npm package
openclaw
pkg:npm/openclaw
Vulnerabilities (393)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-35618 | Med | 6.5 | < 2026.3.23 | 2026.3.23 | Apr 9, 2026 | OpenClaw before 2026.3.23 contains a replay identity vulnerability in Plivo V2 signature verification that allows attackers to bypass replay protection by modifying query parameters. The verification path derives replay keys from the full URL including query strings instead of th | |
| CVE-2026-35617 | Med | 4.2 | < 2026.3.28 | 2026.3.28 | Apr 9, 2026 | OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Google Chat group policy enforcement that relies on mutable space display names. Attackers can rebind group policies by changing or colliding space display names to gain unauthorized access to protected r | |
| CVE-2026-40037 | Med | 6.5 | < 2026.4.8 | 2026.4.8 | Apr 8, 2026 | OpenClaw before 2026.3.31 (patched in 2026.4.8) contains a request body replay vulnerability in fetchWithSsrFGuard that allows unsafe request bodies to be resent across cross-origin redirects. Attackers can exploit this by triggering redirects to exfiltrate sensitive request data | |
| CVE-2026-34511 | Med | 5.3 | < 2026.4.2 | 2026.4.2 | Apr 3, 2026 | OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier, defeating PKCE protection and enabling t | |
| CVE-2026-34426 | Hig | 7.6 | < 2026.3.22 | 2026.3.22 | Apr 2, 2026 | OpenClaw versions prior to commit b57b680 contain an approval bypass vulnerability due to inconsistent environment variable normalization between approval and execution paths, allowing attackers to inject attacker-controlled environment variables into execution without approval s | |
| CVE-2026-34425 | Med | 5.4 | < 2026.4.2 | 2026.4.2 | Apr 2, 2026 | OpenClaw versions prior to commit 8aceaf5 contain a preflight validation bypass vulnerability in shell-bleed protection that allows attackers to execute blocked script content by using piped or complex command forms that the parser fails to recognize. Attackers can craft commands | |
| CVE-2026-34504 | Hig | 8.3 | < 2026.3.28 | 2026.3.28 | Mar 31, 2026 | OpenClaw before 2026.3.28 contains a server-side request forgery vulnerability in the fal provider image-generation-provider.ts component that allows attackers to fetch internal URLs. A malicious or compromised fal relay can exploit unguarded image download fetches to expose inte | |
| CVE-2026-34503 | Hig | 8.1 | < 2026.3.28 | 2026.3.28 | Mar 31, 2026 | OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection. | |
| CVE-2026-33581 | Med | 6.5 | < 2026.3.24 | 2026.3.24 | Mar 31, 2026 | OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows attackers to read arbitrary local files by using mediaUrl and fileUrl alias parameters that bypass localRoots validation. Remote attackers can exploit this by routing file requests t | |
| CVE-2026-33580 | Med | 6.5 | < 2026.3.28 | 2026.3.28 | Mar 31, 2026 | OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication that allows attackers to brute-force weak shared secrets. Attackers who can reach the webhook endpoint can exploit this to forge inbound webhook events by repeate | |
| CVE-2026-33579 | Cri | 9.9 | < 2026.3.28 | 2026.3.28 | Mar 31, 2026 | OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forward caller scopes into the core approval check. A caller with pairing privileges but without admin privileges can approve pending device requests asking for | |
| CVE-2026-33578 | Med | 4.3 | < 2026.3.28 | 2026.3.28 | Mar 31, 2026 | OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy. Attackers can exploit this policy resolution flaw to bypass sender restrictions and int | |
| CVE-2026-33577 | Hig | 8.1 | < 2026.3.28 | 2026.3.28 | Mar 31, 2026 | OpenClaw before 2026.3.28 contains an insufficient scope validation vulnerability in the node pairing approval path that allows low-privilege operators to approve nodes with broader scopes. Attackers can exploit missing callerScopes validation in node-pairing.ts to extend privile | |
| CVE-2026-33576 | Med | 6.5 | < 2026.3.28 | 2026.3.28 | Mar 31, 2026 | OpenClaw before 2026.3.28 downloads and stores inbound media from Zalo channels before validating sender authorization. Unauthorized senders can force network fetches and disk writes to the media store by sending messages that are subsequently rejected. | |
| CVE-2026-34508 | — | < 2026.3.12 | 2026.3.12 | Mar 31, 2026 | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | ||
| CVE-2026-34506 | Med | 4.3 | < 2026.3.8 | 2026.3.8 | Mar 31, 2026 | OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message | |
| CVE-2026-34505 | Med | 6.5 | < 2026.3.12 | 2026.3.12 | Mar 31, 2026 | OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to bypass rate limits and brute-force webhook secrets. Attackers can submit repeated authentication requests with invalid secrets without triggering rate limit respons | |
| CVE-2026-32977 | Med | 6.3 | < 2026.3.11 | 2026.3.11 | Mar 31, 2026 | OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in the fs-bridge writeFile commit step that uses an unanchored container path during the final move operation. An attacker can exploit a time-of-check-time-of-use race condition by modifying parent paths i | |
| CVE-2026-32971 | Hig | 7.1 | < 2026.3.11 | 2026.3.11 | Mar 31, 2026 | OpenClaw before 2026.3.11 contains an approval-integrity vulnerability in node-host system.run approvals that displays extracted shell payloads instead of the executed argv. Attackers can place wrapper binaries and induce wrapper-shaped commands to execute local code after operat | |
| CVE-2026-32970 | Low | 2.5 | < 2026.3.11 | 2026.3.11 | Mar 31, 2026 | OpenClaw before 2026.3.11 contains a credential fallback vulnerability where unavailable local gateway.auth.token and gateway.auth.password SecretRefs are treated as unset, allowing fallback to remote credentials in local mode. Attackers can exploit misconfigured local auth refer |
- affected < 2026.3.23fixed 2026.3.23
OpenClaw before 2026.3.23 contains a replay identity vulnerability in Plivo V2 signature verification that allows attackers to bypass replay protection by modifying query parameters. The verification path derives replay keys from the full URL including query strings instead of th
- affected < 2026.3.28fixed 2026.3.28
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Google Chat group policy enforcement that relies on mutable space display names. Attackers can rebind group policies by changing or colliding space display names to gain unauthorized access to protected r
- affected < 2026.4.8fixed 2026.4.8
OpenClaw before 2026.3.31 (patched in 2026.4.8) contains a request body replay vulnerability in fetchWithSsrFGuard that allows unsafe request bodies to be resent across cross-origin redirects. Attackers can exploit this by triggering redirects to exfiltrate sensitive request data
- affected < 2026.4.2fixed 2026.4.2
OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier, defeating PKCE protection and enabling t
- affected < 2026.3.22fixed 2026.3.22
OpenClaw versions prior to commit b57b680 contain an approval bypass vulnerability due to inconsistent environment variable normalization between approval and execution paths, allowing attackers to inject attacker-controlled environment variables into execution without approval s
- affected < 2026.4.2fixed 2026.4.2
OpenClaw versions prior to commit 8aceaf5 contain a preflight validation bypass vulnerability in shell-bleed protection that allows attackers to execute blocked script content by using piped or complex command forms that the parser fails to recognize. Attackers can craft commands
- affected < 2026.3.28fixed 2026.3.28
OpenClaw before 2026.3.28 contains a server-side request forgery vulnerability in the fal provider image-generation-provider.ts component that allows attackers to fetch internal URLs. A malicious or compromised fal relay can exploit unguarded image download fetches to expose inte
- affected < 2026.3.28fixed 2026.3.28
OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection.
- affected < 2026.3.24fixed 2026.3.24
OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows attackers to read arbitrary local files by using mediaUrl and fileUrl alias parameters that bypass localRoots validation. Remote attackers can exploit this by routing file requests t
- affected < 2026.3.28fixed 2026.3.28
OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication that allows attackers to brute-force weak shared secrets. Attackers who can reach the webhook endpoint can exploit this to forge inbound webhook events by repeate
- affected < 2026.3.28fixed 2026.3.28
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forward caller scopes into the core approval check. A caller with pairing privileges but without admin privileges can approve pending device requests asking for
- affected < 2026.3.28fixed 2026.3.28
OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy. Attackers can exploit this policy resolution flaw to bypass sender restrictions and int
- affected < 2026.3.28fixed 2026.3.28
OpenClaw before 2026.3.28 contains an insufficient scope validation vulnerability in the node pairing approval path that allows low-privilege operators to approve nodes with broader scopes. Attackers can exploit missing callerScopes validation in node-pairing.ts to extend privile
- affected < 2026.3.28fixed 2026.3.28
OpenClaw before 2026.3.28 downloads and stores inbound media from Zalo channels before validating sender authorization. Unauthorized senders can force network fetches and disk writes to the media store by sending messages that are subsequently rejected.
- CVE-2026-34508Mar 31, 2026affected < 2026.3.12fixed 2026.3.12
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
- affected < 2026.3.8fixed 2026.3.8
OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message
- affected < 2026.3.12fixed 2026.3.12
OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to bypass rate limits and brute-force webhook secrets. Attackers can submit repeated authentication requests with invalid secrets without triggering rate limit respons
- affected < 2026.3.11fixed 2026.3.11
OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in the fs-bridge writeFile commit step that uses an unanchored container path during the final move operation. An attacker can exploit a time-of-check-time-of-use race condition by modifying parent paths i
- affected < 2026.3.11fixed 2026.3.11
OpenClaw before 2026.3.11 contains an approval-integrity vulnerability in node-host system.run approvals that displays extracted shell payloads instead of the executed argv. Attackers can place wrapper binaries and induce wrapper-shaped commands to execute local code after operat
- affected < 2026.3.11fixed 2026.3.11
OpenClaw before 2026.3.11 contains a credential fallback vulnerability where unavailable local gateway.auth.token and gateway.auth.password SecretRefs are treated as unset, allowing fallback to remote credentials in local mode. Attackers can exploit misconfigured local auth refer
Page 10 of 20