openclaw

560 tracked vulnerabilities.

CVE-2026-53857 HIGH
OpenClaw < 2026.5.3 - Mutable Display Name Binding in Zalo allowFrom Policy
Jun 16, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-53856 MEDIUM
OpenClaw 2026.4.23 < 2026.4.24 - Insecure File Permissions in Config Recovery via OpenClaw.json
Jun 16, 2026
CVSS 5.5
EPSS 0.00
CVE-2026-53855 HIGH
OpenClaw < 2026.4.2 - Shell Positional Parameters Bypass in Inline-Eval Checks
Jun 16, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-53854 MEDIUM
OpenClaw < 2026.4.25 - Privilege Escalation via ownerAllowFrom Wildcard Inheritance in Internal/Webchat Commands
Jun 16, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-53853 HIGH
OpenClaw < 2026.5.12 - Argument Pattern Bypass in Exec Allowlist via Linux and macOS
Jun 16, 2026
CVSS 8.3
EPSS 0.00
CVE-2026-53852 MEDIUM
OpenClaw < 2026.4.25 - Scope Bypass via Empty-Scope Device Re-pairing
Jun 16, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-53851 MEDIUM
OpenClaw < 2026.5.12 - Slack Reaction Event Notification Bypass
Jun 16, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-53850 MEDIUM
OpenClaw < 2026.4.25 - Control Scope Enforcement Bypass in Focus Command
Jun 16, 2026
CVSS 5.5
EPSS 0.00
CVE-2026-53849 HIGH
OpenClaw < 2026.5.7 - Privilege Escalation via Mutable Discord Display Names in allowFrom
Jun 16, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-53848 MEDIUM
OpenClaw < 2026.5.26 - Exec Allowlist Bypass via Transparent Command Wrappers
Jun 16, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-53847 MEDIUM
OpenClaw < 2026.5.6 - Privilege Escalation via Active Memory Write Scope
Jun 16, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-53846 HIGH
OpenClaw < 2026.4.29 - Arbitrary Package Manager Execution via Workspace .env npm_execpath
Jun 16, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-53845 MEDIUM
OpenClaw < 2026.5.6 - Skill-Command Dispatch Hook Bypass via Before-Tool-Call Hook Skipping
Jun 16, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-53844 MEDIUM
OpenClaw < 2026.4.29 - Session Visibility Check Bypass in Shared Memory Search
Jun 16, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-53843 HIGH
OpenClaw < 2026.5.26 - Node Token Revocation Bypass via Pairing-Scoped Device Session
Jun 16, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-53842 HIGH
OpenClaw < 2026.5.2 - Arbitrary Python Runtime Execution via CLOUDSDK_PYTHON Environment Variable
Jun 16, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-53841 MEDIUM
OpenClaw < 2026.5.12 - Cross-Site Scripting via Unsafe Markdown Links in Exported Session HTML
Jun 16, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-53840 HIGH
OpenClaw < 2026.5.12 - Custom Header Leakage via MCP Streamable HTTP Cross-Origin Redirects
Jun 16, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-53839 MEDIUM
OpenClaw < 2026.5.7 - Hostname Prefix Matching Bypass in Trusted Retry Endpoint Validation
Jun 12, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-53838 CRITICAL
OpenClaw < 2026.5.27 - Node Pairing State Mutation via Reconnection
Jun 12, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-53837 LOW
OpenClaw < 2026.5.6 - Missing Channel Type Validation in Mattermost Event Handlers
Jun 12, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-53836 HIGH
OpenClaw < 2026.5.12 - Allowlist Bypass via PowerShell Encoded-Command Aliases
Jun 12, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-53835 MEDIUM
OpenClaw < 2026.5.6 - Config-Write Enforcement Bypass in Feishu Dynamic-Agent Bindings
Jun 12, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-53834 HIGH
OpenClaw < 2026.4.27 - Authorization Bypass in QQBot Pre-dispatch Slash Commands
Jun 12, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-53833 HIGH
OpenClaw < 2026.4.29 - Authorization Bypass via QQBot Streaming Command
Jun 12, 2026
CVSS 7.7
EPSS 0.00