openclaw

560 tracked vulnerabilities.

CVE-2026-53807 HIGH
OpenClaw < 2026.5.6 - Authorization Bypass in Telegram Interactive Callbacks via commands.allowFrom
Jun 11, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-53806 HIGH
OpenClaw < 2026.5.12 - Shell Option Parsing Bypass in Exec Revalidation
Jun 11, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-35674 HIGH
OpenClaw < 2026.5.18 - Scope Bypass via Inherited chat.send Route
May 29, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-35673 MEDIUM
OpenClaw < 2026.4.29 - SSRF Policy Bypass via Browser Debug/Export Routes
May 29, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-35630 HIGH
OpenClaw < 2026.5.18 - QQBot Missing Approver Identity Enforcement in Native Approval Buttons
May 29, 2026
CVSS 8.0
EPSS 0.00
CVE-2026-34507 MEDIUM
OpenClaw < 2026.4.29 - Policy Bypass in QQBot Admin Commands via DM-only and allowFrom Checks
May 29, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-32906 MEDIUM
OpenClaw < 2026.5.12 - Privilege Escalation in Slack Plugin Approvals via Exec Approver Gate
May 29, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-32905 HIGH
OpenClaw < 2026.5.4 - Unauthorized Device-Pairing Bootstrap Code Issuance via Chat Command
May 29, 2026
CVSS 8.3
EPSS 0.00
CVE-2026-8634 CRITICAL
Crabbox < v0.12.0 Environment Variable Information Disclosure
May 14, 2026
CVSS 9.1
EPSS 0.01
CVE-2026-8629 HIGH
Crabbox < v0.12.0 Privilege Escalation via Agent Ticket Endpoints
May 14, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-8621 HIGH
Crabbox < v0.12.0 Authentication Bypass via Header Spoofing
May 14, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-45224 HIGH
Crabbox < 0.9.0 Path Traversal via Islo Provider Workspace Resolution
May 11, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-45223 HIGH
Crabbox < 0.9.0 Authentication Bypass via Admin Claim Injection
May 11, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-8305 HIGH
OpenClaw bluebubbles Webhook monitor.ts handleBlueBubblesWebhookRequest improper authentication
May 11, 2026
CVSS 7.3
EPSS 0.01
CVE-2026-45006 HIGH
OpenClaw < 2026.4.23 - Unsafe Config Mutation via Gateway Tool Denylist Bypass
May 11, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-45005 MEDIUM
OpenClaw < 2026.4.23 - Webhook Route Secret Cache Not Invalidated After Rotation
May 11, 2026
CVSS 6.0
EPSS 0.00
CVE-2026-45004 HIGH
OpenClaw < 2026.4.23 - Arbitrary Code Execution via setup-api.js in Current Working Directory
May 11, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-45003 MEDIUM
OpenClaw < 2026.4.22 - Connector Endpoint Host Override via Workspace dotenv Files
May 11, 2026
CVSS 5.0
EPSS 0.00
CVE-2026-45002 MEDIUM
OpenClaw < 2026.4.20 - Hook Session-Key Bypass via Template Mapping
May 11, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-45001 HIGH
OpenClaw < 2026.4.20 - Gateway Config Mutation Guard Bypass via Agent Tool Access
May 11, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-45000 MEDIUM
OpenClaw < 2026.4.20 - Server-Side Request Forgery via Browser CDP Profile Creation
May 11, 2026
CVSS 5.0
EPSS 0.00
CVE-2026-44999 MEDIUM
OpenClaw < 2026.4.20 - Improper Trust Labeling in Isolated Cron Awareness Events
May 11, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-44998 MEDIUM
OpenClaw < 2026.4.20 - Tool Policy Bypass via Bundled MCP/LSP Tools
May 11, 2026
CVSS 5.4
EPSS 0.01
CVE-2026-44997 MEDIUM
OpenClaw < 2026.4.22 - Security Envelope Constraint Bypass in ACP Child Sessions
May 11, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-44996 LOW
OpenClaw < 2026.4.15 - Arbitrary Local File Read via Webchat Audio Embedding
May 11, 2026
CVSS 3.7
EPSS 0.00