openclaw

477 tracked vulnerabilities.

| CVE | Severity | Title | Published | CVSS | EPSS |
|---|---|---|---|---|---|
| CVE-2026-41344 | MEDIUM | OpenClaw < 2026.3.28 - Privilege Escalation via chat.send /verbose Parameter | Apr 23, 2026 | 5.4 | 0.00 |
| CVE-2026-41343 | MEDIUM | OpenClaw < 2026.3.31 - Denial of Service via LINE Webhook Handler Pre-Auth Concurrency | Apr 23, 2026 | 5.3 | 0.00 |
| CVE-2026-41342 | HIGH | OpenClaw < 2026.3.28 - Unauthenticated Discovery Endpoint Credential Exfiltration via Remote Onboarding | Apr 23, 2026 | 7.3 | 0.00 |
| CVE-2026-41341 | MEDIUM | OpenClaw < 2026.3.31 - Component Interaction Misclassification in Discord Extension | Apr 23, 2026 | 5.4 | 0.00 |
| CVE-2026-41340 | MEDIUM | OpenClaw < 2026.3.31 - Authentication Boundary Bypass via Telegram Legacy allowFrom Migration | Apr 23, 2026 | 6.5 | 0.00 |
| CVE-2026-41339 | MEDIUM | OpenClaw < 2026.4.2 - Information Disclosure via Gateway Connect Snapshot | Apr 23, 2026 | 4.3 | 0.00 |
| CVE-2026-41338 | MEDIUM | OpenClaw < 2026.3.31 - Time-of-Check-Time-of-Use (TOCTOU) Vulnerability in Sandbox File Operations | Apr 23, 2026 | 5.0 | 0.00 |
| CVE-2026-41337 | MEDIUM | OpenClaw < 2026.3.31 - Callback Origin Mutation in Plivo Voice-call Replay | Apr 23, 2026 | 5.3 | 0.00 |
| CVE-2026-41336 | HIGH | OpenClaw < 2026.3.31 - Arbitrary Hook Code Execution via OPENCLAW_BUNDLED_HOOKS_DIR Environment Variable Override | Apr 23, 2026 | 7.8 | 0.00 |
| CVE-2026-41335 | MEDIUM | OpenClaw < 2026.3.31 - Information Disclosure via Control UI Bootstrap JSON | Apr 23, 2026 | 5.3 | 0.00 |
| CVE-2026-41334 | MEDIUM | OpenClaw < 2026.3.31 - Decompression Bomb Denial of Service via Image Pixel-Limit Guard Bypass | Apr 23, 2026 | 6.5 | 0.00 |
| CVE-2026-41333 | LOW | OpenClaw < 2026.3.31 - Authentication Rate Limiting Bypass via Fake DeviceToken | Apr 23, 2026 | 3.7 | 0.00 |
| CVE-2026-41332 | MEDIUM | OpenClaw < 2026.3.28 - Code Execution via Missing Environment Variable Blocklist | Apr 23, 2026 | 5.3 | 0.00 |
| CVE-2026-41909 | MEDIUM | OpenClaw < 2026.4.20 - Improper Authorization in Paired-Device Pairing Actions | Apr 23, 2026 | 5.4 | 0.00 |
| CVE-2026-41908 | MEDIUM | OpenClaw < 2026.4.20 - Scope Enforcement Bypass in Assistant-Media Route | Apr 23, 2026 | 4.3 | 0.00 |
| CVE-2026-41331 | MEDIUM | OpenClaw < 2026.3.31 - Resource Consumption via Unauthorized Telegram Audio Preflight Transcription | Apr 21, 2026 | 5.3 | 0.00 |
| CVE-2026-41330 | MEDIUM | OpenClaw < 2026.3.31 - Environment Variable Override via Host Exec Policy | Apr 21, 2026 | 4.4 | 0.00 |
| CVE-2026-41329 | CRITICAL | OpenClaw < 2026.3.31 - Sandbox Bypass via Heartbeat Context Inheritance and senderIsOwner Escalation | Apr 21, 2026 | 9.9 | 0.00 |
| CVE-2026-41303 | HIGH | OpenClaw < 2026.3.28 - Authorization Bypass in Discord Text Approval Commands | Apr 21, 2026 | 8.8 | 0.00 |
| CVE-2026-41302 | HIGH | OpenClaw < 2026.3.31 - Server-Side Request Forgery via Unguarded fetch() in Marketplace Plugin Download | Apr 21, 2026 | 7.6 | 0.00 |
| CVE-2026-41301 | MEDIUM | OpenClaw 2026.3.22 < 2026.3.31 - Forged Nostr DM Pairing State Creation via Signature Verification Bypass | Apr 21, 2026 | 5.3 | 0.00 |
| CVE-2026-41300 | MEDIUM | OpenClaw < 2026.3.31 - Attacker-Discovered Endpoint Preservation in Remote Onboarding | Apr 21, 2026 | 6.5 | 0.00 |
| CVE-2026-41299 | HIGH | OpenClaw < 2026.3.28 - Client Identity Spoofing in chat.send Gateway Provenance Guard | Apr 21, 2026 | 7.1 | 0.00 |
| CVE-2026-41298 | MEDIUM | OpenClaw < 2026.4.2 - Authorization Bypass in Session Termination Endpoint | Apr 21, 2026 | 5.4 | 0.00 |
| CVE-2026-41297 | HIGH | OpenClaw < 2026.3.31 - Server-Side Request Forgery via Marketplace Plugin Download Redirect | Apr 21, 2026 | 7.6 | 0.00 |