openclaw

560 tracked vulnerabilities.

CVE-2026-41377 MEDIUM
OpenClaw < 2026.3.31 - Fail-Open Security Scan Bypass in Plugin Installation
Apr 28, 2026
CVSS 4.6
EPSS 0.00
CVE-2026-41376 MEDIUM
OpenClaw < 2026.3.31 - Matrix Thread Context Allowlist Bypass via Sender Validation
Apr 28, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-41375 MEDIUM
OpenClaw < 2026.3.28 - Authorization Bypass in /phone arm and /phone disarm Endpoints
Apr 28, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41374 MEDIUM
OpenClaw < 2026.3.31 - Resource Consumption via Discord Audio Preflight Before Member Authorization
Apr 28, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-41373 MEDIUM
OpenClaw < 2026.3.31 - Compiler Binary Substitution via Environment Variable Override in Host Execution Policy
Apr 28, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-41372 MEDIUM
OpenClaw < 2026.4.2 - Loopback Protection Bypass via Trailing-Dot Localhost in CDP Discovery
Apr 28, 2026
CVSS 5.8
EPSS 0.00
CVE-2026-41371 HIGH
OpenClaw < 2026.3.28 - Privilege Escalation via chat.send Reset Command
Apr 28, 2026
CVSS 8.5
EPSS 0.00
CVE-2026-41370 MEDIUM
OpenClaw < 2026.3.31 - Path Traversal via Inbound Channel Attachment Path in ACP Dispatch
Apr 28, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41369 MEDIUM
OpenClaw < 2026.3.31 - Insufficient Environment Variable Sanitization in Host Execution
Apr 28, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41368 MEDIUM
OpenClaw < 2026.3.28 - Environment Variable Disclosure via jq $ENV Filter Bypass
Apr 28, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41367 MEDIUM
OpenClaw 2026.2.14 < 2026.3.28 - Policy Enforcement Bypass in Discord Component Interactions
Apr 28, 2026
CVSS 5.0
EPSS 0.00
CVE-2026-41366 MEDIUM
OpenClaw < 2026.3.31 - Arbitrary Host File Read via appendLocalMediaParentRoots Self-Whitelisting
Apr 28, 2026
CVSS 5.5
EPSS 0.00
CVE-2026-41365 MEDIUM
OpenClaw < 2026.3.31 - Sender Allowlist Bypass via Graph API Thread History
Apr 28, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-41364 HIGH
OpenClaw < 2026.3.31 - Arbitrary File Write via Symlink Following in SSH Sandbox Tar Upload
Apr 28, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-41363 MEDIUM
OpenClaw 2026.2.6 < 2026.3.28 - Arbitrary File Read via Feishu upload_image Parameter
Apr 28, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-41362 MEDIUM
OpenClaw 2026.2.19 < 2026.3.31 - Webhook Replay Dedupe Cache Event Suppression via Shared Authentication
Apr 28, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-41361 HIGH
OpenClaw < 2026.3.28 - SSRF Guard Bypass via IPv6 Special-Use Ranges
Apr 23, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-41360 MEDIUM
OpenClaw < 2026.4.2 - Approval Integrity Bypass in pnpm dlx Local Script Binding
Apr 23, 2026
CVSS 6.7
EPSS 0.00
CVE-2026-41359 HIGH
OpenClaw < 2026.3.28 - Privilege Escalation via operator.write to Admin-Class Telegram Config and Cron Persistence
Apr 23, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-41358 MEDIUM
OpenClaw < 2026.4.2 - Sender Allowlist Bypass via Slack Thread Context
Apr 23, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-41357 LOW
OpenClaw < 2026.3.31 - Unsanitized Environment Variable Leakage in SSH Sandbox Backends
Apr 23, 2026
CVSS 3.3
EPSS 0.00
CVE-2026-41356 MEDIUM
OpenClaw < 2026.3.31 - Incomplete WebSocket Session Termination in device.token.rotate
Apr 23, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-41355 HIGH
OpenShell < 2026.3.28 - Arbitrary Code Execution via Mirror Mode Sandbox File Conversion
Apr 23, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-41354 LOW
OpenClaw < 2026.4.2 - Insufficient Scope in Zalo Webhook Replay Dedupe Keys
Apr 23, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-41353 HIGH
OpenClaw < 2026.3.22 - allowProfiles Bypass via Profile Mutation and Runtime Selection
Apr 23, 2026
CVSS 8.1
EPSS 0.00