Peter Steinberger

176 exploits Active since Feb 2026
CVE-2026-41386 WRITEUP CRITICAL WRITEUP
OpenClaw < 2026.3.22 - Privilege Escalation via Unbound Bootstrap Setup Codes
OpenClaw before 2026.3.22 contains a privilege escalation vulnerability where bootstrap setup codes are not bound to intended device roles and scopes during pairing. Attackers can exploit this during first-use device pairing to escalate privileges beyond their intended role and scope.
CVSS 9.1
CVE-2026-41353 WRITEUP HIGH WRITEUP
OpenClaw < 2026.3.22 - allowProfiles Bypass via Profile Mutation and Runtime Selection
OpenClaw before 2026.3.22 contains an access control bypass vulnerability in the allowProfiles feature that allows attackers to circumvent profile restrictions through persistent profile mutation and runtime profile selection. Remote attackers can exploit this by manipulating browser proxy profiles at runtime to access restricted profiles and bypass intended access controls.
CVSS 8.1
CVE-2026-35658 WRITEUP MEDIUM WRITEUP
OpenClaw < 2026.3.2 - Filesystem Boundary Bypass in Image Tool
OpenClaw before 2026.3.2 contains a filesystem boundary bypass vulnerability in the image tool that fails to honor tools.fs.workspaceOnly restrictions. Attackers can traverse sandbox bridge mounts outside the workspace to read files that other filesystem tools would reject.
CVSS 6.5
CVE-2026-35620 WRITEUP MEDIUM WRITEUP
OpenClaw < 2026.3.24 - Missing Authorization in /send and /allowlist Chat Commands
OpenClaw before 2026.3.24 contains missing authorization vulnerabilities in the /send and /allowlist chat command handlers. The /send command allows non-owner command-authorized senders to change owner-only session delivery policy settings, and the /allowlist mutating commands fail to enforce operator.admin scope. Attackers with operator.write scope can invoke /send on|off|inherit to persistently mutate the current session's sendPolicy, and execute /allowlist add commands to modify config-backed allowFrom entries and pairing-store allowlist entries without proper admin authorization.
CVSS 5.4
CVE-2026-35653 WRITEUP HIGH WRITEUP
OpenClaw < 2026.3.24 - Incorrect Authorization in POST /reset-profile via browser.request
OpenClaw before 2026.3.24 contains an incorrect authorization vulnerability in the POST /reset-profile endpoint that allows authenticated callers with operator.write access to browser.request to bypass profile mutation restrictions. Attackers can invoke POST /reset-profile through the browser.request surface to stop the running browser, close Playwright connections, and move profile directories to Trash, crossing intended privilege boundaries.
CVSS 8.1
CVE-2026-35659 WRITEUP MEDIUM WRITEUP
OpenClaw < 2026.3.22 - Unresolved Service Metadata Routing via Bonjour and DNS-SD Discovery
OpenClaw before 2026.3.22 contains a service discovery vulnerability where TXT metadata from Bonjour and DNS-SD could influence CLI routing even when actual service resolution failed. Attackers can exploit unresolved hints to steer routing decisions to unintended targets by providing malicious discovery metadata.
CVSS 4.6
CVE-2026-35666 WRITEUP HIGH WRITEUP
OpenClaw < 2026.3.22 - Allowlist Bypass via Unregistered Time Dispatch Wrapper
OpenClaw before 2026.3.22 contains an allowlist bypass vulnerability in system.run approvals that fails to unwrap /usr/bin/time wrappers. Attackers can bypass executable binding restrictions by using an unregistered time wrapper to reuse approval state for inner commands.
CVSS 8.8
CVE-2026-35670 WRITEUP MEDIUM WRITEUP
OpenClaw < 2026.3.22 - Webhook Reply Rebinding via Username Resolution in Synology Chat
OpenClaw before 2026.3.22 contains a webhook reply delivery vulnerability that allows attackers to rebind chat replies to unintended users by exploiting mutable username matching instead of stable numeric user identifiers. Attackers can manipulate username changes to redirect webhook-triggered replies to different users, bypassing the intended recipient binding recorded in webhook events.
CVSS 5.9
CVE-2026-6011 WRITEUP MEDIUM WRITEUP
OpenClaw assertPublicHostname web-fetch.ts server-side request forgery
A weakness has been identified in OpenClaw up to 2026.1.26. Affected by this issue is some unknown functionality of the file src/agents/tools/web-fetch.ts of the component assertPublicHostname Handler. Executing a manipulation can lead to server-side request forgery. The attack can be executed remotely. This attack is characterized by high complexity. The exploitation is known to be difficult. The exploit has been made available to the public and could be used for attacks. Upgrading to version 2026.1.29 can resolve this issue. This patch is called b623557a2ec7e271bda003eb3ac33fbb2e218505. Upgrading the affected component is advised.
CVSS 5.6
CVE-2026-35626 WRITEUP MEDIUM WRITEUP
OpenClaw < 2026.3.22 - Unauthenticated Resource Exhaustion via Voice Call Webhook
OpenClaw before 2026.3.22 contains an unauthenticated resource exhaustion vulnerability in voice call webhook handling that buffers request bodies before provider signature checks. Attackers can send large or malicious webhook requests to exhaust server resources without authentication by bypassing signature validation.
CVSS 5.3
CVE-2026-35627 WRITEUP MEDIUM WRITEUP
OpenClaw < 2026.3.22 - Unauthenticated Cryptographic Work in Nostr Inbound DM Handling
OpenClaw before 2026.3.22 performs cryptographic and dispatch operations on inbound Nostr direct messages before enforcing sender and pairing policy validation. Attackers can trigger unauthorized pre-authentication computation by sending crafted DM messages, enabling denial of service through resource exhaustion.
CVSS 6.5
CVE-2026-35633 WRITEUP MEDIUM WRITEUP
OpenClaw < 2026.3.22 - Unbounded Memory Allocation via Remote Media Error Responses
OpenClaw before 2026.3.22 contains an unbounded memory allocation vulnerability in remote media HTTP error handling that allows attackers to trigger excessive memory consumption. Attackers can send crafted HTTP error responses with large bodies to remote media endpoints, causing the application to allocate unbounded memory before failure handling occurs.
CVSS 5.3
CVE-2026-35635 WRITEUP MEDIUM WRITEUP
OpenClaw < 2026.3.22 - Webhook Path Route Replacement Vulnerability in Synology Chat
OpenClaw before 2026.3.22 contains a webhook path route replacement vulnerability in the Synology Chat extension that allows attackers to collapse multi-account configurations onto shared webhook paths. Attackers can exploit inherited or duplicate webhook paths to bypass per-account DM access control policies and replace route ownership across accounts.
CVSS 4.8
CVE-2026-35637 WRITEUP HIGH WRITEUP
OpenClaw < 2026.3.22 - Premature Cite Expansion Before Authorization in Channel and DM
OpenClaw before 2026.3.22 performs cite expansion before completing channel and DM authorization checks, allowing cite work and content handling prior to final auth decisions. Attackers can exploit this timing vulnerability to access or manipulate content before proper authorization validation occurs.
CVSS 7.3
CVE-2026-35638 WRITEUP HIGH WRITEUP
OpenClaw < 2026.3.22 - Privilege Escalation via Self-Declared Scopes in Trusted-Proxy Control UI
OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the Control UI that allows unauthenticated sessions to retain self-declared privileged scopes without device identity verification. Attackers can exploit the device-less allow path in the trusted-proxy mechanism to maintain elevated permissions by declaring arbitrary scopes, bypassing device identity requirements.
CVSS 8.8
CVE-2026-34510 WRITEUP MEDIUM WRITEUP
OpenClaw < 2026.3.22 - Remote File URL Acceptance in Windows Media Loaders
OpenClaw before 2026.3.22 contains a path traversal vulnerability in Windows media loaders that accepts remote-host file URLs and UNC-style paths before local-path validation. Attackers can exploit this by providing network-hosted file targets that are treated as local content, bypassing intended access restrictions.
CVSS 5.3
CVE-2026-32921 WRITEUP MEDIUM WRITEUP
OpenClaw < 2026.3.8 - Script Content Modification via Mutable Operand Binding in system.run
OpenClaw before 2026.3.8 contains an approval bypass vulnerability in system.run where mutable script operands are not bound across approval and execution phases. Attackers can obtain approval for script execution, modify the approved script file before execution, and execute different content while maintaining the same approved command shape.
CVSS 6.3
CVE-2026-34506 WRITEUP MEDIUM WRITEUP
OpenClaw < 2026.3.8 - Sender Allowlist Bypass in Microsoft Teams Plugin via Route Allowlist Configuration
OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message handler synthesizes wildcard sender authorization, permitting any sender in the matched team/channel to trigger replies in allowlisted Teams routes.
CVSS 4.3
CVE-2026-34509 WRITEUP MEDIUM WRITEUP
OpenClaw < 2026.3.8 - Sender Allowlist Bypass in Microsoft Teams Plugin via Route Allowlist Configuration
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CVSS 4.3
CVE-2026-33574 WRITEUP MEDIUM WRITEUP
OpenClaw < 2026.3.8 - Path Traversal via Tools Root Rebinding in Skills Download
OpenClaw before 2026.3.8 contains a path traversal vulnerability in the skills download installer that validates the tools root lexically but reuses the mutable path during archive download and copy operations. A local attacker can rebind the tools-root path between validation and final write to redirect the installer outside the intended tools directory.
CVSS 6.2
CVE-2026-27183 WRITEUP MEDIUM WRITEUP
OpenClaw < 2026.3.7 - Shell Approval Gating Bypass via Dispatch Wrapper Depth Mismatch
OpenClaw versions prior to 2026.3.7 contain a shell approval gating bypass vulnerability in system.run dispatch-wrapper handling that allows attackers to skip shell wrapper approval requirements. The approval classifier and execution planner apply different depth-boundary rules, permitting exactly four transparent dispatch wrappers like repeated env invocations before /bin/sh -c to bypass security=allowlist approval gating by misaligning classification with execution planning.
CVSS 5.3
CVE-2026-27646 WRITEUP MEDIUM WRITEUP
OpenClaw <2026.3.7 - Sandbox Escape
OpenClaw versions prior to 2026.3.7 contain a sandbox escape vulnerability in the /acp spawn command that allows authorized sandboxed sessions to initialize host-side ACP runtime. Attackers can bypass sandbox restrictions by invoking the /acp spawn slash-command to cross from sandboxed chat context into host-side ACP session initialization when ACP is enabled.
CVSS 6.1
CVE-2026-32042 WRITEUP HIGH WRITEUP
OpenClaw < 2026.2.25 - Privilege Escalation via Unpaired Device Identity in Shared Gateway Authentication
OpenClaw versions 2026.2.22 prior to 2026.2.25 contain a privilege escalation vulnerability allowing unpaired device identities to bypass operator pairing requirements and self-assign elevated operator scopes including operator.admin. Attackers with valid shared gateway authentication can present a self-signed unpaired device identity to request and obtain higher operator scopes before pairing approval is granted.
CVSS 8.8
CVE-2026-32043 WRITEUP MEDIUM WRITEUP
OpenClaw < 2026.2.25 - Time-of-Check-Time-of-Use via Mutable Symlink in system.run cwd Parameter
OpenClaw versions prior to 2026.2.25 contain a time-of-check-time-of-use vulnerability in approval-bound system.run execution where the cwd parameter is validated at approval time but resolved at execution time. Attackers can retarget a symlinked cwd between approval and execution to bypass command execution restrictions and execute arbitrary commands on node hosts.
CVSS 6.5
CVE-2026-32044 WRITEUP MEDIUM WRITEUP
OpenClaw < 2026.3.2 - Tar Archive Safety Bypass in Skills Installation
OpenClaw versions prior to 2026.3.2 contain an archive extraction vulnerability in the tar.bz2 installer path that bypasses safety checks enforced on other archive formats. Attackers can craft malicious tar.bz2 skill archives to bypass special-entry blocking and extracted-size guardrails, causing local denial of service during skill installation.
CVSS 5.5