| CVE | Severity | Score | Score | Age | Title |
|---|---|---|---|---|---|
| CVE-2026-44109 | critical | 9.8 | 9.8 | 22d ago | OpenClaw: Feishu webhook and card-action validation now fail closed |
| CVE-2026-43585 | critical | 9.8 | 9.8 | 22d ago | OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation |
| CVE-2026-43566 | critical | 9.8 | 9.8 | 23d ago | OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events |
| CVE-2026-43534 | critical | 9.8 | 9.8 | 23d ago | OpenClaw: Agent hook events could enqueue trusted system events from unsanitized external input |
| CVE-2026-41386 | critical | 9.8 | 9.8 | 1mo ago | OpenClaw: Unbound bootstrap setup codes allow privilege escalation during pairing |
| CVE-2026-44112 | critical | 9.6 | 9.6 | 22d ago | OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root |
| CVE-2026-41397 | critical | 9.6 | 9.6 | 1mo ago | OpenClaw: OpenShell Mirror Sync — Sandbox Escape via Unrestricted File Sync + Symlink Traversal |
| CVE-2026-43526 | critical | 9.3 | 9.3 | 23d ago | OpenClaw: QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes |
| CVE-2026-28395 | critical | 9.1 | 9.1 | 3mo ago | OpenClaw's Chrome extension relay binds publicly due to wildcard treated as loopback |
| CVE-2026-43584 | high | 8.8 | 8.8 | 22d ago | OpenClaw: Exec environment denylist missed high-risk interpreter startup variables |
| CVE-2026-43571 | high | 8.8 | 8.8 | 23d ago | OpenClaw: Channel setup catalog lookups could include untrusted workspace plugin shadows |
| CVE-2026-43569 | high | 8.8 | 8.8 | 23d ago | OpenClaw: Workspace provider auth choices could auto-enable untrusted provider plugins |
| CVE-2026-43531 | high | 8.8 | 8.8 | 23d ago | OpenClaw: Workspace .env could inject OpenClaw runtime-control variables |
| CVE-2026-43530 | high | 8.8 | 8.8 | 23d ago | OpenClaw: busybox and toybox applet execution weakened exec approval binding |
| CVE-2026-42435 | high | 8.8 | 8.8 | 23d ago | OpenClaw: Shell-wrapper detection missed env-argv assignment injection forms |
| CVE-2026-42434 | high | 8.8 | 8.8 | 23d ago | OpenClaw: Sandboxed agents could escape exec routing via host=node override |
| CVE-2026-42426 | high | 8.8 | 8.8 | 1mo ago | OpenClaw `node.pair.approve` placed in `operator.write` scope instead of `operator.pairing` allows unprivileged pairing approval |
| CVE-2026-42422 | high | 8.8 | 8.8 | 1mo ago | OpenClaw `device.token.rotate` mints tokens for unapproved roles, bypassing device role-upgrade pairing |
| CVE-2026-41404 | high | 8.8 | 8.8 | 1mo ago | OpenClaw: Incomplete scope-clearing fix allows operator.admin escalation via trusted-proxy auth mode |
| CVE-2026-41378 | high | 8.8 | 8.8 | 1mo ago | OpenClaw: Paired node escalates to gateway RCE via unrestricted node.event agent dispatch |
| CVE-2026-41359 | high | 8.8 | 8.8 | 1mo ago | OpenClaw: Gateway operator.write Can Reach Admin-Class Telegram Config and Cron Persistence via send |
| CVE-2026-41352 | high | 8.8 | 8.8 | 1mo ago | OpenClaw: Device-Paired Node Skips Node Scope Gate → Host RCE.md |
| CVE-2026-41344 | high | 8.8 | 8.8 | 1mo ago | OpenClaw: Gateway `operator.write` can reach admin-only persisted `verboseLevel` via `chat.send` `/verbose` |
| CVE-2026-44116 | high | 8.6 | 8.6 | 22d ago | OpenClaw validates Zalo outbound photo URLs through the SSRF guard |
| CVE-2026-43533 | high | 8.6 | 8.6 | 23d ago | OpenClaw: QQBot media tags could read arbitrary local files through reply text |
| CVE-2026-42439 | high | 8.5 | 8.5 | 23d ago | OpenClaw: Browser tabs action select and close routes bypassed SSRF policy |
| CVE-2026-41914 | high | 8.5 | 8.5 | 1mo ago | OpenClaw QQ Bot Extension missing SSRF Protection on All Media Fetch Paths |
| CVE-2026-41394 | high | 8.2 | 8.2 | 1mo ago | OpenClaw: Unauthenticated plugin-auth HTTP routes receive operator runtime scopes |
| CVE-2026-43535 | high | 8.1 | 8.1 | 23d ago | OpenClaw: Collect-mode queue batches could reuse the last sender authorization context |
| CVE-2026-42431 | high | 8.1 | 8.1 | 1mo ago | OpenClaw `node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard |
| CVE-2026-41383 | high | 8.1 | 8.1 | 1mo ago | OpenClaw: OpenShell mirror mode could delete arbitrary remote directories when roots were mis-scoped |
| CVE-2026-41364 | high | 8.1 | 8.1 | 1mo ago | OpenClaw: SSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host |
| CVE-2026-41342 | high | 8.1 | 8.1 | 1mo ago | OpenClaw: CLI Remote Onboarding Persists Unauthenticated Discovery Endpoint and Exfiltrates Gateway Credentials |
| CVE-2026-6011 | high | 8.1 | 8.1 | 2mo ago | OpenClaw vulnerable to SSRF in src/agents/tools/web-fetch.ts |
| CVE-2026-32067 | high | 8.1 | 8.1 | 2mo ago | OpenClaw has cross-account DM pairing authorization bypass via unscoped pairing store access |
| CVE-2026-45004 | high | 7.8 | 7.8 | 17d ago | OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution |
| CVE-2026-44118 | high | 7.8 | 7.8 | 22d ago | OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens |
| CVE-2026-44114 | high | 7.8 | 7.8 | 22d ago | OpenClaw: Workspace dotenv could override runtime-control environment variables |
| CVE-2026-42432 | high | 7.8 | 7.8 | 1mo ago | OpenClaw: Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement |
| CVE-2026-41396 | high | 7.8 | 7.8 | 1mo ago | OpenClaw: Workspace `.env` can override the bundled plugin trust root |
| CVE-2026-41387 | high | 7.8 | 7.8 | 1mo ago | OpenClaw's incomplete host env sanitization blocklist allows supply-chain redirection via package-manager env overrides |
| CVE-2026-41384 | high | 7.8 | 7.8 | 1mo ago | OpenClaw Has Incomplete Fix for CVE-2026-4039: CLI Backend Environment Variable Injection via Workspace Config |
| CVE-2026-41336 | high | 7.8 | 7.8 | 1mo ago | OpenClaw: Workspace `.env` can override the bundled hooks root and load attacker hook code |
| CVE-2026-44113 | high | 7.7 | 7.7 | 22d ago | OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes |
| CVE-2026-43580 | high | 7.7 | 7.7 | 22d ago | OpenClaw: Browser press/type interaction routes missed complete navigation guard coverage |
| CVE-2026-43576 | high | 7.7 | 7.7 | 22d ago | OpenClaw: CDP /json/version WebSocket URL could pivot to untrusted second-hop targets |
| CVE-2026-43573 | high | 7.7 | 7.7 | 23d ago | OpenClaw: Existing-session browser interaction routes bypassed SSRF policy enforcement |
| CVE-2026-43532 | high | 7.7 | 7.7 | 23d ago | OpenClaw: Discord event cover images bypassed sandbox media normalization |
| CVE-2026-43527 | high | 7.7 | 7.7 | 23d ago | OpenClaw: Browser SSRF policy default allowed private-network navigation |
| CVE-2026-42438 | high | 7.7 | 7.7 | 23d ago | OpenClaw: Sender policy bypass in host media attachment reads allows unauthorized local file disclosure |
| CVE-2026-42436 | high | 7.7 | 7.7 | 23d ago | OpenClaw: Browser snapshot and screenshot routes could expose internal page content after navigation |
| CVE-2026-41912 | high | 7.6 | 7.6 | 1mo ago | OpenClaw has Browser SSRF Policy Bypass via Interaction-Triggered Navigation |
| CVE-2026-42437 | high | 7.5 | 7.5 | 23d ago | OpenClaw: Voice-call realtime WebSocket accepted oversized frames |
| CVE-2026-42423 | high | 7.5 | 7.5 | 1mo ago | OpenClaw: strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts |
| CVE-2026-41405 | high | 7.5 | 7.5 | 1mo ago | OpenClaw: MS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion |
| CVE-2026-41400 | high | 7.5 | 7.5 | 1mo ago | OpenClaw: Voice-call still parses large WebSocket frames before start validation (Incomplete fix for CVE-2026-32062) |
| CVE-2026-41399 | high | 7.5 | 7.5 | 1mo ago | OpenClaw: Gateway WebSocket Denial of Service via unbounded pre-auth upgrades |
| CVE-2026-41395 | high | 7.5 | 7.5 | 1mo ago | OpenClaw: Voice-call Plivo V3 webhook replay key uses unsorted URL, allowing replay via query-parameter reordering |
| CVE-2026-41346 | high | 7.5 | 7.5 | 1mo ago | OpenClaw: Pairing pending-request caps were enforced per channel instead of per account |
| CVE-2026-32846 | high | 7.5 | 7.5 | 2mo ago | OpenClaw is vulnerable to Path Traversal through path validation bypass |
| CVE-2026-32062 | high | 7.5 | 7.5 | 3mo ago | OpenClaw voice-call media stream validated streams after upgrade, which could allow pre-start unauthenticated sockets to increase resource pressure |
| CVE-2026-44995 | high | 7.3 | 7.3 | 17d ago | OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config |
| CVE-2026-41392 | high | 7.3 | 7.3 | 1mo ago | OpenClaw: Shell init-file options could satisfy exec allowlist script matching |
| CVE-2026-41390 | high | 7.3 | 7.3 | 1mo ago | OpenClaw has a gateway exec allowlist allow-always bypass via unregistered /usr/bin/script wrapper |
| CVE-2026-41380 | high | 7.3 | 7.3 | 1mo ago | OpenClaw gateway exec allow-always over-trusts positional carrier executables |
| CVE-2026-41355 | high | 7.3 | 7.3 | 1mo ago | OpenClaw: OpenShell `mirror` mode can convert untrusted sandbox files into explicitly enabled workspace hooks and execute them on the host during gateway startup |
| CVE-2026-42429 | high | 7.1 | 7.1 | 1mo ago | OpenClaw: Gateway plugin HTTP `auth: gateway` widens identity-bearing `operator.read` requests into runtime `operator.write` |
| CVE-2026-42428 | high | 7.1 | 7.1 | 1mo ago | OpenClaw B-M3: ClawHub package downloads are not enforced with integrity verification |
| CVE-2026-41379 | high | 7.1 | 7.1 | 1mo ago | OpenClaw: Gateway operator.write Can Reach Admin-Class Talk Voice Config Persistence via chat.send |
| CVE-2026-41347 | high | 7.1 | 7.1 | 1mo ago | OpenClaw: HTTP operator endpoints lack browser-origin validation in trusted-proxy mode |
| CVE-2026-43583 | medium | 6.5 | 6.5 | 22d ago | OpenClaw: Delivery queue recovery could lose group tool-policy context for media replay |
| CVE-2026-43574 | medium | 6.5 | 6.5 | 23d ago | OpenClaw: Empty approver lists could grant explicit approval authorization |
| CVE-2026-43570 | medium | 6.5 | 6.5 | 23d ago | OpenClaw contains a symlink traversal vulnerability |
| CVE-2026-43568 | medium | 6.5 | 6.5 | 23d ago | OpenClaw: Memory dreaming config persistence was reachable from operator.write commands |
| CVE-2026-43567 | medium | 6.5 | 6.5 | 23d ago | OpenClaw: screen_record outPath bypassed workspace-only filesystem guard |
| CVE-2026-43528 | medium | 6.5 | 6.5 | 23d ago | OpenClaw: config.get redaction bypass through sourceConfig and runtimeConfig aliases |
| CVE-2026-42433 | medium | 6.5 | 6.5 | 23d ago | OpenClaw: Matrix profile config persistence was reachable from operator.write message tools |
| CVE-2026-42430 | medium | 6.5 | 6.5 | 1mo ago | OpenClaw: Strict browser SSRF bypass in Playwright redirect handling leaves private targets reachable |
| CVE-2026-42420 | medium | 6.5 | 6.5 | 1mo ago | OpenClaw: Multiple Code Paths Missing Base64 Pre-Allocation Size Checks |
| CVE-2026-41911 | medium | 6.5 | 6.5 | 1mo ago | OpenClaw: Feishu docx upload_file/upload_image Bypasses Workspace-Only Filesystem Policy (GHSA-qf48-qfv4-jjm9 Incomplete Fix) |
| CVE-2026-41408 | medium | 6.5 | 6.5 | 1mo ago | OpenClaw: Tlon media downloads can bypass core safety limits and exhaust disk |
| CVE-2026-41388 | medium | 6.5 | 6.5 | 1mo ago | OpenClaw: Tlon Startup Migration Rehydrates Empty-Array Revocations From File Config |
| CVE-2026-41385 | medium | 6.5 | 6.5 | 1mo ago | OpenClaw Nostr privateKey config redaction bypass leaks plaintext signing key via config.get |
| CVE-2026-41376 | medium | 6.5 | 6.5 | 1mo ago | OpenClaw: Matrix thread root and reply context bypass sender allowlist |
| CVE-2026-41375 | medium | 6.5 | 6.5 | 1mo ago | OpenClaw: `/phone arm`/`/phone disarm` Bypasses `operator.admin` Scope Check for External Channels |
| CVE-2026-41369 | medium | 6.5 | 6.5 | 1mo ago | OpenClaw: Host exec environment sanitization misses package, registry, Docker, compiler, and TLS override variables |
| CVE-2026-41363 | medium | 6.5 | 6.5 | 1mo ago | OpenClaw: Feishu extension resolveUploadInput bypasses file-system sandbox and allows arbitrary file reads via upload_image |
| CVE-2026-41908 | medium | 6.5 | 6.5 | 1mo ago | OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization |
| CVE-2026-32896 | medium | 6.5 | 6.5 | 2mo ago | OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback) |
| CVE-2026-32022 | medium | 6.5 | 6.5 | 2mo ago | OpenClaw safeBins grep -e File Read Bypass (stdin-only policy bypass) |
| CVE-2026-43582 | medium | 6.3 | 6.3 | 22d ago | OpenClaw: Browser SSRF hostname validation could be bypassed by DNS rebinding |
| CVE-2026-41915 | medium | 6.1 | 6.1 | 1mo ago | OpenClaw: GIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant) |
| CVE-2026-41391 | medium | 6.1 | 6.1 | 1mo ago | OpenClaw: PIP_INDEX_URL and UV_INDEX_URL bypass host exec env sanitization and redirect Python package-index traffic |
| CVE-2026-41373 | medium | 6.1 | 6.1 | 1mo ago | OpenClaw: Incomplete host-env-security-policy allows untrusted model to substitute compiler binaries via env overrides |
| CVE-2026-35667 | medium | 6.1 | 6.1 | 2mo ago | OpenClaw has incomplete Fix for CVE-2026-27486: Unvalidated SIGKILL in `!stop` Chat Command via `shell-utils.ts` |
| CVE-2026-22217 | medium | 6.1 | 6.1 | 2mo ago | OpenClaw: shell-env trusted-prefix fallback allowed attacker-controlled binary execution via $SHELL |
| CVE-2026-45005 | medium | 6.0 | 6.0 | 17d ago | OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload |
| CVE-2026-44117 | medium | 5.8 | 5.8 | 22d ago | OpenClaw: QQBot direct media upload skipped URL SSRF validation |
| CVE-2026-41372 | medium | 5.8 | 5.8 | 1mo ago | OpenClaw: Trailing-dot localhost CDP hosts could bypass remote loopback protections |
| CVE-2026-41389 | medium | 5.8 | 5.8 | 1mo ago | OpenClaw: Webchat media embedding enforces local-root containment for tool-result files |