npm package

openclaw

pkg:npm/openclaw

Vulnerabilities (392)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-42431	Hig	8.1	< 2026.4.8	2026.4.8	Apr 28, 2026	OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invoke(browser.proxy) that allows mutation of persistent browser profiles. Attackers can exploit this path to circumvent the browser.request persistent profile-mutation guard and modify browser configuratio
CVE-2026-42430	Med	6.5	< 2026.4.8	2026.4.8	Apr 28, 2026	OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in Playwright redirect handling that allows attackers to bypass strict SSRF checks. Attackers can exploit request-time navigation to reach private targets that should be restricted by browser SSRF prote
CVE-2026-42429	Hig	7.1	< 2026.4.8	2026.4.8	Apr 28, 2026	OpenClaw before 2026.4.8 contains a privilege escalation vulnerability in the gateway plugin HTTP authentication mechanism that widens identity-bearing operator.read requests into runtime operator.write permissions. Attackers can exploit this by sending read-scoped requests throu
CVE-2026-42428	Hig	7.1	< 2026.4.8	2026.4.8	Apr 28, 2026	OpenClaw versions before 2026.4.8 fail to enforce integrity verification on downloaded plugin archives. Attackers can install malicious or tampered plugin packages without detection, compromising the local assistant environment.
CVE-2026-42427	Med	5.3	< 2026.4.8	2026.4.8	Apr 28, 2026	OpenClaw before 2026.4.8 contains a remote code execution vulnerability caused by missing environment variable denylist entries for HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS. Attackers can inject malicious build tool environment variables to influence host
CVE-2026-42426	Hig	8.8	< 2026.4.8	2026.4.8	Apr 28, 2026	OpenClaw before 2026.4.8 contains an improper authorization vulnerability where the node.pair.approve method accepts operator.write scope instead of the narrower operator.pairing scope, allowing unprivileged users to approve node pairing. Attackers with operator.write permissions
CVE-2026-42424	Med	5.7	< 2026.4.8	2026.4.8	Apr 28, 2026	OpenClaw before 2026.4.8 treats shared reply MEDIA paths as trusted, allowing crafted references to trigger cross-channel local file exfiltration. Attackers can exploit this by crafting malicious shared reply MEDIA references to cause another channel to read local file paths as t
CVE-2026-42423	Hig	7.5	< 2026.4.8	2026.4.8	Apr 28, 2026	OpenClaw before 2026.4.8 contains an approval-timeout fallback mechanism that bypasses strictInlineEval explicit-approval requirements on gateway and node exec hosts. Attackers can exploit this timeout fallback to execute inline eval commands that should require explicit user app
CVE-2026-42422	Hig	8.8	< 2026.4.8	2026.4.8	Apr 28, 2026	OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function that allows minting tokens for unapproved roles. Attackers can bypass device role-upgrade pairing to preserve or mint roles and scopes that had not undergone intended approval.
CVE-2026-42421	Med	5.4	< 2026.4.8	2026.4.8	Apr 28, 2026	OpenClaw before 2026.4.8 contains a session management vulnerability where existing WebSocket sessions survive shared gateway token rotation. Attackers can maintain unauthorized access to WebSocket connections after token rotation by exploiting the failure to disconnect existing
CVE-2026-42420	Med	4.3	< 2026.4.8	2026.4.8	Apr 28, 2026	OpenClaw before 2026.4.8 contains improper input validation in base64 decode paths that allocate memory before enforcing decoded-size limits. Attackers can exploit multiple code paths to cause memory exhaustion or denial of service through crafted base64-encoded input.
CVE-2026-41916	Med	5.4	< 2026.4.8	2026.4.8	Apr 28, 2026	OpenClaw before 2026.4.8 contains an authentication state management vulnerability where the resolvedAuth closure becomes stale after configuration reload. Newly accepted gateway connections continue using outdated resolved auth state, allowing attackers to bypass authentication
CVE-2026-41915	Med	5.3	< 2026.4.8	2026.4.8	Apr 28, 2026	OpenClaw before 2026.4.8 fails to remove git plumbing environment variables from the execution environment before host exec operations. Attackers can exploit this by setting GIT_DIR and related variables to redirect git operations and compromise repository integrity.
CVE-2026-41914	Hig	8.5	< 2026.4.8	2026.4.8	Apr 28, 2026	OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in QQ Bot media download paths that bypass SSRF protection. Attackers can exploit unprotected media fetch endpoints to access internal resources and bypass allowlist policies.
CVE-2026-41913	Low	3.7	< 2026.4.4	2026.4.4	Apr 28, 2026	OpenClaw before 2026.4.4 contains a race condition vulnerability in shared-secret authentication that allows concurrent asynchronous requests to bypass the per-key rate-limit budget. Attackers can exploit this by sending multiple simultaneous authentication attempts to circumvent
CVE-2026-41912	Hig	7.6	< 2026.4.8	2026.4.8	Apr 28, 2026	OpenClaw before 2026.4.8 contains a server-side request forgery policy bypass vulnerability allowing attackers to trigger navigations bypassing normal SSRF checks. Attackers can exploit browser interactions to bypass SSRF protections and access restricted resources.
CVE-2026-41911	Med	6.5	< 2026.4.8	2026.4.8	Apr 28, 2026	OpenClaw before 2026.4.8 contains a filesystem policy bypass vulnerability in docx upload processing that allows local file reads outside workspace boundaries. Attackers can exploit upload_file and upload_image endpoints to access files beyond the intended workspace-only filesyst
CVE-2026-41910	Med	4.3	< 2026.4.8	2026.4.8	Apr 28, 2026	OpenClaw before 2026.4.8 omits owner-only enforcement for cross-channel allowlist writes in the /allowlist endpoint. An authorized non-owner sender can bypass access controls to perform allowlist modifications against different channels, violating the intended trust model.
CVE-2026-41408	Med	4.3	< 2026.3.31	2026.3.31	Apr 28, 2026	OpenClaw before 2026.3.31 contains a resource exhaustion vulnerability in media downloads that bypasses core safety limits for file size, count, and cleanup operations. Attackers can exhaust disk space by downloading media files without triggering intended safety restrictions, ca
CVE-2026-41407	Low	3.7	< 2026.4.2	2026.4.2	Apr 28, 2026	OpenClaw before 2026.4.2 contains a timing side channel vulnerability in shared-secret comparison call sites that use early length-mismatch checks instead of fixed-length comparison helpers. Attackers can measure timing differences to leak secret-length information, weakening con

CVE-2026-42431HigApr 28, 2026
affected < 2026.4.8fixed 2026.4.8
OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invoke(browser.proxy) that allows mutation of persistent browser profiles. Attackers can exploit this path to circumvent the browser.request persistent profile-mutation guard and modify browser configuratio
CVE-2026-42430MedApr 28, 2026
affected < 2026.4.8fixed 2026.4.8
OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in Playwright redirect handling that allows attackers to bypass strict SSRF checks. Attackers can exploit request-time navigation to reach private targets that should be restricted by browser SSRF prote
CVE-2026-42429HigApr 28, 2026
affected < 2026.4.8fixed 2026.4.8
OpenClaw before 2026.4.8 contains a privilege escalation vulnerability in the gateway plugin HTTP authentication mechanism that widens identity-bearing operator.read requests into runtime operator.write permissions. Attackers can exploit this by sending read-scoped requests throu
CVE-2026-42428HigApr 28, 2026
affected < 2026.4.8fixed 2026.4.8
OpenClaw versions before 2026.4.8 fail to enforce integrity verification on downloaded plugin archives. Attackers can install malicious or tampered plugin packages without detection, compromising the local assistant environment.
CVE-2026-42427MedApr 28, 2026
affected < 2026.4.8fixed 2026.4.8
OpenClaw before 2026.4.8 contains a remote code execution vulnerability caused by missing environment variable denylist entries for HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS. Attackers can inject malicious build tool environment variables to influence host
CVE-2026-42426HigApr 28, 2026
affected < 2026.4.8fixed 2026.4.8
OpenClaw before 2026.4.8 contains an improper authorization vulnerability where the node.pair.approve method accepts operator.write scope instead of the narrower operator.pairing scope, allowing unprivileged users to approve node pairing. Attackers with operator.write permissions
CVE-2026-42424MedApr 28, 2026
affected < 2026.4.8fixed 2026.4.8
OpenClaw before 2026.4.8 treats shared reply MEDIA paths as trusted, allowing crafted references to trigger cross-channel local file exfiltration. Attackers can exploit this by crafting malicious shared reply MEDIA references to cause another channel to read local file paths as t
CVE-2026-42423HigApr 28, 2026
affected < 2026.4.8fixed 2026.4.8
OpenClaw before 2026.4.8 contains an approval-timeout fallback mechanism that bypasses strictInlineEval explicit-approval requirements on gateway and node exec hosts. Attackers can exploit this timeout fallback to execute inline eval commands that should require explicit user app
CVE-2026-42422HigApr 28, 2026
affected < 2026.4.8fixed 2026.4.8
OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function that allows minting tokens for unapproved roles. Attackers can bypass device role-upgrade pairing to preserve or mint roles and scopes that had not undergone intended approval.
CVE-2026-42421MedApr 28, 2026
affected < 2026.4.8fixed 2026.4.8
OpenClaw before 2026.4.8 contains a session management vulnerability where existing WebSocket sessions survive shared gateway token rotation. Attackers can maintain unauthorized access to WebSocket connections after token rotation by exploiting the failure to disconnect existing
CVE-2026-42420MedApr 28, 2026
affected < 2026.4.8fixed 2026.4.8
OpenClaw before 2026.4.8 contains improper input validation in base64 decode paths that allocate memory before enforcing decoded-size limits. Attackers can exploit multiple code paths to cause memory exhaustion or denial of service through crafted base64-encoded input.
CVE-2026-41916MedApr 28, 2026
affected < 2026.4.8fixed 2026.4.8
OpenClaw before 2026.4.8 contains an authentication state management vulnerability where the resolvedAuth closure becomes stale after configuration reload. Newly accepted gateway connections continue using outdated resolved auth state, allowing attackers to bypass authentication
CVE-2026-41915MedApr 28, 2026
affected < 2026.4.8fixed 2026.4.8
OpenClaw before 2026.4.8 fails to remove git plumbing environment variables from the execution environment before host exec operations. Attackers can exploit this by setting GIT_DIR and related variables to redirect git operations and compromise repository integrity.
CVE-2026-41914HigApr 28, 2026
affected < 2026.4.8fixed 2026.4.8
OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in QQ Bot media download paths that bypass SSRF protection. Attackers can exploit unprotected media fetch endpoints to access internal resources and bypass allowlist policies.
CVE-2026-41913LowApr 28, 2026
affected < 2026.4.4fixed 2026.4.4
OpenClaw before 2026.4.4 contains a race condition vulnerability in shared-secret authentication that allows concurrent asynchronous requests to bypass the per-key rate-limit budget. Attackers can exploit this by sending multiple simultaneous authentication attempts to circumvent
CVE-2026-41912HigApr 28, 2026
affected < 2026.4.8fixed 2026.4.8
OpenClaw before 2026.4.8 contains a server-side request forgery policy bypass vulnerability allowing attackers to trigger navigations bypassing normal SSRF checks. Attackers can exploit browser interactions to bypass SSRF protections and access restricted resources.
CVE-2026-41911MedApr 28, 2026
affected < 2026.4.8fixed 2026.4.8
OpenClaw before 2026.4.8 contains a filesystem policy bypass vulnerability in docx upload processing that allows local file reads outside workspace boundaries. Attackers can exploit upload_file and upload_image endpoints to access files beyond the intended workspace-only filesyst
CVE-2026-41910MedApr 28, 2026
affected < 2026.4.8fixed 2026.4.8
OpenClaw before 2026.4.8 omits owner-only enforcement for cross-channel allowlist writes in the /allowlist endpoint. An authorized non-owner sender can bypass access controls to perform allowlist modifications against different channels, violating the intended trust model.
CVE-2026-41408MedApr 28, 2026
affected < 2026.3.31fixed 2026.3.31
OpenClaw before 2026.3.31 contains a resource exhaustion vulnerability in media downloads that bypasses core safety limits for file size, count, and cleanup operations. Attackers can exhaust disk space by downloading media files without triggering intended safety restrictions, ca
CVE-2026-41407LowApr 28, 2026
affected < 2026.4.2fixed 2026.4.2
OpenClaw before 2026.4.2 contains a timing side channel vulnerability in shared-secret comparison call sites that use early length-mismatch checks instead of fixed-length comparison helpers. Attackers can measure timing differences to leak secret-length information, weakening con

Page 3 of 20