openclaw

560 tracked vulnerabilities.

CVE-2026-42434 HIGH
OpenClaw 2026.4.5 < 2026.4.10 - Sandbox Escape via host Parameter Override in Exec Routing
May 05, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-42433 MEDIUM
OpenClaw < 2026.4.10 - Unauthorized Matrix Profile Config Persistence Access via operator.write Message Tools
May 05, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-42432 HIGH
OpenClaw < 2026.4.8 - Command Escalation via Node Pairing Reconnect Bypass
Apr 28, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-42431 HIGH
OpenClaw < 2026.4.8 - Persistent Profile Mutation via node.invoke(browser.proxy) Bypass
Apr 28, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-42430 MEDIUM
OpenClaw < 2026.4.8 - Strict Browser SSRF Bypass via Playwright Redirect Handling
Apr 28, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-42429 HIGH
OpenClaw < 2026.4.8 - Privilege Escalation via Gateway Plugin HTTP Authentication
Apr 28, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-42428 HIGH
OpenClaw < 2026.4.8 - Missing Integrity Verification in Package Downloads
Apr 28, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-42427 MEDIUM
OpenClaw < 2026.4.8 - Remote Code Execution via Build Tool Environment Variable Injection
Apr 28, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-42426 HIGH
OpenClaw < 2026.4.8 - Improper Authorization in node.pair.approve via operator.write Scope
Apr 28, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-42424 MEDIUM
OpenClaw < 2026.4.8 - Local File Exfiltration via Shared Reply MEDIA Paths
Apr 28, 2026
CVSS 5.7
EPSS 0.00
CVE-2026-42423 HIGH
OpenClaw < 2026.4.8 - strictInlineEval Approval Boundary Bypass via Approval-Timeout Fallback
Apr 28, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-42422 HIGH
OpenClaw < 2026.4.8 - Role Bypass in device.token.rotate Function
Apr 28, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-42421 MEDIUM
OpenClaw < 2026.4.8 - WebSocket Session Persistence via Shared Gateway Token Rotation
Apr 28, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-42420 MEDIUM
OpenClaw < 2026.4.8 - Improper Base64 Decoding Size Validation
Apr 28, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-41916 MEDIUM
OpenClaw < 2026.4.8 - Stale Authentication State via Config Reload
Apr 28, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-41915 MEDIUM
OpenClaw < 2026.4.8 - Git Environment Variable Injection via Unfiltered Exec Environment
Apr 28, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-41914 HIGH
OpenClaw < 2026.4.8 - Server-Side Request Forgery in QQ Bot Media Fetch Paths
Apr 28, 2026
CVSS 8.5
EPSS 0.00
CVE-2026-41913 LOW
OpenClaw < 2026.4.4 - Rate-Limit Bypass via Concurrent Async Authentication Attempts
Apr 28, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-41912 HIGH
OpenClaw < 2026.4.8 - Server-Side Request Forgery Policy Bypass via Interaction-Triggered Navigation
Apr 28, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-41911 MEDIUM
OpenClaw < 2026.4.8 - Workspace-Only Filesystem Policy Bypass via docx upload_file/upload_image
Apr 28, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41910 MEDIUM
OpenClaw < 2026.4.8 - Missing Owner-Only Enforcement in /allowlist Cross-Channel Writes
Apr 28, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-41408 MEDIUM
OpenClaw < 2026.3.31 - Disk Exhaustion via Media Download Bypass
Apr 28, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-41407 LOW
OpenClaw < 2026.4.2 - Timing Side Channel in Shared-Secret Comparison
Apr 28, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-41406 MEDIUM
OpenClaw < 2026.3.31 - Sender Allowlist Bypass via Thread History and Quoted Messages
Apr 28, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-41405 HIGH
OpenClaw < 2026.3.31 - Resource Exhaustion via Unauthenticated MS Teams Webhook Body Parsing
Apr 28, 2026
CVSS 7.5
EPSS 0.00