| CVE-2026-32916 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: Plugin subagent routes could bypass gateway authorization with synthetic admin scopes |
| CVE-2026-32977 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: Sandbox `writeFile` commit could race outside the validated path |
| CVE-2026-32302 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode |
| CVE-2026-32031 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: /api/channels gateway-auth boundary bypass via path canonicalization mismatch |
| CVE-2026-32895 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: Slack system events bypass sender authorization in member and message subtype handlers |
| CVE-2026-32055 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: workspace path guard bypass on non-existent out-of-root symlink leaf |
| CVE-2026-34506 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's MS Teams sender allowlist bypass when route allowlist is configured and sender allowlist is empty |
| CVE-2026-33574 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's skills-install-download can be redirected outside the tools root by rebinding the validated base path |
| CVE-2026-32921 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's system.run approvals did not bind mutable script operands across approval and execution |
| CVE-2026-27646 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: Sandboxed /acp spawn requests could initialize host ACP sessions |
| CVE-2026-27183 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: system.run wrapper-depth boundary could skip shell approval gating |
| CVE-2026-32913 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: fetch-guard forwards custom authorization headers across cross-origin redirects |
| CVE-2026-22170 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: BlueBubbles (optional plugin) pairing/allowlist mismatch when allowFrom is empty |
| CVE-2026-32002 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's image tool bypasses tools.fs.workspaceOnly on sandbox mount paths and exfiltrates out-of-workspace images |
| CVE-2026-32019 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw has incomplete IPv4 special-use SSRF blocking in web fetch guard |
| CVE-2026-32005 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: Slack interactive callbacks could skip configured sender checks in some shared-workspace flows |
| CVE-2026-32018 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's serialize sandbox registry writes to prevent races and delete-rollback corruption |
| CVE-2026-32001 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's Node role device-identity bypass allows unauthorized node.event injection |
| CVE-2026-31995 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw has Windows Lobster shell fallback command injection in constrained fallback path |
| CVE-2026-27566 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's exec allowlist wrapper analysis did not unwrap env/shell dispatch chains |
| CVE-2026-32039 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's typed sender-key matching for toolsBySender prevents identity-collision policy bypass |
| CVE-2026-32050 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's Signal reaction-only status events could, in limited cases, be enqueued before access checks |
| CVE-2026-27523 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's sandbox bind validation could bypass allowed-root and blocked-path checks via symlink-parent missing-leaf paths |
| CVE-2026-28449 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's Nextcloud Talk webhook replay could trigger duplicate inbound processing |
| CVE-2026-31998 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's Synology Chat dmPolicy=allowlist failed open on empty allowedUserIds, allowing unauthorized agent dispatch |
| CVE-2026-32897 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw reuses the gateway auth token in the owner ID prompt hashing fallback |
| CVE-2026-32010 |
unknown |
— |
— |
|
|
|
3mo ago |
In OpenClaw, manually adding sort to tools.exec.safeBins could bypass allowlist approval via --compress-program |
| CVE-2026-32006 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw has a BlueBubbles group allowlist mismatch via DM pairing-store fallback |
| CVE-2026-32025 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's browser-origin WebSocket auth hardening gap could enable loopback password brute-force chains |
| CVE-2026-32029 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw improperly parses X-Forwarded-For behind trusted proxies allows client IP spoofing in security decisions |
| CVE-2026-32056 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's shell startup env injection bypasses system.run allowlist intent (RCE class) |
| CVE-2026-27524 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's runtime /debug override path accepted prototype-reserved keys |
| CVE-2026-32033 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw has a workspace-only sandbox guard mismatch for @-prefixed absolute paths |
| CVE-2026-32015 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's `tools.exec.safeBins` PATH-hijack allowed trojan binaries to bypass allowlist checks |
| CVE-2026-32063 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw Improperly Neutralizes Line Breaks in systemd Unit Generation Enables Local Command Execution (Linux) |
| CVE-2026-32057 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw has a Trusted-proxy Control UI pairing bypass which allows unpaired node sessions |
| CVE-2026-22174 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw Loopback CDP probe can leak Gateway token to local listener |
| CVE-2026-22176 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw has a Command Injection via unescaped environment assignments in Windows Scheduled Task script generation |
| CVE-2026-32034 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw has an opt-in insecure Control UI auth over plaintext HTTP could allow privileged access |
| CVE-2026-32017 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw exec allowlist safeBins short-option bypass could permit arbitrary file write |
| CVE-2026-32059 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw is vulnerable to validation bypass through GNU long-option abbreviations in allowlist mode |
| CVE-2026-28363 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw is vulnerable to validation bypass through GNU long-option abbreviations in allowlist mode |
| CVE-2026-32021 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw has a Feishu allowFrom authorization bypass via display-name collision |
| CVE-2026-22179 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw has macOS `system.run` allowlist bypass via quoted command substitution |
| CVE-2026-32042 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw unpaired device identity can bypass operator pairing and self-assign operator scopes with shared auth |
| CVE-2026-32008 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw browser navigation guard allowed non-network URL schemes, enabling authenticated browser-tool users to access file:// local files |
| CVE-2026-31994 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw Windows Scheduled Task script generation allowed local command injection via unsafe cmd argument handling |
| CVE-2026-32007 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: Experimental apply_patch may bypass workspace-only checks in opt-in sandbox mounts (off by default) |
| CVE-2026-32009 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: safeBins static default trusted dirs allow writable-dir binary hijack (`jq`) |
| CVE-2026-32044 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw skills-install-download: tar.bz2 extraction bypassed archive safety parity checks (local DoS) |
| CVE-2026-32035 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: Discord voice transcript owner-flag omission could expose owner-only tools in mixed-trust channels |
| CVE-2026-32004 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw has encoded-path auth bypass in plugin `/api/channels` route classification |
| CVE-2026-32028 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: Discord DM reaction ingress missed dmPolicy/allowFrom checks in restricted setups |
| CVE-2026-27670 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: ZIP extraction race could write outside destination via parent symlink rebind |
| CVE-2026-28483 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: ZIP extraction race could write outside destination via parent symlink rebind |
| CVE-2026-22180 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: Unified root-bound write hardening for browser output and related path-boundary flows |
| CVE-2026-22181 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's web tools strict URL guard could lose DNS pinning when env proxy is configured |
| CVE-2026-29608 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's Node system.run approval hardening wrapper semantic drift can execute unintended local scripts |
| CVE-2026-32011 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw has pre-auth webhook body parsing that can enable unauthenticated slow-request DoS |
| CVE-2026-31990 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: stageSandboxMedia destination symlink traversal can overwrite files outside sandbox workspace |
| CVE-2026-32030 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw vulnerable to sensitive file disclosure via stageSandboxMedia |
| CVE-2026-32061 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw vulnerable to arbitrary file read via $include directive |
| CVE-2026-28460 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's system.run allowlist bypass via shell line-continuation command substitution |
| CVE-2026-22177 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's config env vars allowed startup env injection into service runtime |
| CVE-2026-32032 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's shell env fallback trusts unvalidated SHELL path from host environment |
| CVE-2026-32899 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's Slack reaction/pin sender-policy consistency issue in non-message ingress |
| CVE-2026-32052 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's system.run shell-wrapper positional argv carriers could execute hidden commands under misleading approval text |
| CVE-2026-32043 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's system.run approval TOCTOU via mutable symlink cwd target on node host |
| CVE-2026-32064 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's andbox browser noVNC observer lacked VNC authentication |
| CVE-2026-32027 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw DM pairing-store identities could satisfy group allowlist authorization |
| CVE-2026-32023 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's dispatch-wrapper depth-cap mismatch can bypass shell-wrapper approval gating in system.run allowlist mode |
| CVE-2026-32053 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's voice-call Twilio webhook replay could bypass manager dedupe because normalized event IDs were randomized per parse |
| CVE-2026-22169 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's non-default safeBins sort configuration can bypass intended allowlist approval constraints |
| CVE-2026-32036 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw has gateway plugin auth bypass via encoded dot-segment traversal in protected /api/channels paths |
| CVE-2026-32045 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's gateway tokenless Tailscale auth applied to HTTP routes |
| CVE-2026-22171 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw vulnerable to path traversal in Feishu media temp-file naming allows writes outside os.tmpdir() |
| CVE-2026-32040 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw Vulnerable to HTML injection via unvalidated image MIME type in data-URL interpolation |
| CVE-2026-32026 |
unknown |
— |
— |
|
|
|
3mo ago |
Temporary path handling could write outside OpenClaw temp boundary |
| CVE-2026-32046 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: Chrome --no-sandbox disabled OS-level browser sandbox in sandbox browser container |
