openclaw

477 tracked vulnerabilities.

| CVE | Severity | Title | Published | CVSS | EPSS |
|---|---|---|---|---|---|
| CVE-2026-33576 | MEDIUM | OpenClaw < 2026.3.28 - Unauthorized Media Download via Zalo Channel | Mar 31, 2026 | 6.5 | 0.00 |
| CVE-2026-34506 | MEDIUM | OpenClaw < 2026.3.8 - Sender Allowlist Bypass in Microsoft Teams Plugin via Route Allowlist Configuration | Mar 31, 2026 | 4.3 | 0.00 |
| CVE-2026-34505 | MEDIUM | OpenClaw < 2026.3.12 - Webhook Rate Limiting Bypass via Pre-Authentication Secret Validation | Mar 31, 2026 | 6.5 | 0.00 |
| CVE-2026-32988 | HIGH | OpenClaw < 2026.3.11 - Sandbox Boundary Bypass via Unvalidated Temporary File Creation | Mar 31, 2026 | 7.5 | 0.00 |
| CVE-2026-32982 | HIGH | OpenClaw < 2026.3.13 - Telegram Bot Token Exposure in Media Fetch Error Logs | Mar 31, 2026 | 7.5 | 0.00 |
| CVE-2026-32977 | MEDIUM | OpenClaw < 2026.3.11 - Sandbox Boundary Bypass via Unanchored writeFile Commit Path | Mar 31, 2026 | 6.3 | 0.00 |
| CVE-2026-32976 | MEDIUM | OpenClaw < 2026.3.11 - Account-Scoped configWrites Policy Bypass via Channel Commands | Mar 31, 2026 | 6.5 | 0.00 |
| CVE-2026-32971 | HIGH | OpenClaw < 2026.3.11 - Node-Host Approval UI Mismatch Allows Execution of Unintended Commands | Mar 31, 2026 | 7.1 | 0.00 |
| CVE-2026-32970 | LOW | OpenClaw < 2026.3.11 - Credential Fallback Logic Bypass via Unavailable Local Auth SecretRefs | Mar 31, 2026 | 2.5 | 0.00 |
| CVE-2026-32921 | MEDIUM | OpenClaw < 2026.3.8 - Script Content Modification via Mutable Operand Binding in system.run | Mar 31, 2026 | 6.3 | 0.00 |
| CVE-2026-32920 | HIGH | OpenClaw < 2026.3.12 - Arbitrary Code Execution via Auto-Discovery of Workspace Plugins | Mar 31, 2026 | 8.4 | 0.00 |
| CVE-2026-32917 | CRITICAL | OpenClaw < 2026.3.13 - Remote Command Injection via Unsanitized iMessage Attachment Paths in SCP | Mar 31, 2026 | 9.8 | 0.01 |
| CVE-2026-32916 | CRITICAL | OpenClaw 2026.3.7 < 2026.3.11 - Authorization Bypass in Plugin Subagent Routes via Synthetic Admin Scopes | Mar 31, 2026 | 9.4 | 0.00 |
| CVE-2026-33575 | HIGH | OpenClaw < 2026.3.12 - Long-lived Credential Exposure in Pairing Setup Codes | Mar 29, 2026 | 7.5 | 0.00 |
| CVE-2026-33574 | MEDIUM | OpenClaw < 2026.3.8 - Path Traversal via Tools Root Rebinding in Skills Download | Mar 29, 2026 | 6.2 | 0.00 |
| CVE-2026-33573 | HIGH | OpenClaw < 2026.3.11 - Workspace Boundary Bypass via Agent RPC Parameters | Mar 29, 2026 | 8.8 | 0.00 |
| CVE-2026-33572 | HIGH | OpenClaw < 2026.2.17 - Insufficient File Permissions in Session Transcript Files | Mar 29, 2026 | 8.4 | 0.00 |
| CVE-2026-32987 | CRITICAL | OpenClaw < 2026.3.13 - Bootstrap Setup Code Replay via Device Pairing | Mar 29, 2026 | 9.8 | 0.00 |
| CVE-2026-32980 | HIGH | OpenClaw < 2026.3.13 - Resource Exhaustion via Unauthenticated Telegram Webhook Request | Mar 29, 2026 | 7.5 | 0.00 |
| CVE-2026-32979 | HIGH | OpenClaw < 2026.3.11 - Unbound Interpreter and Runtime Commands Bypass in node-host Approval | Mar 29, 2026 | 7.3 | 0.00 |
| CVE-2026-32978 | HIGH | OpenClaw < 2026.3.11 - Approval Bypass via Unrecognized Script Runners | Mar 29, 2026 | 8.0 | 0.00 |
| CVE-2026-32975 | CRITICAL | OpenClaw < 2026.3.12 - Weak Authorization via Mutable Group Names in Zalouser Allowlist | Mar 29, 2026 | 9.8 | 0.00 |
| CVE-2026-32974 | HIGH | OpenClaw < 2026.3.12 - Forged Event Injection via Feishu Webhook Verification Token | Mar 29, 2026 | 8.6 | 0.00 |
| CVE-2026-32973 | CRITICAL | OpenClaw < 2026.3.11 - Exec Allowlist Pattern Overmatch via POSIX Path Normalization | Mar 29, 2026 | 9.8 | 0.00 |
| CVE-2026-32972 | HIGH | OpenClaw < 2026.3.11 - Authorization Bypass in Browser Profile Management via browser.request | Mar 29, 2026 | 7.1 | 0.00 |