openclaw

560 tracked vulnerabilities.

CVE-2026-41404 HIGH
OpenClaw < 2026.3.31 - Operator Admin Privilege Escalation via Trusted-Proxy Authentication
Apr 28, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-41403 LOW
OpenClaw < 2026.3.31 - Access Control Bypass via Proxied Remote Request Misclassification
Apr 28, 2026
CVSS 2.9
EPSS 0.00
CVE-2026-41402 MEDIUM
OpenClaw < 2026.3.31 - Webhook Replay Cache Cross-Target messageId Scope Bypass
Apr 28, 2026
CVSS 4.2
EPSS 0.00
CVE-2026-41400 MEDIUM
OpenClaw < 2026.3.31 - Resource Consumption via Oversized WebSocket Frames in voice-call
Apr 28, 2026
CVSS 5.3
EPSS 0.01
CVE-2026-41399 HIGH
OpenClaw < 2026.3.28 - Denial of Service via Unbounded Pre-auth WebSocket Upgrades
Apr 28, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41398 MEDIUM
OpenClaw - Unauthorized Agent Request Dispatch via Untrusted Local-Network Pages in iOS A2UI Bridge
Apr 28, 2026
CVSS 4.6
EPSS 0.00
CVE-2026-41397 MEDIUM
OpenClaw < 2026.3.31 - Sandbox Escape via Unrestricted File Sync and Symlink Traversal
Apr 28, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-41396 HIGH
OpenClaw < 2026.3.31 - Environment Variable Override of Plugin Trust Root
Apr 28, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-41395 HIGH
OpenClaw < 2026.3.28 - Webhook Replay via Query Parameter Reordering in Plivo V3
Apr 28, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41394 HIGH
OpenClaw < 2026.3.31 - Unauthorized Operator Scope Access in Unauthenticated Plugin-Auth Routes
Apr 28, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-41393 MEDIUM
OpenClaw < 2026.3.31 - Arbitrary DNS Authority Acceptance and Credential Exfiltration via Wide-Area Discovery
Apr 28, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-41392 MEDIUM
OpenClaw < 2026.3.31 - Exec Allowlist Bypass via Shell Init-File Options
Apr 28, 2026
CVSS 6.7
EPSS 0.00
CVE-2026-41391 MEDIUM
OpenClaw < 2026.3.31 - Environment Variable Bypass in Package Index URL Handling
Apr 28, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-41390 HIGH
OpenClaw < 2026.3.28 - Exec Allowlist Bypass via Unregistered /usr/bin/script Wrapper
Apr 28, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-41388 MEDIUM
OpenClaw < 2026.3.31 - Configuration Rehydration via Empty-Array Revocation Handling
Apr 28, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41387 HIGH
OpenClaw < 2026.3.22 - Supply Chain Redirection via Incomplete Host Environment Sanitization
Apr 28, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-41386 CRITICAL
OpenClaw < 2026.3.22 - Privilege Escalation via Unbound Bootstrap Setup Codes
Apr 28, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-41385 MEDIUM
OpenClaw < 2026.3.31 - Nostr Private Key Exposure via config.get Redaction Bypass
Apr 28, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41384 HIGH
OpenClaw < 2026.3.24 - Environment Variable Injection via Workspace Config in CLI Backend
Apr 28, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-41383 HIGH
OpenClaw < 2026.4.2 - Arbitrary Remote Directory Deletion via Mis-scoped Mirror Mode Paths
Apr 28, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-41382 MEDIUM
OpenClaw < 2026.3.31 - Discord Voice Ingress Authorization Bypass via Channel and Role Validation Gaps
Apr 28, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-41381 MEDIUM
OpenClaw < 2026.3.31 - Access Control Bypass in Discord Voice Manager via Channel Allowlist
Apr 28, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-41380 HIGH
OpenClaw < 2026.3.28 - Arbitrary Execution Allowlist via Wrapper Carrier Executables
Apr 28, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-41379 HIGH
OpenClaw < 2026.3.28 - Privilege Escalation via chat.send to Admin-Class Talk Voice Config
Apr 28, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-41378 HIGH
OpenClaw < 2026.3.31 - Privilege Escalation to Remote Code Execution via Unrestricted node.event Agent Dispatch
Apr 28, 2026
CVSS 8.8
EPSS 0.00