openclaw

477 tracked vulnerabilities.

| CVE | Severity | Published | CVSS | EPSS | Title |
|---|---|---|---|---|---|
| CVE-2026-41395 | HIGH | Apr 28, 2026 | 7.5 | 0.00 | OpenClaw < 2026.3.28 - Webhook Replay via Query Parameter Reordering in Plivo V3 |
| CVE-2026-41394 | HIGH | Apr 28, 2026 | 8.2 | 0.00 | OpenClaw < 2026.3.31 - Unauthorized Operator Scope Access in Unauthenticated Plugin-Auth Routes |
| CVE-2026-41393 | MEDIUM | Apr 28, 2026 | 4.8 | 0.00 | OpenClaw < 2026.3.31 - Arbitrary DNS Authority Acceptance and Credential Exfiltration via Wide-Area Discovery |
| CVE-2026-41392 | MEDIUM | Apr 28, 2026 | 6.7 | 0.00 | OpenClaw < 2026.3.31 - Exec Allowlist Bypass via Shell Init-File Options |
| CVE-2026-41391 | MEDIUM | Apr 28, 2026 | 5.3 | 0.00 | OpenClaw < 2026.3.31 - Environment Variable Bypass in Package Index URL Handling |
| CVE-2026-41390 | HIGH | Apr 28, 2026 | 7.3 | 0.00 | OpenClaw < 2026.3.28 - Exec Allowlist Bypass via Unregistered /usr/bin/script Wrapper |
| CVE-2026-41388 | MEDIUM | Apr 28, 2026 | 6.5 | 0.00 | OpenClaw < 2026.3.31 - Configuration Rehydration via Empty-Array Revocation Handling |
| CVE-2026-41387 | HIGH | Apr 28, 2026 | 7.8 | 0.00 | OpenClaw < 2026.3.22 - Supply Chain Redirection via Incomplete Host Environment Sanitization |
| CVE-2026-41386 | CRITICAL | Apr 28, 2026 | 9.1 | 0.00 | OpenClaw < 2026.3.22 - Privilege Escalation via Unbound Bootstrap Setup Codes |
| CVE-2026-41385 | MEDIUM | Apr 28, 2026 | 6.5 | 0.00 | OpenClaw < 2026.3.31 - Nostr Private Key Exposure via config.get Redaction Bypass |
| CVE-2026-41384 | HIGH | Apr 28, 2026 | 7.8 | 0.00 | OpenClaw < 2026.3.24 - Environment Variable Injection via Workspace Config in CLI Backend |
| CVE-2026-41383 | HIGH | Apr 28, 2026 | 8.1 | 0.00 | OpenClaw < 2026.4.2 - Arbitrary Remote Directory Deletion via Mis-scoped Mirror Mode Paths |
| CVE-2026-41382 | MEDIUM | Apr 28, 2026 | 5.4 | 0.00 | OpenClaw < 2026.3.31 - Discord Voice Ingress Authorization Bypass via Channel and Role Validation Gaps |
| CVE-2026-41381 | MEDIUM | Apr 28, 2026 | 5.4 | 0.00 | OpenClaw < 2026.3.31 - Access Control Bypass in Discord Voice Manager via Channel Allowlist |
| CVE-2026-41380 | HIGH | Apr 28, 2026 | 7.3 | 0.00 | OpenClaw < 2026.3.28 - Arbitrary Execution Allowlist via Wrapper Carrier Executables |
| CVE-2026-41379 | HIGH | Apr 28, 2026 | 7.1 | 0.00 | OpenClaw < 2026.3.28 - Privilege Escalation via chat.send to Admin-Class Talk Voice Config |
| CVE-2026-41378 | HIGH | Apr 28, 2026 | 8.8 | 0.00 | OpenClaw < 2026.3.31 - Privilege Escalation to Remote Code Execution via Unrestricted node.event Agent Dispatch |
| CVE-2026-41377 | MEDIUM | Apr 28, 2026 | 4.6 | 0.00 | OpenClaw < 2026.3.31 - Fail-Open Security Scan Bypass in Plugin Installation |
| CVE-2026-41376 | MEDIUM | Apr 28, 2026 | 5.4 | 0.00 | OpenClaw < 2026.3.31 - Matrix Thread Context Allowlist Bypass via Sender Validation |
| CVE-2026-41375 | MEDIUM | Apr 28, 2026 | 6.5 | 0.00 | OpenClaw < 2026.3.28 - Authorization Bypass in /phone arm and /phone disarm Endpoints |
| CVE-2026-41374 | MEDIUM | Apr 28, 2026 | 5.3 | 0.00 | OpenClaw < 2026.3.31 - Resource Consumption via Discord Audio Preflight Before Member Authorization |
| CVE-2026-41373 | MEDIUM | Apr 28, 2026 | 6.1 | 0.00 | OpenClaw < 2026.3.31 - Compiler Binary Substitution via Environment Variable Override in Host Execution Policy |
| CVE-2026-41372 | MEDIUM | Apr 28, 2026 | 5.8 | 0.00 | OpenClaw < 2026.4.2 - Loopback Protection Bypass via Trailing-Dot Localhost in CDP Discovery |
| CVE-2026-41371 | HIGH | Apr 28, 2026 | 8.5 | 0.00 | OpenClaw < 2026.3.28 - Privilege Escalation via chat.send Reset Command |
| CVE-2026-41370 | MEDIUM | Apr 28, 2026 | 6.5 | 0.00 | OpenClaw < 2026.3.31 - Path Traversal via Inbound Channel Attachment Path in ACP Dispatch |