VYPR

npm package

openclaw

pkg:npm/openclaw

Vulnerabilities (392)

  • CVE-2026-26324, Feb 19, 2026
    affected < 2026.2.14; fixed 2026.2.14

    OpenClaw is a personal AI assistant. Prior to version 2026.2.14, OpenClaw's SSRF protection could be bypassed using full-form IPv4-mapped IPv6 literals such as `0:0:0:0:0:ffff:7f00:1` (which is `127.0.0.1`). This could allow requests that should be blocked (loopback / private net

  • CVE-2026-26323, Feb 19, 2026
    affected >= 2026.1.8, < 2026.2.14; fixed 2026.2.14

    OpenClaw is a personal AI assistant. Versions 2026.1.8 through 2026.2.13 have a command injection in the maintainer/dev script `scripts/update-clawtributors.ts`. The issue affects contributors/maintainers (or CI) who run `bun scripts/update-clawtributors.ts` in a source checkout

  • CVE-2026-26322, Feb 19, 2026
    affected < 2026.2.14; fixed 2026.2.14

    OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Gateway tool accepted a tool-supplied `gatewayUrl` without sufficient restrictions, which could cause the OpenClaw host to attempt outbound WebSocket connections to user-specified targets. This requires

  • CVE-2026-26321, Feb 19, 2026
    affected < 2026.2.14; fixed 2026.2.14

    OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Feishu extension previously allowed `sendMediaFeishu` to treat attacker-controlled `mediaUrl` values as local filesystem paths and read them directly. If an attacker can influence tool calls (directly o

  • CVE-2026-26320, Feb 19, 2026
    affected >= 2026.2.6-0, < 2026.2.14; fixed 2026.2.14

    OpenClaw is a personal AI assistant. OpenClaw macOS desktop client registers the `openclaw://` URL scheme. For `openclaw://agent` deep links without an unattended `key`, the app shows a confirmation dialog that previously displayed only the first 240 characters of the message, bu

  • CVE-2026-26319, Feb 19, 2026
    affected < 2026.2.14; fixed 2026.2.14

    OpenClaw is a personal AI assistant. Versions 2026.2.13 and below allow the optional @openclaw/voice-call plugin Telnyx webhook handler to accept unsigned inbound webhook requests when telnyx.publicKey is not configured, enabling unauthenticated callers to forge Telnyx events. Te

  • CVE-2026-26317, Feb 19, 2026
    affected < 2026.2.14; fixed 2026.2.14

    OpenClaw is a personal AI assistant. Prior to 2026.2.14, browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malic

  • CVE-2026-26316, Feb 19, 2026
    affected < 2026.2.13; fixed 2026.2.13

    OpenClaw is a personal AI assistant. Prior to 2026.2.13, the optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopback (`127.0.0.1`, `::1`, `::ffff:127.0.0.1`) even when the configured webhook sec

  • CVE-2026-25474, Feb 19, 2026
    affected < 2026.2.1; fixed 2026.2.1

    OpenClaw is a personal AI assistant. In versions 2026.1.30 and below, if channels.telegram.webhookSecret is not set when in Telegram webhook mode, OpenClaw may accept webhook HTTP requests without verifying Telegram’s secret token header. In deployments where the webhook endpoint

  • CVE-2026-24764, Feb 19, 2026
    affected < 2026.2.3; fixed 2026.2.3

    OpenClaw (formerly Clawdbot) is a personal AI assistant users run on their own devices. In versions 2026.2.2 and below, when the Slack integration is enabled, channel metadata (topic/description) can be incorporated into the model's system prompt. Prompt injection is a documented

  • CVE-2026-25593, Feb 6, 2026
    affected < 2026.1.20; fixed 2026.1.20

    OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user.

  • CVE-2026-25475, Feb 4, 2026
    affected < 2026.1.30; fixed 2026.1.30

    OpenClaw is a personal AI assistant. Prior to version 2026.1.30, the isValidMedia() function in src/media/parse.ts allows arbitrary file paths including absolute paths, home directory paths, and directory traversal sequences. An agent can read any file on the system by outputting

Page 20 of 20