openclaw

560 tracked vulnerabilities.

CVE-2026-28449 MEDIUM
OpenClaw < 2026.2.25 - Webhook Replay Attack via Missing Durable Replay Suppression
Mar 19, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-27670 MEDIUM
OpenClaw < 2026.3.2 - Arbitrary File Write via ZIP Extraction Parent Symlink Race Condition
Mar 19, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-27566 HIGH
OpenClaw < 2026.2.22 - Allowlist Bypass via Wrapper Binary Unwrapping in system.run
Mar 19, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-22176 MEDIUM
OpenClaw < 2026.2.19 - Command Injection via Unescaped Environment Variables in Windows Scheduled Task Script Generation
Mar 19, 2026
CVSS 6.1
EPSS 0.01
CVE-2026-27545 MEDIUM
OpenClaw < 2026.2.26 - Approval Bypass via Parent Symlink Current Working Directory Rebind
Mar 18, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-27524 MEDIUM
OpenClaw < 2026.2.21 - Prototype Pollution via Debug Override Path
Mar 18, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-27523 MEDIUM
OpenClaw < 2026.2.24 - Sandbox Bind Validation Bypass via Symlink-Parent Missing-Leaf Paths
Mar 18, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-27522 MEDIUM
OpenClaw < 2026.2.24 - Arbitrary File Read via sendAttachment and setGroupIcon Message Actions
Mar 18, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-22217 MEDIUM
OpenClaw 2026.2.22 < 2026.2.23 - Arbitrary Binary Execution via $SHELL Environment Variable Trusted Prefix Fallback
Mar 18, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-22181 HIGH
OpenClaw < 2026.3.2 - DNS Pinning Bypass via Environment Proxy Configuration in web_fetch
Mar 18, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-22180 MEDIUM
OpenClaw < 2026.3.2 - Path Confinement Bypass in Browser Output and File Write Operations
Mar 18, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-22179 HIGH
OpenClaw < 2026.2.22 - Allowlist Bypass via Command Substitution in system.run
Mar 18, 2026
CVSS 7.2
EPSS 0.01
CVE-2026-22178 MEDIUM
OpenClaw < 2026.2.19 - ReDoS and Regex Injection via Unescaped Feishu Mention Metadata
Mar 18, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-22177 MEDIUM
OpenClaw < 2026.2.21 - Environment Variable Injection via Config env.vars
Mar 18, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-22175 HIGH
OpenClaw < 2026.2.23 - Exec Approval Bypass via Unrecognized Multiplexer Shell Wrappers
Mar 18, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-22174 MEDIUM
OpenClaw < 2026.2.22 - Gateway Token Disclosure via Chrome CDP Probe
Mar 18, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-22171 HIGH
OpenClaw < 2026.2.19 - Path Traversal in Feishu Media Temporary File Naming
Mar 18, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-22170 MEDIUM
OpenClaw < 2026.2.22 BlueBubbles - Access Control Bypass via Empty allowFrom Configuration
Mar 18, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-22169 MEDIUM
OpenClaw < 2026.2.22 - Allowlist Bypass via sort Configuration in safeBins
Mar 18, 2026
CVSS 6.7
EPSS 0.00
CVE-2026-22168 MEDIUM
OpenClaw < 2026.2.21 - Command Injection via cmd.exe /c Trailing Arguments in system.run
Mar 18, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-32302 HIGH
OpenClaw < 2026.3.11 - Unauthenticated Privilege Escalation via WebSocket Origin Validation Bypass
Mar 13, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-4040 LOW
OpenClaw <2026.2.17 - Info Disclosure
Mar 12, 2026
CVSS 3.3
EPSS 0.00
CVE-2026-4039 MEDIUM
OpenClaw 2026.2.19-2 - Code Injection
Mar 12, 2026
CVSS 6.3
EPSS 0.00
CVE-2026-30741 CRITICAL
OpenClaw Agent Platform 2026.2.6 - RCE
Mar 11, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-32063 HIGH
OpenClaw <2026.2.21 - Command Injection
Mar 11, 2026
CVSS 7.1
EPSS 0.01