openclaw
477 tracked vulnerabilities.
CVE             | Severity | Published    | CVSS | EPSS | Title
CVE-2026-8634   | CRITICAL | May 14, 2026 | 9.1  | 0.00 | Crabbox < v0.12.0 Environment Variable Information Disclosure
CVE-2026-8629   | HIGH     | May 14, 2026 | 8.1  | 0.00 | Crabbox < v0.12.0 Privilege Escalation via Agent Ticket Endpoints
CVE-2026-8621   | HIGH     | May 14, 2026 | 8.8  | 0.00 | Crabbox < v0.12.0 Authentication Bypass via Header Spoofing
CVE-2026-45224  | HIGH     | May 11, 2026 | 7.1  | 0.00 | Crabbox < 0.9.0 Path Traversal via Islo Provider Workspace Resolution
CVE-2026-45223  | HIGH     | May 11, 2026 | 8.8  | 0.00 | Crabbox < 0.9.0 Authentication Bypass via Admin Claim Injection
CVE-2026-8305   | HIGH     | May 11, 2026 | 7.3  | 0.00 | OpenClaw bluebubbles Webhook monitor.ts handleBlueBubblesWebhookRequest improper authentication
CVE-2026-45006  | HIGH     | May 11, 2026 | 8.8  | 0.00 | OpenClaw < 2026.4.23 - Unsafe Config Mutation via Gateway Tool Denylist Bypass
CVE-2026-45005  | MEDIUM   | May 11, 2026 | 6.0  | 0.00 | OpenClaw < 2026.4.23 - Webhook Route Secret Cache Not Invalidated After Rotation
CVE-2026-45004  | HIGH     | May 11, 2026 | 7.8  | 0.00 | OpenClaw < 2026.4.23 - Arbitrary Code Execution via setup-api.js in Current Working Directory
CVE-2026-45003  | MEDIUM   | May 11, 2026 | 5.0  | 0.00 | OpenClaw < 2026.4.22 - Connector Endpoint Host Override via Workspace dotenv Files
CVE-2026-45002  | MEDIUM   | May 11, 2026 | 5.3  | 0.00 | OpenClaw < 2026.4.20 - Hook Session-Key Bypass via Template Mapping
CVE-2026-45001  | HIGH     | May 11, 2026 | 7.1  | 0.00 | OpenClaw < 2026.4.20 - Gateway Config Mutation Guard Bypass via Agent Tool Access
CVE-2026-45000  | MEDIUM   | May 11, 2026 | 5.0  | 0.00 | OpenClaw < 2026.4.20 - Server-Side Request Forgery via Browser CDP Profile Creation
CVE-2026-44999  | MEDIUM   | May 11, 2026 | 5.3  | 0.00 | OpenClaw < 2026.4.20 - Improper Trust Labeling in Isolated Cron Awareness Events
CVE-2026-44998  | MEDIUM   | May 11, 2026 | 5.4  | 0.00 | OpenClaw < 2026.4.20 - Tool Policy Bypass via Bundled MCP/LSP Tools
CVE-2026-44997  | MEDIUM   | May 11, 2026 | 4.3  | 0.00 | OpenClaw < 2026.4.22 - Security Envelope Constraint Bypass in ACP Child Sessions
CVE-2026-44996  | LOW      | May 11, 2026 | 3.7  | 0.00 | OpenClaw < 2026.4.15 - Arbitrary Local File Read via Webchat Audio Embedding
CVE-2026-44995  | HIGH     | May 11, 2026 | 7.3  | 0.00 | OpenClaw < 2026.4.20 - Arbitrary Code Execution via MCP stdio Environment Variables
CVE-2026-44994  | MEDIUM   | May 11, 2026 | 5.3  | 0.00 | OpenClaw < 2026.4.22 - Authentication Bypass in Gateway Control UI Bootstrap Config Endpoint
CVE-2026-44993  | MEDIUM   | May 11, 2026 | 5.4  | 0.00 | OpenClaw < 2026.4.20 - Direct Message Misclassification in Feishu Card Actions
CVE-2026-44992  | MEDIUM   | May 11, 2026 | 5.0  | 0.00 | OpenClaw 2026.4.5 < 2026.4.20 - MiniMax API Host Override via Workspace dotenv
CVE-2026-44991  | MEDIUM   | May 11, 2026 | 4.2  | 0.00 | OpenClaw < 2026.4.21 - Authorization Bypass in Owner-Enforced Commands via Wildcard Channel Senders
CVE-2026-44118  | HIGH     | May 06, 2026 | 7.8  | 0.00 | OpenClaw < 2026.4.22 - Owner Context Spoofing via Bearer Token Header
CVE-2026-44117  | MEDIUM   | May 06, 2026 | 5.8  | 0.00 | OpenClaw < 2026.4.20 - Server-Side Request Forgery in QQBot Direct Media Upload
CVE-2026-44116  | HIGH     | May 06, 2026 | 8.6  | 0.00 | OpenClaw < 2026.4.22 - Server-Side Request Forgery in Zalo Photo URL Validation