openclaw
560 tracked vulnerabilities.
CVE-2026-32065
MEDIUM
OpenClaw < 2026.2.25 - Approval Identity Mismatch in system.run Command Execution
Mar 21, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-32064
HIGH
OpenClaw < 2026.2.21 - Missing VNC Authentication in Sandbox Browser noVNC Observer
Mar 21, 2026
CVSS 7.7
EPSS 0.01
CVE-2026-32058
LOW
OpenClaw < 2026.2.26 - Approval Context-Binding Weakness in system.run via host=node
Mar 21, 2026
CVSS 2.6
EPSS 0.00
CVE-2026-32057
HIGH
OpenClaw < 2026.2.25 - Authentication Bypass via Control UI client.id Parameter
Mar 21, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-32056
HIGH
OpenClaw < 2026.2.22 - Remote Code Execution via Shell Startup Environment Variable Injection in system.run
Mar 21, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-32055
HIGH
OpenClaw < 2026.2.26 - Workspace Path Boundary Bypass via Non-existent Symlink
Mar 21, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-32054
MEDIUM
OpenClaw < 2026.2.25 - Symlink Traversal in Browser Trace/Download Path Handling
Mar 21, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-32053
MEDIUM
OpenClaw < 2026.2.23 - Twilio Webhook Replay Bypass via Randomized Event ID Normalization
Mar 21, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-32052
MEDIUM
OpenClaw < 2026.2.24 - Hidden Command Execution via Shell-Wrapper Positional argv Carriers
Mar 21, 2026
CVSS 6.4
EPSS 0.01
CVE-2026-32051
HIGH
OpenClaw < 2026.3.1 - Authorization Bypass in Agent Runs via Owner-Only Tool Access
Mar 21, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-32050
LOW
OpenClaw < 2026.2.25 - Unauthorized Reaction Status Event Enqueue via Access Check Bypass
Mar 21, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-32049
HIGH
OpenClaw < 2026.2.22 - Denial of Service via Inbound Media Download Byte Limit Bypass
Mar 21, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-32048
HIGH
OpenClaw < 2026.3.1 - Sandbox Escape via Cross-Agent sessions_spawn
Mar 21, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-32046
MEDIUM
OpenClaw < 2026.2.21 - OS-level Sandbox Bypass via --no-sandbox Flag
Mar 21, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-32045
MEDIUM
OpenClaw < 2026.2.21 - Authentication Bypass in HTTP Gateway Routes via Tokenless Tailscale Auth
Mar 21, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-32044
MEDIUM
OpenClaw < 2026.3.2 - Tar Archive Safety Bypass in Skills Installation
Mar 21, 2026
CVSS 5.5
EPSS 0.00
CVE-2026-32043
MEDIUM
OpenClaw < 2026.2.25 - Time-of-Check-Time-of-Use via Mutable Symlink in system.run cwd Parameter
Mar 21, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-32042
HIGH
OpenClaw < 2026.2.25 - Privilege Escalation via Unpaired Device Identity in Shared Gateway Authentication
Mar 21, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-22172
CRITICAL
OpenClaw < 2026.3.12 - Scope Elevation in WebSocket Shared-Auth Connections
Mar 20, 2026
CVSS 9.9
EPSS 0.01
CVE-2026-32041
MEDIUM
OpenClaw < 2026.3.1 - Unauthenticated Browser Control Access via Failed Auth Bootstrap
Mar 19, 2026
CVSS 6.9
EPSS 0.00
CVE-2026-32040
MEDIUM
OpenClaw < 2026.2.23 - HTML Injection via Unvalidated Image MIME Type in Data-URL Interpolation
Mar 19, 2026
CVSS 4.6
EPSS 0.00
CVE-2026-32039
MEDIUM
OpenClaw < 2026.2.22 - Sender Authorization Bypass via Identity Collision in toolsBySender
Mar 19, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-32038
CRITICAL
OpenClaw - Sandbox Network Isolation Bypass via docker.network=container Parameter
Mar 19, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-32037
MEDIUM
OpenClaw < 2026.2.22 - Redirect Chain Bypass of Media Host Allowlist in MSTeams Attachment Handling
Mar 19, 2026
CVSS 6.0
EPSS 0.00
CVE-2026-32036
MEDIUM
OpenClaw < 2026.2.26- Authentication Bypass via Encoded Dot-Segment Traversal in /api/channels
Mar 19, 2026
CVSS 6.5
EPSS 0.00
Products
Quick Filters