npm package
openclaw
pkg:npm/openclaw
Vulnerabilities (393)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-32921 | Med | 6.3 | < 2026.3.8 | 2026.3.8 | Mar 31, 2026 | OpenClaw before 2026.3.8 contains an approval bypass vulnerability in system.run where mutable script operands are not bound across approval and execution phases. Attackers can obtain approval for script execution, modify the approved script file before execution, and execute dif | |
| CVE-2026-32920 | Hig | 8.4 | < 2026.3.12 | 2026.3.12 | Mar 31, 2026 | OpenClaw before 2026.3.12 automatically discovers and loads plugins from .OpenClaw/extensions/ without explicit trust verification, allowing arbitrary code execution. Attackers can execute malicious code by including crafted workspace plugins in cloned repositories that execute w | |
| CVE-2026-32916 | Cri | 9.4 | >= 2026.3.7, < 2026.3.11 | 2026.3.11 | Mar 31, 2026 | OpenClaw versions 2026.3.7 before 2026.3.11 contain an authorization bypass vulnerability where plugin subagent routes execute gateway methods through a synthetic operator client with broad administrative scopes. Remote unauthenticated requests to plugin-owned routes can invoke r | |
| CVE-2026-33574 | Med | 6.2 | < 2026.3.8 | 2026.3.8 | Mar 29, 2026 | OpenClaw before 2026.3.8 contains a path traversal vulnerability in the skills download installer that validates the tools root lexically but reuses the mutable path during archive download and copy operations. A local attacker can rebind the tools-root path between validation an | |
| CVE-2026-33572 | Hig | 8.4 | < 2026.2.17 | 2026.2.17 | Mar 29, 2026 | OpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local users to read transcript contents. Attackers with local access can read transcript files to extract sensitive information including secrets from tool output. | |
| CVE-2026-32980 | Hig | 7.5 | < 2026.3.13 | 2026.3.13 | Mar 29, 2026 | OpenClaw before 2026.3.13 reads and buffers Telegram webhook request bodies before validating the x-telegram-bot-api-secret-token header, allowing unauthenticated attackers to exhaust server resources. Attackers can send POST requests to the webhook endpoint to force memory consu | |
| CVE-2026-32918 | Hig | 8.4 | < 2026.3.11 | 2026.3.11 | Mar 29, 2026 | OpenClaw before 2026.3.11 contains a session sandbox escape vulnerability in the session_status tool that allows sandboxed subagents to access parent or sibling session state. Attackers can supply arbitrary sessionKey values to read or modify session data outside their sandbox sc | |
| CVE-2026-32979 | — | < 2026.3.11 | 2026.3.11 | Mar 29, 2026 | OpenClaw before 2026.3.11 contains an approval integrity vulnerability allowing attackers to execute rewritten local code by modifying scripts between approval and execution when exact file binding cannot occur. Remote attackers can change approved local scripts before execution | ||
| CVE-2026-32978 | — | < 2026.3.11 | 2026.3.11 | Mar 29, 2026 | OpenClaw before 2026.3.11 contains an approval integrity vulnerability where system.run approvals fail to bind mutable file operands for certain script runners like tsx and jiti. Attackers can obtain approval for benign script commands, rewrite referenced scripts on disk, and exe | ||
| CVE-2026-32974 | — | < 2026.3.12 | 2026.3.12 | Mar 29, 2026 | OpenClaw before 2026.3.12 contains an authentication bypass vulnerability in Feishu webhook mode when only verificationToken is configured without encryptKey, allowing acceptance of forged events. Unauthenticated network attackers can inject forged Feishu events and trigger downs | ||
| CVE-2026-32846 | Hig | 7.5 | < 2026.03.28 | 2026.03.28 | Mar 26, 2026 | OpenClaw before 2026.3.28 contains a path traversal vulnerability in media parsing that allows attackers to read arbitrary files by bypassing path validation in the isLikelyLocalPath() and isValidMedia() functions. Attackers can exploit incomplete validation and the allowBareFile | |
| CVE-2026-32913 | — | < 2026.3.7 | 2026.3.7 | Mar 23, 2026 | OpenClaw before 2026.3.7 contains an improper header validation vulnerability in fetchWithSsrFGuard that forwards custom authorization headers across cross-origin redirects. Attackers can trigger redirects to different origins to intercept sensitive headers like X-Api-Key and Pri | ||
| CVE-2026-27646 | — | < 2026.3.7 | 2026.3.7 | Mar 23, 2026 | OpenClaw versions prior to 2026.3.7 contain a sandbox escape vulnerability in the /acp spawn command that allows authorized sandboxed sessions to initialize host-side ACP runtime. Attackers can bypass sandbox restrictions by invoking the /acp spawn slash-command to cross from san | ||
| CVE-2026-27183 | — | < 2026.3.7 | 2026.3.7 | Mar 23, 2026 | OpenClaw versions prior to 2026.3.7 contain a shell approval gating bypass vulnerability in system.run dispatch-wrapper handling that allows attackers to skip shell wrapper approval requirements. The approval classifier and execution planner apply different depth-boundary rules, | ||
| CVE-2026-32896 | Med | 4.8 | < 2026.2.21 | 2026.2.21 | Mar 21, 2026 | The BlueBubbles webhook handler in OpenClaw versions prior to 2026.2.21 contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local routing configurations. Attackers can bypass webhook authentication by exploit | |
| CVE-2026-32067 | Low | 3.7 | < 2026.2.26 | 2026.2.26 | Mar 21, 2026 | OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability in the pairing-store access control for direct message pairing policy that allows attackers to reuse pairing approvals across multiple accounts. An attacker approved as a sender in one account can | |
| CVE-2026-32899 | — | < 2026.2.25 | 2026.2.25 | Mar 21, 2026 | OpenClaw versions prior to 2026.2.25 fail to consistently apply sender-policy checks to reaction_* and pin_* non-message events before adding them to system-event context. Attackers can bypass configured DM policies and channel user allowlists to inject unauthorized reaction and | ||
| CVE-2026-32898 | — | < 2026.2.23 | 2026.2.23 | Mar 21, 2026 | OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerability in the ACP client that auto-approves tool calls based on untrusted toolCall.kind metadata and permissive name heuristics. Attackers can bypass interactive approval prompts for read-class operations | ||
| CVE-2026-32897 | — | < 2026.2.22 | 2026.2.22 | Mar 21, 2026 | OpenClaw versions prior to 2026.2.22 reuse gateway.auth.token as a fallback hash secret for owner-ID prompt obfuscation when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is unset, creating dual-use of authentication secrets across security domains. Attacke | ||
| CVE-2026-32895 | — | < 2026.2.26 | 2026.2.26 | Mar 21, 2026 | OpenClaw versions prior to 2026.2.26 fail to enforce sender authorization in member and message subtype system event handlers, allowing unauthorized events to be enqueued. Attackers can bypass Slack DM allowlists and per-channel user allowlists by sending system events from non-a |
- affected < 2026.3.8fixed 2026.3.8
OpenClaw before 2026.3.8 contains an approval bypass vulnerability in system.run where mutable script operands are not bound across approval and execution phases. Attackers can obtain approval for script execution, modify the approved script file before execution, and execute dif
- affected < 2026.3.12fixed 2026.3.12
OpenClaw before 2026.3.12 automatically discovers and loads plugins from .OpenClaw/extensions/ without explicit trust verification, allowing arbitrary code execution. Attackers can execute malicious code by including crafted workspace plugins in cloned repositories that execute w
- affected >= 2026.3.7, < 2026.3.11fixed 2026.3.11
OpenClaw versions 2026.3.7 before 2026.3.11 contain an authorization bypass vulnerability where plugin subagent routes execute gateway methods through a synthetic operator client with broad administrative scopes. Remote unauthenticated requests to plugin-owned routes can invoke r
- affected < 2026.3.8fixed 2026.3.8
OpenClaw before 2026.3.8 contains a path traversal vulnerability in the skills download installer that validates the tools root lexically but reuses the mutable path during archive download and copy operations. A local attacker can rebind the tools-root path between validation an
- affected < 2026.2.17fixed 2026.2.17
OpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local users to read transcript contents. Attackers with local access can read transcript files to extract sensitive information including secrets from tool output.
- affected < 2026.3.13fixed 2026.3.13
OpenClaw before 2026.3.13 reads and buffers Telegram webhook request bodies before validating the x-telegram-bot-api-secret-token header, allowing unauthenticated attackers to exhaust server resources. Attackers can send POST requests to the webhook endpoint to force memory consu
- affected < 2026.3.11fixed 2026.3.11
OpenClaw before 2026.3.11 contains a session sandbox escape vulnerability in the session_status tool that allows sandboxed subagents to access parent or sibling session state. Attackers can supply arbitrary sessionKey values to read or modify session data outside their sandbox sc
- CVE-2026-32979Mar 29, 2026affected < 2026.3.11fixed 2026.3.11
OpenClaw before 2026.3.11 contains an approval integrity vulnerability allowing attackers to execute rewritten local code by modifying scripts between approval and execution when exact file binding cannot occur. Remote attackers can change approved local scripts before execution
- CVE-2026-32978Mar 29, 2026affected < 2026.3.11fixed 2026.3.11
OpenClaw before 2026.3.11 contains an approval integrity vulnerability where system.run approvals fail to bind mutable file operands for certain script runners like tsx and jiti. Attackers can obtain approval for benign script commands, rewrite referenced scripts on disk, and exe
- CVE-2026-32974Mar 29, 2026affected < 2026.3.12fixed 2026.3.12
OpenClaw before 2026.3.12 contains an authentication bypass vulnerability in Feishu webhook mode when only verificationToken is configured without encryptKey, allowing acceptance of forged events. Unauthenticated network attackers can inject forged Feishu events and trigger downs
- affected < 2026.03.28fixed 2026.03.28
OpenClaw before 2026.3.28 contains a path traversal vulnerability in media parsing that allows attackers to read arbitrary files by bypassing path validation in the isLikelyLocalPath() and isValidMedia() functions. Attackers can exploit incomplete validation and the allowBareFile
- CVE-2026-32913Mar 23, 2026affected < 2026.3.7fixed 2026.3.7
OpenClaw before 2026.3.7 contains an improper header validation vulnerability in fetchWithSsrFGuard that forwards custom authorization headers across cross-origin redirects. Attackers can trigger redirects to different origins to intercept sensitive headers like X-Api-Key and Pri
- CVE-2026-27646Mar 23, 2026affected < 2026.3.7fixed 2026.3.7
OpenClaw versions prior to 2026.3.7 contain a sandbox escape vulnerability in the /acp spawn command that allows authorized sandboxed sessions to initialize host-side ACP runtime. Attackers can bypass sandbox restrictions by invoking the /acp spawn slash-command to cross from san
- CVE-2026-27183Mar 23, 2026affected < 2026.3.7fixed 2026.3.7
OpenClaw versions prior to 2026.3.7 contain a shell approval gating bypass vulnerability in system.run dispatch-wrapper handling that allows attackers to skip shell wrapper approval requirements. The approval classifier and execution planner apply different depth-boundary rules,
- affected < 2026.2.21fixed 2026.2.21
The BlueBubbles webhook handler in OpenClaw versions prior to 2026.2.21 contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local routing configurations. Attackers can bypass webhook authentication by exploit
- affected < 2026.2.26fixed 2026.2.26
OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability in the pairing-store access control for direct message pairing policy that allows attackers to reuse pairing approvals across multiple accounts. An attacker approved as a sender in one account can
- CVE-2026-32899Mar 21, 2026affected < 2026.2.25fixed 2026.2.25
OpenClaw versions prior to 2026.2.25 fail to consistently apply sender-policy checks to reaction_* and pin_* non-message events before adding them to system-event context. Attackers can bypass configured DM policies and channel user allowlists to inject unauthorized reaction and
- CVE-2026-32898Mar 21, 2026affected < 2026.2.23fixed 2026.2.23
OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerability in the ACP client that auto-approves tool calls based on untrusted toolCall.kind metadata and permissive name heuristics. Attackers can bypass interactive approval prompts for read-class operations
- CVE-2026-32897Mar 21, 2026affected < 2026.2.22fixed 2026.2.22
OpenClaw versions prior to 2026.2.22 reuse gateway.auth.token as a fallback hash secret for owner-ID prompt obfuscation when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is unset, creating dual-use of authentication secrets across security domains. Attacke
- CVE-2026-32895Mar 21, 2026affected < 2026.2.26fixed 2026.2.26
OpenClaw versions prior to 2026.2.26 fail to enforce sender authorization in member and message subtype system event handlers, allowing unauthorized events to be enqueued. Attackers can bypass Slack DM allowlists and per-channel user allowlists by sending system events from non-a
Page 11 of 20