openclaw

477 tracked vulnerabilities.

| CVE | Severity | Title | Published | CVSS | EPSS |
|---|---|---|---|---|---|
| CVE-2026-35632 | HIGH | OpenClaw < 2026.2.22 - Symlink Traversal via IDENTITY.md appendFile in agents.create/update | Apr 09, 2026 | 7.1 | 0.00 |
| CVE-2026-35631 | MEDIUM | OpenClaw < 2026.3.22 - Missing Authorization Enforcement in Internal ACP Chat Commands | Apr 09, 2026 | 6.5 | 0.00 |
| CVE-2026-35629 | HIGH | OpenClaw < 2026.3.25 - Server-Side Request Forgery via Unguarded Configured Base URLs in Channel Extensions | Apr 09, 2026 | 7.4 | 0.00 |
| CVE-2026-35628 | MEDIUM | OpenClaw < 2026.3.25 - Brute-Force Attack via Missing Telegram Webhook Rate Limiting | Apr 09, 2026 | 4.8 | 0.00 |
| CVE-2026-35627 | MEDIUM | OpenClaw < 2026.3.22 - Unauthenticated Cryptographic Work in Nostr Inbound DM Handling | Apr 09, 2026 | 6.5 | 0.00 |
| CVE-2026-35626 | MEDIUM | OpenClaw < 2026.3.22 - Unauthenticated Resource Exhaustion via Voice Call Webhook | Apr 09, 2026 | 5.3 | 0.00 |
| CVE-2026-35625 | HIGH | OpenClaw < 2026.3.25 - Privilege Escalation via Silent Local Shared-Auth Reconnect | Apr 09, 2026 | 7.8 | 0.00 |
| CVE-2026-35624 | MEDIUM | OpenClaw < 2026.3.22 - Policy Confusion via Room Name Collision in Nextcloud Talk | Apr 09, 2026 | 4.2 | 0.00 |
| CVE-2026-35623 | MEDIUM | OpenClaw < 2026.3.25 - Brute-Force Attack via Missing Webhook Password Rate Limiting | Apr 09, 2026 | 4.8 | 0.00 |
| CVE-2026-35622 | MEDIUM | OpenClaw < 2026.3.22 - Improper Authentication Verification in Google Chat Webhook | Apr 09, 2026 | 5.9 | 0.00 |
| CVE-2026-35618 | MEDIUM | OpenClaw < 2026.3.23 - Replay Identity Drift via Query-Only Variants in Plivo V2 Verification | Apr 09, 2026 | 6.5 | 0.00 |
| CVE-2026-35617 | MEDIUM | OpenClaw < 2026.3.25 - Authorization Bypass via Group Policy Rebinding with Mutable Space displayName | Apr 09, 2026 | 4.2 | 0.00 |
| CVE-2026-34512 | HIGH | OpenClaw < 2026.3.25 - Improper Access Control in /sessions/:sessionKey/kill Endpoint | Apr 09, 2026 | 8.1 | 0.00 |
| CVE-2026-40037 | MEDIUM | OpenClaw < 2026.3.31 - Unsafe Request Body Replay via fetchWithSsrFGuard Cross-Origin Redirects | Apr 08, 2026 | 6.5 | 0.00 |
| CVE-2026-34511 | MEDIUM | OpenClaw < 2026.4.2 - PKCE Verifier Exposure via OAuth State Parameter | Apr 03, 2026 | 5.3 | 0.00 |
| CVE-2026-34426 | HIGH | OpenClaw - Approval Bypass via Environment Variable Normalization | Apr 02, 2026 | 7.6 | 0.00 |
| CVE-2026-34425 | MEDIUM | OpenClaw - Shell-Bleed Protection Preflight Validation Bypass | Apr 02, 2026 | 5.4 | 0.00 |
| CVE-2026-34510 | MEDIUM | OpenClaw < 2026.3.22 - Remote File URL Acceptance in Windows Media Loaders | Apr 01, 2026 | 5.3 | 0.00 |
| CVE-2026-34504 | HIGH | OpenClaw < 2026.3.28 - Server-Side Request Forgery via Unguarded Image Download in fal Provider | Mar 31, 2026 | 8.3 | 0.00 |
| CVE-2026-34503 | HIGH | OpenClaw < 2026.3.28 - Incomplete WebSocket Session Termination on Device Removal and Token Revocation | Mar 31, 2026 | 8.1 | 0.00 |
| CVE-2026-33581 | MEDIUM | OpenClaw < 2026.3.24 - Arbitrary File Read via mediaUrl and fileUrl Parameters | Mar 31, 2026 | 6.5 | 0.00 |
| CVE-2026-33580 | MEDIUM | OpenClaw < 2026.3.28 - Brute Force Attack via Missing Rate Limiting on Webhook Shared Secret Authentication | Mar 31, 2026 | 6.5 | 0.00 |
| CVE-2026-33579 | CRITICAL | OpenClaw < 2026.3.28 - Privilege Escalation via Missing Caller Scope Validation in Device Pair Approval | Mar 31, 2026 | 9.9 | 0.00 |
| CVE-2026-33578 | MEDIUM | OpenClaw < 2026.3.28 - Sender Policy Allowlist Bypass via Policy Downgrade in Google Chat and Zalouser Extensions | Mar 31, 2026 | 4.3 | 0.00 |
| CVE-2026-33577 | HIGH | OpenClaw < 2026.3.28 - Insufficient Scope Validation in node.pair.approve | Mar 31, 2026 | 8.1 | 0.00 |