openclaw
477 tracked vulnerabilities.
CVE ID         | Severity | CVSS | EPSS | Published    | Title
---------------|----------|------|------|--------------|------------------------------------------------------------------------------------------------
CVE-2026-35653 | HIGH     | 8.1  | 0.00 | Apr 10, 2026 | OpenClaw < 2026.3.24 - Incorrect Authorization in POST /reset-profile via browser.request
CVE-2026-35652 | MEDIUM   | 6.5  | 0.00 | Apr 10, 2026 | OpenClaw < 2026.3.22 - Unauthorized Action Execution via Callback Dispatch
CVE-2026-35651 | MEDIUM   | 4.3  | 0.00 | Apr 10, 2026 | OpenClaw 2026.2.13 < 2026.3.25 - ANSI Escape Sequence Injection in Approval Prompt
CVE-2026-35650 | HIGH     | 7.5  | 0.00 | Apr 10, 2026 | OpenClaw < 2026.3.22 - Environment Variable Override Bypass via Inconsistent Sanitization
CVE-2026-35649 | MEDIUM   | 6.5  | 0.00 | Apr 10, 2026 | OpenClaw < 2026.3.22 - Settings Reconciliation Bypass via Empty Allowlist
CVE-2026-35648 | LOW      | 3.7  | 0.00 | Apr 10, 2026 | OpenClaw < 2026.3.22 - Policy Bypass via Unvalidated Queued Node Actions
CVE-2026-35647 | MEDIUM   | 5.3  | 0.00 | Apr 10, 2026 | OpenClaw < 2026.3.25 - Direct Message Policy Bypass via Verification Notices
CVE-2026-35643 | HIGH     | 8.8  | 0.00 | Apr 10, 2026 | OpenClaw < 2026.3.22 - Arbitrary Code Execution via Unvalidated WebView JavascriptInterface
CVE-2026-35641 | HIGH     | 7.8  | 0.00 | Apr 10, 2026 | OpenClaw < 2026.3.24 - Arbitrary Code Execution via .npmrc in Local Plugin/Hook Installation
CVE-2026-35621 | MEDIUM   | 6.5  | 0.00 | Apr 10, 2026 | OpenClaw < 2026.3.24 - Privilege Escalation via chat.send to Allowlist Persistence
CVE-2026-35620 | MEDIUM   | 5.4  | 0.00 | Apr 10, 2026 | OpenClaw < 2026.3.24 - Missing Authorization in /send and /allowlist Chat Commands
CVE-2026-35619 | MEDIUM   | 4.3  | 0.00 | Apr 10, 2026 | OpenClaw < 2026.3.24 - Authorization Bypass via HTTP /v1/models Endpoint
CVE-2026-6011  | MEDIUM   | 5.6  | 0.00 | Apr 10, 2026 | OpenClaw assertPublicHostname web-fetch.ts server-side request forgery
CVE-2026-35646 | MEDIUM   | 4.8  | 0.00 | Apr 09, 2026 | OpenClaw < 2026.3.25 - Pre-Authentication Rate-Limit Bypass in Webhook Token Validation
CVE-2026-35645 | HIGH     | 8.1  | 0.00 | Apr 09, 2026 | OpenClaw < 2026.3.25 - Privilege Escalation via Synthetic operator.admin in deleteSession
CVE-2026-35644 | MEDIUM   | 6.5  | 0.00 | Apr 09, 2026 | OpenClaw < 2026.3.22 - Credential Exposure via baseUrl Fields in Gateway Snapshots
CVE-2026-35642 | MEDIUM   | 4.3  | 0.00 | Apr 09, 2026 | OpenClaw < 2026.3.25 - Authorization Bypass in Group Reactions via requireMention Bypass
CVE-2026-35640 | MEDIUM   | 5.3  | 0.00 | Apr 09, 2026 | OpenClaw < 2026.3.25 - Denial of Service via Unauthenticated Webhook Request Parsing
CVE-2026-35639 | HIGH     | 8.8  | 0.00 | Apr 09, 2026 | OpenClaw < 2026.3.22 - Privilege Escalation via device.pair.approve Scope Validation
CVE-2026-35638 | HIGH     | 8.8  | 0.00 | Apr 09, 2026 | OpenClaw < 2026.3.22 - Privilege Escalation via Self-Declared Scopes in Trusted-Proxy Control UI
CVE-2026-35637 | HIGH     | 7.3  | 0.00 | Apr 09, 2026 | OpenClaw < 2026.3.22 - Premature Cite Expansion Before Authorization in Channel and DM
CVE-2026-35636 | MEDIUM   | 6.5  | 0.00 | Apr 09, 2026 | OpenClaw 2026.3.11 < 2026.3.25 - Session Isolation Bypass via sessionId Resolution
CVE-2026-35635 | MEDIUM   | 4.8  | 0.00 | Apr 09, 2026 | OpenClaw < 2026.3.22 - Webhook Path Route Replacement Vulnerability in Synology Chat
CVE-2026-35634 | MEDIUM   | 5.1  | 0.00 | Apr 09, 2026 | OpenClaw < 2026.3.23 - Authentication Bypass via Local-Direct Requests in Canvas Gateway
CVE-2026-35633 | MEDIUM   | 5.3  | 0.00 | Apr 09, 2026 | OpenClaw < 2026.3.22 - Unbounded Memory Allocation via Remote Media Error Responses