openclaw

560 tracked vulnerabilities.

CVE-2026-35640 MEDIUM
OpenClaw < 2026.3.25 - Denial of Service via Unauthenticated Webhook Request Parsing
Apr 09, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-35639 HIGH
OpenClaw < 2026.3.22 - Privilege Escalation via device.pair.approve Scope Validation
Apr 09, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-35638 HIGH
OpenClaw < 2026.3.22 - Privilege Escalation via Self-Declared Scopes in Trusted-Proxy Control UI
Apr 09, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-35637 HIGH
OpenClaw < 2026.3.22 - Premature Cite Expansion Before Authorization in Channel and DM
Apr 09, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-35636 MEDIUM
OpenClaw 2026.3.11 < 2026.3.25 - Session Isolation Bypass via sessionId Resolution
Apr 09, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-35635 MEDIUM
OpenClaw < 2026.3.22 - Webhook Path Route Replacement Vulnerability in Synology Chat
Apr 09, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-35634 MEDIUM
OpenClaw < 2026.3.23 - Authentication Bypass via Local-Direct Requests in Canvas Gateway
Apr 09, 2026
CVSS 5.1
EPSS 0.00
CVE-2026-35633 MEDIUM
OpenClaw < 2026.3.22 - Unbounded Memory Allocation via Remote Media Error Responses
Apr 09, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-35632 HIGH
OpenClaw < 2026.2.22 - Symlink Traversal via IDENTITY.md appendFile in agents.create/update
Apr 09, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-35631 MEDIUM
OpenClaw < 2026.3.22 - Missing Authorization Enforcement in Internal ACP Chat Commands
Apr 09, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-35629 HIGH
OpenClaw < 2026.3.25 - Server-Side Request Forgery via Unguarded Configured Base URLs in Channel Extensions
Apr 09, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-35628 MEDIUM
OpenClaw < 2026.3.25 - Brute-Force Attack via Missing Telegram Webhook Rate Limiting
Apr 09, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-35627 MEDIUM
OpenClaw < 2026.3.22 - Unauthenticated Cryptographic Work in Nostr Inbound DM Handling
Apr 09, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-35626 MEDIUM
OpenClaw < 2026.3.22 - Unauthenticated Resource Exhaustion via Voice Call Webhook
Apr 09, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-35625 HIGH
OpenClaw < 2026.3.25 - Privilege Escalation via Silent Local Shared-Auth Reconnect
Apr 09, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-35624 MEDIUM
OpenClaw < 2026.3.22 - Policy Confusion via Room Name Collision in Nextcloud Talk
Apr 09, 2026
CVSS 4.2
EPSS 0.00
CVE-2026-35623 MEDIUM
OpenClaw < 2026.3.25 - Brute-Force Attack via Missing Webhook Password Rate Limiting
Apr 09, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-35622 MEDIUM
OpenClaw < 2026.3.22 - Improper Authentication Verification in Google Chat Webhook
Apr 09, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-35618 MEDIUM
OpenClaw < 2026.3.23 - Replay Identity Drift via Query-Only Variants in Plivo V2 Verification
Apr 09, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-35617 MEDIUM
OpenClaw < 2026.3.25 - Authorization Bypass via Group Policy Rebinding with Mutable Space displayName
Apr 09, 2026
CVSS 4.2
EPSS 0.00
CVE-2026-34512 HIGH
OpenClaw < 2026.3.25 - Improper Access Control in /sessions/:sessionKey/kill Endpoint
Apr 09, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-40037 MEDIUM
OpenClaw < 2026.3.31 - Unsafe Request Body Replay via fetchWithSsrFGuard Cross-Origin Redirects
Apr 08, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-34511 MEDIUM
OpenClaw < 2026.4.2 - PKCE Verifier Exposure via OAuth State Parameter
Apr 03, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34426 HIGH
OpenClaw - Approval Bypass via Environment Variable Normalization
Apr 02, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-34425 MEDIUM
OpenClaw - Shell-Bleed Protection Preflight Validation Bypass
Apr 02, 2026
CVSS 5.4
EPSS 0.00