npm package
openclaw
pkg:npm/openclaw
Vulnerabilities (393)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-22181 | — | < 2026.3.2 | 2026.3.2 | Mar 18, 2026 | OpenClaw versions prior to 2026.3.2 contain a DNS pinning bypass vulnerability in strict URL fetch paths that allows attackers to circumvent SSRF guards when environment proxy variables are configured. When HTTP_PROXY, HTTPS_PROXY, or ALL_PROXY environment variables are present, | ||
| CVE-2026-22180 | — | < 2026.3.2 | 2026.3.2 | Mar 18, 2026 | OpenClaw versions prior to 2026.3.2 contain a path-confinement bypass vulnerability in browser output handling that allows writes outside intended root directories. Attackers can exploit insufficient canonical path-boundary validation in file write operations to escape root-bound | ||
| CVE-2026-22179 | — | < 2026.2.22 | 2026.2.22 | Mar 18, 2026 | OpenClaw versions prior to 2026.2.22 in macOS node-host system.run contain an allowlist bypass vulnerability that allows remote attackers to execute non-allowlisted commands by exploiting improper parsing of command substitution tokens. Attackers can craft shell payloads with com | ||
| CVE-2026-22178 | — | < 2026.2.19 | 2026.2.19 | Mar 18, 2026 | OpenClaw versions prior to 2026.2.19 construct RegExp objects directly from unescaped Feishu mention metadata in the stripBotMention function, allowing regex injection and denial of service. Attackers can craft nested-quantifier patterns or metacharacters in mention metadata to t | ||
| CVE-2026-22175 | — | < 2026.2.23 | 2026.2.23 | Mar 18, 2026 | OpenClaw versions prior to 2026.2.23 contain an exec approval bypass vulnerability in allowlist mode where allow-always grants could be circumvented through unrecognized multiplexer shell wrappers like busybox and toybox sh -c commands. Attackers can exploit this by invoking arbi | ||
| CVE-2026-22174 | — | < 2026.2.22 | 2026.2.22 | Mar 18, 2026 | OpenClaw versions prior to 2026.2.22 inject the x-OpenClaw-relay-token header into Chrome CDP probe traffic on loopback interfaces, allowing local processes to capture the Gateway authentication token. An attacker controlling a loopback port can intercept CDP reachability probes | ||
| CVE-2026-22171 | — | < 2026.2.19 | 2026.2.19 | Mar 18, 2026 | OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the Feishu media download flow where untrusted media keys are interpolated directly into temporary file paths in extensions/feishu/src/media.ts. An attacker who can control Feishu media key values retu | ||
| CVE-2026-22170 | — | < 2026.2.22 | 2026.2.22 | Mar 18, 2026 | OpenClaw versions prior to 2026.2.22 with the optional BlueBubbles plugin contain an access control bypass vulnerability where empty allowFrom configuration causes dmPolicy pairing and allowlist restrictions to be ineffective. Remote attackers can send direct messages to BlueBubb | ||
| CVE-2026-22169 | — | < 2026.2.22 | 2026.2.22 | Mar 18, 2026 | OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in the safeBins configuration that allows attackers to invoke external helpers through the compress-program option. When sort is explicitly added to tools.exec.safeBins, remote attackers can bypass int | ||
| CVE-2026-22168 | — | < 2026.2.21 | 2026.2.21 | Mar 18, 2026 | OpenClaw versions prior to 2026.2.21 contain an approval-integrity mismatch vulnerability in system.run that allows authenticated operators to execute arbitrary trailing arguments after cmd.exe /c while approval text reflects only a benign command. Attackers can smuggle malicious | ||
| CVE-2026-32302 | — | < 2026.3.11 | 2026.3.11 | Mar 12, 2026 | OpenClaw is a personal AI assistant. Prior to 2026.3.11, browser-originated WebSocket connections could bypass origin validation when gateway.auth.mode was set to trusted-proxy and the request arrived with proxy headers. A page served from an untrusted origin could connect throug | ||
| CVE-2026-4040 | — | < 2026.2.19 | 2026.2.19 | Mar 12, 2026 | A vulnerability was identified in OpenClaw up to 2026.2.17. This issue affects the function tools.exec.safeBins of the component File Existence Handler. The manipulation leads to information exposure through discrepancy. The attack needs to be performed locally. Upgrading to vers | ||
| CVE-2026-4039 | — | < 2026.2.21 | 2026.2.21 | Mar 12, 2026 | A vulnerability was determined in OpenClaw 2026.2.19-2. This vulnerability affects the function applySkillConfigenvOverrides of the component Skill Env Handler. Executing a manipulation can lead to code injection. It is possible to launch the attack remotely. Upgrading to version | ||
| CVE-2026-32062 | Hig | 7.5 | < 2026.2.22 | 2026.2.22 | Mar 11, 2026 | OpenClaw versions 2026.2.21-2 up to, but not including, 2026.2.22, and @openclaw/voice-call versions 2026.2.21 up to, but not including, 2026.2.22 accept media-stream WebSocket upgrades before stream validation, allowing unauthenticated clients to establish connections. Remote at | |
| CVE-2026-32063 | — | < 2026.2.21 | 2026.2.21 | Mar 11, 2026 | OpenClaw version 2026.2.19-2 prior to 2026.2.21 contains a command injection vulnerability in systemd unit file generation where attacker-controlled environment values are not validated for CR/LF characters, allowing newline injection to break out of Environment= lines and inject | ||
| CVE-2026-32061 | — | < 2026.2.17 | 2026.2.17 | Mar 11, 2026 | OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows reading arbitrary local files outside the config directory boundary. Attackers with config modification capabilities can exploit this by specifying absolut | ||
| CVE-2026-32060 | — | < 2026.2.14 | 2026.2.14 | Mar 11, 2026 | OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in apply_patch that allows attackers to write or delete files outside the configured workspace directory. When apply_patch is enabled without filesystem sandbox containment, attackers can exploit crafted | ||
| CVE-2026-32059 | — | < 2026.2.23 | 2026.2.23 | Mar 11, 2026 | OpenClaw version 2026.2.22-2 prior to 2026.2.23 tools.exec.safeBins validation for sort command fails to properly validate GNU long-option abbreviations, allowing attackers to bypass denied-flag checks via abbreviated options. Remote attackers can execute sort commands with abbre | ||
| CVE-2026-28476 | Hig | 8.3 | < 2026.2.14 | 2026.2.14 | Mar 5, 2026 | OpenClaw versions prior to 2026.2.14 contain a server-side request forgery vulnerability in the optional Tlon Urbit extension that accepts user-provided base URLs for authentication without proper validation. Attackers who can influence the configured Urbit URL can induce the gat | |
| CVE-2026-28463 | Hig | 8.4 | < 2026.2.14 | 2026.2.14 | Mar 5, 2026 | OpenClaw versions prior to 2026.2.14 contain an arbitrary file read vulnerability in the exec-approvals allowlist validation that checks pre-expansion argv tokens but executes using real shell expansion. Attackers with authorization or through prompt-injection attacks can exploit |
- CVE-2026-22181Mar 18, 2026affected < 2026.3.2fixed 2026.3.2
OpenClaw versions prior to 2026.3.2 contain a DNS pinning bypass vulnerability in strict URL fetch paths that allows attackers to circumvent SSRF guards when environment proxy variables are configured. When HTTP_PROXY, HTTPS_PROXY, or ALL_PROXY environment variables are present,
- CVE-2026-22180Mar 18, 2026affected < 2026.3.2fixed 2026.3.2
OpenClaw versions prior to 2026.3.2 contain a path-confinement bypass vulnerability in browser output handling that allows writes outside intended root directories. Attackers can exploit insufficient canonical path-boundary validation in file write operations to escape root-bound
- CVE-2026-22179Mar 18, 2026affected < 2026.2.22fixed 2026.2.22
OpenClaw versions prior to 2026.2.22 in macOS node-host system.run contain an allowlist bypass vulnerability that allows remote attackers to execute non-allowlisted commands by exploiting improper parsing of command substitution tokens. Attackers can craft shell payloads with com
- CVE-2026-22178Mar 18, 2026affected < 2026.2.19fixed 2026.2.19
OpenClaw versions prior to 2026.2.19 construct RegExp objects directly from unescaped Feishu mention metadata in the stripBotMention function, allowing regex injection and denial of service. Attackers can craft nested-quantifier patterns or metacharacters in mention metadata to t
- CVE-2026-22175Mar 18, 2026affected < 2026.2.23fixed 2026.2.23
OpenClaw versions prior to 2026.2.23 contain an exec approval bypass vulnerability in allowlist mode where allow-always grants could be circumvented through unrecognized multiplexer shell wrappers like busybox and toybox sh -c commands. Attackers can exploit this by invoking arbi
- CVE-2026-22174Mar 18, 2026affected < 2026.2.22fixed 2026.2.22
OpenClaw versions prior to 2026.2.22 inject the x-OpenClaw-relay-token header into Chrome CDP probe traffic on loopback interfaces, allowing local processes to capture the Gateway authentication token. An attacker controlling a loopback port can intercept CDP reachability probes
- CVE-2026-22171Mar 18, 2026affected < 2026.2.19fixed 2026.2.19
OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the Feishu media download flow where untrusted media keys are interpolated directly into temporary file paths in extensions/feishu/src/media.ts. An attacker who can control Feishu media key values retu
- CVE-2026-22170Mar 18, 2026affected < 2026.2.22fixed 2026.2.22
OpenClaw versions prior to 2026.2.22 with the optional BlueBubbles plugin contain an access control bypass vulnerability where empty allowFrom configuration causes dmPolicy pairing and allowlist restrictions to be ineffective. Remote attackers can send direct messages to BlueBubb
- CVE-2026-22169Mar 18, 2026affected < 2026.2.22fixed 2026.2.22
OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in the safeBins configuration that allows attackers to invoke external helpers through the compress-program option. When sort is explicitly added to tools.exec.safeBins, remote attackers can bypass int
- CVE-2026-22168Mar 18, 2026affected < 2026.2.21fixed 2026.2.21
OpenClaw versions prior to 2026.2.21 contain an approval-integrity mismatch vulnerability in system.run that allows authenticated operators to execute arbitrary trailing arguments after cmd.exe /c while approval text reflects only a benign command. Attackers can smuggle malicious
- CVE-2026-32302Mar 12, 2026affected < 2026.3.11fixed 2026.3.11
OpenClaw is a personal AI assistant. Prior to 2026.3.11, browser-originated WebSocket connections could bypass origin validation when gateway.auth.mode was set to trusted-proxy and the request arrived with proxy headers. A page served from an untrusted origin could connect throug
- CVE-2026-4040Mar 12, 2026affected < 2026.2.19fixed 2026.2.19
A vulnerability was identified in OpenClaw up to 2026.2.17. This issue affects the function tools.exec.safeBins of the component File Existence Handler. The manipulation leads to information exposure through discrepancy. The attack needs to be performed locally. Upgrading to vers
- CVE-2026-4039Mar 12, 2026affected < 2026.2.21fixed 2026.2.21
A vulnerability was determined in OpenClaw 2026.2.19-2. This vulnerability affects the function applySkillConfigenvOverrides of the component Skill Env Handler. Executing a manipulation can lead to code injection. It is possible to launch the attack remotely. Upgrading to version
- affected < 2026.2.22fixed 2026.2.22
OpenClaw versions 2026.2.21-2 up to, but not including, 2026.2.22, and @openclaw/voice-call versions 2026.2.21 up to, but not including, 2026.2.22 accept media-stream WebSocket upgrades before stream validation, allowing unauthenticated clients to establish connections. Remote at
- CVE-2026-32063Mar 11, 2026affected < 2026.2.21fixed 2026.2.21
OpenClaw version 2026.2.19-2 prior to 2026.2.21 contains a command injection vulnerability in systemd unit file generation where attacker-controlled environment values are not validated for CR/LF characters, allowing newline injection to break out of Environment= lines and inject
- CVE-2026-32061Mar 11, 2026affected < 2026.2.17fixed 2026.2.17
OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows reading arbitrary local files outside the config directory boundary. Attackers with config modification capabilities can exploit this by specifying absolut
- CVE-2026-32060Mar 11, 2026affected < 2026.2.14fixed 2026.2.14
OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in apply_patch that allows attackers to write or delete files outside the configured workspace directory. When apply_patch is enabled without filesystem sandbox containment, attackers can exploit crafted
- CVE-2026-32059Mar 11, 2026affected < 2026.2.23fixed 2026.2.23
OpenClaw version 2026.2.22-2 prior to 2026.2.23 tools.exec.safeBins validation for sort command fails to properly validate GNU long-option abbreviations, allowing attackers to bypass denied-flag checks via abbreviated options. Remote attackers can execute sort commands with abbre
- affected < 2026.2.14fixed 2026.2.14
OpenClaw versions prior to 2026.2.14 contain a server-side request forgery vulnerability in the optional Tlon Urbit extension that accepts user-provided base URLs for authentication without proper validation. Attackers who can influence the configured Urbit URL can induce the gat
- affected < 2026.2.14fixed 2026.2.14
OpenClaw versions prior to 2026.2.14 contain an arbitrary file read vulnerability in the exec-approvals allowlist validation that checks pre-expansion argv tokens but executes using real shell expansion. Attackers with authorization or through prompt-injection attacks can exploit
Page 16 of 20