VYPR

npm package

openclaw

pkg:npm/openclaw

Vulnerabilities (393)

  • CVE-2026-28391Mar 5, 2026
    affected < 2026.2.2fixed 2026.2.2

    OpenClaw versions prior to 2026.2.2 fail to properly validate Windows cmd.exe metacharacters in allowlist-gated exec requests (non-default configuration), allowing attackers to bypass command approval restrictions. Remote attackers can craft command strings with shell metacharact

  • CVE-2026-28363Feb 27, 2026
    affected < 2026.2.23fixed 2026.2.23

    In OpenClaw before 2026.2.23, tools.exec.safeBins validation for sort could be bypassed via GNU long-option abbreviations (such as --compress-prog) in allowlist mode, leading to approval-free execution paths that were intended to require approval. Only an exact string such as --c

  • CVE-2026-27576Feb 21, 2026
    affected < 2026.2.19fixed 2026.2.19

    OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the ACP bridge accepts very large prompt text blocks and can assemble oversized prompt payloads before forwarding them to chat.send. Because ACP runs over local stdio, this mainly affects local ACP clients (for

  • CVE-2026-27488Feb 21, 2026
    affected < 2026.2.19fixed 2026.2.19

    OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, Cron webhook delivery in src/gateway/server-cron.ts uses fetch() directly, so webhook targets can reach private/metadata/internal endpoints without SSRF policy checks. This issue was fixed in version 2026.2.19.

  • CVE-2026-27487Feb 21, 2026
    affected < 2026.2.14fixed 2026.2.14

    OpenClaw is a personal AI assistant. In versions 2026.2.13 and below, when using macOS, the Claude CLI keychain credential refresh path constructed a shell command to write the updated JSON blob into Keychain via security add-generic-password -w .... Because OAuth tokens are user

  • CVE-2026-27486Feb 21, 2026
    affected < 2026.2.14fixed 2026.2.14

    OpenClaw is a personal AI assistant. In versions 2026.2.13 and below of the OpenClaw CLI, the process cleanup uses system-wide process enumeration and pattern matching to terminate processes without verifying if they are owned by the current OpenClaw process. On shared hosts, unr

  • CVE-2026-27485Feb 21, 2026
    affected < 2026.2.19fixed 2026.2.19

    OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, skills/skill-creator/scripts/package_skill.py (a local helper script used when authors package skills) previously followed symlinks while building .skill archives. If an author runs this script on a crafted loc

  • CVE-2026-27484Feb 21, 2026
    affected < 2026.2.18fixed 2026.2.18

    OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the Discord moderation action handling (timeout, kick, ban) uses sender identity from request parameters in tool-driven flows, instead of trusted runtime sender context. In setups where Discord moderation actio

  • CVE-2026-27009Feb 19, 2026
    affected < 2026.2.15fixed 2026.2.15

    OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a atored XSS issue in the OpenClaw Control UI when rendering assistant identity (name/avatar) into an inline `` could break ou

  • CVE-2026-27008Feb 19, 2026
    affected < 2026.2.15fixed 2026.2.15

    OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a bug in `download` skill installation allowed `targetDir` values from skill frontmatter to resolve outside the per-skill tools directory if not strictly validated. In the admin-only `skills.install` flow, this coul

  • CVE-2026-27007Feb 19, 2026
    affected < 2026.2.15fixed 2026.2.15

    OpenClaw is a personal AI assistant. Prior to version 2026.2.15, `normalizeForHash` in `src/agents/sandbox/config-hash.ts` recursively sorted arrays that contained only primitive values. This made order-sensitive sandbox configuration arrays hash to the same value even when order

  • CVE-2026-27004Feb 19, 2026
    affected < 2026.2.15fixed 2026.2.15

    OpenClaw is a personal AI assistant. Prior to version 2026.2.15, in some shared-agent deployments, OpenClaw session tools (`sessions_list`, `sessions_history`, `sessions_send`) allowed broader session targeting than some operators intended. This is primarily a configuration/visib

  • CVE-2026-27003Feb 19, 2026
    affected < 2026.2.15fixed 2026.2.15

    OpenClaw is a personal AI assistant. Telegram bot tokens can appear in error messages and stack traces (for example, when request URLs include `https://api.telegram.org/bot/...`). Prior to version 2026.2.15, OpenClaw logged these strings without redaction, which could leak

  • CVE-2026-27002Feb 19, 2026
    affected < 2026.2.15fixed 2026.2.15

    OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a configuration injection issue in the Docker tool sandbox could allow dangerous Docker options (bind mounts, host networking, unconfined profiles) to be applied, enabling container escape or host data access. OpenC

  • CVE-2026-27001Feb 19, 2026
    affected < 2026.2.15fixed 2026.2.15

    OpenClaw is a personal AI assistant. Prior to version 2026.2.15, OpenClaw embedded the current working directory (workspace path) into the agent system prompt without sanitization. If an attacker can cause OpenClaw to run inside a directory whose name contains control/format char

  • CVE-2026-26972Feb 19, 2026
    affected >= 2026.1.12, < 2026.2.13fixed 2026.2.13

    OpenClaw is a personal AI assistant. In versions 2026.1.12 through 2026.2.12, OpenClaw browser download helpers accepted an unsanitized output path. When invoked via the browser control gateway routes, this allowed path traversal to write downloads outside the intended OpenClaw t

  • CVE-2026-26329Feb 19, 2026
    affected < 2026.2.14fixed 2026.2.14

    OpenClaw is a personal AI assistant. Prior to version 2026.2.14, authenticated attackers can read arbitrary files from the Gateway host by supplying absolute paths or path traversal sequences to the browser tool's `upload` action. The server passed these paths to Playwright's `se

  • CVE-2026-26328Feb 19, 2026
    affected < 2026.2.14fixed 2026.2.14

    OpenClaw is a personal AI assistant. Prior to version 2026.2.14, under iMessage `groupPolicy=allowlist`, group authorization could be satisfied by sender identities coming from the DM pairing store, broadening DM trust into group contexts. Version 2026.2.14 fixes the issue.

  • CVE-2026-26327Feb 19, 2026
    affected < 2026.2.14fixed 2026.2.14

    OpenClaw is a personal AI assistant. Discovery beacons (Bonjour/mDNS and DNS-SD) include TXT records such as `lanHost`, `tailnetDns`, `gatewayPort`, and `gatewayTlsSha256`. TXT records are unauthenticated. Prior to version 2026.2.14, some clients treated TXT values as authoritati

  • CVE-2026-26326Feb 19, 2026
    affected < 2026.2.14fixed 2026.2.14

    OpenClaw is a personal AI assistant. Prior to version 2026.2.14, `skills.status` could disclose secrets to `operator.read` clients by returning raw resolved config values in `configChecks` for skill `requires.config` paths. Version 2026.2.14 stops including raw resolved config va

Page 19 of 20