openclaw
477 tracked vulnerabilities.
| CVE | Severity | Title | Published | CVSS | EPSS |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-32052 | MEDIUM | OpenClaw < 2026.2.24 - Hidden Command Execution via Shell-Wrapper Positional argv Carriers | Mar 21, 2026 | 6.4 | 0.00 |
| CVE-2026-32051 | HIGH | OpenClaw < 2026.3.1 - Authorization Bypass in Agent Runs via Owner-Only Tool Access | Mar 21, 2026 | 8.8 | 0.00 |
| CVE-2026-32050 | LOW | OpenClaw < 2026.2.25 - Unauthorized Reaction Status Event Enqueue via Access Check Bypass | Mar 21, 2026 | 3.7 | 0.00 |
| CVE-2026-32049 | HIGH | OpenClaw < 2026.2.22 - Denial of Service via Inbound Media Download Byte Limit Bypass | Mar 21, 2026 | 7.5 | 0.00 |
| CVE-2026-32048 | HIGH | OpenClaw < 2026.3.1 - Sandbox Escape via Cross-Agent sessions_spawn | Mar 21, 2026 | 7.5 | 0.00 |
| CVE-2026-32046 | MEDIUM | OpenClaw < 2026.2.21 - OS-level Sandbox Bypass via --no-sandbox Flag | Mar 21, 2026 | 5.3 | 0.00 |
| CVE-2026-32045 | MEDIUM | OpenClaw < 2026.2.21 - Authentication Bypass in HTTP Gateway Routes via Tokenless Tailscale Auth | Mar 21, 2026 | 5.9 | 0.00 |
| CVE-2026-32044 | MEDIUM | OpenClaw < 2026.3.2 - Tar Archive Safety Bypass in Skills Installation | Mar 21, 2026 | 5.5 | 0.00 |
| CVE-2026-32043 | MEDIUM | OpenClaw < 2026.2.25 - Time-of-Check-Time-of-Use via Mutable Symlink in system.run cwd Parameter | Mar 21, 2026 | 6.5 | 0.00 |
| CVE-2026-32042 | HIGH | OpenClaw < 2026.2.25 - Privilege Escalation via Unpaired Device Identity in Shared Gateway Authentication | Mar 21, 2026 | 8.8 | 0.00 |
| CVE-2026-22172 | CRITICAL | OpenClaw < 2026.3.12 - Scope Elevation in WebSocket Shared-Auth Connections | Mar 20, 2026 | 9.9 | 0.00 |
| CVE-2026-32041 | MEDIUM | OpenClaw < 2026.3.1 - Unauthenticated Browser Control Access via Failed Auth Bootstrap | Mar 19, 2026 | 6.9 | 0.00 |
| CVE-2026-32040 | MEDIUM | OpenClaw < 2026.2.23 - HTML Injection via Unvalidated Image MIME Type in Data-URL Interpolation | Mar 19, 2026 | 4.6 | 0.00 |
| CVE-2026-32039 | MEDIUM | OpenClaw < 2026.2.22 - Sender Authorization Bypass via Identity Collision in toolsBySender | Mar 19, 2026 | 5.9 | 0.00 |
| CVE-2026-32038 | CRITICAL | OpenClaw - Sandbox Network Isolation Bypass via docker.network=container Parameter | Mar 19, 2026 | 9.8 | 0.00 |
| CVE-2026-32037 | MEDIUM | OpenClaw < 2026.2.22 - Redirect Chain Bypass of Media Host Allowlist in MSTeams Attachment Handling | Mar 19, 2026 | 6.0 | 0.00 |
| CVE-2026-32036 | MEDIUM | OpenClaw < 2026.2.26 - Authentication Bypass via Encoded Dot-Segment Traversal in /api/channels | Mar 19, 2026 | 6.5 | 0.00 |
| CVE-2026-32035 | MEDIUM | OpenClaw < 2026.3.2 - Missing Owner Flag Validation in Discord Voice Transcript Handler | Mar 19, 2026 | 5.9 | 0.00 |
| CVE-2026-32034 | HIGH | OpenClaw < 2026.2.21 - Insecure Control UI Authentication over Plaintext HTTP | Mar 19, 2026 | 8.1 | 0.00 |
| CVE-2026-32033 | MEDIUM | OpenClaw < 2026.2.24 - Path Traversal via @-prefixed Absolute Paths in Workspace Boundary Validation | Mar 19, 2026 | 6.5 | 0.00 |
| CVE-2026-32032 | HIGH | OpenClaw < 2026.2.22 - Arbitrary Shell Execution via Unvalidated SHELL Environment Variable | Mar 19, 2026 | 7.8 | 0.00 |
| CVE-2026-32031 | MEDIUM | OpenClaw < 2026.2.26 - Authentication Bypass via Path Canonicalization Mismatch in /api/channels Gateway | Mar 19, 2026 | 4.8 | 0.00 |
| CVE-2026-32030 | HIGH | OpenClaw < 2026.2.19 - Sensitive File Disclosure via stageSandboxMedia Path Traversal | Mar 19, 2026 | 7.5 | 0.00 |
| CVE-2026-32029 | MEDIUM | OpenClaw < 2026.2.21 - Client IP Spoofing via X-Forwarded-For Header Parsing | Mar 19, 2026 | 5.3 | 0.00 |
| CVE-2026-32028 | MEDIUM | OpenClaw < 2026.2.25 - Missing Authorization Check in Discord DM Reaction Ingress | Mar 19, 2026 | 5.3 | 0.00 |