| CVE-2026-32037 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's MSTeams attachment redirect handling could bypass configured media host allowlists |
| CVE-2026-28393 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's hook transform module path allows traversal and arbitrary JavaScript module loading |
| CVE-2026-32000 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw has command injection via Windows shell fallback in Lobster tool execution |
| CVE-2026-31992 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw has allowlist exec-guard bypass via env -S |
| CVE-2026-32016 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: macOS optional allowlist basename matching could bypass path-based policy |
| CVE-2026-32003 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw has system.run shell-wrapper env injection via SHELLOPTS/PS4 can bypass allowlist intent (RCE) |
| CVE-2026-32014 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: Node reconnect metadata spoofing could bypass platform-based node command policy |
| CVE-2026-32024 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's avatar symlink traversal can expose out-of-workspace local files |
| CVE-2026-32038 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw has a sandbox network isolation bypass via docker.network=container:<id> |
| CVE-2026-27545 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: Node system.run approval bypass via parent-symlink cwd rebind |
| CVE-2026-27522 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: Message action attachment hydration bypasses local media root checks when sandboxRoot is unset |
| CVE-2026-32065 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: system.run approval identity mismatch could execute a different binary than displayed |
| CVE-2026-28466 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw Vulnerable to Remote Code Execution via Node Invoke Approval Bypass in Gateway |
| CVE-2026-28486 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw vulnerable to path traversal (Zip Slip) in archive extraction during explicit installation commands |
| CVE-2026-28457 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's sandbox skill mirroring path traversal vulnerability could write outside the sandbox workspace |
| CVE-2026-28464 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw has non-constant-time token comparison in hooks authentication |
| CVE-2026-28475 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: Config writes could persist resolved ${VAR} secrets to disk |
| CVE-2026-28453 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw has Zip Slip path traversal in tar archive extraction |
| CVE-2026-32013 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw gateway agents.files symlink escape allowed out-of-workspace file read/write |
| CVE-2026-32058 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw Node system.run approval context-binding weakness in approval-enabled host=node flows |
| CVE-2026-32049 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's inbound media downloads could exceed configured byte limits before rejection across multiple channels |
| CVE-2026-22175 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's exec allow-always can be bypassed via unrecognized multiplexer shell wrappers (busybox/toybox sh -c) |
| CVE-2026-29607 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's allow-always wrapper persistence could bypass future approvals and enable command execution |
| CVE-2026-32020 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's Control UI Static File Handler Follows Symlinks and Allows Out-of-Root File Read |
| CVE-2026-32054 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw has browser trace/download path symlink escape in temp output handling |
| CVE-2026-22178 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw has ReDoS and regex injection via unescaped Feishu mention metadata in RegExp construction |
| CVE-2026-31993 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw macOS companion app (beta): allowlist parsing mismatch for system.run shell chains |
| CVE-2026-22168 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw has Windows system.run approval mismatch on cmd.exe /c trailing arguments |
| CVE-2026-31991 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw has Signal group allowlist authorization bypass via DM pairing-store leakage |
| CVE-2026-31997 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: system.run approvals did not bind PATH-token executable identity, enabling post-approval executable rebind |
| CVE-2026-31989 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw has web_search citation redirect SSRF via private-network-allowing policy |
| CVE-2026-31999 |
unknown |
— |
— |
|
|
|
3mo ago |
CpenClaw's ACPX Windows wrapper shell fallback allowed cwd injection in specific paths |
| CVE-2026-32048 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw's sandboxed sessions_spawn now enforces sandbox inheritance for cross-agent spawns |
| CVE-2026-32066 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw has unbounded memory growth in Zalo webhook via query-string key churn (unauthenticated DoS) |
| CVE-2026-28461 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw has unbounded memory growth in Zalo webhook via query-string key churn (unauthenticated DoS) |
| CVE-2026-32041 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: Browser control startup could continue unauthenticated after auth bootstrap failure |
| CVE-2026-32898 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw ACP client has permission auto-approval bypass via untrusted tool metadata |
| CVE-2026-4039 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: Skill env override host env injection via applySkillConfigEnvOverrides (defense-in-depth) |
| CVE-2026-27576 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: ACP prompt-size checks missing in local stdio bridge could reduce responsiveness with very large inputs |
| CVE-2026-27488 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw hardened cron webhook delivery against SSRF |
| CVE-2026-27485 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw: Reject symlinks in local skill packaging script |
| CVE-2026-27484 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows |
| CVE-2026-4040 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw safeBins file-existence oracle information disclosure |
| CVE-2026-31996 |
unknown |
— |
— |
|
|
|
3mo ago |
OpenClaw safeBins stdin-only bypass via sort output and recursive grep flags |
| CVE-2026-32060 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw has a path traversal in apply_patch could write/delete files outside the workspace |
| CVE-2026-28479 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw replaced a deprecated sandbox hash algorithm |
| CVE-2026-28394 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw has a Web Fetch DoS via unbounded response parsing |
| CVE-2026-27009 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection |
| CVE-2026-27008 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw hardened the skill download target directory validation |
| CVE-2026-27007 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw's sandbox config hash sorted primitive arrays and suppressed needed container recreation |
| CVE-2026-27004 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw session tool visibility hardening and Telegram webhook secret fallback |
| CVE-2026-27003 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw: Telegram bot token exposure via logs |
| CVE-2026-27002 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw: Docker container escape via unvalidated bind mount config injection |
| CVE-2026-27001 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw: Unsanitized CWD path injection into LLM prompts |
| CVE-2026-28468 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw has an authentication bypass in sandbox browser bridge server |
| CVE-2026-28451 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw has two SSRF via sendMediaFeishu and markdown image fetching in Feishu extension |
| CVE-2026-29611 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw has a LFI in BlueBubbles media path handling |
| CVE-2026-27486 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw: Process Safety - Unvalidated PID Kill via SIGKILL in Process Cleanup |
| CVE-2026-28477 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw Chutes manual OAuth state validation bypass can cause credential substitution |
| CVE-2026-27487 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw: Prevent shell injection in macOS keychain credential write |
| CVE-2026-28462 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw has a path traversal in browser trace/download output paths may allow arbitrary file writes |
| CVE-2026-26972 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw has a Path Traversal in Browser Download Functionality |
| CVE-2026-28456 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw affected by potential code execution via unsafe hook module path handling in Gateway |
| CVE-2026-28482 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw's unsanitized session ID enables path traversal in transcript file operations |
| CVE-2026-29610 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw: Command hijacking via unsafe PATH handling (bootstrapping + node-host PATH overrides) |
| CVE-2026-28476 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw affected by SSRF in optional Tlon (Urbit) extension authentication |
| CVE-2026-29606 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw Twilio voice-call webhook auth bypass when ngrok loopback compatibility is enabled |
| CVE-2026-28480 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw Telegram allowlist authorization accepted mutable usernames |
| CVE-2026-28469 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting |
| CVE-2026-26317 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints |
| CVE-2026-28478 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw affected by denial of service via unbounded webhook request body buffering |
| CVE-2026-28452 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR) |
| CVE-2026-29612 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw: denial of service through large base64 media files allocating large buffers before limit checks |
| CVE-2026-29609 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw affected by denial of service via unbounded URL-backed media fetch |
| CVE-2026-28392 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw Slack: dmPolicy=open allowed any DM sender to run privileged slash commands |
| CVE-2026-28463 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw exec approvals: safeBins could bypass stdin-only constraints via shell expansion |
| CVE-2026-26323 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw has a command injection in maintainer clawtributors updater |
| CVE-2026-26329 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw has a path traversal in browser upload allows local file read |
| CVE-2026-26328 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities |
| CVE-2026-26327 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning |
| CVE-2026-26326 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw skills.status could leak secrets to operator.read clients |
| CVE-2026-26325 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw Node host system.run rawCommand/command mismatch can bypass allowlist/approvals |
| CVE-2026-26324 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reachable) |
| CVE-2026-26322 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw Gateway tool allowed unrestricted gatewayUrl override |
| CVE-2026-26321 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw has a local file disclosure via sendMediaFeishu in Feishu extension |
| CVE-2026-26320 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw macOS deep link confirmation truncation can conceal executed agent message |
| CVE-2026-26319 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw is Missing Webhook Authentication in Telnyx Provider Allows Unauthenticated Requests |
| CVE-2026-28447 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw has a Path Traversal in Plugin Installation |
| CVE-2026-28473 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw authorization bypass: operator.write can resolve exec approvals via chat.send -> /approve |
| CVE-2026-28481 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw MS Teams inbound attachment downloader leaks bearer tokens to allowlisted suffix domains |
| CVE-2026-28448 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw Twitch allowFrom is not enforced in optional plugin, unauthorized chat users can trigger agent pipeline |
| CVE-2026-28446 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw has an inbound allowlist policy bypass in voice-call extension (empty caller ID + suffix matching) |
| CVE-2026-28454 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw has a potential access-group authorization bypass if channel type lookup fails |
| CVE-2026-28471 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw has a Matrix allowlist bypass via displayName and cross-homeserver localpart matching |
| CVE-2026-26316 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw BlueBubbles webhook auth bypass via loopback proxy trust |
| CVE-2026-28450 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw's unauthenticated Nostr profile HTTP endpoints allow remote profile/config tampering |
| CVE-2026-28467 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw affected by SSRF via attachment/media URL hydration |
| CVE-2026-25474 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass |
| CVE-2026-24764 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw Affected by Remote Code Execution via System Prompt Injection in Slack Channel Descriptions |
| CVE-2026-29613 |
unknown |
— |
— |
|
|
|
4mo ago |
OpenClaw has a webhook auth bypass when gateway is behind a reverse proxy (loopback remoteAddress trust) |
