| CVE | Severity | Score | Score | Project | Date | Summary |
|---|---|---|---|---|---|---|
| CVE-2026-35674 | high | 8.8 | 8.8 | openclaw | 5d ago | OpenClaw before 2026.5.18 contains a scope bypass vulnerability in the Gateway chat.send route that allows scoped clients to execute privileged commands. Attackers with operator.write scope can deliv… |
| CVE-2026-35673 | medium | 6.5 | 6.5 | openclaw | 5d ago | OpenClaw before 2026.4.29 contains an SSRF policy bypass vulnerability in browser debug and export routes that allows reuse of already-open blocked tabs. Attackers with access to these routes can byp… |
| CVE-2026-35630 | high | 8.0 | 8.0 | openclaw | 5d ago | OpenClaw before 2026.5.18 contains an authorization bypass vulnerability in QQBot native approval buttons that fails to enforce configured approver identity. Non-approver users can click approval but… |
| CVE-2026-34507 | medium | 5.4 | 5.4 | openclaw | 5d ago | OpenClaw before 2026.4.29 contains a policy bypass vulnerability in QQBot admin commands that allows authenticated senders to skip DM-only and allowFrom policy checks. Attackers can route admin comma… |
| CVE-2026-32906 | medium | 4.3 | 4.3 | openclaw | 5d ago | OpenClaw before 2026.5.12 contains a privilege escalation vulnerability in Slack plugin approvals that allows exec-authorized users to resolve plugin approvals through the exec approver gate. Attacke… |
| CVE-2026-32905 | high | 8.3 | 8.3 | openclaw | 5d ago | OpenClaw before 2026.5.4 contains an authorization bypass vulnerability in the bundled device-pair plugin that allows non-owner authorized chat senders to issue device-pairing bootstrap codes without… |
| CVE-2026-8305 | critical | 9.8 | 9.8 | openclaw | 23d ago | A vulnerability was detected in OpenClaw up to 2026.1.24. The impacted element is the function handleBlueBubblesWebhookRequest of the file extensions/bluebubbles/src/monitor.ts of the component blueb… |
| CVE-2026-45006 | high | 8.8 | 8.8 | openclaw | 23d ago | OpenClaw before 2026.4.23 contains an improper access control vulnerability in the gateway tool's config.apply and config.patch operations that allows compromised models to write unsafe configuration… |
| CVE-2026-45005 | medium | 6.0 | 6.0 | openclaw | 23d ago | OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload |
| CVE-2026-45004 | high | 7.8 | 7.8 | openclaw | 23d ago | OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution |
| CVE-2026-45003 | medium | 5.0 | 5.0 | openclaw | 23d ago | OpenClaw: Workspace dotenv files cannot override connector endpoint hosts |
| CVE-2026-45002 | medium | 5.3 | 5.3 | openclaw | 23d ago | OpenClaw: Hook mapping templates could bypass hook session-key opt-in |
| CVE-2026-45001 | high | 7.1 | 7.1 | openclaw | 23d ago | OpenClaw before 2026.4.20 contains a guard bypass vulnerability in the agent-facing gateway config.patch and config.apply endpoints that fails to protect operator-trusted settings including sandbox p… |
| CVE-2026-45000 | medium | 5.0 | 5.0 | openclaw | 23d ago | OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in browser CDP profile creation that skips strict-mode SSRF policy checks. Attackers can create stored profiles pointing… |
| CVE-2026-44999 | medium | 5.3 | 5.3 | openclaw | 23d ago | OpenClaw: Isolated cron awareness events were recorded as trusted system events |
| CVE-2026-44998 | medium | 5.4 | 5.4 | openclaw | 23d ago | OpenClaw before 2026.4.20 contains a tool policy bypass vulnerability allowing bundled MCP and LSP tools to circumvent configured tool restrictions. Attackers with local agent access can append restr… |
| CVE-2026-44997 | medium | 4.3 | 4.3 | openclaw | 23d ago | OpenClaw's ACP child sessions inherit subagent security envelope constraints |
| CVE-2026-44996 | low | 3.7 | 3.7 | openclaw | 23d ago | OpenClaw before 2026.4.15 contains an arbitrary local file read vulnerability in the webchat audio embedding helper that fails to apply local media root containment checks. Attackers can influence ag… |
| CVE-2026-44995 | high | 7.3 | 7.3 | openclaw | 23d ago | OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config |
| CVE-2026-44994 | medium | 5.3 | 5.3 | openclaw | 23d ago | OpenClaw before 2026.4.22 contains an authentication bypass vulnerability in the Control UI bootstrap config endpoint that allows unauthenticated attackers to read sensitive configuration fields. Att… |
| CVE-2026-44993 | medium | 5.4 | 5.4 | openclaw | 23d ago | OpenClaw before 2026.4.20 contains a message classification vulnerability in Feishu card-action callbacks that misclassifies direct messages as group conversations. Attackers can bypass dmPolicy enfo… |
| CVE-2026-44992 | medium | 5.0 | 5.0 | openclaw | 23d ago | OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests |
| CVE-2026-44991 | medium | 4.2 | 4.2 | openclaw | 23d ago | OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners |
| CVE-2026-44118 | high | 7.8 | 7.8 | openclaw | 28d ago | OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens |
| CVE-2026-44117 | medium | 5.8 | 5.8 | openclaw | 28d ago | OpenClaw: QQBot direct media upload skipped URL SSRF validation |
| CVE-2026-44116 | high | 8.6 | 8.6 | openclaw | 28d ago | OpenClaw validates Zalo outbound photo URLs through the SSRF guard |
| CVE-2026-44115 | high | 8.8 | 8.8 | openclaw | 28d ago | OpenClaw before 2026.4.22 contains an exec allowlist analysis vulnerability allowing shell expansion hiding in unquoted heredoc bodies. Attackers can bypass allowlist validation by embedding shell ex… |
| CVE-2026-44114 | high | 7.8 | 7.8 | openclaw | 28d ago | OpenClaw: Workspace dotenv could override runtime-control environment variables |
| CVE-2026-44113 | high | 7.7 | 7.7 | openclaw | 28d ago | OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes |
| CVE-2026-44112 | critical | 9.6 | 9.6 | openclaw | 28d ago | OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root |
| CVE-2026-44111 | medium | 4.3 | 4.3 | openclaw | 28d ago | OpenClaw before 2026.4.15 contains an arbitrary file read vulnerability in the QMD backend memory_get function that allows callers to read any Markdown files within the workspace root. Attackers with… |
| CVE-2026-44110 | high | 8.8 | 8.8 | openclaw | 28d ago | OpenClaw: Matrix room control-command authorization no longer trusts DM pairing-store entries |
| CVE-2026-44109 | critical | 9.8 | 9.8 | openclaw | 28d ago | OpenClaw: Feishu webhook and card-action validation now fail closed |
| CVE-2026-43585 | critical | 9.8 | 9.8 | openclaw | 28d ago | OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation |
| CVE-2026-43584 | high | 8.8 | 8.8 | openclaw | 28d ago | OpenClaw: Exec environment denylist missed high-risk interpreter startup variables |
| CVE-2026-43583 | medium | 6.5 | 6.5 | openclaw | 28d ago | OpenClaw: Delivery queue recovery could lose group tool-policy context for media replay |
| CVE-2026-43582 | medium | 6.3 | 6.3 | openclaw | 28d ago | OpenClaw: Browser SSRF hostname validation could be bypassed by DNS rebinding |
| CVE-2026-43581 | critical | 9.6 | 9.6 | openclaw | 28d ago | OpenClaw before 2026.4.10 contains an improper network binding vulnerability in the sandbox browser CDP relay that exposes Chrome DevTools Protocol on 0.0.0.0. Attackers can access the DevTools proto… |
| CVE-2026-43580 | high | 7.7 | 7.7 | openclaw | 28d ago | OpenClaw: Browser press/type interaction routes missed complete navigation guard coverage |
| CVE-2026-43579 | medium | 6.5 | 6.5 | openclaw | 28d ago | OpenClaw before 2026.4.10 contains an insufficient access control vulnerability in Nostr plugin HTTP profile routes that allows operators with write permissions to persist profile configuration witho… |
| CVE-2026-43578 | critical | 9.1 | 9.1 | openclaw | 28d ago | OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can… |
| CVE-2026-43577 | medium | 6.5 | 6.5 | openclaw | 28d ago | OpenClaw before 2026.4.9 contains a file read vulnerability allowing attackers to bypass navigation guards through browser act/evaluate interactions. Attackers can pivot into the local CDP origin and… |
| CVE-2026-43576 | high | 7.7 | 7.7 | openclaw | 28d ago | OpenClaw: CDP /json/version WebSocket URL could pivot to untrusted second-hop targets |
| CVE-2026-43575 | critical | 9.8 | 9.8 | openclaw | 28d ago | OpenClaw versions 2026.2.21 before 2026.4.10 contain an authentication bypass vulnerability in the sandbox noVNC helper route that exposes interactive browser session credentials. Attackers can acces… |
| CVE-2026-43574 | medium | 6.5 | 6.5 | openclaw | 29d ago | OpenClaw: Empty approver lists could grant explicit approval authorization |
| CVE-2026-43573 | high | 7.7 | 7.7 | openclaw | 29d ago | OpenClaw: Existing-session browser interaction routes bypassed SSRF policy enforcement |
| CVE-2026-43572 | medium | 5.3 | 5.3 | openclaw | 29d ago | OpenClaw: Microsoft Teams SSO invoke handler missed sender authorization checks |
| CVE-2026-43571 | high | 8.8 | 8.8 | openclaw | 29d ago | OpenClaw: Channel setup catalog lookups could include untrusted workspace plugin shadows |
| CVE-2026-43570 | medium | 6.5 | 6.5 | openclaw | 29d ago | OpenClaw contains a symlink traversal vulnerability |
| CVE-2026-43569 | high | 8.8 | 8.8 | openclaw | 29d ago | OpenClaw: Workspace provider auth choices could auto-enable untrusted provider plugins |
| CVE-2026-43568 | medium | 6.5 | 6.5 | openclaw | 29d ago | OpenClaw: Memory dreaming config persistence was reachable from operator.write commands |
| CVE-2026-43567 | medium | 6.5 | 6.5 | openclaw | 29d ago | OpenClaw: screen_record outPath bypassed workspace-only filesystem guard |
| CVE-2026-43566 | critical | 9.8 | 9.8 | openclaw | 29d ago | OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events |
| CVE-2026-43535 | high | 8.1 | 8.1 | openclaw | 29d ago | OpenClaw: Collect-mode queue batches could reuse the last sender authorization context |
| CVE-2026-43534 | critical | 9.8 | 9.8 | openclaw | 29d ago | OpenClaw: Agent hook events could enqueue trusted system events from unsanitized external input |
| CVE-2026-43533 | high | 8.6 | 8.6 | openclaw | 29d ago | OpenClaw: QQBot media tags could read arbitrary local files through reply text |
| CVE-2026-43532 | high | 7.7 | 7.7 | openclaw | 29d ago | OpenClaw: Discord event cover images bypassed sandbox media normalization |
| CVE-2026-43531 | high | 8.8 | 8.8 | openclaw | 29d ago | OpenClaw: Workspace .env could inject OpenClaw runtime-control variables |
| CVE-2026-43530 | high | 8.8 | 8.8 | openclaw | 29d ago | OpenClaw: busybox and toybox applet execution weakened exec approval binding |
| CVE-2026-43529 | low | 2.5 | 2.5 | openclaw | 29d ago | OpenClaw: TOCTOU read in exec script preflight |
| CVE-2026-43528 | medium | 6.5 | 6.5 | openclaw | 29d ago | OpenClaw: config.get redaction bypass through sourceConfig and runtimeConfig aliases |
| CVE-2026-43527 | high | 7.7 | 7.7 | openclaw | 29d ago | OpenClaw: Browser SSRF policy default allowed private-network navigation |
| CVE-2026-43526 | critical | 9.3 | 9.3 | openclaw | 29d ago | OpenClaw: QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes |
| CVE-2026-42439 | high | 8.5 | 8.5 | openclaw | 29d ago | OpenClaw: Browser tabs action select and close routes bypassed SSRF policy |
| CVE-2026-42438 | high | 7.7 | 7.7 | openclaw | 29d ago | OpenClaw: Sender policy bypass in host media attachment reads allows unauthorized local file disclosure |
| CVE-2026-42432 | high | 7.8 | 7.8 | openclaw | 1mo ago | OpenClaw: Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement |
| CVE-2026-42431 | high | 8.1 | 8.1 | openclaw | 1mo ago | OpenClaw `node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard |
| CVE-2026-42430 | medium | 6.5 | 6.5 | openclaw | 1mo ago | OpenClaw: Strict browser SSRF bypass in Playwright redirect handling leaves private targets reachable |
| CVE-2026-42429 | high | 7.1 | 7.1 | openclaw | 1mo ago | OpenClaw: Gateway plugin HTTP `auth: gateway` widens identity-bearing `operator.read` requests into runtime `operator.write` |
| CVE-2026-42428 | high | 7.1 | 7.1 | openclaw | 1mo ago | OpenClaw B-M3: ClawHub package downloads are not enforced with integrity verification |
| CVE-2026-42427 | medium | 5.3 | 5.3 | openclaw | 1mo ago | OpenClaw: HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist — RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class) |
| CVE-2026-42426 | high | 8.8 | 8.8 | openclaw | 1mo ago | OpenClaw `node.pair.approve` placed in `operator.write` scope instead of `operator.pairing` allows unprivileged pairing approval |
| CVE-2026-42424 | medium | 5.0 | 5.0 | openclaw | 1mo ago | OpenClaw: Shared reply MEDIA - paths are treated as trusted and can trigger cross-channel local file exfiltration |
| CVE-2026-42423 | high | 7.5 | 7.5 | openclaw | 1mo ago | OpenClaw: strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts |
| CVE-2026-42422 | high | 8.8 | 8.8 | openclaw | 1mo ago | OpenClaw `device.token.rotate` mints tokens for unapproved roles, bypassing device role-upgrade pairing |
| CVE-2026-42421 | medium | 5.4 | 5.4 | openclaw | 1mo ago | OpenClaw: Existing WS sessions survive shared gateway token rotation |
| CVE-2026-42420 | medium | 6.5 | 6.5 | openclaw | 1mo ago | OpenClaw: Multiple Code Paths Missing Base64 Pre-Allocation Size Checks |
| CVE-2026-41916 | medium | 5.4 | 5.4 | openclaw | 1mo ago | OpenClaw: resolvedAuth closure becomes stale after config reload |
| CVE-2026-41915 | medium | 6.1 | 6.1 | openclaw | 1mo ago | OpenClaw: GIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant) |
| CVE-2026-41914 | high | 8.5 | 8.5 | openclaw | 1mo ago | OpenClaw QQ Bot Extension missing SSRF Protection on All Media Fetch Paths |
| CVE-2026-41913 | low | 3.7 | 3.7 | openclaw | 1mo ago | OpenClaw: Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths |
| CVE-2026-41912 | high | 7.6 | 7.6 | openclaw | 1mo ago | OpenClaw has Browser SSRF Policy Bypass via Interaction-Triggered Navigation |
| CVE-2026-41911 | medium | 6.5 | 6.5 | openclaw | 1mo ago | OpenClaw: Feishu docx upload_file/upload_image Bypasses Workspace-Only Filesystem Policy (GHSA-qf48-qfv4-jjm9 Incomplete Fix) |
| CVE-2026-41910 | medium | 4.3 | 4.3 | openclaw | 1mo ago | OpenClaw: /allowlist omits owner-only enforcement for cross-channel allowlist writes |
| CVE-2026-41408 | medium | 6.5 | 6.5 | openclaw | 1mo ago | OpenClaw: Tlon media downloads can bypass core safety limits and exhaust disk |
| CVE-2026-41407 | medium | 5.3 | 5.3 | openclaw | 1mo ago | OpenClaw: Shared-secret comparison call sites leaked length information through timing |
| CVE-2026-41406 | medium | 5.4 | 5.4 | openclaw | 1mo ago | OpenClaw: Feishu thread history and quoted messages bypass sender allowlist |
| CVE-2026-41405 | high | 7.5 | 7.5 | openclaw | 1mo ago | OpenClaw: MS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion |
| CVE-2026-41404 | high | 8.8 | 8.8 | openclaw | 1mo ago | OpenClaw: Incomplete scope-clearing fix allows operator.admin escalation via trusted-proxy auth mode |
| CVE-2026-41403 | medium | 4.0 | 4.0 | openclaw | 1mo ago | OpenClaw: diffs viewer misclassifies proxied remote requests as loopback when `allowRemoteViewer` is disabled |
| CVE-2026-41402 | medium | 5.4 | 5.4 | openclaw | 1mo ago | OpenClaw: Zalo webhook replay cache cross-target messageId scope bypass |
| CVE-2026-41400 | high | 7.5 | 7.5 | openclaw | 1mo ago | OpenClaw: Voice-call still parses large WebSocket frames before start validation (Incomplete fix for CVE-2026-32062) |
| CVE-2026-41399 | high | 7.5 | 7.5 | openclaw | 1mo ago | OpenClaw: Gateway WebSocket Denial of Service via unbounded pre-auth upgrades |
| CVE-2026-41398 | medium | 4.6 | 4.6 | openclaw | 1mo ago | OpenClaw: iOS A2UI bridge trusted generic local-network pages for agent.request dispatch |
| CVE-2026-41397 | critical | 9.6 | 9.6 | openclaw | 1mo ago | OpenClaw: OpenShell Mirror Sync — Sandbox Escape via Unrestricted File Sync + Symlink Traversal |
| CVE-2026-41396 | high | 7.8 | 7.8 | openclaw | 1mo ago | OpenClaw: Workspace `.env` can override the bundled plugin trust root |
| CVE-2026-41395 | high | 7.5 | 7.5 | openclaw | 1mo ago | OpenClaw: Voice-call Plivo V3 webhook replay key uses unsorted URL, allowing replay via query-parameter reordering |
| CVE-2026-41394 | high | 8.2 | 8.2 | openclaw | 1mo ago | OpenClaw: Unauthenticated plugin-auth HTTP routes receive operator runtime scopes |
| CVE-2026-41393 | medium | 4.8 | 4.8 | openclaw | 1mo ago | OpenClaw: macOS Tailnet DNS Spoofing & Credential Exfiltration |
| CVE-2026-41392 | high | 7.3 | 7.3 | openclaw | 1mo ago | OpenClaw: Shell init-file options could satisfy exec allowlist script matching |