openclaw
560 tracked vulnerabilities.
CVE-2026-35661
MEDIUM
OpenClaw < 2026.3.25 - Telegram DM-Scoped Inline Button Callback Authorization Bypass
Apr 10, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-35660
HIGH
OpenClaw < 2026.3.23 - Insufficient Access Control in Gateway Agent Session Reset
Apr 10, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-35659
MEDIUM
OpenClaw < 2026.3.22 - Unresolved Service Metadata Routing via Bonjour and DNS-SD Discovery
Apr 10, 2026
CVSS 4.6
EPSS 0.00
CVE-2026-35658
MEDIUM
OpenClaw < 2026.3.2 - Filesystem Boundary Bypass in Image Tool
Apr 10, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-35657
MEDIUM
OpenClaw < 2026.3.25 - Authorization Bypass in HTTP Session History Route
Apr 10, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-35656
MEDIUM
OpenClaw < 2026.3.22 - XFF Loopback Spoofing Bypass in Canvas Authentication and Rate Limiter
Apr 10, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-35655
MEDIUM
OpenClaw < 2026.3.22 - Identity Spoofing via rawInput Tool in ACP Permission Resolution
Apr 10, 2026
CVSS 5.7
EPSS 0.00
CVE-2026-35654
MEDIUM
OpenClaw < 2026.3.25 - Authorization Bypass in Microsoft Teams Feedback Invoke
Apr 10, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-35653
HIGH
OpenClaw < 2026.3.24 - Incorrect Authorization in POST /reset-profile via browser.request
Apr 10, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-35652
MEDIUM
OpenClaw < 2026.3.22 - Unauthorized Action Execution via Callback Dispatch
Apr 10, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-35651
MEDIUM
OpenClaw 2026.2.13 < 2026.3.25 - ANSI Escape Sequence Injection in Approval Prompt
Apr 10, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-35650
HIGH
OpenClaw < 2026.3.22 - Environment Variable Override Bypass via Inconsistent Sanitization
Apr 10, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-35649
MEDIUM
OpenClaw < 2026.3.22 - Settings Reconciliation Bypass via Empty Allowlist
Apr 10, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-35648
LOW
OpenClaw < 2026.3.22 - Policy Bypass via Unvalidated Queued Node Actions
Apr 10, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-35647
MEDIUM
OpenClaw < 2026.3.25 - Direct Message Policy Bypass via Verification Notices
Apr 10, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-35643
HIGH
OpenClaw < 2026.3.22 - Arbitrary Code Execution via Unvalidated WebView JavascriptInterface
Apr 10, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-35641
HIGH
OpenClaw < 2026.3.24 - Arbitrary Code Execution via .npmrc in Local Plugin/Hook Installation
Apr 10, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-35621
MEDIUM
OpenClaw < 2026.3.24 - Privilege Escalation via chat.send to Allowlist Persistence
Apr 10, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-35620
MEDIUM
OpenClaw < 2026.3.24 - Missing Authorization in /send and /allowlist Chat Commands
Apr 10, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-35619
MEDIUM
OpenClaw < 2026.3.24 - Authorization Bypass via HTTP /v1/models Endpoint
Apr 10, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-6011
MEDIUM
OpenClaw assertPublicHostname web-fetch.ts server-side request forgery
Apr 10, 2026
CVSS 5.6
EPSS 0.00
CVE-2026-35646
MEDIUM
OpenClaw < 2026.3.25 - Pre-Authentication Rate-Limit Bypass in Webhook Token Validation
Apr 09, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-35645
HIGH
OpenClaw < 2026.3.25 - Privilege Escalation via Synthetic operator.admin in deleteSession
Apr 09, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-35644
MEDIUM
OpenClaw < 2026.3.22 - Credential Exposure via baseUrl Fields in Gateway Snapshots
Apr 09, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-35642
MEDIUM
OpenClaw < 2026.3.25 - Authorization Bypass in Group Reactions via requireMention Bypass
Apr 09, 2026
CVSS 4.3
EPSS 0.00
Products
Quick Filters