Package impact

NPM / openclaw

| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2026-44109 | critical | 9.8 | 9.8 | 22d ago | OpenClaw: Feishu webhook and card-action validation now fail closed | npm |
| CVE-2026-43585 | critical | 9.8 | 9.8 | 22d ago | OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation | npm |
| CVE-2026-43566 | critical | 9.8 | 9.8 | 23d ago | OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events | npm |
| CVE-2026-43534 | critical | 9.8 | 9.8 | 23d ago | OpenClaw: Agent hook events could enqueue trusted system events from unsanitized external input | npm |
| CVE-2026-41386 | critical | 9.8 | 9.8 | 1mo ago | OpenClaw: Unbound bootstrap setup codes allow privilege escalation during pairing | npm |
| CVE-2026-44112 | critical | 9.6 | 9.6 | 22d ago | OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root | npm |
| CVE-2026-41397 | critical | 9.6 | 9.6 | 1mo ago | OpenClaw: OpenShell Mirror Sync — Sandbox Escape via Unrestricted File Sync + Symlink Traversal | npm |
| CVE-2026-43526 | critical | 9.3 | 9.3 | 23d ago | OpenClaw: QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes | npm |
| CVE-2026-41913 | low | 3.7 | 3.7 | 1mo ago | OpenClaw: Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths | npm |
| CVE-2026-41333 | low | 3.7 | 3.7 | 1mo ago | OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting | npm |
| CVE-2026-43529 | low | 2.5 | 2.5 | 23d ago | OpenClaw: TOCTOU read in exec script preflight | npm |