| CVE-2026-35674 |
high |
8.8 |
8.8 |
|
|
openclaw |
6d ago |
OpenClaw before 2026.5.18 contains a scope bypass vulnerability in the Gateway chat.send route that allows scoped clients to execute privileged commands. Attackers with operator.write scope can deliv… |
| CVE-2026-35630 |
high |
8.0 |
8.0 |
|
|
openclaw |
6d ago |
OpenClaw before 2026.5.18 contains an authorization bypass vulnerability in QQBot native approval buttons that fails to enforce configured approver identity. Non-approver users can click approval but… |
| CVE-2026-32905 |
high |
8.3 |
8.3 |
|
|
openclaw |
6d ago |
OpenClaw before 2026.5.4 contains an authorization bypass vulnerability in the bundled device-pair plugin that allows non-owner authorized chat senders to issue device-pairing bootstrap codes without… |
| CVE-2026-8305 |
critical |
9.8 |
9.8 |
|
|
openclaw |
23d ago |
A vulnerability was detected in OpenClaw up to 2026.1.24. The impacted element is the function handleBlueBubblesWebhookRequest of the file extensions/bluebubbles/src/monitor.ts of the component blueb… |
| CVE-2026-45006 |
high |
8.8 |
8.8 |
|
|
openclaw |
23d ago |
OpenClaw before 2026.4.23 contains an improper access control vulnerability in the gateway tool's config.apply and config.patch operations that allows compromised models to write unsafe configuration… |
| CVE-2026-45004 |
high |
7.8 |
7.8 |
|
|
openclaw |
23d ago |
OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution |
| CVE-2026-45001 |
high |
7.1 |
7.1 |
|
|
openclaw |
23d ago |
OpenClaw before 2026.4.20 contains a guard bypass vulnerability in the agent-facing gateway config.patch and config.apply endpoints that fails to protect operator-trusted settings including sandbox p… |
| CVE-2026-44995 |
high |
7.3 |
7.3 |
|
|
openclaw |
23d ago |
OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config |
| CVE-2026-44118 |
high |
7.8 |
7.8 |
|
|
openclaw |
28d ago |
OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens |
| CVE-2026-44116 |
high |
8.6 |
8.6 |
|
|
openclaw |
28d ago |
OpenClaw validates Zalo outbound photo URLs through the SSRF guard |
| CVE-2026-44115 |
high |
8.8 |
8.8 |
|
|
openclaw |
28d ago |
OpenClaw before 2026.4.22 contains an exec allowlist analysis vulnerability allowing shell expansion hiding in unquoted heredoc bodies. Attackers can bypass allowlist validation by embedding shell ex… |
| CVE-2026-44114 |
high |
7.8 |
7.8 |
|
|
openclaw |
28d ago |
OpenClaw: Workspace dotenv could override runtime-control environment variables |
| CVE-2026-44113 |
high |
7.7 |
7.7 |
|
|
openclaw |
28d ago |
OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes |
| CVE-2026-44112 |
critical |
9.6 |
9.6 |
|
|
openclaw |
28d ago |
OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root |
| CVE-2026-44110 |
high |
8.8 |
8.8 |
|
|
openclaw |
28d ago |
OpenClaw: Matrix room control-command authorization no longer trusts DM pairing-store entries |
| CVE-2026-44109 |
critical |
9.8 |
9.8 |
|
|
openclaw |
28d ago |
OpenClaw: Feishu webhook and card-action validation now fail closed |
| CVE-2026-43585 |
critical |
9.8 |
9.8 |
|
|
openclaw |
28d ago |
OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation |
| CVE-2026-43584 |
high |
8.8 |
8.8 |
|
|
openclaw |
28d ago |
OpenClaw: Exec environment denylist missed high-risk interpreter startup variables |
| CVE-2026-43581 |
critical |
9.6 |
9.6 |
|
|
openclaw |
28d ago |
OpenClaw before 2026.4.10 contains an improper network binding vulnerability in the sandbox browser CDP relay that exposes Chrome DevTools Protocol on 0.0.0.0. Attackers can access the DevTools proto… |
| CVE-2026-43580 |
high |
7.7 |
7.7 |
|
|
openclaw |
28d ago |
OpenClaw: Browser press/type interaction routes missed complete navigation guard coverage |
| CVE-2026-43578 |
critical |
9.1 |
9.1 |
|
|
openclaw |
28d ago |
OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can… |
| CVE-2026-43576 |
high |
7.7 |
7.7 |
|
|
openclaw |
28d ago |
OpenClaw: CDP /json/version WebSocket URL could pivot to untrusted second-hop targets |
| CVE-2026-43575 |
critical |
9.8 |
9.8 |
|
|
openclaw |
28d ago |
OpenClaw versions 2026.2.21 before 2026.4.10 contain an authentication bypass vulnerability in the sandbox noVNC helper route that exposes interactive browser session credentials. Attackers can acces… |
| CVE-2026-43573 |
high |
7.7 |
7.7 |
|
|
openclaw |
1mo ago |
OpenClaw: Existing-session browser interaction routes bypassed SSRF policy enforcement |
| CVE-2026-43571 |
high |
8.8 |
8.8 |
|
|
openclaw |
1mo ago |
OpenClaw: Channel setup catalog lookups could include untrusted workspace plugin shadows |
| CVE-2026-43569 |
high |
8.8 |
8.8 |
|
|
openclaw |
1mo ago |
OpenClaw: Workspace provider auth choices could auto-enable untrusted provider plugins |
| CVE-2026-43566 |
critical |
9.8 |
9.8 |
|
|
openclaw |
1mo ago |
OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events |
| CVE-2026-43535 |
high |
8.1 |
8.1 |
|
|
openclaw |
1mo ago |
OpenClaw: Collect-mode queue batches could reuse the last sender authorization context |
| CVE-2026-43534 |
critical |
9.8 |
9.8 |
|
|
openclaw |
1mo ago |
OpenClaw: Agent hook events could enqueue trusted system events from unsanitized external input |
| CVE-2026-43533 |
high |
8.6 |
8.6 |
|
|
openclaw |
1mo ago |
OpenClaw: QQBot media tags could read arbitrary local files through reply text |
| CVE-2026-43532 |
high |
7.7 |
7.7 |
|
|
openclaw |
1mo ago |
OpenClaw: Discord event cover images bypassed sandbox media normalization |
| CVE-2026-43531 |
high |
8.8 |
8.8 |
|
|
openclaw |
1mo ago |
OpenClaw: Workspace .env could inject OpenClaw runtime-control variables |
| CVE-2026-43530 |
high |
8.8 |
8.8 |
|
|
openclaw |
1mo ago |
OpenClaw: busybox and toybox applet execution weakened exec approval binding |
| CVE-2026-43527 |
high |
7.7 |
7.7 |
|
|
openclaw |
1mo ago |
OpenClaw: Browser SSRF policy default allowed private-network navigation |
| CVE-2026-43526 |
critical |
9.3 |
9.3 |
|
|
openclaw |
1mo ago |
OpenClaw: QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes |
| CVE-2026-42439 |
high |
8.5 |
8.5 |
|
|
openclaw |
1mo ago |
OpenClaw: Browser tabs action select and close routes bypassed SSRF policy |
| CVE-2026-42438 |
high |
7.7 |
7.7 |
|
|
openclaw |
1mo ago |
OpenClaw: Sender policy bypass in host media attachment reads allows unauthorized local file disclosure |
| CVE-2026-42432 |
high |
7.8 |
7.8 |
|
|
openclaw |
1mo ago |
OpenClaw: Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement |
| CVE-2026-42431 |
high |
8.1 |
8.1 |
|
|
openclaw |
1mo ago |
OpenClaw `node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard |
| CVE-2026-42429 |
high |
7.1 |
7.1 |
|
|
openclaw |
1mo ago |
OpenClaw: Gateway plugin HTTP `auth: gateway` widens identity-bearing `operator.read` requests into runtime `operator.write` |
| CVE-2026-42428 |
high |
7.1 |
7.1 |
|
|
openclaw |
1mo ago |
OpenClaw B-M3: ClawHub package downloads are not enforced with integrity verification |
| CVE-2026-42426 |
high |
8.8 |
8.8 |
|
|
openclaw |
1mo ago |
OpenClaw `node.pair.approve` placed in `operator.write` scope instead of `operator.pairing` allows unprivileged pairing approval |
| CVE-2026-42423 |
high |
7.5 |
7.5 |
|
|
openclaw |
1mo ago |
OpenClaw: strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts |
| CVE-2026-42422 |
high |
8.8 |
8.8 |
|
|
openclaw |
1mo ago |
OpenClaw `device.token.rotate` mints tokens for unapproved roles, bypassing device role-upgrade pairing |
| CVE-2026-41914 |
high |
8.5 |
8.5 |
|
|
openclaw |
1mo ago |
OpenClaw QQ Bot Extension missing SSRF Protection on All Media Fetch Paths |
| CVE-2026-41912 |
high |
7.6 |
7.6 |
|
|
openclaw |
1mo ago |
OpenClaw has Browser SSRF Policy Bypass via Interaction-Triggered Navigation |
| CVE-2026-41405 |
high |
7.5 |
7.5 |
|
|
openclaw |
1mo ago |
OpenClaw: MS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion |
| CVE-2026-41404 |
high |
8.8 |
8.8 |
|
|
openclaw |
1mo ago |
OpenClaw: Incomplete scope-clearing fix allows operator.admin escalation via trusted-proxy auth mode |
| CVE-2026-41400 |
high |
7.5 |
7.5 |
|
|
openclaw |
1mo ago |
OpenClaw: Voice-call still parses large WebSocket frames before start validation (Incomplete fix for CVE-2026-32062) |
| CVE-2026-41399 |
high |
7.5 |
7.5 |
|
|
openclaw |
1mo ago |
OpenClaw: Gateway WebSocket Denial of Service via unbounded pre-auth upgrades |
| CVE-2026-41397 |
critical |
9.6 |
9.6 |
|
|
openclaw |
1mo ago |
OpenClaw: OpenShell Mirror Sync — Sandbox Escape via Unrestricted File Sync + Symlink Traversal |
| CVE-2026-41396 |
high |
7.8 |
7.8 |
|
|
openclaw |
1mo ago |
OpenClaw: Workspace `.env` can override the bundled plugin trust root |
| CVE-2026-41395 |
high |
7.5 |
7.5 |
|
|
openclaw |
1mo ago |
OpenClaw: Voice-call Plivo V3 webhook replay key uses unsorted URL, allowing replay via query-parameter reordering |
| CVE-2026-41394 |
high |
8.2 |
8.2 |
|
|
openclaw |
1mo ago |
OpenClaw: Unauthenticated plugin-auth HTTP routes receive operator runtime scopes |
| CVE-2026-41392 |
high |
7.3 |
7.3 |
|
|
openclaw |
1mo ago |
OpenClaw: Shell init-file options could satisfy exec allowlist script matching |
| CVE-2026-41390 |
high |
7.3 |
7.3 |
|
|
openclaw |
1mo ago |
OpenClaw has a gateway exec allowlist allow-always bypass via unregistered /usr/bin/script wrapper |
| CVE-2026-41387 |
high |
7.8 |
7.8 |
|
|
openclaw |
1mo ago |
OpenClaw's incomplete host env sanitization blocklist allows supply-chain redirection via package-manager env overrides |
| CVE-2026-41386 |
critical |
9.8 |
9.8 |
|
|
openclaw |
1mo ago |
OpenClaw: Unbound bootstrap setup codes allow privilege escalation during pairing |
| CVE-2026-41384 |
high |
7.8 |
7.8 |
|
|
openclaw |
1mo ago |
OpenClaw Has Incomplete Fix for CVE-2026-4039: CLI Backend Environment Variable Injection via Workspace Config |
| CVE-2026-41383 |
high |
8.1 |
8.1 |
|
|
openclaw |
1mo ago |
OpenClaw: OpenShell mirror mode could delete arbitrary remote directories when roots were mis-scoped |
| CVE-2026-41380 |
high |
7.3 |
7.3 |
|
|
openclaw |
1mo ago |
OpenClaw gateway exec allow-always over-trusts positional carrier executables |
| CVE-2026-41379 |
high |
7.1 |
7.1 |
|
|
openclaw |
1mo ago |
OpenClaw: Gateway operator.write Can Reach Admin-Class Talk Voice Config Persistence via chat.send |
| CVE-2026-41378 |
high |
8.8 |
8.8 |
|
|
openclaw |
1mo ago |
OpenClaw: Paired node escalates to gateway RCE via unrestricted node.event agent dispatch |
| CVE-2026-41371 |
high |
8.5 |
8.5 |
|
|
openclaw |
1mo ago |
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in chat.send that allows write-scoped gateway callers to trigger admin-only session reset operations. Attackers can rotate targ… |
| CVE-2026-41364 |
high |
8.1 |
8.1 |
|
|
openclaw |
1mo ago |
OpenClaw: SSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host |
| CVE-2026-41361 |
high |
7.1 |
7.1 |
|
|
openclaw |
1mo ago |
OpenClaw before 2026.3.28 contains an SSRF guard bypass vulnerability that fails to block four IPv6 special-use ranges. Attackers can exploit this by crafting URLs targeting internal or non-routable … |
| CVE-2026-41359 |
high |
8.8 |
8.8 |
|
|
openclaw |
1mo ago |
OpenClaw: Gateway operator.write Can Reach Admin-Class Telegram Config and Cron Persistence via send |
| CVE-2026-41355 |
high |
7.3 |
7.3 |
|
|
openclaw |
1mo ago |
OpenClaw: OpenShell `mirror` mode can convert untrusted sandbox files into explicitly enabled workspace hooks and execute them on the host during gateway startup |
| CVE-2026-41353 |
high |
8.1 |
8.1 |
|
|
openclaw |
1mo ago |
OpenClaw before 2026.3.22 contains an access control bypass vulnerability in the allowProfiles feature that allows attackers to circumvent profile restrictions through persistent profile mutation and… |
| CVE-2026-41352 |
high |
8.8 |
8.8 |
|
|
openclaw |
1mo ago |
OpenClaw: Device-Paired Node Skips Node Scope Gate → Host RCE.md |
| CVE-2026-41349 |
high |
8.8 |
8.8 |
|
|
openclaw |
1mo ago |
OpenClaw before 2026.3.28 contains an agentic consent bypass vulnerability allowing LLM agents to silently disable execution approval via config.patch parameter. Remote attackers can exploit this to … |
| CVE-2026-41347 |
high |
7.1 |
7.1 |
|
|
openclaw |
1mo ago |
OpenClaw: HTTP operator endpoints lack browser-origin validation in trusted-proxy mode |
| CVE-2026-41346 |
high |
7.5 |
7.5 |
|
|
openclaw |
1mo ago |
OpenClaw: Pairing pending-request caps were enforced per channel instead of per account |
| CVE-2026-41344 |
high |
8.8 |
8.8 |
|
|
openclaw |
1mo ago |
OpenClaw: Gateway `operator.write` can reach admin-only persisted `verboseLevel` via `chat.send` `/verbose` |
| CVE-2026-41342 |
high |
8.1 |
8.1 |
|
|
openclaw |
1mo ago |
OpenClaw: CLI Remote Onboarding Persists Unauthenticated Discovery Endpoint and Exfiltrates Gateway Credentials |
| CVE-2026-41336 |
high |
7.8 |
7.8 |
|
|
openclaw |
1mo ago |
OpenClaw: Workspace `.env` can override the bundled hooks root and load attacker hook code |
| CVE-2026-6011 |
high |
8.1 |
8.1 |
|
|
openclaw |
2mo ago |
OpenClaw vulnerable to SSRF in src/agents/tools/web-fetch.ts |
| CVE-2026-32846 |
high |
7.5 |
7.5 |
|
|
openclaw |
2mo ago |
OpenClaw is vulnerable to Path Traversal through path validation bypass |
| CVE-2026-32067 |
high |
8.1 |
8.1 |
|
|
openclaw |
3mo ago |
OpenClaw has cross-account DM pairing authorization bypass via unscoped pairing store access |
| CVE-2026-32062 |
high |
7.5 |
7.5 |
|
|
openclaw |
3mo ago |
OpenClaw voice-call media stream validated streams after upgrade, which could allow pre-start unauthenticated sockets to increase resource pressure |
| CVE-2026-28474 |
critical |
9.8 |
9.8 |
|
|
openclaw |
3mo ago |
Nextcloud Talk allowlist bypass via actor.name display name spoofing |
| CVE-2026-28395 |
critical |
9.1 |
9.1 |
|
|
openclaw |
3mo ago |
OpenClaw's Chrome extension relay binds publicly due to wildcard treated as loopback |
