openclaw
560 tracked vulnerabilities.
CVE-2026-53832
HIGH
OpenClaw < 2026.5.18 - Identity Header Forgery via Trusted-Proxy Configuration
Jun 12, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-53831
HIGH
OpenClaw < 2026.5.18 - Arbitrary File Read via Shell Expansion in system.run Safe-bin Allowlist
Jun 12, 2026
CVSS 8.3
EPSS 0.00
CVE-2026-53830
MEDIUM
OpenClaw < 2026.4.22 - Webhook Secret Revocation Bypass via secrets.reload
Jun 12, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-53829
HIGH
OpenClaw < 2026.5.18 - Command Truncation in Exec Approval Display
Jun 12, 2026
CVSS 8.0
EPSS 0.00
CVE-2026-53828
HIGH
OpenClaw < 2026.5.6 - Native Command Authorization Bypass via Owner-Command Enforcement
Jun 12, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-53827
MEDIUM
OpenClaw < 2026.5.2 - Credential Exposure via Model-Supplied Loopback URLs in message.action Forwarding
Jun 12, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-53826
MEDIUM
OpenClaw < 2026.4.26 - Information Disclosure via Sandboxed Session Spawn
Jun 12, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-53825
MEDIUM
OpenClaw < 2026.4.7 - Arbitrary Local File Read via memory-wiki Ingest with operator.write Scope
Jun 12, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-53824
MEDIUM
Mattermost < 2026.4.24 - Slash Token Revocation Lag via Monitor Refresh Delay
Jun 12, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-53823
HIGH
OpenClaw < 2026.5.3 - Privilege Escalation via Mutable Slack Display Names in allowFrom
Jun 12, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-53822
HIGH
OpenClaw < 2026.5.18 - Command Argument Modification via Shell Wrapper Between Approval and Execution
Jun 12, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-53821
HIGH
OpenClaw < 2026.5.18 - Scope Elevation in trusted-proxy Control UI WebSocket
Jun 12, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-53820
MEDIUM
OpenClaw < 2026.5.12 - Exec Denylist Bypass in Bundle MCP Loopback Session Spawn
Jun 12, 2026
CVSS 6.6
EPSS 0.00
CVE-2026-53819
HIGH
OpenClaw < 2026.5.27 - Arbitrary Homebrew Executable Execution via Workspace .env Override
Jun 11, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-53818
MEDIUM
OpenClaw < 2026.4.24 - Owner-Only Tool Policy Bypass via MCP Loopback
Jun 11, 2026
CVSS 6.6
EPSS 0.00
CVE-2026-53817
HIGH
OpenClaw < 2026.5.22 - Control UI Locality Spoofing in Device Pairing
Jun 11, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-53816
HIGH
OpenClaw < 2026.5.18 - Exec Lifecycle Event Forgery via Paired Node
Jun 11, 2026
CVSS 7.2
EPSS 0.00
CVE-2026-53815
MEDIUM
OpenClaw < 2026.5.19 - Channel Allowlist Bypass in Message Read Actions
Jun 11, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-53814
HIGH
OpenClaw < 2026.5.20 - Privilege Escalation via Hook-Triggered CLI MCP Tool Authority
Jun 11, 2026
CVSS 8.3
EPSS 0.00
CVE-2026-53813
HIGH
OpenClaw < 2026.4.25 - Arbitrary Artifact Loading via Fake Package Root Resolution
Jun 11, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-53812
HIGH
OpenClaw < 2026.5.18 - Private-Network Navigation Bypass via Browser Act Interactions
Jun 11, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-53811
HIGH
OpenClaw < 2026.5.7 - Privilege Escalation via Mutable Display Names in Matrix allowFrom
Jun 11, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-53810
HIGH
OpenClaw < 2026.5.18 - Arbitrary Code Execution via Unscanned Marketplace Runtime Extension Metadata
Jun 11, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-53809
LOW
OpenClaw < 2026.4.25 - Provider Alias Confusion in Embedded Runner Policy
Jun 11, 2026
CVSS 3.8
EPSS 0.00
CVE-2026-53808
MEDIUM
OpenClaw < 2026.5.6 - Approval Policy Bypass in Skill Workshop Apply Flow
Jun 11, 2026
CVSS 6.5
EPSS 0.00
Products
Quick Filters