npm package
openclaw
pkg:npm/openclaw
Vulnerabilities (393)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-28468 | — | >= 2026.1.29-beta.1, < 2026.2.14 | 2026.2.14 | Mar 5, 2026 | OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.14 contain a vulnerability in the sandbox browser bridge server in which it accepts requests without requiring gateway authentication, allowing local attackers to access browser control endpoints. A local attacker can enumerate t | ||
| CVE-2026-28467 | — | < 2026.2.2 | 2026.2.2 | Mar 5, 2026 | OpenClaw versions prior to 2026.2.2 contain a server-side request forgery vulnerability in attachment and media URL hydration that allows remote attackers to fetch arbitrary HTTP(S) URLs. Attackers who can influence media URLs through model-controlled sendAttachment or auto-reply | ||
| CVE-2026-28466 | — | < 2026.2.14 | 2026.2.14 | Mar 5, 2026 | OpenClaw versions prior to 2026.2.14 contain a vulnerability in the gateway in which it fails to sanitize internal approval fields in node.invoke parameters, allowing authenticated clients to bypass exec approval gating for system.run commands. Attackers with valid gateway creden | ||
| CVE-2026-28464 | — | < 2026.2.12 | 2026.2.12 | Mar 5, 2026 | OpenClaw versions prior to 2026.2.12 use non-constant-time string comparison for hook token validation, allowing attackers to infer tokens through timing measurements. Remote attackers with network access to the hooks endpoint can exploit timing side-channels across multiple requ | ||
| CVE-2026-28462 | — | < 2026.2.13 | 2026.2.13 | Mar 5, 2026 | OpenClaw versions prior to 2026.2.13 contain a vulnerability in the browser control API in which it accepts user-supplied output paths for trace and download files without consistently constraining writes to temporary directories. Attackers with API access can exploit path traver | ||
| CVE-2026-28459 | — | < 2026.2.12 | 2026.2.12 | Mar 5, 2026 | OpenClaw versions prior to 2026.2.12 fail to validate the sessionFile path parameter, allowing authenticated gateway clients to write transcript data to arbitrary locations on the host filesystem. Attackers can supply a sessionFile path outside the sessions directory to create fi | ||
| CVE-2026-28458 | — | >= 2026.1.20, < 2026.2.1 | 2026.2.1 | Mar 5, 2026 | OpenClaw version 2026.1.20 prior to 2026.2.1 contains a vulnerability in the Browser Relay (extension must be installed and enabled) /cdp WebSocket endpoint in which it does not require authentication tokens, allowing websites to connect via loopback and access sensitive data. At | ||
| CVE-2026-28457 | — | < 2026.2.14 | 2026.2.14 | Mar 5, 2026 | OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in sandbox skill mirroring (must be enabled) that uses the skill frontmatter name parameter unsanitized when copying skills into the sandbox workspace. Attackers who provide a crafted skill package with t | ||
| CVE-2026-28456 | — | >= 2026.1.5, < 2026.2.14 | 2026.2.14 | Mar 5, 2026 | OpenClaw versions 2026.1.5 prior to 2026.2.14 contain a vulnerability in the Gateway in which it does not sufficiently constrain configured hook module paths before passing them to dynamic import(), allowing code execution. An attacker with gateway configuration modification acce | ||
| CVE-2026-28454 | — | < 2026.2.1 | 2026.2.1 | Mar 5, 2026 | OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode (must be enabled), allowing unauthenticated HTTP POST requests to the webhook endpoint that trust attacker-controlled JSON payloads. Remote attackers can forge Telegram updates by spoofi | ||
| CVE-2026-28453 | — | < 2026.2.14 | 2026.2.14 | Mar 5, 2026 | OpenClaw versions prior to 2026.2.14 fail to validate TAR archive entry paths during extraction, allowing path traversal sequences to write files outside the intended directory. Attackers can craft malicious archives with traversal sequences like ../../ to write files outside ext | ||
| CVE-2026-28452 | — | < 2026.2.14 | 2026.2.14 | Mar 5, 2026 | OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the extractArchive function within src/infra/archive.ts that allows attackers to consume excessive CPU, memory, and disk resources through high-expansion ZIP and TAR archives. Remote attackers can t | ||
| CVE-2026-28451 | — | < 2026.2.14 | 2026.2.14 | Mar 5, 2026 | OpenClaw versions prior to 2026.2.14 contain server-side request forgery vulnerabilities in the Feishu extension that allow attackers to fetch attacker-controlled remote URLs without SSRF protections via sendMediaFeishu function and markdown image processing. Attackers can influe | ||
| CVE-2026-28450 | — | < 2026.2.12 | 2026.2.12 | Mar 5, 2026 | OpenClaw versions prior to 2026.2.12 with the optional Nostr plugin enabled expose unauthenticated HTTP endpoints at /api/channels/nostr/:accountId/profile and /api/channels/nostr/:accountId/profile/import that allow reading and modifying Nostr profiles without gateway authentica | ||
| CVE-2026-28448 | — | >= 2026.1.29, < 2026.2.1 | 2026.2.1 | Mar 5, 2026 | OpenClaw versions 2026.1.29 prior to 2026.2.1 contain a vulnerability in the Twitch plugin (must be installed and enabled) in which it fails to enforce the allowFrom allowlist when allowedRoles is unset or empty, allowing unauthorized Twitch users to trigger agent dispatch. Remot | ||
| CVE-2026-28447 | — | >= 2026.1.20, < 2026.2.1 | 2026.2.1 | Mar 5, 2026 | OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vulnerability in plugin installation that allows malicious plugin package names to escape the extensions directory. Attackers can craft scoped package names containing path traversal sequences like .. t | ||
| CVE-2026-28446 | — | < 2026.2.2 | 2026.2.2 | Mar 5, 2026 | OpenClaw versions prior to 2026.2.1 with the voice-call extension installed and enabled contain an authentication bypass vulnerability in inbound allowlist policy validation that accepts empty caller IDs and uses suffix-based matching instead of strict equality. Remote attackers | ||
| CVE-2026-28394 | — | < 2026.2.15 | 2026.2.15 | Mar 5, 2026 | OpenClaw versions prior to 2026.2.15 contain a denial of service vulnerability in the web_fetch tool that allows attackers to crash the Gateway process through memory exhaustion by parsing oversized or deeply nested HTML responses. Remote attackers can social-engineer users into | ||
| CVE-2026-28393 | — | >= 2.0.0-beta3, < 2026.2.14 | 2026.2.14 | Mar 5, 2026 | OpenClaw versions 2.0.0-beta3 prior to 2026.2.14 contain a path traversal vulnerability in hook transform module loading that allows arbitrary JavaScript execution. The hooks.mappings[].transform.module parameter accepts absolute paths and traversal sequences, enabling attackers | ||
| CVE-2026-28392 | — | < 2026.2.14 | 2026.2.14 | Mar 5, 2026 | OpenClaw versions prior to 2026.2.14 contain a privilege escalation vulnerability in the Slack slash-command handler that incorrectly authorizes any direct message sender when dmPolicy is set to open (must be configured). Attackers can execute privileged slash commands via direct |
- CVE-2026-28468Mar 5, 2026affected >= 2026.1.29-beta.1, < 2026.2.14fixed 2026.2.14
OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.14 contain a vulnerability in the sandbox browser bridge server in which it accepts requests without requiring gateway authentication, allowing local attackers to access browser control endpoints. A local attacker can enumerate t
- CVE-2026-28467Mar 5, 2026affected < 2026.2.2fixed 2026.2.2
OpenClaw versions prior to 2026.2.2 contain a server-side request forgery vulnerability in attachment and media URL hydration that allows remote attackers to fetch arbitrary HTTP(S) URLs. Attackers who can influence media URLs through model-controlled sendAttachment or auto-reply
- CVE-2026-28466Mar 5, 2026affected < 2026.2.14fixed 2026.2.14
OpenClaw versions prior to 2026.2.14 contain a vulnerability in the gateway in which it fails to sanitize internal approval fields in node.invoke parameters, allowing authenticated clients to bypass exec approval gating for system.run commands. Attackers with valid gateway creden
- CVE-2026-28464Mar 5, 2026affected < 2026.2.12fixed 2026.2.12
OpenClaw versions prior to 2026.2.12 use non-constant-time string comparison for hook token validation, allowing attackers to infer tokens through timing measurements. Remote attackers with network access to the hooks endpoint can exploit timing side-channels across multiple requ
- CVE-2026-28462Mar 5, 2026affected < 2026.2.13fixed 2026.2.13
OpenClaw versions prior to 2026.2.13 contain a vulnerability in the browser control API in which it accepts user-supplied output paths for trace and download files without consistently constraining writes to temporary directories. Attackers with API access can exploit path traver
- CVE-2026-28459Mar 5, 2026affected < 2026.2.12fixed 2026.2.12
OpenClaw versions prior to 2026.2.12 fail to validate the sessionFile path parameter, allowing authenticated gateway clients to write transcript data to arbitrary locations on the host filesystem. Attackers can supply a sessionFile path outside the sessions directory to create fi
- CVE-2026-28458Mar 5, 2026affected >= 2026.1.20, < 2026.2.1fixed 2026.2.1
OpenClaw version 2026.1.20 prior to 2026.2.1 contains a vulnerability in the Browser Relay (extension must be installed and enabled) /cdp WebSocket endpoint in which it does not require authentication tokens, allowing websites to connect via loopback and access sensitive data. At
- CVE-2026-28457Mar 5, 2026affected < 2026.2.14fixed 2026.2.14
OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in sandbox skill mirroring (must be enabled) that uses the skill frontmatter name parameter unsanitized when copying skills into the sandbox workspace. Attackers who provide a crafted skill package with t
- CVE-2026-28456Mar 5, 2026affected >= 2026.1.5, < 2026.2.14fixed 2026.2.14
OpenClaw versions 2026.1.5 prior to 2026.2.14 contain a vulnerability in the Gateway in which it does not sufficiently constrain configured hook module paths before passing them to dynamic import(), allowing code execution. An attacker with gateway configuration modification acce
- CVE-2026-28454Mar 5, 2026affected < 2026.2.1fixed 2026.2.1
OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode (must be enabled), allowing unauthenticated HTTP POST requests to the webhook endpoint that trust attacker-controlled JSON payloads. Remote attackers can forge Telegram updates by spoofi
- CVE-2026-28453Mar 5, 2026affected < 2026.2.14fixed 2026.2.14
OpenClaw versions prior to 2026.2.14 fail to validate TAR archive entry paths during extraction, allowing path traversal sequences to write files outside the intended directory. Attackers can craft malicious archives with traversal sequences like ../../ to write files outside ext
- CVE-2026-28452Mar 5, 2026affected < 2026.2.14fixed 2026.2.14
OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the extractArchive function within src/infra/archive.ts that allows attackers to consume excessive CPU, memory, and disk resources through high-expansion ZIP and TAR archives. Remote attackers can t
- CVE-2026-28451Mar 5, 2026affected < 2026.2.14fixed 2026.2.14
OpenClaw versions prior to 2026.2.14 contain server-side request forgery vulnerabilities in the Feishu extension that allow attackers to fetch attacker-controlled remote URLs without SSRF protections via sendMediaFeishu function and markdown image processing. Attackers can influe
- CVE-2026-28450Mar 5, 2026affected < 2026.2.12fixed 2026.2.12
OpenClaw versions prior to 2026.2.12 with the optional Nostr plugin enabled expose unauthenticated HTTP endpoints at /api/channels/nostr/:accountId/profile and /api/channels/nostr/:accountId/profile/import that allow reading and modifying Nostr profiles without gateway authentica
- CVE-2026-28448Mar 5, 2026affected >= 2026.1.29, < 2026.2.1fixed 2026.2.1
OpenClaw versions 2026.1.29 prior to 2026.2.1 contain a vulnerability in the Twitch plugin (must be installed and enabled) in which it fails to enforce the allowFrom allowlist when allowedRoles is unset or empty, allowing unauthorized Twitch users to trigger agent dispatch. Remot
- CVE-2026-28447Mar 5, 2026affected >= 2026.1.20, < 2026.2.1fixed 2026.2.1
OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vulnerability in plugin installation that allows malicious plugin package names to escape the extensions directory. Attackers can craft scoped package names containing path traversal sequences like .. t
- CVE-2026-28446Mar 5, 2026affected < 2026.2.2fixed 2026.2.2
OpenClaw versions prior to 2026.2.1 with the voice-call extension installed and enabled contain an authentication bypass vulnerability in inbound allowlist policy validation that accepts empty caller IDs and uses suffix-based matching instead of strict equality. Remote attackers
- CVE-2026-28394Mar 5, 2026affected < 2026.2.15fixed 2026.2.15
OpenClaw versions prior to 2026.2.15 contain a denial of service vulnerability in the web_fetch tool that allows attackers to crash the Gateway process through memory exhaustion by parsing oversized or deeply nested HTML responses. Remote attackers can social-engineer users into
- CVE-2026-28393Mar 5, 2026affected >= 2.0.0-beta3, < 2026.2.14fixed 2026.2.14
OpenClaw versions 2.0.0-beta3 prior to 2026.2.14 contain a path traversal vulnerability in hook transform module loading that allows arbitrary JavaScript execution. The hooks.mappings[].transform.module parameter accepts absolute paths and traversal sequences, enabling attackers
- CVE-2026-28392Mar 5, 2026affected < 2026.2.14fixed 2026.2.14
OpenClaw versions prior to 2026.2.14 contain a privilege escalation vulnerability in the Slack slash-command handler that incorrectly authorizes any direct message sender when dmPolicy is set to open (must be configured). Attackers can execute privileged slash commands via direct
Page 18 of 20