| CVE | Severity | Score | Score | Age | Title |
|---|---|---|---|---|---|
| CVE-2026-42421 | medium | 5.4 | 5.4 | 29d ago | OpenClaw: Existing WS sessions survive shared gateway token rotation |
| CVE-2026-41916 | medium | 5.4 | 5.4 | 29d ago | OpenClaw: resolvedAuth closure becomes stale after config reload |
| CVE-2026-41406 | medium | 5.4 | 5.4 | 29d ago | OpenClaw: Feishu thread history and quoted messages bypass sender allowlist |
| CVE-2026-41402 | medium | 5.4 | 5.4 | 29d ago | OpenClaw: Zalo webhook replay cache cross-target messageId scope bypass |
| CVE-2026-41382 | medium | 5.4 | 5.4 | 29d ago | OpenClaw: Discord voice ingress authorization can be bypassed via channel, name, and stale-role validation gaps |
| CVE-2026-41381 | medium | 5.4 | 5.4 | 29d ago | OpenClaw: Discord voice manager bypasses channel-level member access allowlist |
| CVE-2026-41365 | medium | 5.4 | 5.4 | 1mo ago | OpenClaw: MSTeams thread history bypasses sender allowlist via Graph API |
| CVE-2026-41358 | medium | 5.4 | 5.4 | 1mo ago | OpenClaw: Slack thread context could include messages from non-allowlisted senders |
| CVE-2026-41356 | medium | 5.4 | 5.4 | 1mo ago | OpenClaw: Gateway `device.token.rotate` does not terminate active WebSocket sessions after credential rotation |
| CVE-2026-41348 | medium | 5.4 | 5.4 | 1mo ago | OpenClaw: Discord Slash Commands Bypass Group DM Channel Allowlist |
| CVE-2026-41341 | medium | 5.4 | 5.4 | 1mo ago | OpenClaw: Discord Component Interaction Misclassifies Group DM as Direct Message |
| CVE-2026-45002 | medium | 5.3 | 5.3 | 16d ago | OpenClaw: Hook mapping templates could bypass hook session-key opt-in |
| CVE-2026-44999 | medium | 5.3 | 5.3 | 16d ago | OpenClaw: Isolated cron awareness events were recorded as trusted system events |
| CVE-2026-43572 | medium | 5.3 | 5.3 | 23d ago | OpenClaw: Microsoft Teams SSO invoke handler missed sender authorization checks |
| CVE-2026-42427 | medium | 5.3 | 5.3 | 29d ago | OpenClaw: HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist — RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class) |
| CVE-2026-41407 | medium | 5.3 | 5.3 | 29d ago | OpenClaw: Shared-secret comparison call sites leaked length information through timing |
| CVE-2026-41374 | medium | 5.3 | 5.3 | 29d ago | OpenClaw runs Discord audio preflight transcription before member authorization |
| CVE-2026-41354 | medium | 5.3 | 5.3 | 1mo ago | OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders |
| CVE-2026-41351 | medium | 5.3 | 5.3 | 1mo ago | OpenClaw: Telnyx Webhook Replay Detection Bypass via Base64 Signature Re-encoding |
| CVE-2026-41343 | medium | 5.3 | 5.3 | 1mo ago | OpenClaw: LINE webhook handler lacks shared pre-auth concurrency budget before signature verification |
| CVE-2026-41337 | medium | 5.3 | 5.3 | 1mo ago | OpenClaw: Voice-call Plivo replay mutates in-process callback origin before replay rejection |
| CVE-2026-41335 | medium | 5.3 | 5.3 | 1mo ago | OpenClaw Has a Gateway Control Interface Information Disclosure Vulnerability |
| CVE-2026-41332 | medium | 5.3 | 5.3 | 1mo ago | OpenClaw host-env blocklist missing `GIT_TEMPLATE_DIR` and `AWS_CONFIG_FILE` allows code execution via env override |
| CVE-2026-45003 | medium | 5.0 | 5.0 | 16d ago | OpenClaw: Workspace dotenv files cannot override connector endpoint hosts |
| CVE-2026-44992 | medium | 5.0 | 5.0 | 16d ago | OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests |
| CVE-2026-42424 | medium | 5.0 | 5.0 | 29d ago | OpenClaw: Shared reply MEDIA - paths are treated as trusted and can trigger cross-channel local file exfiltration |
| CVE-2026-41393 | medium | 4.8 | 4.8 | 29d ago | OpenClaw: macOS Tailnet DNS Spoofing & Credential Exfiltration |
| CVE-2026-41398 | medium | 4.6 | 4.6 | 29d ago | OpenClaw: iOS A2UI bridge trusted generic local-network pages for agent.request dispatch |
| CVE-2026-41377 | medium | 4.6 | 4.6 | 29d ago | OpenClaw: Security Scan Failure Does Not Block Plugin Installation (Fail-Open) |
| CVE-2026-44997 | medium | 4.3 | 4.3 | 16d ago | OpenClaw's ACP child sessions inherit subagent security envelope constraints |
| CVE-2026-41910 | medium | 4.3 | 4.3 | 29d ago | OpenClaw: /allowlist omits owner-only enforcement for cross-channel allowlist writes |
| CVE-2026-41339 | medium | 4.3 | 4.3 | 1mo ago | OpenClaw: Gateway hello snapshots exposed host config and state paths to non-admin clients |
| CVE-2026-44991 | medium | 4.2 | 4.2 | 16d ago | OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners |
| CVE-2026-41403 | medium | 4.0 | 4.0 | 29d ago | OpenClaw: diffs viewer misclassifies proxied remote requests as loopback when `allowRemoteViewer` is disabled |
| CVE-2026-41913 | low | 3.7 | 3.7 | 29d ago | OpenClaw: Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths |
| CVE-2026-41333 | low | 3.7 | 3.7 | 1mo ago | OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting |
| CVE-2026-43529 | low | 2.5 | 2.5 | 23d ago | OpenClaw: TOCTOU read in exec script preflight |
| CVE-2026-40037 | unknown | — | — | 2mo ago | OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects |
| CVE-2026-40045 | unknown | — | — | 2mo ago | OpenClaw: Android accepted cleartext remote gateway endpoints and sent stored credentials over ws:// |
| CVE-2026-41295 | unknown | — | — | 2mo ago | OpenClaw: Untrusted workspace channel shadows could execute during built-in channel setup |
| CVE-2026-41298 | unknown | — | — | 2mo ago | OpenClaw: Read-scoped identity-bearing HTTP clients could kill sessions via /sessions/:sessionKey/kill |
| CVE-2026-41301 | unknown | — | — | 2mo ago | OpenClaw: Forged Nostr DMs could create pairing state before signature verification |
| CVE-2026-41297 | unknown | — | — | 2mo ago | OpenClaw: Marketplace Plugin Download Follows Redirects Without SSRF Protection |
| CVE-2026-34425 | unknown | — | — | 2mo ago | OpenClaw's complex interpreter pipelines could skip exec script preflight validation |
| CVE-2026-34511 | unknown | — | — | 2mo ago | OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter |
| CVE-2026-41300 | unknown | — | — | 2mo ago | OpenClaw: Endpoint persists after trust decline, leaking gateway credentials |
| CVE-2026-41331 | unknown | — | — | 2mo ago | OpenClaw: Telegram audio preflight transcription enables resource consumption by unauthorized senders |
| CVE-2026-41296 | unknown | — | — | 2mo ago | OpenClaw: Sandbox escape via TOCTOU race in remote FS bridge readFile |
| CVE-2026-41330 | unknown | — | — | 2mo ago | OpenClaw: Host exec environment overrides miss proxy, TLS, Docker, and Git TLS controls |
| CVE-2026-41302 | unknown | — | — | 2mo ago | OpenClaw: SSRF via Unguarded `fetch()` in Marketplace Plugin Download and Ollama Model Discovery |
| CVE-2026-41329 | unknown | — | — | 2mo ago | OpenClaw: Heartbeat context inheritance bypasses sandbox via senderIsOwner escalation |
| CVE-2026-41294 | unknown | — | — | 2mo ago | OpenClaw has a CWD `.env` environment variable injection which bypasses host-env policy and allows config takeover |
| CVE-2026-34504 | unknown | — | — | 2mo ago | OpenClaw affected by SSRF via unguarded image download in fal provider |
| CVE-2026-33578 | unknown | — | — | 2mo ago | OpenClaw: Google Chat and Zalouser group sender allowlist bypass via policy downgrade |
| CVE-2026-33577 | unknown | — | — | 2mo ago | OpenClaw: node.pair.approve missing callerScopes validation allows low-privilege operator to approve malicious nodes |
| CVE-2026-33580 | unknown | — | — | 2mo ago | OpenClaw's Nextcloud Talk webhook missing rate limiting on shared secret authentication |
| CVE-2026-41299 | unknown | — | — | 2mo ago | OpenClaw: Gateway chat.send ACP-only provenance guard could be bypassed by client identity spoofing |
| CVE-2026-33581 | unknown | — | — | 2mo ago | OpenClaw's message tool media parameter bypasses tool policy filesystem isolation |
| CVE-2026-41303 | unknown | — | — | 2mo ago | OpenClaw: Discord text `/approve` bypasses `channels.discord.execApprovals.approvers` and allows non-approvers to resolve pending exec approvals |
| CVE-2026-34503 | unknown | — | — | 2mo ago | OpenClaw's device removal and token revocation do not terminate active WebSocket sessions |
| CVE-2026-33576 | unknown | — | — | 2mo ago | OpenClaw: Zalo channel downloads media before sender authorization |
| CVE-2026-33579 | unknown | — | — | 2mo ago | OpenClaw: /pair approve command path omitted caller scope subsetting and reopened device pairing escalation |
| CVE-2026-34508 | unknown | — | — | 2mo ago | Duplicate Advisory: OpenClaw has Bypass in Webhook Rate Limiting via Pre-Authentication Secret Validation |
| CVE-2026-35620 | unknown | — | — | 2mo ago | OpenClaw: Non-owner command-authorized sender can change the owner-only `/send` session delivery policy |
| CVE-2026-35653 | unknown | — | — | 2mo ago | OpenClaw: `browser.request` still allows `POST /reset-profile` through the `operator.write` surface |
| CVE-2026-35621 | unknown | — | — | 2mo ago | OpenClaw: Gateway operator.write Can Reach Admin-Class Channel Allowlist Persistence via chat.send |
| CVE-2026-35641 | unknown | — | — | 2mo ago | OpenClaw has an Arbitrary Malicious Code Execution Vulnerability |
| CVE-2026-35619 | unknown | — | — | 2mo ago | OpenClaw has a Gateway HTTP /v1/models Route Bypasses Operator Read Scope |
| CVE-2026-35665 | unknown | — | — | 2mo ago | OpenClaw has incomplete Fix for CVE-2026-32011: Feishu Webhook Pre-Auth Body Parsing DoS (Slow-Body / Slowloris Variant) |
| CVE-2026-35668 | unknown | — | — | 2mo ago | OpenClaw has Sandbox Media Root Bypass via Unnormalized `mediaUrl` / `fileUrl` Parameter Keys (CWE-22) |
| CVE-2026-35651 | unknown | — | — | 2mo ago | OpenClaw has ACP CLI approval prompt ANSI escape sequence injection |
| CVE-2026-35661 | unknown | — | — | 2mo ago | OpenClaw: Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State |
| CVE-2026-35646 | unknown | — | — | 2mo ago | OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token |
| CVE-2026-35654 | unknown | — | — | 2mo ago | OpenClaw: MS Teams Feedback Invocation Bypasses Sender Allowlists and Records Unauthorized Session Feedback |
| CVE-2026-35645 | unknown | — | — | 2mo ago | OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin` |
| CVE-2026-35664 | unknown | — | — | 2mo ago | OpenClaw: Feishu Raw Card Send Surface Can Mint Legacy Card Callbacks That Bypass DM Pairing |
| CVE-2026-35640 | unknown | — | — | 2mo ago | OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation |
| CVE-2026-35629 | unknown | — | — | 2mo ago | OpenClaw: SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476) |
| CVE-2026-35617 | unknown | — | — | 2mo ago | OpenClaw: Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName |
| CVE-2026-35657 | unknown | — | — | 2mo ago | OpenClaw: Gateway HTTP Session History Route Bypasses Operator Read Scope |
| CVE-2026-35628 | unknown | — | — | 2mo ago | OpenClaw: Telegram Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Secret |
| CVE-2026-35647 | unknown | — | — | 2mo ago | OpenClaw: Matrix Verification Notices Bypass Matrix DM Policy and Reply to Unpaired DM Peers |
| CVE-2026-35623 | unknown | — | — | 2mo ago | OpenClaw: BlueBubbles Webhook Missing Rate Limiting Enables Brute-Force Password Guessing |
| CVE-2026-35669 | unknown | — | — | 2mo ago | OpenClaw: Gateway Plugin HTTP Auth Grants Unrestricted operator.admin Runtime Scope to All Callers |
| CVE-2026-35663 | unknown | — | — | 2mo ago | OpenClaw: Gateway Backend Reconnect lets Non-Admin Operator Scopes Self-Claim operator.admin |
| CVE-2026-35632 | unknown | — | — | 2mo ago | OpenClaw: Symlink Traversal via IDENTITY.md appendFile in agents.create/update (Incomplete Fix for CVE-2026-32013) |
| CVE-2026-35658 | unknown | — | — | 2mo ago | OpenClaw: Image Tool `tools.fs.workspaceOnly` Bypass via Sandbox Bridge Mounts |
| CVE-2026-35655 | unknown | — | — | 2mo ago | OpenClaw's Conflicting Tool Identity Hints Bypass Dangerous-Tool Prompting |
| CVE-2026-35635 | unknown | — | — | 2mo ago | OpenClaw Bypasses DM Policy Separation via Synology Chat Webhook Path Collision |
| CVE-2026-35662 | unknown | — | — | 2mo ago | OpenClaw leaf subagents can bypass controlScope restrictions to send messages to child sessions |
| CVE-2026-35656 | unknown | — | — | 2mo ago | OpenClaw: Forwarding header spoofing bypasses gateway.trustedProxies origin detection |
| CVE-2026-35639 | unknown | — | — | 2mo ago | OpenClaw Gateway: RCE and Privilege Escalation from operator.pairing to operator.admin via device.pair.approve |
| CVE-2026-35622 | unknown | — | — | 2mo ago | OpenClaw: Google Chat app-url webhook auth accepted non-deployment add-on principals |
| CVE-2026-35624 | unknown | — | — | 2mo ago | OpenClaw: Nextcloud Talk room allowlist matched colliding room names instead of stable room tokens |
| CVE-2026-35649 | unknown | — | — | 2mo ago | OpenClaw: Tlon settings empty-allowlist reconciliation bypassed intended revocation |
| CVE-2026-35637 | unknown | — | — | 2mo ago | OpenClaw: Tlon cite expansion happens before channel and DM authorization is complete |
| CVE-2026-35652 | unknown | — | — | 2mo ago | OpenClaw: Mattermost callback dispatch allowed non-allowlisted sender actions |
| CVE-2026-35648 | unknown | — | — | 2mo ago | OpenClaw may have stale policy enforcement for queued node actions |
| CVE-2026-35650 | unknown | — | — | 2mo ago | OpenClaw has Inconsistent Host Exec Environment Override Sanitization |
| CVE-2026-35626 | unknown | — | — | 2mo ago | OpenClaw is vulnerable to unauthenticated resource exhaustion through its voice call webhook handling |