openclaw
560 tracked vulnerabilities.
CVE-2026-53807
HIGH
OpenClaw < 2026.5.6 - Authorization Bypass in Telegram Interactive Callbacks via commands.allowFrom
Jun 11, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-53806
HIGH
OpenClaw < 2026.5.12 - Shell Option Parsing Bypass in Exec Revalidation
Jun 11, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-35674
HIGH
OpenClaw < 2026.5.18 - Scope Bypass via Inherited chat.send Route
May 29, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-35673
MEDIUM
OpenClaw < 2026.4.29 - SSRF Policy Bypass via Browser Debug/Export Routes
May 29, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-35630
HIGH
OpenClaw < 2026.5.18 - QQBot Missing Approver Identity Enforcement in Native Approval Buttons
May 29, 2026
CVSS 8.0
EPSS 0.00
CVE-2026-34507
MEDIUM
OpenClaw < 2026.4.29 - Policy Bypass in QQBot Admin Commands via DM-only and allowFrom Checks
May 29, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-32906
MEDIUM
OpenClaw < 2026.5.12 - Privilege Escalation in Slack Plugin Approvals via Exec Approver Gate
May 29, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-32905
HIGH
OpenClaw < 2026.5.4 - Unauthorized Device-Pairing Bootstrap Code Issuance via Chat Command
May 29, 2026
CVSS 8.3
EPSS 0.00
CVE-2026-8634
CRITICAL
Crabbox < v0.12.0 Environment Variable Information Disclosure
May 14, 2026
CVSS 9.1
EPSS 0.01
CVE-2026-8629
HIGH
Crabbox < v0.12.0 Privilege Escalation via Agent Ticket Endpoints
May 14, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-8621
HIGH
Crabbox < v0.12.0 Authentication Bypass via Header Spoofing
May 14, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-45224
HIGH
Crabbox < 0.9.0 Path Traversal via Islo Provider Workspace Resolution
May 11, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-45223
HIGH
Crabbox < 0.9.0 Authentication Bypass via Admin Claim Injection
May 11, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-8305
HIGH
OpenClaw bluebubbles Webhook monitor.ts handleBlueBubblesWebhookRequest improper authentication
May 11, 2026
CVSS 7.3
EPSS 0.01
CVE-2026-45006
HIGH
OpenClaw < 2026.4.23 - Unsafe Config Mutation via Gateway Tool Denylist Bypass
May 11, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-45005
MEDIUM
OpenClaw < 2026.4.23 - Webhook Route Secret Cache Not Invalidated After Rotation
May 11, 2026
CVSS 6.0
EPSS 0.00
CVE-2026-45004
HIGH
OpenClaw < 2026.4.23 - Arbitrary Code Execution via setup-api.js in Current Working Directory
May 11, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-45003
MEDIUM
OpenClaw < 2026.4.22 - Connector Endpoint Host Override via Workspace dotenv Files
May 11, 2026
CVSS 5.0
EPSS 0.00
CVE-2026-45002
MEDIUM
OpenClaw < 2026.4.20 - Hook Session-Key Bypass via Template Mapping
May 11, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-45001
HIGH
OpenClaw < 2026.4.20 - Gateway Config Mutation Guard Bypass via Agent Tool Access
May 11, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-45000
MEDIUM
OpenClaw < 2026.4.20 - Server-Side Request Forgery via Browser CDP Profile Creation
May 11, 2026
CVSS 5.0
EPSS 0.00
CVE-2026-44999
MEDIUM
OpenClaw < 2026.4.20 - Improper Trust Labeling in Isolated Cron Awareness Events
May 11, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-44998
MEDIUM
OpenClaw < 2026.4.20 - Tool Policy Bypass via Bundled MCP/LSP Tools
May 11, 2026
CVSS 5.4
EPSS 0.01
CVE-2026-44997
MEDIUM
OpenClaw < 2026.4.22 - Security Envelope Constraint Bypass in ACP Child Sessions
May 11, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-44996
LOW
OpenClaw < 2026.4.15 - Arbitrary Local File Read via Webchat Audio Embedding
May 11, 2026
CVSS 3.7
EPSS 0.00
Products
Quick Filters