Openclaw
Sign in to watchby OpenClaw
Source repositories
CVEs (467)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-35666 | Hig | 0.50 | 8.8 | 0.00 | Apr 10, 2026 | OpenClaw before 2026.3.22 contains an allowlist bypass vulnerability in system.run approvals that fails to unwrap /usr/bin/time wrappers. Attackers can bypass executable binding restrictions by using an unregistered time wrapper to reuse approval state for inner commands. | |
| CVE-2026-35663 | Hig | 0.50 | 8.8 | 0.00 | Apr 10, 2026 | OpenClaw before 2026.3.25 contains a privilege escalation vulnerability allowing non-admin operators to self-request broader scopes during backend reconnect. Attackers can bypass pairing requirements to reconnect as operator.admin, gaining unauthorized administrative privileges. | |
| CVE-2026-35643 | Hig | 0.50 | 8.8 | 0.00 | Apr 10, 2026 | OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing attackers to inject arbitrary instructions. Untrusted pages can invoke the canvas bridge to execute malicious code within the Android application context. | |
| CVE-2026-35639 | Hig | 0.50 | 8.8 | 0.00 | Apr 9, 2026 | OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the device.pair.approve method that allows an operator.pairing approver to approve pending device requests with broader operator scopes than the approver actually holds. Attackers can exploit insufficient scope validation to escalate privileges to operator.admin and achieve remote code execution on the Node infrastructure. | |
| CVE-2026-35638 | Hig | 0.50 | 8.8 | 0.00 | Apr 9, 2026 | OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the Control UI that allows unauthenticated sessions to retain self-declared privileged scopes without device identity verification. Attackers can exploit the device-less allow path in the trusted-proxy mechanism to maintain elevated permissions by declaring arbitrary scopes, bypassing device identity requirements. | |
| CVE-2026-44116 | Hig | 0.49 | 8.6 | 0.00 | May 6, 2026 | OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthorized access to internal resources. | |
| CVE-2026-43533 | Hig | 0.49 | 8.6 | 0.00 | May 5, 2026 | OpenClaw before 2026.4.10 contains an arbitrary file read vulnerability in QQBot media tags that allows attackers to reference host-local paths outside the intended media storage boundary. Attackers can craft malicious reply text containing media tags to disclose arbitrary local files through outbound media handling. | |
| CVE-2026-41294 | Hig | 0.49 | 8.6 | 0.00 | Apr 21, 2026 | OpenClaw before 2026.3.28 loads the current working directory .env file before trusted state-dir configuration, allowing environment variable injection. Attackers can place a malicious .env file in a repository or workspace to override runtime configuration and security-sensitive environment settings during OpenClaw startup. | |
| CVE-2026-32988 | Hig | 0.49 | 7.5 | 0.00 | Mar 31, 2026 | OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in fs-bridge staged writes where temporary file creation and population are not pinned to a verified parent directory. Attackers can exploit a race condition in parent-path alias changes to write attacker-controlled bytes outside the intended validated path before the final guarded replace step executes. | |
| CVE-2026-42439 | Hig | 0.48 | 8.5 | 0.00 | May 5, 2026 | OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in the browser tabs action select and close routes. Attackers can bypass configured browser SSRF policy protections by exploiting the /tabs/action endpoint to perform unauthorized tab navigation operations. | |
| CVE-2026-41914 | Hig | 0.48 | 8.5 | 0.00 | Apr 28, 2026 | OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in QQ Bot media download paths that bypass SSRF protection. Attackers can exploit unprotected media fetch endpoints to access internal resources and bypass allowlist policies. | |
| CVE-2026-3690 | Hig | 0.48 | 7.4 | 0.00 | Apr 11, 2026 | OpenClaw Canvas Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of OpenClaw. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the the authentication function for canvas endpoints. The issue results from improper implementation of authentication. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-29311. | |
| CVE-2026-33572 | Hig | 0.48 | 8.4 | 0.00 | Mar 29, 2026 | OpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local users to read transcript contents. Attackers with local access can read transcript files to extract sensitive information including secrets from tool output. | |
| CVE-2026-28463 | Hig | 0.48 | 8.4 | 0.00 | Mar 5, 2026 | OpenClaw versions prior to 2026.2.14 contain an arbitrary file read vulnerability in the exec-approvals allowlist validation that checks pre-expansion argv tokens but executes using real shell expansion. Attackers with authorization or through prompt-injection attacks can exploit safe binaries like head, tail, or grep with glob patterns or environment variables to disclose files readable by the gateway or node process when host execution is enabled in allowlist mode. | |
| CVE-2026-34504 | Hig | 0.47 | 8.3 | 0.00 | Mar 31, 2026 | OpenClaw before 2026.3.28 contains a server-side request forgery vulnerability in the fal provider image-generation-provider.ts component that allows attackers to fetch internal URLs. A malicious or compromised fal relay can exploit unguarded image download fetches to expose internal service metadata and responses through the image pipeline. | |
| CVE-2026-28476 | Hig | 0.47 | 8.3 | 0.00 | Mar 5, 2026 | OpenClaw versions prior to 2026.2.14 contain a server-side request forgery vulnerability in the optional Tlon Urbit extension that accepts user-provided base URLs for authentication without proper validation. Attackers who can influence the configured Urbit URL can induce the gateway to make HTTP requests to arbitrary hosts including internal addresses. | |
| CVE-2026-43585 | Hig | 0.46 | 8.1 | 0.00 | May 6, 2026 | OpenClaw before 2026.4.15 captures resolved bearer-auth configuration at startup, allowing revoked tokens to remain valid after SecretRef rotation. Gateway HTTP and WebSocket handlers fail to re-resolve authentication per-request, enabling attackers to use rotated-out bearer tokens for unauthorized gateway access. | |
| CVE-2026-43526 | Hig | 0.46 | 8.2 | 0.00 | May 5, 2026 | OpenClaw before 2026.4.12 contains a server-side request forgery vulnerability in QQBot reply media URL handling that allows attackers to fetch arbitrary content. Attackers can exploit this by providing malicious media URLs that trigger SSRF requests, with fetched bytes subsequently re-uploaded through the channel. | |
| CVE-2026-42431 | Hig | 0.46 | 8.1 | 0.00 | Apr 28, 2026 | OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invoke(browser.proxy) that allows mutation of persistent browser profiles. Attackers can exploit this path to circumvent the browser.request persistent profile-mutation guard and modify browser configurations. | |
| CVE-2026-41394 | Hig | 0.46 | 8.2 | 0.00 | Apr 28, 2026 | OpenClaw before 2026.3.31 contains an authentication bypass vulnerability where unauthenticated plugin-auth HTTP routes receive operator runtime write scopes. Attackers can access these routes without authentication to perform privileged runtime actions intended for authorized operators. |
Page 3 of 24