openclaw
560 tracked vulnerabilities.
CVE-2026-32009
MEDIUM
OpenClaw < 2026.2.24 - Binary Hijacking via Static Default Trusted Directories in safeBins
Mar 19, 2026
CVSS 5.7
EPSS 0.00
CVE-2026-32008
MEDIUM
OpenClaw < 2026.2.21 - Arbitrary Local File Read via Browser Navigation Guard
Mar 19, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-32007
MEDIUM
OpenClaw < 2026.2.23 - Sandbox Bypass in apply_patch Tool via Workspace-Only Check Bypass
Mar 19, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-32006
LOW
OpenClaw < 2026.2.26 - Authorization Bypass via DM Pairing-Store Fallback in Group Allowlist
Mar 19, 2026
CVSS 3.1
EPSS 0.00
CVE-2026-32005
MEDIUM
OpenClaw < 2026.2.25 - Authorization Bypass in Interactive Callbacks via Sender Check Skip
Mar 19, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-32004
MEDIUM
OpenClaw < 2026.3.2 - Authentication Bypass via Encoded Path in /api/channels Route
Mar 19, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-32003
MEDIUM
OpenClaw < 2026.2.22 - Remote Code Execution via SHELLOPTS/PS4 Environment Injection in system.run
Mar 19, 2026
CVSS 6.6
EPSS 0.01
CVE-2026-32002
MEDIUM
OpenClaw < 2026.2.23 - Sandbox Boundary Bypass via Image Tool workspaceOnly Bypass
Mar 19, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-32001
MEDIUM
OpenClaw < 2026.2.22 - Node Role Device-Identity Bypass via WebSocket Authentication
Mar 19, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-32000
HIGH
OpenClaw < 2026.2.19 - Command Injection via Windows Shell Fallback in Lobster Tool Execution
Mar 19, 2026
CVSS 7.1
EPSS 0.01
CVE-2026-31999
MEDIUM
OpenClaw 2026.2.26 < 2026.3.1 - Current Working Directory Injection via Windows Wrapper Resolution Fallback
Mar 19, 2026
CVSS 6.3
EPSS 0.00
CVE-2026-31998
HIGH
OpenClaw 2026.2.22 < 2026.2.24 - Authorization Bypass in Synology Chat Plugin via Empty allowedUserIds
Mar 19, 2026
CVSS 8.6
EPSS 0.00
CVE-2026-31997
MEDIUM
OpenClaw < 2026.3.1 - Executable Rebind via Unbound PATH-token in system.run Approvals
Mar 19, 2026
CVSS 6.0
EPSS 0.00
CVE-2026-31996
MEDIUM
OpenClaw < 2026.2.19 - safeBins stdin-only bypass via sort output and recursive grep flags
Mar 19, 2026
CVSS 4.4
EPSS 0.00
CVE-2026-31995
MEDIUM
OpenClaw 2026.1.21 < 2026.2.19 - Command Injection via Windows Shell Fallback in Lobster Extension
Mar 19, 2026
CVSS 5.3
EPSS 0.01
CVE-2026-31994
HIGH
OpenClaw < 2026.2.19 - Local Command Injection via Unsafe cmd Argument Handling in Windows Scheduled Task Script Generation
Mar 19, 2026
CVSS 7.1
EPSS 0.01
CVE-2026-31993
MEDIUM
OpenClaw < 2026.2.22 - Allowlist Parsing Mismatch in system.run Shell Chains
Mar 19, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-31992
HIGH
OpenClaw < 2026.2.23 - Allowlist Exec-Guard Bypass via env -S
Mar 19, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-31991
LOW
OpenClaw < 2026.2.26 - Authorization Bypass via DM Pairing-Store Leakage in Signal Group Allowlist
Mar 19, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-31990
MEDIUM
OpenClaw < 2026.3.2 - Symlink Traversal in stageSandboxMedia Destination
Mar 19, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-31989
HIGH
OpenClaw < 2026.3.1 - Server-Side Request Forgery via web_search Citation Redirect
Mar 19, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-29608
MEDIUM
OpenClaw 2026.3.1 < 2026.3.2 - Approval Integrity Bypass via system.run argv Rewriting
Mar 19, 2026
CVSS 6.7
EPSS 0.00
CVE-2026-29607
MEDIUM
OpenClaw < 2026.2.22 - Authorization Bypass via allow-always Wrapper Persistence
Mar 19, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-28461
HIGH
OpenClaw < 2026.3.1 - Unbounded Memory Growth in Zalo Webhook via Query String Key Churn
Mar 19, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-28460
HIGH
OpenClaw < 2026.2.22 - Allowlist Bypass via Shell Line-Continuation Command Substitution in system.run
Mar 19, 2026
CVSS 7.1
EPSS 0.00
Products
Quick Filters