openclaw

560 tracked vulnerabilities.

CVE-2026-53832 HIGH
OpenClaw < 2026.5.18 - Identity Header Forgery via Trusted-Proxy Configuration
Jun 12, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-53831 HIGH
OpenClaw < 2026.5.18 - Arbitrary File Read via Shell Expansion in system.run Safe-bin Allowlist
Jun 12, 2026
CVSS 8.3
EPSS 0.00
CVE-2026-53830 MEDIUM
OpenClaw < 2026.4.22 - Webhook Secret Revocation Bypass via secrets.reload
Jun 12, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-53829 HIGH
OpenClaw < 2026.5.18 - Command Truncation in Exec Approval Display
Jun 12, 2026
CVSS 8.0
EPSS 0.00
CVE-2026-53828 HIGH
OpenClaw < 2026.5.6 - Native Command Authorization Bypass via Owner-Command Enforcement
Jun 12, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-53827 MEDIUM
OpenClaw < 2026.5.2 - Credential Exposure via Model-Supplied Loopback URLs in message.action Forwarding
Jun 12, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-53826 MEDIUM
OpenClaw < 2026.4.26 - Information Disclosure via Sandboxed Session Spawn
Jun 12, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-53825 MEDIUM
OpenClaw < 2026.4.7 - Arbitrary Local File Read via memory-wiki Ingest with operator.write Scope
Jun 12, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-53824 MEDIUM
Mattermost < 2026.4.24 - Slash Token Revocation Lag via Monitor Refresh Delay
Jun 12, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-53823 HIGH
OpenClaw < 2026.5.3 - Privilege Escalation via Mutable Slack Display Names in allowFrom
Jun 12, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-53822 HIGH
OpenClaw < 2026.5.18 - Command Argument Modification via Shell Wrapper Between Approval and Execution
Jun 12, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-53821 HIGH
OpenClaw < 2026.5.18 - Scope Elevation in trusted-proxy Control UI WebSocket
Jun 12, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-53820 MEDIUM
OpenClaw < 2026.5.12 - Exec Denylist Bypass in Bundle MCP Loopback Session Spawn
Jun 12, 2026
CVSS 6.6
EPSS 0.00
CVE-2026-53819 HIGH
OpenClaw < 2026.5.27 - Arbitrary Homebrew Executable Execution via Workspace .env Override
Jun 11, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-53818 MEDIUM
OpenClaw < 2026.4.24 - Owner-Only Tool Policy Bypass via MCP Loopback
Jun 11, 2026
CVSS 6.6
EPSS 0.00
CVE-2026-53817 HIGH
OpenClaw < 2026.5.22 - Control UI Locality Spoofing in Device Pairing
Jun 11, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-53816 HIGH
OpenClaw < 2026.5.18 - Exec Lifecycle Event Forgery via Paired Node
Jun 11, 2026
CVSS 7.2
EPSS 0.00
CVE-2026-53815 MEDIUM
OpenClaw < 2026.5.19 - Channel Allowlist Bypass in Message Read Actions
Jun 11, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-53814 HIGH
OpenClaw < 2026.5.20 - Privilege Escalation via Hook-Triggered CLI MCP Tool Authority
Jun 11, 2026
CVSS 8.3
EPSS 0.00
CVE-2026-53813 HIGH
OpenClaw < 2026.4.25 - Arbitrary Artifact Loading via Fake Package Root Resolution
Jun 11, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-53812 HIGH
OpenClaw < 2026.5.18 - Private-Network Navigation Bypass via Browser Act Interactions
Jun 11, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-53811 HIGH
OpenClaw < 2026.5.7 - Privilege Escalation via Mutable Display Names in Matrix allowFrom
Jun 11, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-53810 HIGH
OpenClaw < 2026.5.18 - Arbitrary Code Execution via Unscanned Marketplace Runtime Extension Metadata
Jun 11, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-53809 LOW
OpenClaw < 2026.4.25 - Provider Alias Confusion in Embedded Runner Policy
Jun 11, 2026
CVSS 3.8
EPSS 0.00
CVE-2026-53808 MEDIUM
OpenClaw < 2026.5.6 - Approval Policy Bypass in Skill Workshop Apply Flow
Jun 11, 2026
CVSS 6.5
EPSS 0.00