npm package

openclaw

pkg:npm/openclaw

Vulnerabilities (392)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-44118	Hig	7.8	< 2026.4.22	2026.4.22	May 6, 2026	OpenClaw before 2026.4.22 derives loopback MCP owner context from spoofable server-issued bearer tokens in request headers. Non-owner loopback clients can present themselves as owner to bypass owner-gated operations by manipulating the sender-owner header metadata.
CVE-2026-44117	Med	5.8	< 2026.4.20	2026.4.20	May 6, 2026	OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in QQBot direct media upload that skips URL validation. Attackers can bypass SSRF protections by sending crafted image URLs to uploadC2CMedia and uploadGroupMedia endpoints to relay unintended requests
CVE-2026-44116	Hig	8.6	< 2026.4.22	2026.4.22	May 6, 2026	OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, en
CVE-2026-44114	Hig	7.8	< 2026.4.20	2026.4.20	May 6, 2026	OpenClaw before 2026.4.20 fails to properly reserve the OPENCLAW_ runtime-control environment namespace in workspace dotenv files, allowing attackers to override critical runtime variables. Malicious workspaces can set variables like OPENCLAW_GIT_DIR to manipulate trusted OpenCla
CVE-2026-44113	Hig	7.7	< 2026.4.22	2026.4.22	May 6, 2026	OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in the OpenShell filesystem bridge that allows attackers to read files outside the intended mount root. Attackers can exploit symlink swaps during filesystem operations to bypass sandbox restrictions an
CVE-2026-44112	Cri	9.6	< 2026.4.22	2026.4.22	May 6, 2026	OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in OpenShell sandbox filesystem writes that allows attackers to redirect writes outside the intended mount root. Attackers can exploit symlink swaps during filesystem operations to bypass sandbox restri
CVE-2026-44109	Cri	9.8	< 2026.4.15	2026.4.15	May 6, 2026	OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting request
CVE-2026-43585	Hig	8.1	< 2026.4.15	2026.4.15	May 6, 2026	OpenClaw before 2026.4.15 captures resolved bearer-auth configuration at startup, allowing revoked tokens to remain valid after SecretRef rotation. Gateway HTTP and WebSocket handlers fail to re-resolve authentication per-request, enabling attackers to use rotated-out bearer toke
CVE-2026-43584	Hig	8.8	< 2026.4.10	2026.4.10	May 6, 2026	OpenClaw before 2026.4.10 contains an insufficient environment variable denylist vulnerability in its exec environment policy that allows operator-supplied overrides of high-risk interpreter startup variables including VIMINIT, EXINIT, LUA_INIT, and HOSTALIASES. Attackers can exp
CVE-2026-43583	Med	5.3	>= 2026.4.10, < 2026.4.14	2026.4.14	May 6, 2026	OpenClaw versions 2026.4.10 before 2026.4.14 fail to persist session context during delivery queue recovery for media replay. Attackers can exploit recovered queued outbound media to bypass group tool policy enforcement and weaken channel media restrictions after service restart
CVE-2026-43582	Med	6.3	< 2026.4.10	2026.4.10	May 6, 2026	OpenClaw before 2026.4.10 contains a server-side request forgery vulnerability in browser navigation policy that allows attackers to bypass hostname validation through DNS rebinding attacks. Attackers can exploit inconsistent hostname resolution between validation and actual netw
CVE-2026-43580	Hig	7.7	< 2026.4.10	2026.4.10	May 6, 2026	OpenClaw before 2026.4.10 contains an incomplete navigation guard vulnerability that allows attackers to trigger navigation without complete SSRF policy enforcement. Browser press/type style interactions, including pressKey and type submit flows, can bypass post-action security c
CVE-2026-43576	Hig	7.7	< 2026.4.5	2026.4.5	May 6, 2026	OpenClaw before 2026.4.5 contains a server-side request forgery vulnerability in the CDP /json/version WebSocket endpoint that allows attackers to pivot to untrusted second-hop targets. The webSocketDebuggerUrl response field is not properly validated, enabling attackers to redir
CVE-2026-43574	Med	6.5	< 2026.4.12	2026.4.12	May 5, 2026	OpenClaw before 2026.4.12 contains an improper authorization vulnerability in helper-backed channels where empty resolved approver lists are interpreted as explicit approval authorization. Attackers can resolve pending approvals without proper authorization by exploiting this log
CVE-2026-43573	Hig	7.7	< 2026.4.10	2026.4.10	May 5, 2026	OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in existing-session browser interaction routes. Attackers can bypass SSRF navigation guards to interact with or navigate to unauthorized targets without policy enforcement.
CVE-2026-43572	Med	5.3	>= 2026.4.10, < 2026.4.14	2026.4.14	May 5, 2026	OpenClaw versions 2026.4.10 before 2026.4.14 contain a missing authorization vulnerability in the Microsoft Teams SSO invoke handler that fails to apply sender allowlist checks. Attackers can bypass sender authorization by sending SSO invoke requests that are processed without pr
CVE-2026-43571	Hig	8.8	< 2026.4.10	2026.4.10	May 5, 2026	OpenClaw before 2026.4.10 contains a plugin trust bypass vulnerability that allows channel setup catalog lookups to resolve workspace plugin shadows before bundled channel plugins. Attackers can exploit this by crafting malicious workspace plugins that bypass intended trust gates
CVE-2026-43570	Med	6.5	>= 2026.3.22, < 2026.4.5	2026.4.5	May 5, 2026	OpenClaw versions 2026.3.22 before 2026.4.5 contain a symlink traversal vulnerability in remote marketplace repository path handling that allows attackers to escape the expected repository root. Attackers can exploit this by providing crafted symlink paths to access files outside
CVE-2026-43569	Hig	8.8	< 2026.4.9	2026.4.9	May 5, 2026	OpenClaw before 2026.4.9 contains an authentication bypass vulnerability allowing untrusted workspace plugins to be auto-enabled during non-interactive onboarding when provider auth choices are shadowed. Attackers can exploit this by crafting malicious workspace plugins that are
CVE-2026-43568	Med	6.5	>= 2026.4.5, < 2026.4.10	2026.4.10	May 5, 2026	OpenClaw versions 2026.4.5 before 2026.4.10 contain a privilege escalation vulnerability allowing write-scoped operators to modify persistent memory dreaming settings. Attackers with write-scoped gateway access can toggle admin-class configuration mutations through the /dreaming

CVE-2026-44118HigMay 6, 2026
affected < 2026.4.22fixed 2026.4.22
OpenClaw before 2026.4.22 derives loopback MCP owner context from spoofable server-issued bearer tokens in request headers. Non-owner loopback clients can present themselves as owner to bypass owner-gated operations by manipulating the sender-owner header metadata.
CVE-2026-44117MedMay 6, 2026
affected < 2026.4.20fixed 2026.4.20
OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in QQBot direct media upload that skips URL validation. Attackers can bypass SSRF protections by sending crafted image URLs to uploadC2CMedia and uploadGroupMedia endpoints to relay unintended requests
CVE-2026-44116HigMay 6, 2026
affected < 2026.4.22fixed 2026.4.22
OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, en
CVE-2026-44114HigMay 6, 2026
affected < 2026.4.20fixed 2026.4.20
OpenClaw before 2026.4.20 fails to properly reserve the OPENCLAW_ runtime-control environment namespace in workspace dotenv files, allowing attackers to override critical runtime variables. Malicious workspaces can set variables like OPENCLAW_GIT_DIR to manipulate trusted OpenCla
CVE-2026-44113HigMay 6, 2026
affected < 2026.4.22fixed 2026.4.22
OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in the OpenShell filesystem bridge that allows attackers to read files outside the intended mount root. Attackers can exploit symlink swaps during filesystem operations to bypass sandbox restrictions an
CVE-2026-44112CriMay 6, 2026
affected < 2026.4.22fixed 2026.4.22
OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in OpenShell sandbox filesystem writes that allows attackers to redirect writes outside the intended mount root. Attackers can exploit symlink swaps during filesystem operations to bypass sandbox restri
CVE-2026-44109CriMay 6, 2026
affected < 2026.4.15fixed 2026.4.15
OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting request
CVE-2026-43585HigMay 6, 2026
affected < 2026.4.15fixed 2026.4.15
OpenClaw before 2026.4.15 captures resolved bearer-auth configuration at startup, allowing revoked tokens to remain valid after SecretRef rotation. Gateway HTTP and WebSocket handlers fail to re-resolve authentication per-request, enabling attackers to use rotated-out bearer toke
CVE-2026-43584HigMay 6, 2026
affected < 2026.4.10fixed 2026.4.10
OpenClaw before 2026.4.10 contains an insufficient environment variable denylist vulnerability in its exec environment policy that allows operator-supplied overrides of high-risk interpreter startup variables including VIMINIT, EXINIT, LUA_INIT, and HOSTALIASES. Attackers can exp
CVE-2026-43583MedMay 6, 2026
affected >= 2026.4.10, < 2026.4.14fixed 2026.4.14
OpenClaw versions 2026.4.10 before 2026.4.14 fail to persist session context during delivery queue recovery for media replay. Attackers can exploit recovered queued outbound media to bypass group tool policy enforcement and weaken channel media restrictions after service restart
CVE-2026-43582MedMay 6, 2026
affected < 2026.4.10fixed 2026.4.10
OpenClaw before 2026.4.10 contains a server-side request forgery vulnerability in browser navigation policy that allows attackers to bypass hostname validation through DNS rebinding attacks. Attackers can exploit inconsistent hostname resolution between validation and actual netw
CVE-2026-43580HigMay 6, 2026
affected < 2026.4.10fixed 2026.4.10
OpenClaw before 2026.4.10 contains an incomplete navigation guard vulnerability that allows attackers to trigger navigation without complete SSRF policy enforcement. Browser press/type style interactions, including pressKey and type submit flows, can bypass post-action security c
CVE-2026-43576HigMay 6, 2026
affected < 2026.4.5fixed 2026.4.5
OpenClaw before 2026.4.5 contains a server-side request forgery vulnerability in the CDP /json/version WebSocket endpoint that allows attackers to pivot to untrusted second-hop targets. The webSocketDebuggerUrl response field is not properly validated, enabling attackers to redir
CVE-2026-43574MedMay 5, 2026
affected < 2026.4.12fixed 2026.4.12
OpenClaw before 2026.4.12 contains an improper authorization vulnerability in helper-backed channels where empty resolved approver lists are interpreted as explicit approval authorization. Attackers can resolve pending approvals without proper authorization by exploiting this log
CVE-2026-43573HigMay 5, 2026
affected < 2026.4.10fixed 2026.4.10
OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in existing-session browser interaction routes. Attackers can bypass SSRF navigation guards to interact with or navigate to unauthorized targets without policy enforcement.
CVE-2026-43572MedMay 5, 2026
affected >= 2026.4.10, < 2026.4.14fixed 2026.4.14
OpenClaw versions 2026.4.10 before 2026.4.14 contain a missing authorization vulnerability in the Microsoft Teams SSO invoke handler that fails to apply sender allowlist checks. Attackers can bypass sender authorization by sending SSO invoke requests that are processed without pr
CVE-2026-43571HigMay 5, 2026
affected < 2026.4.10fixed 2026.4.10
OpenClaw before 2026.4.10 contains a plugin trust bypass vulnerability that allows channel setup catalog lookups to resolve workspace plugin shadows before bundled channel plugins. Attackers can exploit this by crafting malicious workspace plugins that bypass intended trust gates
CVE-2026-43570MedMay 5, 2026
affected >= 2026.3.22, < 2026.4.5fixed 2026.4.5
OpenClaw versions 2026.3.22 before 2026.4.5 contain a symlink traversal vulnerability in remote marketplace repository path handling that allows attackers to escape the expected repository root. Attackers can exploit this by providing crafted symlink paths to access files outside
CVE-2026-43569HigMay 5, 2026
affected < 2026.4.9fixed 2026.4.9
OpenClaw before 2026.4.9 contains an authentication bypass vulnerability allowing untrusted workspace plugins to be auto-enabled during non-interactive onboarding when provider auth choices are shadowed. Attackers can exploit this by crafting malicious workspace plugins that are
CVE-2026-43568MedMay 5, 2026
affected >= 2026.4.5, < 2026.4.10fixed 2026.4.10
OpenClaw versions 2026.4.5 before 2026.4.10 contain a privilege escalation vulnerability allowing write-scoped operators to modify persistent memory dreaming settings. Attackers with write-scoped gateway access can toggle admin-class configuration mutations through the /dreaming

Page 1 of 20