openclaw
560 tracked vulnerabilities.
CVE-2026-41352
HIGH
OpenClaw < 2026.3.31 - Remote Code Execution via Node Scope Gate Bypass
Apr 23, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-41351
MEDIUM
OpenClaw < 2026.3.31 - Webhook Replay Detection Bypass via Base64 Signature Re-encoding
Apr 23, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-41350
MEDIUM
OpenClaw < 2026.3.31 - Session Visibility Bypass via session_status in Unsandboxed Invocations
Apr 23, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-41349
HIGH
OpenClaw < 2026.3.28 - Agentic Consent Bypass via config.patch
Apr 23, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-41348
MEDIUM
OpenClaw < 2026.3.31 - Group DM Channel Allowlist Bypass via Discord Slash Commands
Apr 23, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-41347
HIGH
OpenClaw < 2026.3.31 - Cross-Site Request Forgery via Missing Browser-Origin Validation in HTTP Operator Endpoints
Apr 23, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-41346
MEDIUM
OpenClaw 2026.2.26 < 2026.3.31 - Denial of Service via Improper Pending Pairing Request Cap Enforcement
Apr 23, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-41345
MEDIUM
OpenClaw < 2026.3.31 - Authorization Header Leak via Cross-Origin Redirect in Media Download
Apr 23, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-41344
MEDIUM
OpenClaw < 2026.3.28 - Privilege Escalation via chat.send /verbose Parameter
Apr 23, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-41343
MEDIUM
OpenClaw < 2026.3.31 - Denial of Service via LINE Webhook Handler Pre-Auth Concurrency
Apr 23, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-41342
HIGH
OpenClaw < 2026.3.28 - Unauthenticated Discovery Endpoint Credential Exfiltration via Remote Onboarding
Apr 23, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-41341
MEDIUM
OpenClaw < 2026.3.31 - Component Interaction Misclassification in Discord Extension
Apr 23, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-41340
MEDIUM
OpenClaw < 2026.3.31 - Authentication Boundary Bypass via Telegram Legacy allowFrom Migration
Apr 23, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41339
MEDIUM
OpenClaw < 2026.4.2 - Information Disclosure via Gateway Connect Snapshot
Apr 23, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-41338
MEDIUM
OpenClaw < 2026.3.31 - Time-of-Check-Time-of-Use (TOCTOU) Vulnerability in Sandbox File Operations
Apr 23, 2026
CVSS 5.0
EPSS 0.00
CVE-2026-41337
MEDIUM
OpenClaw < 2026.3.31 - Callback Origin Mutation in Plivo Voice-call Replay
Apr 23, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-41336
HIGH
OpenClaw < 2026.3.31 - Arbitrary Hook Code Execution via OPENCLAW_BUNDLED_HOOKS_DIR Environment Variable Override
Apr 23, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-41335
MEDIUM
OpenClaw < 2026.3.31 - Information Disclosure via Control UI Bootstrap JSON
Apr 23, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-41334
MEDIUM
OpenClaw < 2026.3.31 - Decompression Bomb Denial of Service via Image Pixel-Limit Guard Bypass
Apr 23, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41333
LOW
OpenClaw < 2026.3.31 - Authentication Rate Limiting Bypass via Fake DeviceToken
Apr 23, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-41332
MEDIUM
OpenClaw < 2026.3.28 - Code Execution via Missing Environment Variable Blocklist
Apr 23, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-41909
MEDIUM
OpenClaw < 2026.4.20 - Improper Authorization in Paired-Device Pairing Actions
Apr 23, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-41908
MEDIUM
OpenClaw < 2026.4.20 - Scope Enforcement Bypass in Assistant-Media Route
Apr 23, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-41331
MEDIUM
OpenClaw < 2026.3.31 - Resource Consumption via Unauthorized Telegram Audio Preflight Transcription
Apr 21, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-41330
MEDIUM
OpenClaw < 2026.3.31 - Environment Variable Override via Host Exec Policy
Apr 21, 2026
CVSS 4.4
EPSS 0.00
Products
Quick Filters