openclaw

477 tracked vulnerabilities.

| CVE | Severity | Title | Published | CVSS | EPSS |
|---|---|---|---|---|---|
| CVE-2026-22217 | MEDIUM | OpenClaw 2026.2.22 < 2026.2.23 - Arbitrary Binary Execution via $SHELL Environment Variable Trusted Prefix Fallback | Mar 18, 2026 | 6.1 | 0.00 |
| CVE-2026-22181 | HIGH | OpenClaw < 2026.3.2 - DNS Pinning Bypass via Environment Proxy Configuration in web_fetch | Mar 18, 2026 | 7.6 | 0.00 |
| CVE-2026-22180 | MEDIUM | OpenClaw < 2026.3.2 - Path Confinement Bypass in Browser Output and File Write Operations | Mar 18, 2026 | 5.3 | 0.00 |
| CVE-2026-22179 | HIGH | OpenClaw < 2026.2.22 - Allowlist Bypass via Command Substitution in system.run | Mar 18, 2026 | 7.2 | 0.00 |
| CVE-2026-22178 | MEDIUM | OpenClaw < 2026.2.19 - ReDoS and Regex Injection via Unescaped Feishu Mention Metadata | Mar 18, 2026 | 6.5 | 0.00 |
| CVE-2026-22177 | MEDIUM | OpenClaw < 2026.2.21 - Environment Variable Injection via Config env.vars | Mar 18, 2026 | 6.1 | 0.00 |
| CVE-2026-22175 | HIGH | OpenClaw < 2026.2.23 - Exec Approval Bypass via Unrecognized Multiplexer Shell Wrappers | Mar 18, 2026 | 7.1 | 0.00 |
| CVE-2026-22174 | MEDIUM | OpenClaw < 2026.2.22 - Gateway Token Disclosure via Chrome CDP Probe | Mar 18, 2026 | 6.8 | 0.00 |
| CVE-2026-22171 | HIGH | OpenClaw < 2026.2.19 - Path Traversal in Feishu Media Temporary File Naming | Mar 18, 2026 | 8.2 | 0.00 |
| CVE-2026-22170 | MEDIUM | OpenClaw < 2026.2.22 BlueBubbles - Access Control Bypass via Empty allowFrom Configuration | Mar 18, 2026 | 6.5 | 0.00 |
| CVE-2026-22169 | MEDIUM | OpenClaw < 2026.2.22 - Allowlist Bypass via sort Configuration in safeBins | Mar 18, 2026 | 6.7 | 0.00 |
| CVE-2026-22168 | MEDIUM | OpenClaw < 2026.2.21 - Command Injection via cmd.exe /c Trailing Arguments in system.run | Mar 18, 2026 | 6.5 | 0.00 |
| CVE-2026-32302 | HIGH | OpenClaw < 2026.3.11 - Unauthenticated Privilege Escalation via WebSocket Origin Validation Bypass | Mar 13, 2026 | 8.1 | 0.00 |
| CVE-2026-4040 | LOW | OpenClaw < 2026.2.17 - Info Disclosure | Mar 12, 2026 | 3.3 | 0.00 |
| CVE-2026-4039 | MEDIUM | OpenClaw 2026.2.19-2 - Code Injection | Mar 12, 2026 | 6.3 | 0.00 |
| CVE-2026-30741 | CRITICAL | OpenClaw Agent Platform 2026.2.6 - RCE | Mar 11, 2026 | 9.8 | 0.00 |
| CVE-2026-32063 | HIGH | OpenClaw < 2026.2.21 - Command Injection | Mar 11, 2026 | 7.1 | 0.00 |
| CVE-2026-32062 | HIGH | OpenClaw 2026.2.21-2-2026.2.22 & @openclaw/voice-call 2026.2.21-2026.2.22 - DoS via Media-Stream WebSocket | Mar 11, 2026 | 7.5 | 0.00 |
| CVE-2026-32061 | MEDIUM | OpenClaw < 2026.2.17 - Path Traversal | Mar 11, 2026 | 4.4 | 0.00 |
| CVE-2026-32060 | HIGH | OpenClaw < 2026.2.14 - Path Traversal | Mar 11, 2026 | 8.8 | 0.01 |
| CVE-2026-32059 | HIGH | OpenClaw < 2026.2.23 - Command Injection | Mar 11, 2026 | 8.8 | 0.00 |
| CVE-2026-29613 | MEDIUM | OpenClaw < 2026.2.12 - Unauthenticated Webhook Authentication Bypass via Loopback RemoteAddress Trust | Mar 05, 2026 | 5.9 | 0.00 |
| CVE-2026-29612 | MEDIUM | OpenClaw < 2026.2.14 - Denial of Service via Large Base64 Media File Decoding | Mar 05, 2026 | 5.5 | 0.00 |
| CVE-2026-29611 | HIGH | OpenClaw < 2026.2.14 - Path Traversal | Mar 05, 2026 | 7.5 | 0.00 |
| CVE-2026-29610 | HIGH | OpenClaw < 2026.2.14 - Command Injection | Mar 05, 2026 | 8.8 | 0.00 |