Package impact

npm / openclaw

critical high medium low unknown

0

KEV Has exploit

CVE	Severity	CVSS	Risk	Published	Description	Impact
CVE-2026-32037	unknown	—	—	3mo ago	OpenClaw's MSTeams attachment redirect handling could bypass configured media host allowlists
CVE-2026-28393	unknown	—	—	3mo ago	OpenClaw's hook transform module path allows traversal and arbitrary JavaScript module loading
CVE-2026-32000	unknown	—	—	3mo ago	OpenClaw has command injection via Windows shell fallback in Lobster tool execution
CVE-2026-31992	unknown	—	—	3mo ago	OpenClaw has allowlist exec-guard bypass via env -S
CVE-2026-32016	unknown	—	—	3mo ago	OpenClaw: macOS optional allowlist basename matching could bypass path-based policy
CVE-2026-32003	unknown	—	—	3mo ago	OpenClaw has system.run shell-wrapper env injection via SHELLOPTS/PS4 can bypass allowlist intent (RCE)
CVE-2026-32014	unknown	—	—	3mo ago	OpenClaw: Node reconnect metadata spoofing could bypass platform-based node command policy
CVE-2026-32024	unknown	—	—	3mo ago	OpenClaw's avatar symlink traversal can expose out-of-workspace local files
CVE-2026-32038	unknown	—	—	3mo ago	OpenClaw has a sandbox network isolation bypass via docker.network=container:<id>
CVE-2026-27545	unknown	—	—	3mo ago	OpenClaw: Node system.run approval bypass via parent-symlink cwd rebind
CVE-2026-27522	unknown	—	—	3mo ago	OpenClaw: Message action attachment hydration bypasses local media root checks when sandboxRoot is unset
CVE-2026-32065	unknown	—	—	3mo ago	OpenClaw: system.run approval identity mismatch could execute a different binary than displayed
CVE-2026-28466	unknown	—	—	3mo ago	OpenClaw Vulnerable to Remote Code Execution via Node Invoke Approval Bypass in Gateway
CVE-2026-28486	unknown	—	—	3mo ago	OpenClaw vulnerable to path traversal (Zip Slip) in archive extraction during explicit installation commands
CVE-2026-28457	unknown	—	—	3mo ago	OpenClaw's sandbox skill mirroring path traversal vulnerability could write outside the sandbox workspace
CVE-2026-28464	unknown	—	—	3mo ago	OpenClaw has non-constant-time token comparison in hooks authentication
CVE-2026-28475	unknown	—	—	3mo ago	OpenClaw: Config writes could persist resolved ${VAR} secrets to disk
CVE-2026-28453	unknown	—	—	3mo ago	OpenClaw has Zip Slip path traversal in tar archive extraction
CVE-2026-32013	unknown	—	—	3mo ago	OpenClaw gateway agents.files symlink escape allowed out-of-workspace file read/write
CVE-2026-32058	unknown	—	—	3mo ago	OpenClaw Node system.run approval context-binding weakness in approval-enabled host=node flows
CVE-2026-32049	unknown	—	—	3mo ago	OpenClaw's inbound media downloads could exceed configured byte limits before rejection across multiple channels
CVE-2026-22175	unknown	—	—	3mo ago	OpenClaw's exec allow-always can be bypassed via unrecognized multiplexer shell wrappers (busybox/toybox sh -c)
CVE-2026-29607	unknown	—	—	3mo ago	OpenClaw's allow-always wrapper persistence could bypass future approvals and enable command execution
CVE-2026-32020	unknown	—	—	3mo ago	OpenClaw's Control UI Static File Handler Follows Symlinks and Allows Out-of-Root File Read
CVE-2026-32054	unknown	—	—	3mo ago	OpenClaw has browser trace/download path symlink escape in temp output handling
CVE-2026-22178	unknown	—	—	3mo ago	OpenClaw has ReDoS and regex injection via unescaped Feishu mention metadata in RegExp construction
CVE-2026-31993	unknown	—	—	3mo ago	OpenClaw macOS companion app (beta): allowlist parsing mismatch for system.run shell chains
CVE-2026-22168	unknown	—	—	3mo ago	OpenClaw has Windows system.run approval mismatch on cmd.exe /c trailing arguments
CVE-2026-31991	unknown	—	—	3mo ago	OpenClaw has Signal group allowlist authorization bypass via DM pairing-store leakage
CVE-2026-31997	unknown	—	—	3mo ago	OpenClaw: system.run approvals did not bind PATH-token executable identity, enabling post-approval executable rebind
CVE-2026-31989	unknown	—	—	3mo ago	OpenClaw has web_search citation redirect SSRF via private-network-allowing policy
CVE-2026-31999	unknown	—	—	3mo ago	CpenClaw's ACPX Windows wrapper shell fallback allowed cwd injection in specific paths
CVE-2026-32048	unknown	—	—	3mo ago	OpenClaw's sandboxed sessions_spawn now enforces sandbox inheritance for cross-agent spawns
CVE-2026-32066	unknown	—	—	3mo ago	OpenClaw has unbounded memory growth in Zalo webhook via query-string key churn (unauthenticated DoS)
CVE-2026-28461	unknown	—	—	3mo ago	OpenClaw has unbounded memory growth in Zalo webhook via query-string key churn (unauthenticated DoS)
CVE-2026-32041	unknown	—	—	3mo ago	OpenClaw: Browser control startup could continue unauthenticated after auth bootstrap failure
CVE-2026-32898	unknown	—	—	3mo ago	OpenClaw ACP client has permission auto-approval bypass via untrusted tool metadata
CVE-2026-4039	unknown	—	—	3mo ago	OpenClaw: Skill env override host env injection via applySkillConfigEnvOverrides (defense-in-depth)
CVE-2026-27576	unknown	—	—	3mo ago	OpenClaw: ACP prompt-size checks missing in local stdio bridge could reduce responsiveness with very large inputs
CVE-2026-27488	unknown	—	—	3mo ago	OpenClaw hardened cron webhook delivery against SSRF
CVE-2026-27485	unknown	—	—	3mo ago	OpenClaw: Reject symlinks in local skill packaging script
CVE-2026-27484	unknown	—	—	3mo ago	OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows
CVE-2026-4040	unknown	—	—	3mo ago	OpenClaw safeBins file-existence oracle information disclosure
CVE-2026-31996	unknown	—	—	3mo ago	OpenClaw safeBins stdin-only bypass via sort output and recursive grep flags
CVE-2026-32060	unknown	—	—	3mo ago	OpenClaw has a path traversal in apply_patch could write/delete files outside the workspace
CVE-2026-28479	unknown	—	—	3mo ago	OpenClaw replaced a deprecated sandbox hash algorithm
CVE-2026-28394	unknown	—	—	3mo ago	OpenClaw has a Web Fetch DoS via unbounded response parsing
CVE-2026-27009	unknown	—	—	3mo ago	OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection
CVE-2026-27008	unknown	—	—	3mo ago	OpenClaw hardened the skill download target directory validation
CVE-2026-27007	unknown	—	—	3mo ago	OpenClaw's sandbox config hash sorted primitive arrays and suppressed needed container recreation
CVE-2026-27004	unknown	—	—	3mo ago	OpenClaw session tool visibility hardening and Telegram webhook secret fallback
CVE-2026-27003	unknown	—	—	3mo ago	OpenClaw: Telegram bot token exposure via logs
CVE-2026-27002	unknown	—	—	3mo ago	OpenClaw: Docker container escape via unvalidated bind mount config injection
CVE-2026-27001	unknown	—	—	3mo ago	OpenClaw: Unsanitized CWD path injection into LLM prompts
CVE-2026-28468	unknown	—	—	3mo ago	OpenClaw has an authentication bypass in sandbox browser bridge server
CVE-2026-28451	unknown	—	—	3mo ago	OpenClaw has two SSRF via sendMediaFeishu and markdown image fetching in Feishu extension
CVE-2026-29611	unknown	—	—	3mo ago	OpenClaw has a LFI in BlueBubbles media path handling
CVE-2026-27486	unknown	—	—	3mo ago	OpenClaw: Process Safety - Unvalidated PID Kill via SIGKILL in Process Cleanup
CVE-2026-28477	unknown	—	—	3mo ago	OpenClaw Chutes manual OAuth state validation bypass can cause credential substitution
CVE-2026-27487	unknown	—	—	3mo ago	OpenClaw: Prevent shell injection in macOS keychain credential write
CVE-2026-28462	unknown	—	—	3mo ago	OpenClaw has a path traversal in browser trace/download output paths may allow arbitrary file writes
CVE-2026-26972	unknown	—	—	3mo ago	OpenClaw has a Path Traversal in Browser Download Functionality
CVE-2026-28456	unknown	—	—	3mo ago	OpenClaw affected by potential code execution via unsafe hook module path handling in Gateway
CVE-2026-28482	unknown	—	—	3mo ago	OpenClaw's unsanitized session ID enables path traversal in transcript file operations
CVE-2026-29610	unknown	—	—	3mo ago	OpenClaw: Command hijacking via unsafe PATH handling (bootstrapping + node-host PATH overrides)
CVE-2026-28476	unknown	—	—	3mo ago	OpenClaw affected by SSRF in optional Tlon (Urbit) extension authentication
CVE-2026-29606	unknown	—	—	3mo ago	OpenClaw Twilio voice-call webhook auth bypass when ngrok loopback compatibility is enabled
CVE-2026-28480	unknown	—	—	3mo ago	OpenClaw Telegram allowlist authorization accepted mutable usernames
CVE-2026-28469	unknown	—	—	3mo ago	OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting
CVE-2026-26317	unknown	—	—	3mo ago	OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints
CVE-2026-28478	unknown	—	—	3mo ago	OpenClaw affected by denial of service via unbounded webhook request body buffering
CVE-2026-28452	unknown	—	—	3mo ago	OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR)
CVE-2026-29612	unknown	—	—	3mo ago	OpenClaw: denial of service through large base64 media files allocating large buffers before limit checks
CVE-2026-29609	unknown	—	—	3mo ago	OpenClaw affected by denial of service via unbounded URL-backed media fetch
CVE-2026-28392	unknown	—	—	3mo ago	OpenClaw Slack: dmPolicy=open allowed any DM sender to run privileged slash commands
CVE-2026-28463	unknown	—	—	3mo ago	OpenClaw exec approvals: safeBins could bypass stdin-only constraints via shell expansion
CVE-2026-26323	unknown	—	—	3mo ago	OpenClaw has a command injection in maintainer clawtributors updater
CVE-2026-26329	unknown	—	—	3mo ago	OpenClaw has a path traversal in browser upload allows local file read
CVE-2026-26328	unknown	—	—	3mo ago	OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities
CVE-2026-26327	unknown	—	—	3mo ago	OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning
CVE-2026-26326	unknown	—	—	3mo ago	OpenClaw skills.status could leak secrets to operator.read clients
CVE-2026-26325	unknown	—	—	3mo ago	OpenClaw Node host system.run rawCommand/command mismatch can bypass allowlist/approvals
CVE-2026-26324	unknown	—	—	3mo ago	OpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reachable)
CVE-2026-26322	unknown	—	—	3mo ago	OpenClaw Gateway tool allowed unrestricted gatewayUrl override
CVE-2026-26321	unknown	—	—	3mo ago	OpenClaw has a local file disclosure via sendMediaFeishu in Feishu extension
CVE-2026-26320	unknown	—	—	3mo ago	OpenClaw macOS deep link confirmation truncation can conceal executed agent message
CVE-2026-26319	unknown	—	—	3mo ago	OpenClaw is Missing Webhook Authentication in Telnyx Provider Allows Unauthenticated Requests
CVE-2026-28447	unknown	—	—	3mo ago	OpenClaw has a Path Traversal in Plugin Installation
CVE-2026-28473	unknown	—	—	3mo ago	OpenClaw authorization bypass: operator.write can resolve exec approvals via chat.send -> /approve
CVE-2026-28481	unknown	—	—	3mo ago	OpenClaw MS Teams inbound attachment downloader leaks bearer tokens to allowlisted suffix domains
CVE-2026-28448	unknown	—	—	3mo ago	OpenClaw Twitch allowFrom is not enforced in optional plugin, unauthorized chat users can trigger agent pipeline
CVE-2026-28446	unknown	—	—	3mo ago	OpenClaw has an inbound allowlist policy bypass in voice-call extension (empty caller ID + suffix matching)
CVE-2026-28454	unknown	—	—	3mo ago	OpenClaw has a potential access-group authorization bypass if channel type lookup fails
CVE-2026-28471	unknown	—	—	3mo ago	OpenClaw has a Matrix allowlist bypass via displayName and cross-homeserver localpart matching
CVE-2026-26316	unknown	—	—	3mo ago	OpenClaw BlueBubbles webhook auth bypass via loopback proxy trust
CVE-2026-28450	unknown	—	—	3mo ago	OpenClaw's unauthenticated Nostr profile HTTP endpoints allow remote profile/config tampering
CVE-2026-28467	unknown	—	—	3mo ago	OpenClaw affected by SSRF via attachment/media URL hydration
CVE-2026-25474	unknown	—	—	3mo ago	OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass
CVE-2026-24764	unknown	—	—	3mo ago	OpenClaw Affected by Remote Code Execution via System Prompt Injection in Slack Channel Descriptions
CVE-2026-29613	unknown	—	—	3mo ago	OpenClaw has a webhook auth bypass when gateway is behind a reverse proxy (loopback remoteAddress trust)