| CVE-2026-44109 |
critical |
9.8 |
9.8 |
21d ago |
OpenClaw: Feishu webhook and card-action validation now fail closed |
|
| CVE-2026-43585 |
critical |
9.8 |
9.8 |
21d ago |
OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation |
|
| CVE-2026-43566 |
critical |
9.8 |
9.8 |
23d ago |
OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events |
|
| CVE-2026-43534 |
critical |
9.8 |
9.8 |
23d ago |
OpenClaw: Agent hook events could enqueue trusted system events from unsanitized external input |
|
| CVE-2026-41386 |
critical |
9.8 |
9.8 |
1mo ago |
OpenClaw: Unbound bootstrap setup codes allow privilege escalation during pairing |
|
| CVE-2026-44112 |
critical |
9.6 |
9.6 |
21d ago |
OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root |
|
| CVE-2026-41397 |
critical |
9.6 |
9.6 |
1mo ago |
OpenClaw: OpenShell Mirror Sync — Sandbox Escape via Unrestricted File Sync + Symlink Traversal |
|
| CVE-2026-43526 |
critical |
9.3 |
9.3 |
23d ago |
OpenClaw: QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes |
|
| CVE-2026-43583 |
medium |
6.5 |
6.5 |
21d ago |
OpenClaw: Delivery queue recovery could lose group tool-policy context for media replay |
|
| CVE-2026-43574 |
medium |
6.5 |
6.5 |
23d ago |
OpenClaw: Empty approver lists could grant explicit approval authorization |
|
| CVE-2026-43570 |
medium |
6.5 |
6.5 |
23d ago |
OpenClaw contains a symlink traversal vulnerability |
|
| CVE-2026-43568 |
medium |
6.5 |
6.5 |
23d ago |
OpenClaw: Memory dreaming config persistence was reachable from operator.write commands |
|
| CVE-2026-43567 |
medium |
6.5 |
6.5 |
23d ago |
OpenClaw: screen_record outPath bypassed workspace-only filesystem guard |
|
| CVE-2026-43528 |
medium |
6.5 |
6.5 |
23d ago |
OpenClaw: config.get redaction bypass through sourceConfig and runtimeConfig aliases |
|
| CVE-2026-42433 |
medium |
6.5 |
6.5 |
23d ago |
OpenClaw: Matrix profile config persistence was reachable from operator.write message tools |
|
| CVE-2026-42430 |
medium |
6.5 |
6.5 |
1mo ago |
OpenClaw: Strict browser SSRF bypass in Playwright redirect handling leaves private targets reachable |
|
| CVE-2026-42420 |
medium |
6.5 |
6.5 |
1mo ago |
OpenClaw: Multiple Code Paths Missing Base64 Pre-Allocation Size Checks |
|
| CVE-2026-41911 |
medium |
6.5 |
6.5 |
1mo ago |
OpenClaw: Feishu docx upload_file/upload_image Bypasses Workspace-Only Filesystem Policy (GHSA-qf48-qfv4-jjm9 Incomplete Fix) |
|
| CVE-2026-41408 |
medium |
6.5 |
6.5 |
1mo ago |
OpenClaw: Tlon media downloads can bypass core safety limits and exhaust disk |
|
| CVE-2026-41388 |
medium |
6.5 |
6.5 |
1mo ago |
OpenClaw: Tlon Startup Migration Rehydrates Empty-Array Revocations From File Config |
|
| CVE-2026-41385 |
medium |
6.5 |
6.5 |
1mo ago |
OpenClaw Nostr privateKey config redaction bypass leaks plaintext signing key via config.get |
|
| CVE-2026-41376 |
medium |
6.5 |
6.5 |
1mo ago |
OpenClaw: Matrix thread root and reply context bypass sender allowlist |
|
| CVE-2026-41375 |
medium |
6.5 |
6.5 |
1mo ago |
OpenClaw: `/phone arm`/`/phone disarm` Bypasses `operator.admin` Scope Check for External Channels |
|
| CVE-2026-41369 |
medium |
6.5 |
6.5 |
1mo ago |
OpenClaw: Host exec environment sanitization misses package, registry, Docker, compiler, and TLS override variables |
|
| CVE-2026-41363 |
medium |
6.5 |
6.5 |
1mo ago |
OpenClaw: Feishu extension resolveUploadInput bypasses file-system sandbox and allows arbitrary file reads via upload_image |
|
| CVE-2026-41908 |
medium |
6.5 |
6.5 |
1mo ago |
OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization |
|
| CVE-2026-43582 |
medium |
6.3 |
6.3 |
21d ago |
OpenClaw: Browser SSRF hostname validation could be bypassed by DNS rebinding |
|
| CVE-2026-41915 |
medium |
6.1 |
6.1 |
1mo ago |
OpenClaw: GIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant) |
|
| CVE-2026-41391 |
medium |
6.1 |
6.1 |
1mo ago |
OpenClaw: PIP_INDEX_URL and UV_INDEX_URL bypass host exec env sanitization and redirect Python package-index traffic |
|
| CVE-2026-41373 |
medium |
6.1 |
6.1 |
1mo ago |
OpenClaw: Incomplete host-env-security-policy allows untrusted model to substitute compiler binaries via env overrides |
|
| CVE-2026-45005 |
medium |
6.0 |
6.0 |
17d ago |
OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload |
|
| CVE-2026-44117 |
medium |
5.8 |
5.8 |
21d ago |
OpenClaw: QQBot direct media upload skipped URL SSRF validation |
|
| CVE-2026-41372 |
medium |
5.8 |
5.8 |
1mo ago |
OpenClaw: Trailing-dot localhost CDP hosts could bypass remote loopback protections |
|
| CVE-2026-41389 |
medium |
5.8 |
5.8 |
1mo ago |
OpenClaw: Webchat media embedding enforces local-root containment for tool-result files |
|
| CVE-2026-42421 |
medium |
5.4 |
5.4 |
1mo ago |
OpenClaw: Existing WS sessions survive shared gateway token rotation |
|
| CVE-2026-41916 |
medium |
5.4 |
5.4 |
1mo ago |
OpenClaw: resolvedAuth closure becomes stale after config reload |
|
| CVE-2026-41406 |
medium |
5.4 |
5.4 |
1mo ago |
OpenClaw: Feishu thread history and quoted messages bypass sender allowlist |
|
| CVE-2026-41402 |
medium |
5.4 |
5.4 |
1mo ago |
OpenClaw: Zalo webhook replay cache cross-target messageId scope bypass |
|
| CVE-2026-41382 |
medium |
5.4 |
5.4 |
1mo ago |
OpenClaw: Discord voice ingress authorization can be bypassed via channel, name, and stale-role validation gaps |
|
| CVE-2026-41381 |
medium |
5.4 |
5.4 |
1mo ago |
OpenClaw: Discord voice manager bypasses channel-level member access allowlist |
|
| CVE-2026-41365 |
medium |
5.4 |
5.4 |
1mo ago |
OpenClaw: MSTeams thread history bypasses sender allowlist via Graph API |
|
| CVE-2026-41358 |
medium |
5.4 |
5.4 |
1mo ago |
OpenClaw: Slack thread context could include messages from non-allowlisted senders |
|
| CVE-2026-41356 |
medium |
5.4 |
5.4 |
1mo ago |
OpenClaw: Gateway `device.token.rotate` does not terminate active WebSocket sessions after credential rotation |
|
| CVE-2026-41348 |
medium |
5.4 |
5.4 |
1mo ago |
OpenClaw: Discord Slash Commands Bypass Group DM Channel Allowlist |
|
| CVE-2026-41341 |
medium |
5.4 |
5.4 |
1mo ago |
OpenClaw: Discord Component Interaction Misclassifies Group DM as Direct Message |
|
| CVE-2026-45002 |
medium |
5.3 |
5.3 |
17d ago |
OpenClaw: Hook mapping templates could bypass hook session-key opt-in |
|
| CVE-2026-44999 |
medium |
5.3 |
5.3 |
17d ago |
OpenClaw: Isolated cron awareness events were recorded as trusted system events |
|
| CVE-2026-43572 |
medium |
5.3 |
5.3 |
23d ago |
OpenClaw: Microsoft Teams SSO invoke handler missed sender authorization checks |
|
| CVE-2026-42427 |
medium |
5.3 |
5.3 |
1mo ago |
OpenClaw: HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist — RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class) |
|
| CVE-2026-41407 |
medium |
5.3 |
5.3 |
1mo ago |
OpenClaw: Shared-secret comparison call sites leaked length information through timing |
|
| CVE-2026-41374 |
medium |
5.3 |
5.3 |
1mo ago |
OpenClaw runs Discord audio preflight transcription before member authorization |
|
| CVE-2026-41354 |
medium |
5.3 |
5.3 |
1mo ago |
OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders |
|
| CVE-2026-41351 |
medium |
5.3 |
5.3 |
1mo ago |
OpenClaw: Telnyx Webhook Replay Detection Bypass via Base64 Signature Re-encoding |
|
| CVE-2026-41343 |
medium |
5.3 |
5.3 |
1mo ago |
OpenClaw: LINE webhook handler lacks shared pre-auth concurrency budget before signature verification |
|
| CVE-2026-41337 |
medium |
5.3 |
5.3 |
1mo ago |
OpenClaw: Voice-call Plivo replay mutates in-process callback origin before replay rejection |
|
| CVE-2026-41335 |
medium |
5.3 |
5.3 |
1mo ago |
OpenClaw Has a Gateway Control Interface Information Disclosure Vulnerability |
|
| CVE-2026-41332 |
medium |
5.3 |
5.3 |
1mo ago |
OpenClaw host-env blocklist missing `GIT_TEMPLATE_DIR` and `AWS_CONFIG_FILE` allows code execution via env override |
|
| CVE-2026-45003 |
medium |
5.0 |
5.0 |
17d ago |
OpenClaw: Workspace dotenv files cannot override connector endpoint hosts |
|
| CVE-2026-44992 |
medium |
5.0 |
5.0 |
17d ago |
OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests |
|
| CVE-2026-42424 |
medium |
5.0 |
5.0 |
1mo ago |
OpenClaw: Shared reply MEDIA - paths are treated as trusted and can trigger cross-channel local file exfiltration |
|
| CVE-2026-41393 |
medium |
4.8 |
4.8 |
1mo ago |
OpenClaw: macOS Tailnet DNS Spoofing & Credential Exfiltration |
|
| CVE-2026-41398 |
medium |
4.6 |
4.6 |
1mo ago |
OpenClaw: iOS A2UI bridge trusted generic local-network pages for agent.request dispatch |
|
| CVE-2026-41377 |
medium |
4.6 |
4.6 |
1mo ago |
OpenClaw: Security Scan Failure Does Not Block Plugin Installation (Fail-Open) |
|
| CVE-2026-44997 |
medium |
4.3 |
4.3 |
17d ago |
OpenClaw's ACP child sessions inherit subagent security envelope constraints |
|
| CVE-2026-41910 |
medium |
4.3 |
4.3 |
1mo ago |
OpenClaw: /allowlist omits owner-only enforcement for cross-channel allowlist writes |
|
| CVE-2026-41339 |
medium |
4.3 |
4.3 |
1mo ago |
OpenClaw: Gateway hello snapshots exposed host config and state paths to non-admin clients |
|
| CVE-2026-44991 |
medium |
4.2 |
4.2 |
17d ago |
OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners |
|
| CVE-2026-41403 |
medium |
4.0 |
4.0 |
1mo ago |
OpenClaw: diffs viewer misclassifies proxied remote requests as loopback when `allowRemoteViewer` is disabled |
|
| CVE-2026-41913 |
low |
3.7 |
3.7 |
1mo ago |
OpenClaw: Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths |
|
| CVE-2026-41333 |
low |
3.7 |
3.7 |
1mo ago |
OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting |
|
| CVE-2026-43529 |
low |
2.5 |
2.5 |
23d ago |
OpenClaw: TOCTOU read in exec script preflight |
|