npm package
openclaw
pkg:npm/openclaw
Vulnerabilities (393)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-32041 | — | < 2026.3.1 | 2026.3.1 | Mar 19, 2026 | OpenClaw versions prior to 2026.3.1 fail to properly handle authentication bootstrap errors during startup, allowing browser-control routes to remain accessible without authentication. Local processes or loopback-reachable SSRF paths can exploit this to access browser-control rou | ||
| CVE-2026-32040 | — | < 2026.2.23 | 2026.2.23 | Mar 19, 2026 | OpenClaw versions prior to 2026.2.23 contain an html injection vulnerability in the HTML session exporter that allows attackers to execute arbitrary javascript by injecting malicious mimeType values in image content blocks. Attackers can craft session entries with specially craft | ||
| CVE-2026-32039 | — | < 2026.2.22 | 2026.2.22 | Mar 19, 2026 | OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the toolsBySender group policy matching that allows attackers to inherit elevated tool permissions through identifier collision attacks. Attackers can exploit untyped sender keys by forcing coll | ||
| CVE-2026-32038 | — | < 2026.2.24 | 2026.2.24 | Mar 19, 2026 | OpenClaw before 2026.2.24 contains a sandbox network isolation bypass vulnerability that allows trusted operators to join another container's network namespace. Attackers can configure the docker.network parameter with container: values to reach services in target container n | ||
| CVE-2026-32037 | — | < 2026.2.22 | 2026.2.22 | Mar 19, 2026 | OpenClaw versions prior to 2026.2.22 fail to consistently validate redirect chains against configured mediaAllowHosts allowlists during MSTeams media downloads. Attackers can supply or influence attachment URLs to force redirects to non-allowlisted targets, bypassing SSRF boundar | ||
| CVE-2026-32036 | — | < 2026.2.26 | 2026.2.26 | Mar 19, 2026 | OpenClaw gateway plugin versions prior to 2026.2.26 contain a path traversal vulnerability that allows remote attackers to bypass route authentication checks by manipulating /api/channels paths with encoded dot-segment traversal sequences. Attackers can craft alternate paths usin | ||
| CVE-2026-32034 | — | < 2026.2.21 | 2026.2.21 | Mar 19, 2026 | OpenClaw versions prior to 2026.2.21 contain an authentication bypass vulnerability in the Control UI when allowInsecureAuth is explicitly enabled and the gateway is exposed over plaintext HTTP, allowing attackers to bypass device identity and pairing verification. An attacker wi | ||
| CVE-2026-32033 | — | < 2026.2.24 | 2026.2.24 | Mar 19, 2026 | OpenClaw versions prior to 2026.2.24 contain a path traversal vulnerability where @-prefixed absolute paths bypass workspace-only file-system boundary validation due to canonicalization mismatch. Attackers can exploit this by crafting @-prefixed paths like @/etc/passwd to read fi | ||
| CVE-2026-32032 | — | < 2026.2.22 | 2026.2.22 | Mar 19, 2026 | OpenClaw versions prior to 2026.2.22 contain an arbitrary shell execution vulnerability in shell environment fallback that trusts the unvalidated SHELL path from the host environment. An attacker with local environment access can inject a malicious SHELL variable to execute arbit | ||
| CVE-2026-32031 | — | < 2026.2.26 | 2026.2.26 | Mar 19, 2026 | OpenClaw versions prior to 2026.2.26 server-http contains an authentication bypass vulnerability in gateway authentication for plugin channel endpoints due to path canonicalization mismatch between the gateway guard and plugin handler routing. Attackers can bypass authentication | ||
| CVE-2026-32030 | — | < 2026.2.19 | 2026.2.19 | Mar 19, 2026 | OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the stageSandboxMedia function that accepts arbitrary absolute paths when iMessage remote attachment fetching is enabled. An attacker who can tamper with attachment path metadata can disclose files rea | ||
| CVE-2026-32029 | — | < 2026.2.21 | 2026.2.21 | Mar 19, 2026 | OpenClaw versions prior to 2026.2.21 improperly parse the left-most X-Forwarded-For header value when requests originate from configured trusted proxies, allowing attackers to spoof client IP addresses. In proxy chains that append or preserve header values, attackers can inject m | ||
| CVE-2026-32028 | — | < 2026.2.25 | 2026.2.25 | Mar 19, 2026 | OpenClaw versions prior to 2026.2.25 fail to enforce dmPolicy and allowFrom authorization checks on Discord direct-message reaction notifications, allowing non-allowlisted users to enqueue reaction-derived system events. Attackers can exploit this inconsistency by reacting to bot | ||
| CVE-2026-32027 | — | < 2026.2.26 | 2026.2.26 | Mar 19, 2026 | OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-store identities are incorrectly eligible for group allowlist authorization checks. Attackers can exploit this cross-context authorization flaw by using a sender approved via DM pa | ||
| CVE-2026-32026 | — | < 2026.2.24 | 2026.2.24 | Mar 19, 2026 | OpenClaw versions prior to 2026.2.24 contain an improper path validation vulnerability in sandbox media handling that allows absolute paths under the host temporary directory outside the active sandbox root. Attackers can exploit this by providing malicious media references to re | ||
| CVE-2026-32025 | — | < 2026.2.25 | 2026.2.25 | Mar 19, 2026 | OpenClaw versions prior to 2026.2.25 contain an authentication hardening gap in browser-origin WebSocket clients that allows attackers to bypass origin checks and auth throttling on loopback deployments. An attacker can trick a user into opening a malicious webpage and perform pa | ||
| CVE-2026-32024 | — | < 2026.2.22 | 2026.2.22 | Mar 19, 2026 | OpenClaw versions prior to 2026.2.22 contain a symlink traversal vulnerability in avatar handling that allows attackers to read arbitrary files outside the configured workspace boundary. Remote attackers can exploit this by requesting avatar resources through gateway surfaces to | ||
| CVE-2026-32023 | — | < 2026.2.24 | 2026.2.24 | Mar 19, 2026 | OpenClaw versions prior to 2026.2.24 contain an approval gating bypass vulnerability in system.run allowlist mode where nested transparent dispatch wrappers can suppress shell-wrapper detection. Attackers can exploit this by chaining multiple dispatch wrappers like /usr/bin/env t | ||
| CVE-2026-32021 | — | < 2026.2.22 | 2026.2.22 | Mar 19, 2026 | OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the Feishu allowFrom allowlist implementation that accepts mutable sender display names instead of enforcing ID-only matching. An attacker can set a display name equal to an allowlisted ID strin | ||
| CVE-2026-32020 | — | < 2026.2.22 | 2026.2.22 | Mar 19, 2026 | OpenClaw versions prior to 2026.2.22 contain a path traversal vulnerability in the static file handler that follows symbolic links, allowing out-of-root file reads. Attackers can place symlinks under the Control UI root directory to bypass directory confinement checks and read ar |
- CVE-2026-32041Mar 19, 2026affected < 2026.3.1fixed 2026.3.1
OpenClaw versions prior to 2026.3.1 fail to properly handle authentication bootstrap errors during startup, allowing browser-control routes to remain accessible without authentication. Local processes or loopback-reachable SSRF paths can exploit this to access browser-control rou
- CVE-2026-32040Mar 19, 2026affected < 2026.2.23fixed 2026.2.23
OpenClaw versions prior to 2026.2.23 contain an html injection vulnerability in the HTML session exporter that allows attackers to execute arbitrary javascript by injecting malicious mimeType values in image content blocks. Attackers can craft session entries with specially craft
- CVE-2026-32039Mar 19, 2026affected < 2026.2.22fixed 2026.2.22
OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the toolsBySender group policy matching that allows attackers to inherit elevated tool permissions through identifier collision attacks. Attackers can exploit untyped sender keys by forcing coll
- CVE-2026-32038Mar 19, 2026affected < 2026.2.24fixed 2026.2.24
OpenClaw before 2026.2.24 contains a sandbox network isolation bypass vulnerability that allows trusted operators to join another container's network namespace. Attackers can configure the docker.network parameter with container: values to reach services in target container n
- CVE-2026-32037Mar 19, 2026affected < 2026.2.22fixed 2026.2.22
OpenClaw versions prior to 2026.2.22 fail to consistently validate redirect chains against configured mediaAllowHosts allowlists during MSTeams media downloads. Attackers can supply or influence attachment URLs to force redirects to non-allowlisted targets, bypassing SSRF boundar
- CVE-2026-32036Mar 19, 2026affected < 2026.2.26fixed 2026.2.26
OpenClaw gateway plugin versions prior to 2026.2.26 contain a path traversal vulnerability that allows remote attackers to bypass route authentication checks by manipulating /api/channels paths with encoded dot-segment traversal sequences. Attackers can craft alternate paths usin
- CVE-2026-32034Mar 19, 2026affected < 2026.2.21fixed 2026.2.21
OpenClaw versions prior to 2026.2.21 contain an authentication bypass vulnerability in the Control UI when allowInsecureAuth is explicitly enabled and the gateway is exposed over plaintext HTTP, allowing attackers to bypass device identity and pairing verification. An attacker wi
- CVE-2026-32033Mar 19, 2026affected < 2026.2.24fixed 2026.2.24
OpenClaw versions prior to 2026.2.24 contain a path traversal vulnerability where @-prefixed absolute paths bypass workspace-only file-system boundary validation due to canonicalization mismatch. Attackers can exploit this by crafting @-prefixed paths like @/etc/passwd to read fi
- CVE-2026-32032Mar 19, 2026affected < 2026.2.22fixed 2026.2.22
OpenClaw versions prior to 2026.2.22 contain an arbitrary shell execution vulnerability in shell environment fallback that trusts the unvalidated SHELL path from the host environment. An attacker with local environment access can inject a malicious SHELL variable to execute arbit
- CVE-2026-32031Mar 19, 2026affected < 2026.2.26fixed 2026.2.26
OpenClaw versions prior to 2026.2.26 server-http contains an authentication bypass vulnerability in gateway authentication for plugin channel endpoints due to path canonicalization mismatch between the gateway guard and plugin handler routing. Attackers can bypass authentication
- CVE-2026-32030Mar 19, 2026affected < 2026.2.19fixed 2026.2.19
OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the stageSandboxMedia function that accepts arbitrary absolute paths when iMessage remote attachment fetching is enabled. An attacker who can tamper with attachment path metadata can disclose files rea
- CVE-2026-32029Mar 19, 2026affected < 2026.2.21fixed 2026.2.21
OpenClaw versions prior to 2026.2.21 improperly parse the left-most X-Forwarded-For header value when requests originate from configured trusted proxies, allowing attackers to spoof client IP addresses. In proxy chains that append or preserve header values, attackers can inject m
- CVE-2026-32028Mar 19, 2026affected < 2026.2.25fixed 2026.2.25
OpenClaw versions prior to 2026.2.25 fail to enforce dmPolicy and allowFrom authorization checks on Discord direct-message reaction notifications, allowing non-allowlisted users to enqueue reaction-derived system events. Attackers can exploit this inconsistency by reacting to bot
- CVE-2026-32027Mar 19, 2026affected < 2026.2.26fixed 2026.2.26
OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-store identities are incorrectly eligible for group allowlist authorization checks. Attackers can exploit this cross-context authorization flaw by using a sender approved via DM pa
- CVE-2026-32026Mar 19, 2026affected < 2026.2.24fixed 2026.2.24
OpenClaw versions prior to 2026.2.24 contain an improper path validation vulnerability in sandbox media handling that allows absolute paths under the host temporary directory outside the active sandbox root. Attackers can exploit this by providing malicious media references to re
- CVE-2026-32025Mar 19, 2026affected < 2026.2.25fixed 2026.2.25
OpenClaw versions prior to 2026.2.25 contain an authentication hardening gap in browser-origin WebSocket clients that allows attackers to bypass origin checks and auth throttling on loopback deployments. An attacker can trick a user into opening a malicious webpage and perform pa
- CVE-2026-32024Mar 19, 2026affected < 2026.2.22fixed 2026.2.22
OpenClaw versions prior to 2026.2.22 contain a symlink traversal vulnerability in avatar handling that allows attackers to read arbitrary files outside the configured workspace boundary. Remote attackers can exploit this by requesting avatar resources through gateway surfaces to
- CVE-2026-32023Mar 19, 2026affected < 2026.2.24fixed 2026.2.24
OpenClaw versions prior to 2026.2.24 contain an approval gating bypass vulnerability in system.run allowlist mode where nested transparent dispatch wrappers can suppress shell-wrapper detection. Attackers can exploit this by chaining multiple dispatch wrappers like /usr/bin/env t
- CVE-2026-32021Mar 19, 2026affected < 2026.2.22fixed 2026.2.22
OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the Feishu allowFrom allowlist implementation that accepts mutable sender display names instead of enforcing ID-only matching. An attacker can set a display name equal to an allowlisted ID strin
- CVE-2026-32020Mar 19, 2026affected < 2026.2.22fixed 2026.2.22
OpenClaw versions prior to 2026.2.22 contain a path traversal vulnerability in the static file handler that follows symbolic links, allowing out-of-root file reads. Attackers can place symlinks under the Control UI root directory to bypass directory confinement checks and read ar
Page 13 of 20