openclaw

477 tracked vulnerabilities.

| CVE | Severity | Title | Date | CVSS | EPSS |
|---|---|---|---|---|---|
| CVE-2026-42426 | HIGH | OpenClaw < 2026.4.8 - Improper Authorization in node.pair.approve via operator.write Scope | Apr 28, 2026 | 8.8 | 0.00 |
| CVE-2026-42424 | MEDIUM | OpenClaw < 2026.4.8 - Local File Exfiltration via Shared Reply MEDIA Paths | Apr 28, 2026 | 5.7 | 0.00 |
| CVE-2026-42423 | HIGH | OpenClaw < 2026.4.8 - strictInlineEval Approval Boundary Bypass via Approval-Timeout Fallback | Apr 28, 2026 | 7.5 | 0.00 |
| CVE-2026-42422 | HIGH | OpenClaw < 2026.4.8 - Role Bypass in device.token.rotate Function | Apr 28, 2026 | 8.8 | 0.00 |
| CVE-2026-42421 | MEDIUM | OpenClaw < 2026.4.8 - WebSocket Session Persistence via Shared Gateway Token Rotation | Apr 28, 2026 | 5.4 | 0.00 |
| CVE-2026-42420 | MEDIUM | OpenClaw < 2026.4.8 - Improper Base64 Decoding Size Validation | Apr 28, 2026 | 4.3 | 0.00 |
| CVE-2026-41916 | MEDIUM | OpenClaw < 2026.4.8 - Stale Authentication State via Config Reload | Apr 28, 2026 | 5.4 | 0.00 |
| CVE-2026-41915 | MEDIUM | OpenClaw < 2026.4.8 - Git Environment Variable Injection via Unfiltered Exec Environment | Apr 28, 2026 | 5.3 | 0.00 |
| CVE-2026-41914 | HIGH | OpenClaw < 2026.4.8 - Server-Side Request Forgery in QQ Bot Media Fetch Paths | Apr 28, 2026 | 8.5 | 0.00 |
| CVE-2026-41913 | LOW | OpenClaw < 2026.4.4 - Rate-Limit Bypass via Concurrent Async Authentication Attempts | Apr 28, 2026 | 3.7 | 0.00 |
| CVE-2026-41912 | HIGH | OpenClaw < 2026.4.8 - Server-Side Request Forgery Policy Bypass via Interaction-Triggered Navigation | Apr 28, 2026 | 7.6 | 0.00 |
| CVE-2026-41911 | MEDIUM | OpenClaw < 2026.4.8 - Workspace-Only Filesystem Policy Bypass via docx upload_file/upload_image | Apr 28, 2026 | 6.5 | 0.00 |
| CVE-2026-41910 | MEDIUM | OpenClaw < 2026.4.8 - Missing Owner-Only Enforcement in /allowlist Cross-Channel Writes | Apr 28, 2026 | 4.3 | 0.00 |
| CVE-2026-41408 | MEDIUM | OpenClaw < 2026.3.31 - Disk Exhaustion via Media Download Bypass | Apr 28, 2026 | 4.3 | 0.00 |
| CVE-2026-41407 | LOW | OpenClaw < 2026.4.2 - Timing Side Channel in Shared-Secret Comparison | Apr 28, 2026 | 3.7 | 0.00 |
| CVE-2026-41406 | MEDIUM | OpenClaw < 2026.3.31 - Sender Allowlist Bypass via Thread History and Quoted Messages | Apr 28, 2026 | 5.4 | 0.00 |
| CVE-2026-41405 | HIGH | OpenClaw < 2026.3.31 - Resource Exhaustion via Unauthenticated MS Teams Webhook Body Parsing | Apr 28, 2026 | 7.5 | 0.00 |
| CVE-2026-41404 | HIGH | OpenClaw < 2026.3.31 - Operator Admin Privilege Escalation via Trusted-Proxy Authentication | Apr 28, 2026 | 8.8 | 0.00 |
| CVE-2026-41403 | LOW | OpenClaw < 2026.3.31 - Access Control Bypass via Proxied Remote Request Misclassification | Apr 28, 2026 | 2.9 | 0.00 |
| CVE-2026-41402 | MEDIUM | OpenClaw < 2026.3.31 - Webhook Replay Cache Cross-Target messageId Scope Bypass | Apr 28, 2026 | 4.2 | 0.00 |
| CVE-2026-41400 | MEDIUM | OpenClaw < 2026.3.31 - Resource Consumption via Oversized WebSocket Frames in voice-call | Apr 28, 2026 | 5.3 | 0.00 |
| CVE-2026-41399 | HIGH | OpenClaw < 2026.3.28 - Denial of Service via Unbounded Pre-auth WebSocket Upgrades | Apr 28, 2026 | 7.5 | 0.00 |
| CVE-2026-41398 | MEDIUM | OpenClaw - Unauthorized Agent Request Dispatch via Untrusted Local-Network Pages in iOS A2UI Bridge | Apr 28, 2026 | 4.6 | 0.00 |
| CVE-2026-41397 | MEDIUM | OpenClaw < 2026.3.31 - Sandbox Escape via Unrestricted File Sync and Symlink Traversal | Apr 28, 2026 | 6.8 | 0.00 |
| CVE-2026-41396 | HIGH | OpenClaw < 2026.3.31 - Environment Variable Override of Plugin Trust Root | Apr 28, 2026 | 7.8 | 0.00 |