openclaw

560 tracked vulnerabilities.

CVE-2026-26319 HIGH
OpenClaw < 2026.2.14 - Unauthenticated Webhook Spoofing via Missing Telnyx Signature Verification
Feb 19, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-26317 HIGH
OpenClaw < 2026.2.14 - Cross-Site Request Forgery via Unvalidated Origin/Referer
Feb 19, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-26316 HIGH
OpenClaw < 2026.2.13 - Incorrect Authorization via BlueBubbles Webhook Loopback Bypass
Feb 19, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-25474 HIGH
OpenClaw < 2026.2.1 - Insufficient Verification of Telegram Webhook Secret Token
Feb 19, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-24764 LOW
OpenClaw <=2026.2.2 - Command Injection
Feb 19, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-25593 HIGH
OpenClaw < 2026.1.20 - Unauthenticated OS Command Injection via Gateway WebSocket API
Feb 06, 2026
CVSS 8.4
EPSS 0.01
CVE-2026-25475 MEDIUM
OpenClaw < 2026.1.30 - Unauthenticated Arbitrary File Read via MEDIA Path Traversal
Feb 04, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-25157 HIGH
OpenClaw < 2026.1.29 - OS Command Injection via Project Root Path in sshNodeCommand
Feb 04, 2026
CVSS 7.7
EPSS 0.01
CVE-2026-24763 HIGH
OpenClaw < 2026.1.29 - Authenticated OS Command Injection via PATH Environment Variable
Feb 02, 2026
CVSS 8.8
EPSS 0.05
CVE-2026-25253 HIGH
OpenClaw <2026.1.29 - Info Disclosure
Feb 01, 2026
CVSS 8.8
EPSS 0.08