npm package
openclaw
pkg:npm/openclaw
Vulnerabilities (393)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-31996 | — | < 2026.2.19 | 2026.2.19 | Mar 19, 2026 | OpenClaw versions prior to 2026.2.19 tools.exec.safeBins contains an input validation bypass vulnerability that allows attackers to execute unintended filesystem operations through sort output flags or recursive grep flags. Attackers with command execution access can leverage sor | ||
| CVE-2026-31995 | — | >= 2026.1.21, < 2026.2.19 | 2026.2.19 | Mar 19, 2026 | OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism that allows attackers to inject arbitrary commands through tool-provided arguments. When spawn failures trigger shell fallback with | ||
| CVE-2026-31994 | — | < 2026.2.19 | 2026.2.19 | Mar 19, 2026 | OpenClaw versions prior to 2026.2.19 contain a local command injection vulnerability in Windows scheduled task script generation due to unsafe handling of cmd metacharacters and expansion-sensitive characters in gateway.cmd files. Local attackers with control over service script | ||
| CVE-2026-31993 | — | < 2026.2.22 | 2026.2.22 | Mar 19, 2026 | OpenClaw versions prior to 2026.2.22 contain an allowlist parsing mismatch vulnerability in the macOS companion app that allows authenticated operators to bypass exec approval checks. Attackers with operator.write privileges and a paired macOS beta node can craft shell-chain payl | ||
| CVE-2026-31992 | — | < 2026.2.23 | 2026.2.23 | Mar 19, 2026 | OpenClaw versions prior to 2026.2.23 contain an allowlist bypass vulnerability in system.run guardrails that allows authenticated operators to execute unintended commands. When /usr/bin/env is allowlisted, attackers can use env -S to bypass policy analysis and execute shell wrapp | ||
| CVE-2026-31991 | — | < 2026.2.26 | 2026.2.26 | Mar 19, 2026 | OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where Signal group allowlist policy incorrectly accepts sender identities from DM pairing-store approvals. Attackers can exploit this boundary weakness by obtaining DM pairing approval to bypass gr | ||
| CVE-2026-31990 | — | < 2026.3.2 | 2026.3.2 | Mar 19, 2026 | OpenClaw versions prior to 2026.3.2 contain a vulnerability in the stageSandboxMedia function in which it fails to validate destination symlinks during media staging, allowing writes to follow symlinks outside the sandbox workspace. Attackers can exploit this by placing symlinks | ||
| CVE-2026-31989 | — | < 2026.3.1 | 2026.3.1 | Mar 19, 2026 | OpenClaw versions prior to 2026.3.1 contain a server-side request forgery vulnerability in web_search citation redirect resolution that uses a private-network-allowing SSRF policy. An attacker who can influence citation redirect targets can trigger internal-network requests from | ||
| CVE-2026-29608 | — | >= 2026.3.1, < 2026.3.2 | 2026.3.2 | Mar 19, 2026 | OpenClaw 2026.3.1 contains an approval integrity vulnerability in system.run node-host execution where argv rewriting changes command semantics. Attackers can place malicious local scripts in the working directory to execute unintended code despite operator approval of different | ||
| CVE-2026-29607 | — | < 2026.2.22 | 2026.2.22 | Mar 19, 2026 | OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in allow-always wrapper persistence that allows attackers to bypass approval checks by persisting wrapper-level allowlist entries instead of validating inner executable intent. Remote attackers can | ||
| CVE-2026-28460 | — | < 2026.2.22 | 2026.2.22 | Mar 19, 2026 | OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run that allows attackers to execute non-allowlisted commands by splitting command substitution using shell line-continuation characters. Attackers can bypass security analysis by injecting $ | ||
| CVE-2026-28449 | — | < 2026.2.25 | 2026.2.25 | Mar 19, 2026 | OpenClaw versions prior to 2026.2.25 lack durable replay state for Nextcloud Talk webhook events, allowing valid signed webhook requests to be replayed without suppression. Attackers can capture and replay previously valid signed webhook requests to trigger duplicate inbound mess | ||
| CVE-2026-27566 | — | < 2026.2.22 | 2026.2.22 | Mar 19, 2026 | OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run exec analysis that fails to unwrap env and shell-dispatch wrapper chains. Attackers can route execution through wrapper binaries like env bash to smuggle payloads that satisfy allowlist e | ||
| CVE-2026-22176 | — | < 2026.2.19 | 2026.2.19 | Mar 19, 2026 | OpenClaw versions prior to 2026.2.19 contain a command injection vulnerability in Windows Scheduled Task script generation where environment variables are written to gateway.cmd using unquoted set KEY=VALUE assignments, allowing shell metacharacters to break out of assignment con | ||
| CVE-2026-22217 | Med | 6.1 | >= 2026.2.22, < 2026.2.23 | 2026.2.23 | Mar 18, 2026 | OpenClaw version 2026.2.22 prior to 2026.2.23 contains an arbitrary code execution vulnerability in shell-env that allows attackers to execute attacker-controlled binaries by exploiting trusted-prefix fallback logic for the $SHELL variable. An attacker can influence the $SHELL en | |
| CVE-2026-22177 | Med | 6.1 | < 2026.2.21 | 2026.2.21 | Mar 18, 2026 | OpenClaw versions prior to 2026.2.21 fail to filter dangerous process-control environment variables from config env.vars, allowing startup-time code execution. Attackers can inject variables like NODE_OPTIONS or LD_* through configuration to execute arbitrary code in the OpenClaw | |
| CVE-2026-27545 | — | < 2026.2.26 | 2026.2.26 | Mar 18, 2026 | OpenClaw versions prior to 2026.2.26 contain an approval bypass vulnerability in system.run execution that allows attackers to execute commands from unintended filesystem locations by rebinding writable parent symlinks in the current working directory after approval. An attacker | ||
| CVE-2026-27524 | — | < 2026.2.21 | 2026.2.21 | Mar 18, 2026 | OpenClaw versions prior to 2026.2.21 accept prototype-reserved keys in runtime /debug set override object values, allowing prototype pollution attacks. Authorized /debug set callers can inject __proto__, constructor, or prototype keys to manipulate object prototypes and bypass co | ||
| CVE-2026-27523 | — | < 2026.2.24 | 2026.2.24 | Mar 18, 2026 | OpenClaw versions prior to 2026.2.24 contain a sandbox bind validation vulnerability allowing attackers to bypass allowed-root and blocked-path checks via symlinked parent directories with non-existent leaf paths. Attackers can craft bind source paths that appear within allowed r | ||
| CVE-2026-27522 | — | < 2026.2.24 | 2026.2.24 | Mar 18, 2026 | OpenClaw versions prior to 2026.2.24 contain a local media root bypass vulnerability in sendAttachment and setGroupIcon message actions when sandboxRoot is unset. Attackers can hydrate media from local absolute paths to read arbitrary host files accessible by the runtime user. |
- CVE-2026-31996Mar 19, 2026affected < 2026.2.19fixed 2026.2.19
OpenClaw versions prior to 2026.2.19 tools.exec.safeBins contains an input validation bypass vulnerability that allows attackers to execute unintended filesystem operations through sort output flags or recursive grep flags. Attackers with command execution access can leverage sor
- CVE-2026-31995Mar 19, 2026affected >= 2026.1.21, < 2026.2.19fixed 2026.2.19
OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism that allows attackers to inject arbitrary commands through tool-provided arguments. When spawn failures trigger shell fallback with
- CVE-2026-31994Mar 19, 2026affected < 2026.2.19fixed 2026.2.19
OpenClaw versions prior to 2026.2.19 contain a local command injection vulnerability in Windows scheduled task script generation due to unsafe handling of cmd metacharacters and expansion-sensitive characters in gateway.cmd files. Local attackers with control over service script
- CVE-2026-31993Mar 19, 2026affected < 2026.2.22fixed 2026.2.22
OpenClaw versions prior to 2026.2.22 contain an allowlist parsing mismatch vulnerability in the macOS companion app that allows authenticated operators to bypass exec approval checks. Attackers with operator.write privileges and a paired macOS beta node can craft shell-chain payl
- CVE-2026-31992Mar 19, 2026affected < 2026.2.23fixed 2026.2.23
OpenClaw versions prior to 2026.2.23 contain an allowlist bypass vulnerability in system.run guardrails that allows authenticated operators to execute unintended commands. When /usr/bin/env is allowlisted, attackers can use env -S to bypass policy analysis and execute shell wrapp
- CVE-2026-31991Mar 19, 2026affected < 2026.2.26fixed 2026.2.26
OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where Signal group allowlist policy incorrectly accepts sender identities from DM pairing-store approvals. Attackers can exploit this boundary weakness by obtaining DM pairing approval to bypass gr
- CVE-2026-31990Mar 19, 2026affected < 2026.3.2fixed 2026.3.2
OpenClaw versions prior to 2026.3.2 contain a vulnerability in the stageSandboxMedia function in which it fails to validate destination symlinks during media staging, allowing writes to follow symlinks outside the sandbox workspace. Attackers can exploit this by placing symlinks
- CVE-2026-31989Mar 19, 2026affected < 2026.3.1fixed 2026.3.1
OpenClaw versions prior to 2026.3.1 contain a server-side request forgery vulnerability in web_search citation redirect resolution that uses a private-network-allowing SSRF policy. An attacker who can influence citation redirect targets can trigger internal-network requests from
- CVE-2026-29608Mar 19, 2026affected >= 2026.3.1, < 2026.3.2fixed 2026.3.2
OpenClaw 2026.3.1 contains an approval integrity vulnerability in system.run node-host execution where argv rewriting changes command semantics. Attackers can place malicious local scripts in the working directory to execute unintended code despite operator approval of different
- CVE-2026-29607Mar 19, 2026affected < 2026.2.22fixed 2026.2.22
OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in allow-always wrapper persistence that allows attackers to bypass approval checks by persisting wrapper-level allowlist entries instead of validating inner executable intent. Remote attackers can
- CVE-2026-28460Mar 19, 2026affected < 2026.2.22fixed 2026.2.22
OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run that allows attackers to execute non-allowlisted commands by splitting command substitution using shell line-continuation characters. Attackers can bypass security analysis by injecting $
- CVE-2026-28449Mar 19, 2026affected < 2026.2.25fixed 2026.2.25
OpenClaw versions prior to 2026.2.25 lack durable replay state for Nextcloud Talk webhook events, allowing valid signed webhook requests to be replayed without suppression. Attackers can capture and replay previously valid signed webhook requests to trigger duplicate inbound mess
- CVE-2026-27566Mar 19, 2026affected < 2026.2.22fixed 2026.2.22
OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run exec analysis that fails to unwrap env and shell-dispatch wrapper chains. Attackers can route execution through wrapper binaries like env bash to smuggle payloads that satisfy allowlist e
- CVE-2026-22176Mar 19, 2026affected < 2026.2.19fixed 2026.2.19
OpenClaw versions prior to 2026.2.19 contain a command injection vulnerability in Windows Scheduled Task script generation where environment variables are written to gateway.cmd using unquoted set KEY=VALUE assignments, allowing shell metacharacters to break out of assignment con
- affected >= 2026.2.22, < 2026.2.23fixed 2026.2.23
OpenClaw version 2026.2.22 prior to 2026.2.23 contains an arbitrary code execution vulnerability in shell-env that allows attackers to execute attacker-controlled binaries by exploiting trusted-prefix fallback logic for the $SHELL variable. An attacker can influence the $SHELL en
- affected < 2026.2.21fixed 2026.2.21
OpenClaw versions prior to 2026.2.21 fail to filter dangerous process-control environment variables from config env.vars, allowing startup-time code execution. Attackers can inject variables like NODE_OPTIONS or LD_* through configuration to execute arbitrary code in the OpenClaw
- CVE-2026-27545Mar 18, 2026affected < 2026.2.26fixed 2026.2.26
OpenClaw versions prior to 2026.2.26 contain an approval bypass vulnerability in system.run execution that allows attackers to execute commands from unintended filesystem locations by rebinding writable parent symlinks in the current working directory after approval. An attacker
- CVE-2026-27524Mar 18, 2026affected < 2026.2.21fixed 2026.2.21
OpenClaw versions prior to 2026.2.21 accept prototype-reserved keys in runtime /debug set override object values, allowing prototype pollution attacks. Authorized /debug set callers can inject __proto__, constructor, or prototype keys to manipulate object prototypes and bypass co
- CVE-2026-27523Mar 18, 2026affected < 2026.2.24fixed 2026.2.24
OpenClaw versions prior to 2026.2.24 contain a sandbox bind validation vulnerability allowing attackers to bypass allowed-root and blocked-path checks via symlinked parent directories with non-existent leaf paths. Attackers can craft bind source paths that appear within allowed r
- CVE-2026-27522Mar 18, 2026affected < 2026.2.24fixed 2026.2.24
OpenClaw versions prior to 2026.2.24 contain a local media root bypass vulnerability in sendAttachment and setGroupIcon message actions when sandboxRoot is unset. Attackers can hydrate media from local absolute paths to read arbitrary host files accessible by the runtime user.
Page 15 of 20