| CVE | Severity | Score | Score | Project | Published | Summary |
|---|---|---|---|---|---|---|
| CVE-2026-35673 | medium | 6.5 | 6.5 | openclaw | 5d ago | OpenClaw before 2026.4.29 contains an SSRF policy bypass vulnerability in browser debug and export routes that allows reuse of already-open blocked tabs. Attackers with access to these routes can byp… |
| CVE-2026-34507 | medium | 5.4 | 5.4 | openclaw | 5d ago | OpenClaw before 2026.4.29 contains a policy bypass vulnerability in QQBot admin commands that allows authenticated senders to skip DM-only and allowFrom policy checks. Attackers can route admin comma… |
| CVE-2026-32906 | medium | 4.3 | 4.3 | openclaw | 5d ago | OpenClaw before 2026.5.12 contains a privilege escalation vulnerability in Slack plugin approvals that allows exec-authorized users to resolve plugin approvals through the exec approver gate. Attacke… |
| CVE-2026-8305 | critical | 9.8 | 9.8 | openclaw | 23d ago | A vulnerability was detected in OpenClaw up to 2026.1.24. The impacted element is the function handleBlueBubblesWebhookRequest of the file extensions/bluebubbles/src/monitor.ts of the component blueb… |
| CVE-2026-45005 | medium | 6.0 | 6.0 | openclaw | 23d ago | OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload |
| CVE-2026-45003 | medium | 5.0 | 5.0 | openclaw | 23d ago | OpenClaw: Workspace dotenv files cannot override connector endpoint hosts |
| CVE-2026-45002 | medium | 5.3 | 5.3 | openclaw | 23d ago | OpenClaw: Hook mapping templates could bypass hook session-key opt-in |
| CVE-2026-45000 | medium | 5.0 | 5.0 | openclaw | 23d ago | OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in browser CDP profile creation that skips strict-mode SSRF policy checks. Attackers can create stored profiles pointing… |
| CVE-2026-44999 | medium | 5.3 | 5.3 | openclaw | 23d ago | OpenClaw: Isolated cron awareness events were recorded as trusted system events |
| CVE-2026-44998 | medium | 5.4 | 5.4 | openclaw | 23d ago | OpenClaw before 2026.4.20 contains a tool policy bypass vulnerability allowing bundled MCP and LSP tools to circumvent configured tool restrictions. Attackers with local agent access can append restr… |
| CVE-2026-44997 | medium | 4.3 | 4.3 | openclaw | 23d ago | OpenClaw's ACP child sessions inherit subagent security envelope constraints |
| CVE-2026-44996 | low | 3.7 | 3.7 | openclaw | 23d ago | OpenClaw before 2026.4.15 contains an arbitrary local file read vulnerability in the webchat audio embedding helper that fails to apply local media root containment checks. Attackers can influence ag… |
| CVE-2026-44994 | medium | 5.3 | 5.3 | openclaw | 23d ago | OpenClaw before 2026.4.22 contains an authentication bypass vulnerability in the Control UI bootstrap config endpoint that allows unauthenticated attackers to read sensitive configuration fields. Att… |
| CVE-2026-44993 | medium | 5.4 | 5.4 | openclaw | 23d ago | OpenClaw before 2026.4.20 contains a message classification vulnerability in Feishu card-action callbacks that misclassifies direct messages as group conversations. Attackers can bypass dmPolicy enfo… |
| CVE-2026-44992 | medium | 5.0 | 5.0 | openclaw | 23d ago | OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests |
| CVE-2026-44991 | medium | 4.2 | 4.2 | openclaw | 23d ago | OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners |
| CVE-2026-44117 | medium | 5.8 | 5.8 | openclaw | 28d ago | OpenClaw: QQBot direct media upload skipped URL SSRF validation |
| CVE-2026-44112 | critical | 9.6 | 9.6 | openclaw | 28d ago | OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root |
| CVE-2026-44111 | medium | 4.3 | 4.3 | openclaw | 28d ago | OpenClaw before 2026.4.15 contains an arbitrary file read vulnerability in the QMD backend memory_get function that allows callers to read any Markdown files within the workspace root. Attackers with… |
| CVE-2026-44109 | critical | 9.8 | 9.8 | openclaw | 28d ago | OpenClaw: Feishu webhook and card-action validation now fail closed |
| CVE-2026-43585 | critical | 9.8 | 9.8 | openclaw | 28d ago | OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation |
| CVE-2026-43583 | medium | 6.5 | 6.5 | openclaw | 28d ago | OpenClaw: Delivery queue recovery could lose group tool-policy context for media replay |
| CVE-2026-43582 | medium | 6.3 | 6.3 | openclaw | 28d ago | OpenClaw: Browser SSRF hostname validation could be bypassed by DNS rebinding |
| CVE-2026-43581 | critical | 9.6 | 9.6 | openclaw | 28d ago | OpenClaw before 2026.4.10 contains an improper network binding vulnerability in the sandbox browser CDP relay that exposes Chrome DevTools Protocol on 0.0.0.0. Attackers can access the DevTools proto… |
| CVE-2026-43579 | medium | 6.5 | 6.5 | openclaw | 28d ago | OpenClaw before 2026.4.10 contains an insufficient access control vulnerability in Nostr plugin HTTP profile routes that allows operators with write permissions to persist profile configuration witho… |
| CVE-2026-43578 | critical | 9.1 | 9.1 | openclaw | 28d ago | OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can… |
| CVE-2026-43577 | medium | 6.5 | 6.5 | openclaw | 28d ago | OpenClaw before 2026.4.9 contains a file read vulnerability allowing attackers to bypass navigation guards through browser act/evaluate interactions. Attackers can pivot into the local CDP origin and… |
| CVE-2026-43575 | critical | 9.8 | 9.8 | openclaw | 28d ago | OpenClaw versions 2026.2.21 before 2026.4.10 contain an authentication bypass vulnerability in the sandbox noVNC helper route that exposes interactive browser session credentials. Attackers can acces… |
| CVE-2026-43574 | medium | 6.5 | 6.5 | openclaw | 1mo ago | OpenClaw: Empty approver lists could grant explicit approval authorization |
| CVE-2026-43572 | medium | 5.3 | 5.3 | openclaw | 1mo ago | OpenClaw: Microsoft Teams SSO invoke handler missed sender authorization checks |
| CVE-2026-43570 | medium | 6.5 | 6.5 | openclaw | 1mo ago | OpenClaw contains a symlink traversal vulnerability |
| CVE-2026-43568 | medium | 6.5 | 6.5 | openclaw | 1mo ago | OpenClaw: Memory dreaming config persistence was reachable from operator.write commands |
| CVE-2026-43567 | medium | 6.5 | 6.5 | openclaw | 1mo ago | OpenClaw: screen_record outPath bypassed workspace-only filesystem guard |
| CVE-2026-43566 | critical | 9.8 | 9.8 | openclaw | 1mo ago | OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events |
| CVE-2026-43534 | critical | 9.8 | 9.8 | openclaw | 1mo ago | OpenClaw: Agent hook events could enqueue trusted system events from unsanitized external input |
| CVE-2026-43529 | low | 2.5 | 2.5 | openclaw | 1mo ago | OpenClaw: TOCTOU read in exec script preflight |
| CVE-2026-43528 | medium | 6.5 | 6.5 | openclaw | 1mo ago | OpenClaw: config.get redaction bypass through sourceConfig and runtimeConfig aliases |
| CVE-2026-43526 | critical | 9.3 | 9.3 | openclaw | 1mo ago | OpenClaw: QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes |
| CVE-2026-42430 | medium | 6.5 | 6.5 | openclaw | 1mo ago | OpenClaw: Strict browser SSRF bypass in Playwright redirect handling leaves private targets reachable |
| CVE-2026-42427 | medium | 5.3 | 5.3 | openclaw | 1mo ago | OpenClaw: HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist — RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class) |
| CVE-2026-42424 | medium | 5.0 | 5.0 | openclaw | 1mo ago | OpenClaw: Shared reply MEDIA - paths are treated as trusted and can trigger cross-channel local file exfiltration |
| CVE-2026-42421 | medium | 5.4 | 5.4 | openclaw | 1mo ago | OpenClaw: Existing WS sessions survive shared gateway token rotation |
| CVE-2026-42420 | medium | 6.5 | 6.5 | openclaw | 1mo ago | OpenClaw: Multiple Code Paths Missing Base64 Pre-Allocation Size Checks |
| CVE-2026-41916 | medium | 5.4 | 5.4 | openclaw | 1mo ago | OpenClaw: resolvedAuth closure becomes stale after config reload |
| CVE-2026-41915 | medium | 6.1 | 6.1 | openclaw | 1mo ago | OpenClaw: GIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant) |
| CVE-2026-41913 | low | 3.7 | 3.7 | openclaw | 1mo ago | OpenClaw: Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths |
| CVE-2026-41911 | medium | 6.5 | 6.5 | openclaw | 1mo ago | OpenClaw: Feishu docx upload_file/upload_image Bypasses Workspace-Only Filesystem Policy (GHSA-qf48-qfv4-jjm9 Incomplete Fix) |
| CVE-2026-41910 | medium | 4.3 | 4.3 | openclaw | 1mo ago | OpenClaw: /allowlist omits owner-only enforcement for cross-channel allowlist writes |
| CVE-2026-41408 | medium | 6.5 | 6.5 | openclaw | 1mo ago | OpenClaw: Tlon media downloads can bypass core safety limits and exhaust disk |
| CVE-2026-41407 | medium | 5.3 | 5.3 | openclaw | 1mo ago | OpenClaw: Shared-secret comparison call sites leaked length information through timing |
| CVE-2026-41406 | medium | 5.4 | 5.4 | openclaw | 1mo ago | OpenClaw: Feishu thread history and quoted messages bypass sender allowlist |
| CVE-2026-41403 | medium | 4.0 | 4.0 | openclaw | 1mo ago | OpenClaw: diffs viewer misclassifies proxied remote requests as loopback when `allowRemoteViewer` is disabled |
| CVE-2026-41402 | medium | 5.4 | 5.4 | openclaw | 1mo ago | OpenClaw: Zalo webhook replay cache cross-target messageId scope bypass |
| CVE-2026-41398 | medium | 4.6 | 4.6 | openclaw | 1mo ago | OpenClaw: iOS A2UI bridge trusted generic local-network pages for agent.request dispatch |
| CVE-2026-41397 | critical | 9.6 | 9.6 | openclaw | 1mo ago | OpenClaw: OpenShell Mirror Sync — Sandbox Escape via Unrestricted File Sync + Symlink Traversal |
| CVE-2026-41393 | medium | 4.8 | 4.8 | openclaw | 1mo ago | OpenClaw: macOS Tailnet DNS Spoofing & Credential Exfiltration |
| CVE-2026-41391 | medium | 6.1 | 6.1 | openclaw | 1mo ago | OpenClaw: PIP_INDEX_URL and UV_INDEX_URL bypass host exec env sanitization and redirect Python package-index traffic |
| CVE-2026-41388 | medium | 6.5 | 6.5 | openclaw | 1mo ago | OpenClaw: Tlon Startup Migration Rehydrates Empty-Array Revocations From File Config |
| CVE-2026-41386 | critical | 9.8 | 9.8 | openclaw | 1mo ago | OpenClaw: Unbound bootstrap setup codes allow privilege escalation during pairing |
| CVE-2026-41385 | medium | 6.5 | 6.5 | openclaw | 1mo ago | OpenClaw Nostr privateKey config redaction bypass leaks plaintext signing key via config.get |
| CVE-2026-41382 | medium | 5.4 | 5.4 | openclaw | 1mo ago | OpenClaw: Discord voice ingress authorization can be bypassed via channel, name, and stale-role validation gaps |
| CVE-2026-41381 | medium | 5.4 | 5.4 | openclaw | 1mo ago | OpenClaw: Discord voice manager bypasses channel-level member access allowlist |
| CVE-2026-41377 | medium | 4.6 | 4.6 | openclaw | 1mo ago | OpenClaw: Security Scan Failure Does Not Block Plugin Installation (Fail-Open) |
| CVE-2026-41376 | medium | 6.5 | 6.5 | openclaw | 1mo ago | OpenClaw: Matrix thread root and reply context bypass sender allowlist |
| CVE-2026-41375 | medium | 6.5 | 6.5 | openclaw | 1mo ago | OpenClaw: `/phone arm`/`/phone disarm` Bypasses `operator.admin` Scope Check for External Channels |
| CVE-2026-41374 | medium | 5.3 | 5.3 | openclaw | 1mo ago | OpenClaw runs Discord audio preflight transcription before member authorization |
| CVE-2026-41373 | medium | 6.1 | 6.1 | openclaw | 1mo ago | OpenClaw: Incomplete host-env-security-policy allows untrusted model to substitute compiler binaries via env overrides |
| CVE-2026-41372 | medium | 5.8 | 5.8 | openclaw | 1mo ago | OpenClaw: Trailing-dot localhost CDP hosts could bypass remote loopback protections |
| CVE-2026-41370 | medium | 6.5 | 6.5 | openclaw | 1mo ago | OpenClaw before 2026.3.31 contains a path traversal vulnerability in ACP dispatch that allows attackers to read arbitrary files by manipulating inbound channel attachment paths. Remote attackers can … |
| CVE-2026-41369 | medium | 6.5 | 6.5 | openclaw | 1mo ago | OpenClaw: Host exec environment sanitization misses package, registry, Docker, compiler, and TLS override variables |
| CVE-2026-41368 | medium | 6.5 | 6.5 | openclaw | 1mo ago | OpenClaw before 2026.3.28 contains an environment variable disclosure vulnerability in the jq safe-bin policy that fails to block the $ENV filter. Attackers can bypass safe-bin restrictions by using … |
| CVE-2026-41367 | medium | 5.0 | 5.0 | openclaw | 1mo ago | OpenClaw versions 2026.2.14 through 2026.3.24 fail to consistently apply guild and channel policy gates to Discord button and component interactions. Attackers can trigger privileged component action… |
| CVE-2026-41366 | medium | 5.5 | 5.5 | openclaw | 1mo ago | OpenClaw before 2026.3.31 contains a local roots self-whitelisting vulnerability in appendLocalMediaParentRoots that allows model-initiated arbitrary host file read. Attackers can exploit improper me… |
| CVE-2026-41365 | medium | 5.4 | 5.4 | openclaw | 1mo ago | OpenClaw: MSTeams thread history bypasses sender allowlist via Graph API |
| CVE-2026-41363 | medium | 6.5 | 6.5 | openclaw | 1mo ago | OpenClaw: Feishu extension resolveUploadInput bypasses file-system sandbox and allows arbitrary file reads via upload_image |
| CVE-2026-41362 | medium | 4.3 | 4.3 | openclaw | 1mo ago | OpenClaw versions 2026.2.19 before 2026.3.31 contain an improper cache isolation vulnerability in the Zalo webhook replay-dedupe mechanism that is shared across authenticated webhook targets. Attacke… |
| CVE-2026-41360 | medium | 6.7 | 6.7 | openclaw | 1mo ago | OpenClaw before 2026.4.2 contains an approval integrity vulnerability in pnpm dlx that fails to bind local script operands consistently with pnpm exec flows. Attackers can replace approved local scri… |
| CVE-2026-41358 | medium | 5.4 | 5.4 | openclaw | 1mo ago | OpenClaw: Slack thread context could include messages from non-allowlisted senders |
| CVE-2026-41357 | low | 3.3 | 3.3 | openclaw | 1mo ago | OpenClaw before 2026.3.31 contains an environment variable leakage vulnerability in SSH-based sandbox backends that pass unsanitized process.env to child processes. Attackers can exploit this by leve… |
| CVE-2026-41356 | medium | 5.4 | 5.4 | openclaw | 1mo ago | OpenClaw: Gateway `device.token.rotate` does not terminate active WebSocket sessions after credential rotation |
| CVE-2026-41354 | medium | 5.3 | 5.3 | openclaw | 1mo ago | OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders |
| CVE-2026-41351 | medium | 5.3 | 5.3 | openclaw | 1mo ago | OpenClaw: Telnyx Webhook Replay Detection Bypass via Base64 Signature Re-encoding |
| CVE-2026-41350 | medium | 4.3 | 4.3 | openclaw | 1mo ago | OpenClaw before 2026.3.31 contains a session visibility bypass vulnerability where the session_status function fails to enforce configured tools.sessions.visibility restrictions for unsandboxed invoc… |
| CVE-2026-41348 | medium | 5.4 | 5.4 | openclaw | 1mo ago | OpenClaw: Discord Slash Commands Bypass Group DM Channel Allowlist |
| CVE-2026-41345 | medium | 5.3 | 5.3 | openclaw | 1mo ago | OpenClaw before 2026.3.31 contains a credential exposure vulnerability in media download functionality that forwards Authorization headers across cross-origin redirects. Attackers can exploit this by… |
| CVE-2026-41343 | medium | 5.3 | 5.3 | openclaw | 1mo ago | OpenClaw: LINE webhook handler lacks shared pre-auth concurrency budget before signature verification |
| CVE-2026-41341 | medium | 5.4 | 5.4 | openclaw | 1mo ago | OpenClaw: Discord Component Interaction Misclassifies Group DM as Direct Message |
| CVE-2026-41340 | medium | 6.5 | 6.5 | openclaw | 1mo ago | OpenClaw before 2026.3.31 contains an authentication boundary vulnerability where Telegram legacy allowFrom migration incorrectly fans default-account trust into all named accounts. Attackers can exp… |
| CVE-2026-41339 | medium | 4.3 | 4.3 | openclaw | 1mo ago | OpenClaw: Gateway hello snapshots exposed host config and state paths to non-admin clients |
| CVE-2026-41338 | medium | 5.0 | 5.0 | openclaw | 1mo ago | OpenClaw before 2026.3.31 contains a time-of-check-time-of-use vulnerability in sandbox file operations that allows attackers to bypass fd-based defenses. Attackers can exploit check-then-act pattern… |
| CVE-2026-41337 | medium | 5.3 | 5.3 | openclaw | 1mo ago | OpenClaw: Voice-call Plivo replay mutates in-process callback origin before replay rejection |
| CVE-2026-41335 | medium | 5.3 | 5.3 | openclaw | 1mo ago | OpenClaw Has a Gateway Control Interface Information Disclosure Vulnerability |
| CVE-2026-41334 | medium | 6.5 | 6.5 | openclaw | 1mo ago | OpenClaw before 2026.3.31 contains a decompression bomb vulnerability in image processing that fails to properly enforce pixel-limit guards on sips. Attackers can exploit this by uploading oversized … |
| CVE-2026-41333 | low | 3.7 | 3.7 | openclaw | 1mo ago | OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting |
| CVE-2026-41332 | medium | 5.3 | 5.3 | openclaw | 1mo ago | OpenClaw host-env blocklist missing `GIT_TEMPLATE_DIR` and `AWS_CONFIG_FILE` allows code execution via env override |
| CVE-2026-41909 | medium | 5.4 | 5.4 | openclaw | 1mo ago | OpenClaw before 2026.4.20 contains an improper authorization vulnerability in paired-device pairing management that allows limited-scope sessions to enumerate and act on pairing requests. Attackers w… |
| CVE-2026-41908 | medium | 6.5 | 6.5 | openclaw | 1mo ago | OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization |
| CVE-2026-41389 | medium | 5.8 | 5.8 | openclaw | 1mo ago | OpenClaw: Webchat media embedding enforces local-root containment for tool-result files |
| CVE-2026-35667 | medium | 6.1 | 6.1 | openclaw | 2mo ago | OpenClaw has incomplete Fix for CVE-2026-27486: Unvalidated SIGKILL in `!stop` Chat Command via `shell-utils.ts` |
| CVE-2026-32896 | medium | 6.5 | 6.5 | openclaw | 3mo ago | OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback) |