openclaw
560 tracked vulnerabilities.
CVE-2026-35640
MEDIUM
OpenClaw < 2026.3.25 - Denial of Service via Unauthenticated Webhook Request Parsing
Apr 09, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-35639
HIGH
OpenClaw < 2026.3.22 - Privilege Escalation via device.pair.approve Scope Validation
Apr 09, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-35638
HIGH
OpenClaw < 2026.3.22 - Privilege Escalation via Self-Declared Scopes in Trusted-Proxy Control UI
Apr 09, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-35637
HIGH
OpenClaw < 2026.3.22 - Premature Cite Expansion Before Authorization in Channel and DM
Apr 09, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-35636
MEDIUM
OpenClaw 2026.3.11 < 2026.3.25 - Session Isolation Bypass via sessionId Resolution
Apr 09, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-35635
MEDIUM
OpenClaw < 2026.3.22 - Webhook Path Route Replacement Vulnerability in Synology Chat
Apr 09, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-35634
MEDIUM
OpenClaw < 2026.3.23 - Authentication Bypass via Local-Direct Requests in Canvas Gateway
Apr 09, 2026
CVSS 5.1
EPSS 0.00
CVE-2026-35633
MEDIUM
OpenClaw < 2026.3.22 - Unbounded Memory Allocation via Remote Media Error Responses
Apr 09, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-35632
HIGH
OpenClaw < 2026.2.22 - Symlink Traversal via IDENTITY.md appendFile in agents.create/update
Apr 09, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-35631
MEDIUM
OpenClaw < 2026.3.22 - Missing Authorization Enforcement in Internal ACP Chat Commands
Apr 09, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-35629
HIGH
OpenClaw < 2026.3.25 - Server-Side Request Forgery via Unguarded Configured Base URLs in Channel Extensions
Apr 09, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-35628
MEDIUM
OpenClaw < 2026.3.25 - Brute-Force Attack via Missing Telegram Webhook Rate Limiting
Apr 09, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-35627
MEDIUM
OpenClaw < 2026.3.22 - Unauthenticated Cryptographic Work in Nostr Inbound DM Handling
Apr 09, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-35626
MEDIUM
OpenClaw < 2026.3.22 - Unauthenticated Resource Exhaustion via Voice Call Webhook
Apr 09, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-35625
HIGH
OpenClaw < 2026.3.25 - Privilege Escalation via Silent Local Shared-Auth Reconnect
Apr 09, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-35624
MEDIUM
OpenClaw < 2026.3.22 - Policy Confusion via Room Name Collision in Nextcloud Talk
Apr 09, 2026
CVSS 4.2
EPSS 0.00
CVE-2026-35623
MEDIUM
OpenClaw < 2026.3.25 - Brute-Force Attack via Missing Webhook Password Rate Limiting
Apr 09, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-35622
MEDIUM
OpenClaw < 2026.3.22 - Improper Authentication Verification in Google Chat Webhook
Apr 09, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-35618
MEDIUM
OpenClaw < 2026.3.23 - Replay Identity Drift via Query-Only Variants in Plivo V2 Verification
Apr 09, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-35617
MEDIUM
OpenClaw < 2026.3.25 - Authorization Bypass via Group Policy Rebinding with Mutable Space displayName
Apr 09, 2026
CVSS 4.2
EPSS 0.00
CVE-2026-34512
HIGH
OpenClaw < 2026.3.25 - Improper Access Control in /sessions/:sessionKey/kill Endpoint
Apr 09, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-40037
MEDIUM
OpenClaw < 2026.3.31 - Unsafe Request Body Replay via fetchWithSsrFGuard Cross-Origin Redirects
Apr 08, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-34511
MEDIUM
OpenClaw < 2026.4.2 - PKCE Verifier Exposure via OAuth State Parameter
Apr 03, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34426
HIGH
OpenClaw - Approval Bypass via Environment Variable Normalization
Apr 02, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-34425
MEDIUM
OpenClaw - Shell-Bleed Protection Preflight Validation Bypass
Apr 02, 2026
CVSS 5.4
EPSS 0.00
Products
Quick Filters