| CVE-2026-41387 |
high |
7.8 |
7.8 |
|
|
openclaw |
1mo ago |
OpenClaw's incomplete host env sanitization blocklist allows supply-chain redirection via package-manager env overrides |
| CVE-2026-41386 |
critical |
9.8 |
9.8 |
|
|
openclaw |
1mo ago |
OpenClaw: Unbound bootstrap setup codes allow privilege escalation during pairing |
| CVE-2026-41385 |
medium |
6.5 |
6.5 |
|
|
openclaw |
1mo ago |
OpenClaw Nostr privateKey config redaction bypass leaks plaintext signing key via config.get |
| CVE-2026-41384 |
high |
7.8 |
7.8 |
|
|
openclaw |
1mo ago |
OpenClaw Has Incomplete Fix for CVE-2026-4039: CLI Backend Environment Variable Injection via Workspace Config |
| CVE-2026-41383 |
high |
8.1 |
8.1 |
|
|
openclaw |
1mo ago |
OpenClaw: OpenShell mirror mode could delete arbitrary remote directories when roots were mis-scoped |
| CVE-2026-41382 |
medium |
5.4 |
5.4 |
|
|
openclaw |
1mo ago |
OpenClaw: Discord voice ingress authorization can be bypassed via channel, name, and stale-role validation gaps |
| CVE-2026-41381 |
medium |
5.4 |
5.4 |
|
|
openclaw |
1mo ago |
OpenClaw: Discord voice manager bypasses channel-level member access allowlist |
| CVE-2026-41380 |
high |
7.3 |
7.3 |
|
|
openclaw |
1mo ago |
OpenClaw gateway exec allow-always over-trusts positional carrier executables |
| CVE-2026-41379 |
high |
7.1 |
7.1 |
|
|
openclaw |
1mo ago |
OpenClaw: Gateway operator.write Can Reach Admin-Class Talk Voice Config Persistence via chat.send |
| CVE-2026-41378 |
high |
8.8 |
8.8 |
|
|
openclaw |
1mo ago |
OpenClaw: Paired node escalates to gateway RCE via unrestricted node.event agent dispatch |
| CVE-2026-41377 |
medium |
4.6 |
4.6 |
|
|
openclaw |
1mo ago |
OpenClaw: Security Scan Failure Does Not Block Plugin Installation (Fail-Open) |
| CVE-2026-41376 |
medium |
6.5 |
6.5 |
|
|
openclaw |
1mo ago |
OpenClaw: Matrix thread root and reply context bypass sender allowlist |
| CVE-2026-41375 |
medium |
6.5 |
6.5 |
|
|
openclaw |
1mo ago |
OpenClaw: `/phone arm`/`/phone disarm` Bypasses `operator.admin` Scope Check for External Channels |
| CVE-2026-41374 |
medium |
5.3 |
5.3 |
|
|
openclaw |
1mo ago |
OpenClaw runs Discord audio preflight transcription before member authorization |
| CVE-2026-41373 |
medium |
6.1 |
6.1 |
|
|
openclaw |
1mo ago |
OpenClaw: Incomplete host-env-security-policy allows untrusted model to substitute compiler binaries via env overrides |
| CVE-2026-41372 |
medium |
5.8 |
5.8 |
|
|
openclaw |
1mo ago |
OpenClaw: Trailing-dot localhost CDP hosts could bypass remote loopback protections |
| CVE-2026-41371 |
high |
8.5 |
8.5 |
|
|
openclaw |
1mo ago |
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in chat.send that allows write-scoped gateway callers to trigger admin-only session reset operations. Attackers can rotate targ… |
| CVE-2026-41370 |
medium |
6.5 |
6.5 |
|
|
openclaw |
1mo ago |
OpenClaw before 2026.3.31 contains a path traversal vulnerability in ACP dispatch that allows attackers to read arbitrary files by manipulating inbound channel attachment paths. Remote attackers can … |
| CVE-2026-41369 |
medium |
6.5 |
6.5 |
|
|
openclaw |
1mo ago |
OpenClaw: Host exec environment sanitization misses package, registry, Docker, compiler, and TLS override variables |
| CVE-2026-41368 |
medium |
6.5 |
6.5 |
|
|
openclaw |
1mo ago |
OpenClaw before 2026.3.28 contains an environment variable disclosure vulnerability in the jq safe-bin policy that fails to block the $ENV filter. Attackers can bypass safe-bin restrictions by using … |
| CVE-2026-41367 |
medium |
5.0 |
5.0 |
|
|
openclaw |
1mo ago |
OpenClaw versions 2026.2.14 through 2026.3.24 fail to consistently apply guild and channel policy gates to Discord button and component interactions. Attackers can trigger privileged component action… |
| CVE-2026-41366 |
medium |
5.5 |
5.5 |
|
|
openclaw |
1mo ago |
OpenClaw before 2026.3.31 contains a local roots self-whitelisting vulnerability in appendLocalMediaParentRoots that allows model-initiated arbitrary host file read. Attackers can exploit improper me… |
| CVE-2026-41365 |
medium |
5.4 |
5.4 |
|
|
openclaw |
1mo ago |
OpenClaw: MSTeams thread history bypasses sender allowlist via Graph API |
| CVE-2026-41364 |
high |
8.1 |
8.1 |
|
|
openclaw |
1mo ago |
OpenClaw: SSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host |
| CVE-2026-41363 |
medium |
6.5 |
6.5 |
|
|
openclaw |
1mo ago |
OpenClaw: Feishu extension resolveUploadInput bypasses file-system sandbox and allows arbitrary file reads via upload_image |
| CVE-2026-41362 |
medium |
4.3 |
4.3 |
|
|
openclaw |
1mo ago |
OpenClaw versions 2026.2.19 before 2026.3.31 contain an improper cache isolation vulnerability in the Zalo webhook replay-dedupe mechanism that is shared across authenticated webhook targets. Attacke… |
| CVE-2026-41361 |
high |
7.1 |
7.1 |
|
|
openclaw |
1mo ago |
OpenClaw before 2026.3.28 contains an SSRF guard bypass vulnerability that fails to block four IPv6 special-use ranges. Attackers can exploit this by crafting URLs targeting internal or non-routable … |
| CVE-2026-41360 |
medium |
6.7 |
6.7 |
|
|
openclaw |
1mo ago |
OpenClaw before 2026.4.2 contains an approval integrity vulnerability in pnpm dlx that fails to bind local script operands consistently with pnpm exec flows. Attackers can replace approved local scri… |
| CVE-2026-41359 |
high |
8.8 |
8.8 |
|
|
openclaw |
1mo ago |
OpenClaw: Gateway operator.write Can Reach Admin-Class Telegram Config and Cron Persistence via send |
| CVE-2026-41358 |
medium |
5.4 |
5.4 |
|
|
openclaw |
1mo ago |
OpenClaw: Slack thread context could include messages from non-allowlisted senders |
| CVE-2026-41356 |
medium |
5.4 |
5.4 |
|
|
openclaw |
1mo ago |
OpenClaw: Gateway `device.token.rotate` does not terminate active WebSocket sessions after credential rotation |
| CVE-2026-41355 |
high |
7.3 |
7.3 |
|
|
openclaw |
1mo ago |
OpenClaw: OpenShell `mirror` mode can convert untrusted sandbox files into explicitly enabled workspace hooks and execute them on the host during gateway startup |
| CVE-2026-41354 |
medium |
5.3 |
5.3 |
|
|
openclaw |
1mo ago |
OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders |
| CVE-2026-41353 |
high |
8.1 |
8.1 |
|
|
openclaw |
1mo ago |
OpenClaw before 2026.3.22 contains an access control bypass vulnerability in the allowProfiles feature that allows attackers to circumvent profile restrictions through persistent profile mutation and… |
| CVE-2026-41352 |
high |
8.8 |
8.8 |
|
|
openclaw |
1mo ago |
OpenClaw: Device-Paired Node Skips Node Scope Gate → Host RCE.md |
| CVE-2026-41351 |
medium |
5.3 |
5.3 |
|
|
openclaw |
1mo ago |
OpenClaw: Telnyx Webhook Replay Detection Bypass via Base64 Signature Re-encoding |
| CVE-2026-41350 |
medium |
4.3 |
4.3 |
|
|
openclaw |
1mo ago |
OpenClaw before 2026.3.31 contains a session visibility bypass vulnerability where the session_status function fails to enforce configured tools.sessions.visibility restrictions for unsandboxed invoc… |
| CVE-2026-41349 |
high |
8.8 |
8.8 |
|
|
openclaw |
1mo ago |
OpenClaw before 2026.3.28 contains an agentic consent bypass vulnerability allowing LLM agents to silently disable execution approval via config.patch parameter. Remote attackers can exploit this to … |
| CVE-2026-41348 |
medium |
5.4 |
5.4 |
|
|
openclaw |
1mo ago |
OpenClaw: Discord Slash Commands Bypass Group DM Channel Allowlist |
| CVE-2026-41347 |
high |
7.1 |
7.1 |
|
|
openclaw |
1mo ago |
OpenClaw: HTTP operator endpoints lack browser-origin validation in trusted-proxy mode |
| CVE-2026-41346 |
high |
7.5 |
7.5 |
|
|
openclaw |
1mo ago |
OpenClaw: Pairing pending-request caps were enforced per channel instead of per account |
| CVE-2026-41345 |
medium |
5.3 |
5.3 |
|
|
openclaw |
1mo ago |
OpenClaw before 2026.3.31 contains a credential exposure vulnerability in media download functionality that forwards Authorization headers across cross-origin redirects. Attackers can exploit this by… |
| CVE-2026-41344 |
high |
8.8 |
8.8 |
|
|
openclaw |
1mo ago |
OpenClaw: Gateway `operator.write` can reach admin-only persisted `verboseLevel` via `chat.send` `/verbose` |
| CVE-2026-41343 |
medium |
5.3 |
5.3 |
|
|
openclaw |
1mo ago |
OpenClaw: LINE webhook handler lacks shared pre-auth concurrency budget before signature verification |
| CVE-2026-41342 |
high |
8.1 |
8.1 |
|
|
openclaw |
1mo ago |
OpenClaw: CLI Remote Onboarding Persists Unauthenticated Discovery Endpoint and Exfiltrates Gateway Credentials |
| CVE-2026-41341 |
medium |
5.4 |
5.4 |
|
|
openclaw |
1mo ago |
OpenClaw: Discord Component Interaction Misclassifies Group DM as Direct Message |
| CVE-2026-41340 |
medium |
6.5 |
6.5 |
|
|
openclaw |
1mo ago |
OpenClaw before 2026.3.31 contains an authentication boundary vulnerability where Telegram legacy allowFrom migration incorrectly fans default-account trust into all named accounts. Attackers can exp… |
| CVE-2026-41339 |
medium |
4.3 |
4.3 |
|
|
openclaw |
1mo ago |
OpenClaw: Gateway hello snapshots exposed host config and state paths to non-admin clients |
| CVE-2026-41338 |
medium |
5.0 |
5.0 |
|
|
openclaw |
1mo ago |
OpenClaw before 2026.3.31 contains a time-of-check-time-of-use vulnerability in sandbox file operations that allows attackers to bypass fd-based defenses. Attackers can exploit check-then-act pattern… |
| CVE-2026-41337 |
medium |
5.3 |
5.3 |
|
|
openclaw |
1mo ago |
OpenClaw: Voice-call Plivo replay mutates in-process callback origin before replay rejection |
| CVE-2026-41336 |
high |
7.8 |
7.8 |
|
|
openclaw |
1mo ago |
OpenClaw: Workspace `.env` can override the bundled hooks root and load attacker hook code |
| CVE-2026-41335 |
medium |
5.3 |
5.3 |
|
|
openclaw |
1mo ago |
OpenClaw Has a Gateway Control Interface Information Disclosure Vulnerability |
| CVE-2026-41334 |
medium |
6.5 |
6.5 |
|
|
openclaw |
1mo ago |
OpenClaw before 2026.3.31 contains a decompression bomb vulnerability in image processing that fails to properly enforce pixel-limit guards on sips. Attackers can exploit this by uploading oversized … |
| CVE-2026-41332 |
medium |
5.3 |
5.3 |
|
|
openclaw |
1mo ago |
OpenClaw host-env blocklist missing `GIT_TEMPLATE_DIR` and `AWS_CONFIG_FILE` allows code execution via env override |
| CVE-2026-41909 |
medium |
5.4 |
5.4 |
|
|
openclaw |
1mo ago |
OpenClaw before 2026.4.20 contains an improper authorization vulnerability in paired-device pairing management that allows limited-scope sessions to enumerate and act on pairing requests. Attackers w… |
| CVE-2026-41908 |
medium |
6.5 |
6.5 |
|
|
openclaw |
1mo ago |
OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization |
| CVE-2026-41389 |
medium |
5.8 |
5.8 |
|
|
openclaw |
2mo ago |
OpenClaw: Webchat media embedding enforces local-root containment for tool-result files |
| CVE-2026-35667 |
medium |
6.1 |
6.1 |
|
|
openclaw |
2mo ago |
OpenClaw has incomplete Fix for CVE-2026-27486: Unvalidated SIGKILL in `!stop` Chat Command via `shell-utils.ts` |
| CVE-2026-6011 |
high |
8.1 |
8.1 |
|
|
openclaw |
2mo ago |
OpenClaw vulnerable to SSRF in src/agents/tools/web-fetch.ts |
| CVE-2026-32846 |
high |
7.5 |
7.5 |
|
|
openclaw |
2mo ago |
OpenClaw is vulnerable to Path Traversal through path validation bypass |
| CVE-2026-32896 |
medium |
6.5 |
6.5 |
|
|
openclaw |
3mo ago |
OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback) |
| CVE-2026-32067 |
high |
8.1 |
8.1 |
|
|
openclaw |
3mo ago |
OpenClaw has cross-account DM pairing authorization bypass via unscoped pairing store access |
| CVE-2026-32022 |
medium |
6.5 |
6.5 |
|
|
openclaw |
3mo ago |
OpenClaw safeBins grep -e File Read Bypass (stdin-only policy bypass) |
| CVE-2026-22217 |
medium |
6.1 |
6.1 |
|
|
openclaw |
3mo ago |
OpenClaw: shell-env trusted-prefix fallback allowed attacker-controlled binary execution via $SHELL |
| CVE-2026-32062 |
high |
7.5 |
7.5 |
|
|
openclaw |
3mo ago |
OpenClaw voice-call media stream validated streams after upgrade, which could allow pre-start unauthenticated sockets to increase resource pressure |
| CVE-2026-28474 |
critical |
9.8 |
9.8 |
|
|
openclaw |
3mo ago |
Nextcloud Talk allowlist bypass via actor.name display name spoofing |
| CVE-2026-28395 |
critical |
9.1 |
9.1 |
|
|
openclaw |
3mo ago |
OpenClaw's Chrome extension relay binds publicly due to wildcard treated as loopback |
