openclaw

477 tracked vulnerabilities.

| CVE | Severity | Title | Published | CVSS | EPSS |
|---|---|---|---|---|---|
| CVE-2026-32924 | CRITICAL | OpenClaw < 2026.3.12 - Authorization Bypass via Misclassified Reaction Events in Feishu | Mar 29, 2026 | 9.8 | 0.00 |
| CVE-2026-32923 | MEDIUM | OpenClaw < 2026.3.11 - Authorization Bypass in Discord Guild Reaction Allowlist Enforcement | Mar 29, 2026 | 5.4 | 0.00 |
| CVE-2026-32922 | CRITICAL | OpenClaw < 2026.3.11 - Privilege Escalation via Unvalidated Scope in device.token.rotate | Mar 29, 2026 | 9.9 | 0.00 |
| CVE-2026-32919 | MEDIUM | OpenClaw < 2026.3.11 - Unauthorized Session Reset via agent Slash Commands | Mar 29, 2026 | 6.1 | 0.00 |
| CVE-2026-32918 | HIGH | OpenClaw < 2026.3.11 - Session Sandbox Escape via session_status Tool | Mar 29, 2026 | 8.4 | 0.00 |
| CVE-2026-32915 | HIGH | OpenClaw < 2026.3.11 - Sandbox Boundary Bypass via Subagent Control Surface | Mar 29, 2026 | 8.8 | 0.00 |
| CVE-2026-32914 | HIGH | OpenClaw < 2026.3.12 - Insufficient Access Control in /config and /debug Endpoints | Mar 29, 2026 | 8.8 | 0.00 |
| CVE-2026-32846 | HIGH | OpenClaw Media Parsing Path Traversal to Arbitrary File Read | Mar 26, 2026 | 7.5 | 0.00 |
| CVE-2026-32913 | CRITICAL | OpenClaw < 2026.3.7 - Custom Authorization Header Leakage via Cross-Origin Redirects | Mar 23, 2026 | 9.3 | 0.00 |
| CVE-2026-27646 | MEDIUM | OpenClaw < 2026.3.7 - Sandbox Escape | Mar 23, 2026 | 6.1 | 0.00 |
| CVE-2026-27183 | MEDIUM | OpenClaw < 2026.3.7 - Shell Approval Gating Bypass via Dispatch Wrapper Depth Mismatch | Mar 23, 2026 | 5.3 | 0.00 |
| CVE-2026-32899 | MEDIUM | OpenClaw < 2026.2.25 - Sender Policy Bypass in Slack Reaction and Pin Event Handlers | Mar 21, 2026 | 4.3 | 0.00 |
| CVE-2026-32898 | MEDIUM | OpenClaw < 2026.2.23 - ACP Permission Auto-Approval Bypass via Untrusted Tool Metadata | Mar 21, 2026 | 5.4 | 0.00 |
| CVE-2026-32897 | LOW | OpenClaw < 2026.2.22 - Authentication Token Reuse in Owner ID Prompt Hashing Fallback | Mar 21, 2026 | 3.7 | 0.00 |
| CVE-2026-32896 | MEDIUM | OpenClaw < 2026.2.21 - Unauthenticated Webhook Access via Passwordless Fallback in BlueBubbles Plugin | Mar 21, 2026 | 4.8 | 0.00 |
| CVE-2026-32895 | MEDIUM | OpenClaw < 2026.2.26 - Sender Authorization Bypass in Slack System Event Handlers | Mar 21, 2026 | 5.4 | 0.00 |
| CVE-2026-32067 | LOW | OpenClaw < 2026.2.26 - Cross-Account Authorization Bypass in DM Pairing Store | Mar 21, 2026 | 3.7 | 0.00 |
| CVE-2026-32065 | MEDIUM | OpenClaw < 2026.2.25 - Approval Identity Mismatch in system.run Command Execution | Mar 21, 2026 | 4.8 | 0.00 |
| CVE-2026-32064 | HIGH | OpenClaw < 2026.2.21 - Missing VNC Authentication in Sandbox Browser noVNC Observer | Mar 21, 2026 | 7.7 | 0.00 |
| CVE-2026-32058 | LOW | OpenClaw < 2026.2.26 - Approval Context-Binding Weakness in system.run via host=node | Mar 21, 2026 | 2.6 | 0.00 |
| CVE-2026-32057 | HIGH | OpenClaw < 2026.2.25 - Authentication Bypass via Control UI client.id Parameter | Mar 21, 2026 | 7.1 | 0.00 |
| CVE-2026-32056 | HIGH | OpenClaw < 2026.2.22 - Remote Code Execution via Shell Startup Environment Variable Injection in system.run | Mar 21, 2026 | 7.5 | 0.00 |
| CVE-2026-32055 | HIGH | OpenClaw < 2026.2.26 - Workspace Path Boundary Bypass via Non-existent Symlink | Mar 21, 2026 | 7.6 | 0.00 |
| CVE-2026-32054 | MEDIUM | OpenClaw < 2026.2.25 - Symlink Traversal in Browser Trace/Download Path Handling | Mar 21, 2026 | 6.5 | 0.00 |
| CVE-2026-32053 | MEDIUM | OpenClaw < 2026.2.23 - Twilio Webhook Replay Bypass via Randomized Event ID Normalization | Mar 21, 2026 | 6.5 | 0.00 |