| CVE-2026-43584 |
high |
8.8 |
8.8 |
|
|
|
29d ago |
OpenClaw: Exec environment denylist missed high-risk interpreter startup variables |
| CVE-2026-43571 |
high |
8.8 |
8.8 |
|
|
|
1mo ago |
OpenClaw: Channel setup catalog lookups could include untrusted workspace plugin shadows |
| CVE-2026-43569 |
high |
8.8 |
8.8 |
|
|
|
1mo ago |
OpenClaw: Workspace provider auth choices could auto-enable untrusted provider plugins |
| CVE-2026-43531 |
high |
8.8 |
8.8 |
|
|
|
1mo ago |
OpenClaw: Workspace .env could inject OpenClaw runtime-control variables |
| CVE-2026-43530 |
high |
8.8 |
8.8 |
|
|
|
1mo ago |
OpenClaw: busybox and toybox applet execution weakened exec approval binding |
| CVE-2026-42435 |
high |
8.8 |
8.8 |
|
|
|
1mo ago |
OpenClaw: Shell-wrapper detection missed env-argv assignment injection forms |
| CVE-2026-42434 |
high |
8.8 |
8.8 |
|
|
|
1mo ago |
OpenClaw: Sandboxed agents could escape exec routing via host=node override |
| CVE-2026-42426 |
high |
8.8 |
8.8 |
|
|
|
1mo ago |
OpenClaw `node.pair.approve` placed in `operator.write` scope instead of `operator.pairing` allows unprivileged pairing approval |
| CVE-2026-42422 |
high |
8.8 |
8.8 |
|
|
|
1mo ago |
OpenClaw `device.token.rotate` mints tokens for unapproved roles, bypassing device role-upgrade pairing |
| CVE-2026-41404 |
high |
8.8 |
8.8 |
|
|
|
1mo ago |
OpenClaw: Incomplete scope-clearing fix allows operator.admin escalation via trusted-proxy auth mode |
| CVE-2026-41378 |
high |
8.8 |
8.8 |
|
|
|
1mo ago |
OpenClaw: Paired node escalates to gateway RCE via unrestricted node.event agent dispatch |
| CVE-2026-41359 |
high |
8.8 |
8.8 |
|
|
|
1mo ago |
OpenClaw: Gateway operator.write Can Reach Admin-Class Telegram Config and Cron Persistence via send |
| CVE-2026-41352 |
high |
8.8 |
8.8 |
|
|
|
1mo ago |
OpenClaw: Device-Paired Node Skips Node Scope Gate → Host RCE.md |
| CVE-2026-41344 |
high |
8.8 |
8.8 |
|
|
|
1mo ago |
OpenClaw: Gateway `operator.write` can reach admin-only persisted `verboseLevel` via `chat.send` `/verbose` |
| CVE-2026-44116 |
high |
8.6 |
8.6 |
|
|
|
29d ago |
OpenClaw validates Zalo outbound photo URLs through the SSRF guard |
| CVE-2026-43533 |
high |
8.6 |
8.6 |
|
|
|
1mo ago |
OpenClaw: QQBot media tags could read arbitrary local files through reply text |
| CVE-2026-42439 |
high |
8.5 |
8.5 |
|
|
|
1mo ago |
OpenClaw: Browser tabs action select and close routes bypassed SSRF policy |
| CVE-2026-41914 |
high |
8.5 |
8.5 |
|
|
|
1mo ago |
OpenClaw QQ Bot Extension missing SSRF Protection on All Media Fetch Paths |
| CVE-2026-41394 |
high |
8.2 |
8.2 |
|
|
|
1mo ago |
OpenClaw: Unauthenticated plugin-auth HTTP routes receive operator runtime scopes |
| CVE-2026-43535 |
high |
8.1 |
8.1 |
|
|
|
1mo ago |
OpenClaw: Collect-mode queue batches could reuse the last sender authorization context |
| CVE-2026-42431 |
high |
8.1 |
8.1 |
|
|
|
1mo ago |
OpenClaw `node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard |
| CVE-2026-41383 |
high |
8.1 |
8.1 |
|
|
|
1mo ago |
OpenClaw: OpenShell mirror mode could delete arbitrary remote directories when roots were mis-scoped |
| CVE-2026-41364 |
high |
8.1 |
8.1 |
|
|
|
1mo ago |
OpenClaw: SSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host |
| CVE-2026-41342 |
high |
8.1 |
8.1 |
|
|
|
1mo ago |
OpenClaw: CLI Remote Onboarding Persists Unauthenticated Discovery Endpoint and Exfiltrates Gateway Credentials |
| CVE-2026-6011 |
high |
8.1 |
8.1 |
|
|
|
2mo ago |
OpenClaw vulnerable to SSRF in src/agents/tools/web-fetch.ts |
| CVE-2026-32067 |
high |
8.1 |
8.1 |
|
|
|
3mo ago |
OpenClaw has cross-account DM pairing authorization bypass via unscoped pairing store access |
| CVE-2026-45004 |
high |
7.8 |
7.8 |
|
|
|
24d ago |
OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution |
| CVE-2026-44118 |
high |
7.8 |
7.8 |
|
|
|
29d ago |
OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens |
| CVE-2026-44114 |
high |
7.8 |
7.8 |
|
|
|
29d ago |
OpenClaw: Workspace dotenv could override runtime-control environment variables |
| CVE-2026-42432 |
high |
7.8 |
7.8 |
|
|
|
1mo ago |
OpenClaw: Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement |
| CVE-2026-41396 |
high |
7.8 |
7.8 |
|
|
|
1mo ago |
OpenClaw: Workspace `.env` can override the bundled plugin trust root |
| CVE-2026-41387 |
high |
7.8 |
7.8 |
|
|
|
1mo ago |
OpenClaw's incomplete host env sanitization blocklist allows supply-chain redirection via package-manager env overrides |
| CVE-2026-41384 |
high |
7.8 |
7.8 |
|
|
|
1mo ago |
OpenClaw Has Incomplete Fix for CVE-2026-4039: CLI Backend Environment Variable Injection via Workspace Config |
| CVE-2026-41336 |
high |
7.8 |
7.8 |
|
|
|
1mo ago |
OpenClaw: Workspace `.env` can override the bundled hooks root and load attacker hook code |
| CVE-2026-44113 |
high |
7.7 |
7.7 |
|
|
|
29d ago |
OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes |
| CVE-2026-43580 |
high |
7.7 |
7.7 |
|
|
|
29d ago |
OpenClaw: Browser press/type interaction routes missed complete navigation guard coverage |
| CVE-2026-43576 |
high |
7.7 |
7.7 |
|
|
|
29d ago |
OpenClaw: CDP /json/version WebSocket URL could pivot to untrusted second-hop targets |
| CVE-2026-43573 |
high |
7.7 |
7.7 |
|
|
|
1mo ago |
OpenClaw: Existing-session browser interaction routes bypassed SSRF policy enforcement |
| CVE-2026-43532 |
high |
7.7 |
7.7 |
|
|
|
1mo ago |
OpenClaw: Discord event cover images bypassed sandbox media normalization |
| CVE-2026-43527 |
high |
7.7 |
7.7 |
|
|
|
1mo ago |
OpenClaw: Browser SSRF policy default allowed private-network navigation |
| CVE-2026-42438 |
high |
7.7 |
7.7 |
|
|
|
1mo ago |
OpenClaw: Sender policy bypass in host media attachment reads allows unauthorized local file disclosure |
| CVE-2026-42436 |
high |
7.7 |
7.7 |
|
|
|
1mo ago |
OpenClaw: Browser snapshot and screenshot routes could expose internal page content after navigation |
| CVE-2026-41912 |
high |
7.6 |
7.6 |
|
|
|
1mo ago |
OpenClaw has Browser SSRF Policy Bypass via Interaction-Triggered Navigation |
| CVE-2026-42437 |
high |
7.5 |
7.5 |
|
|
|
1mo ago |
OpenClaw: Voice-call realtime WebSocket accepted oversized frames |
| CVE-2026-42423 |
high |
7.5 |
7.5 |
|
|
|
1mo ago |
OpenClaw: strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts |
| CVE-2026-41405 |
high |
7.5 |
7.5 |
|
|
|
1mo ago |
OpenClaw: MS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion |
| CVE-2026-41400 |
high |
7.5 |
7.5 |
|
|
|
1mo ago |
OpenClaw: Voice-call still parses large WebSocket frames before start validation (Incomplete fix for CVE-2026-32062) |
| CVE-2026-41399 |
high |
7.5 |
7.5 |
|
|
|
1mo ago |
OpenClaw: Gateway WebSocket Denial of Service via unbounded pre-auth upgrades |
| CVE-2026-41395 |
high |
7.5 |
7.5 |
|
|
|
1mo ago |
OpenClaw: Voice-call Plivo V3 webhook replay key uses unsorted URL, allowing replay via query-parameter reordering |
| CVE-2026-41346 |
high |
7.5 |
7.5 |
|
|
|
1mo ago |
OpenClaw: Pairing pending-request caps were enforced per channel instead of per account |
| CVE-2026-32846 |
high |
7.5 |
7.5 |
|
|
|
2mo ago |
OpenClaw is vulnerable to Path Traversal through path validation bypass |
| CVE-2026-32062 |
high |
7.5 |
7.5 |
|
|
|
3mo ago |
OpenClaw voice-call media stream validated streams after upgrade, which could allow pre-start unauthenticated sockets to increase resource pressure |
| CVE-2026-44995 |
high |
7.3 |
7.3 |
|
|
|
24d ago |
OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config |
| CVE-2026-41392 |
high |
7.3 |
7.3 |
|
|
|
1mo ago |
OpenClaw: Shell init-file options could satisfy exec allowlist script matching |
| CVE-2026-41390 |
high |
7.3 |
7.3 |
|
|
|
1mo ago |
OpenClaw has a gateway exec allowlist allow-always bypass via unregistered /usr/bin/script wrapper |
| CVE-2026-41380 |
high |
7.3 |
7.3 |
|
|
|
1mo ago |
OpenClaw gateway exec allow-always over-trusts positional carrier executables |
| CVE-2026-41355 |
high |
7.3 |
7.3 |
|
|
|
1mo ago |
OpenClaw: OpenShell `mirror` mode can convert untrusted sandbox files into explicitly enabled workspace hooks and execute them on the host during gateway startup |
| CVE-2026-42429 |
high |
7.1 |
7.1 |
|
|
|
1mo ago |
OpenClaw: Gateway plugin HTTP `auth: gateway` widens identity-bearing `operator.read` requests into runtime `operator.write` |
| CVE-2026-42428 |
high |
7.1 |
7.1 |
|
|
|
1mo ago |
OpenClaw B-M3: ClawHub package downloads are not enforced with integrity verification |
| CVE-2026-41379 |
high |
7.1 |
7.1 |
|
|
|
1mo ago |
OpenClaw: Gateway operator.write Can Reach Admin-Class Talk Voice Config Persistence via chat.send |
| CVE-2026-41347 |
high |
7.1 |
7.1 |
|
|
|
1mo ago |
OpenClaw: HTTP operator endpoints lack browser-origin validation in trusted-proxy mode |
| CVE-2026-41913 |
low |
3.7 |
3.7 |
|
|
|
1mo ago |
OpenClaw: Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths |
| CVE-2026-41333 |
low |
3.7 |
3.7 |
|
|
|
1mo ago |
OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting |
| CVE-2026-43529 |
low |
2.5 |
2.5 |
|
|
|
1mo ago |
OpenClaw: TOCTOU read in exec script preflight |
