openclaw

560 tracked vulnerabilities.

CVE-2026-32035 MEDIUM
OpenClaw < 2026.3.2 - Missing Owner Flag Validation in Discord Voice Transcript Handler
Mar 19, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-32034 HIGH
OpenClaw < 2026.2.21 - Insecure Control UI Authentication over Plaintext HTTP
Mar 19, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-32033 MEDIUM
OpenClaw < 2026.2.24 - Path Traversal via @-prefixed Absolute Paths in Workspace Boundary Validation
Mar 19, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-32032 HIGH
OpenClaw < 2026.2.22 - Arbitrary Shell Execution via Unvalidated SHELL Environment Variable
Mar 19, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-32031 MEDIUM
OpenClaw < 2026.2.26 - Authentication Bypass via Path Canonicalization Mismatch in /api/channels Gateway
Mar 19, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-32030 HIGH
OpenClaw < 2026.2.19 - Sensitive File Disclosure via stageSandboxMedia Path Traversal
Mar 19, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-32029 MEDIUM
OpenClaw < 2026.2.21 - Client IP Spoofing via X-Forwarded-For Header Parsing
Mar 19, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-32028 MEDIUM
OpenClaw < 2026.2.25 - Missing Authorization Check in Discord DM Reaction Ingress
Mar 19, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-32027 MEDIUM
OpenClaw < 2026.2.26 - Improper Authorization via DM Pairing Store Identity Inheritance in Group Allowlist
Mar 19, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-32026 MEDIUM
OpenClaw < 2026.2.24 - Arbitrary File Read via Improper Temporary Path Validation in Sandbox
Mar 19, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-32025 HIGH
OpenClaw < 2026.2.25 - Password Brute-Force via Browser-Origin WebSocket Authentication Bypass
Mar 19, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-32024 MEDIUM
OpenClaw < 2026.2.22 - Symlink Traversal in Avatar Handling
Mar 19, 2026
CVSS 5.5
EPSS 0.00
CVE-2026-32023 HIGH
OpenClaw < 2026.2.24 - Approval Gating Bypass via Dispatch-Wrapper Depth-Cap Mismatch in system.run
Mar 19, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-32022 MEDIUM
OpenClaw < 2026.2.21 - Arbitrary File Read via grep -e Flag Policy Bypass
Mar 19, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-32021 MEDIUM
OpenClaw < 2026.2.22 - Authorization Bypass via Display Name Collision in Feishu allowFrom
Mar 19, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-32020 LOW
OpenClaw < 2026.2.22 - Arbitrary File Read via Symlink Following in Static File Handler
Mar 19, 2026
CVSS 3.3
EPSS 0.00
CVE-2026-32019 HIGH
OpenClaw < 2026.2.22 - Incomplete IPv4 Special-Use Range Blocking in SSRF Guard
Mar 19, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-32018 LOW
OpenClaw < 2026.2.19 - Race Condition in Sandbox Registry Write Operations
Mar 19, 2026
CVSS 3.6
EPSS 0.00
CVE-2026-32017 HIGH
OpenClaw < 2026.2.19 - Arbitrary File Write via Short-Option Bypass in exec Allowlist
Mar 19, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-32016 HIGH
OpenClaw < 2026.2.22 - Path Traversal via Basename-Only Allowlist Matching on macOS
Mar 19, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-32015 HIGH
OpenClaw 2026.1.21 < 2026.2.19 - PATH Hijacking Bypass in tools.exec.safeBins Allowlist Validation
Mar 19, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-32014 HIGH
OpenClaw < 2026.2.26 - Node Reconnect Metadata Spoofing via Unsigned Platform Fields
Mar 19, 2026
CVSS 8.0
EPSS 0.00
CVE-2026-32013 HIGH
OpenClaw < 2026.2.25 - Symlink Traversal in agents.files Methods
Mar 19, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-32011 HIGH
OpenClaw < 2026.3.2 - Slow-Request Denial of Service via Pre-Auth Webhook Body Parsing
Mar 19, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-32010 MEDIUM
OpenClaw < 2026.2.22 - Allowlist Bypass via sort --compress-program Parameter
Mar 19, 2026
CVSS 6.3
EPSS 0.00