| CVE-2026-28363 |
🟣 CRITICAL |
9.9 |
In OpenClaw before 2026.2.23, tools.exec.safeBins validation for sort could be… |
2026-02-27 |
| CVE-2026-32915 |
🟣 CRITICAL |
9.3 |
OpenClaw < 2026.3.11 - Sandbox Boundary Bypass via Subagent Control Surface |
2026-03-29 |
| CVE-2026-28470 |
🟣 CRITICAL |
9.2 |
OpenClaw < 2026.2.2 - Exec Allowlist Bypass via Command Substitution in Double Quotes |
2026-03-05 |
| CVE-2026-25253 |
🔴 HIGH |
8.8 |
OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl |
2026-02-01 |
| CVE-2026-24763 |
🔴 HIGH |
8.8 |
OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable |
2026-02-02 |
| CVE-2026-22171 |
🔴 HIGH |
8.8 |
OpenClaw < 2026.2.19 - Path Traversal in Feishu Media Temporary File Naming |
2026-03-18 |
| CVE-2026-32913 |
🔴 HIGH |
8.8 |
OpenClaw < 2026.3.7 - Custom Authorization Header Leakage via Cross-Origin Redirects |
2026-03-23 |
| CVE-2026-28462 |
🔴 HIGH |
8.7 |
OpenClaw < 2026.2.13 - Path Traversal in Trace and Download Output Paths |
2026-03-05 |
| CVE-2026-28478 |
🔴 HIGH |
8.7 |
OpenClaw affected by denial of service via unbounded webhook request body buffering |
2026-03-05 |
| CVE-2026-32042 |
🔴 HIGH |
8.7 |
OpenClaw < 2026.2.25 - Privilege Escalation via Unpaired Device Identity in Shared Gateway Authentication |
2026-03-21 |
| CVE-2026-32060 |
🔴 HIGH |
8.7 |
OpenClaw < 2026.2.14 - Path Traversal in apply_patch via Crafted Paths |
2026-03-11 |
| CVE-2026-32059 |
🔴 HIGH |
8.7 |
OpenClaw 2026.2.22-2 < 2026.2.23 - Allowlist Bypass via sort Long-Option Abbreviation in tools.exec.safeBins |
2026-03-11 |
| CVE-2026-35638 |
🔴 HIGH |
8.7 |
OpenClaw < 2026.3.22 - Privilege Escalation via Self-Declared Scopes in Trusted-Proxy Control UI |
2026-04-09 |
| CVE-2026-35669 |
🔴 HIGH |
8.7 |
OpenClaw < 2026.3.25 - Privilege Escalation via Gateway Plugin HTTP Authentication Scope |
2026-04-10 |
| CVE-2026-26323 |
🔴 HIGH |
8.6 |
OpenClaw has a command injection in maintainer clawtributors updater |
2026-02-19 |
| CVE-2026-28456 |
🔴 HIGH |
8.6 |
OpenClaw 2026.1.5 < 2026.2.14 - Arbitrary Code Execution via Unsafe Hook Module Path Handling |
2026-03-05 |
| CVE-2026-32920 |
🔴 HIGH |
8.6 |
OpenClaw < 2026.3.12 - Arbitrary Code Execution via Auto-Discovery of Workspace Plugins |
2026-03-31 |
| CVE-2026-33577 |
🔴 HIGH |
8.6 |
OpenClaw < 2026.3.28 - Insufficient Scope Validation in node.pair.approve |
2026-03-31 |
| CVE-2026-28468 |
🔴 HIGH |
8.5 |
OpenClaw 2026.1.29-beta.1 < 2026.2.14 - Authentication Bypass in Sandbox Browser Bridge Server |
2026-03-05 |
| CVE-2026-28469 |
🔴 HIGH |
8.2 |
OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting |
2026-03-05 |
| CVE-2026-29611 |
🔴 HIGH |
8.2 |
OpenClaw < 2026.2.14 - Local File Inclusion via mediaPath Parameter in BlueBubbles Media Handling |
2026-03-05 |
| CVE-2026-25157 |
🔴 HIGH |
7.8 |
OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand |
2026-02-04 |
| CVE-2026-29610 |
🔴 HIGH |
7.7 |
OpenClaw < 2026.2.14 - Command Hijacking via Unsafe PATH Handling |
2026-03-05 |
| CVE-2026-32056 |
🔴 HIGH |
7.7 |
OpenClaw < 2026.2.22 - Remote Code Execution via Shell Startup Environment Variable Injection in system.run |
2026-03-21 |
| CVE-2026-35650 |
🔴 HIGH |
7.7 |
OpenClaw < 2026.3.22 - Environment Variable Override Bypass via Inconsistent Sanitization |
2026-04-10 |
| CVE-2026-22179 |
🔴 HIGH |
7.5 |
OpenClaw < 2026.2.22 - Allowlist Bypass via Command Substitution in system.run |
2026-03-18 |
| CVE-2026-26321 |
🔴 HIGH |
7.5 |
OpenClaw has a local file disclosure via sendMediaFeishu in Feishu extension |
2026-02-19 |
| CVE-2026-26319 |
🔴 HIGH |
7.5 |
OpenClaw has Missing Webhook Authentication in Telnyx Provider Allowing Unauthenticated Requests |
2026-02-19 |
| CVE-2026-26324 |
🔴 HIGH |
7.5 |
OpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reachable) |
2026-02-19 |
| CVE-2026-32003 |
🔴 HIGH |
7.5 |
OpenClaw < 2026.2.22 - Remote Code Execution via SHELLOPTS/PS4 Environment Injection in system.run |
2026-03-19 |
| CVE-2026-32025 |
🔴 HIGH |
7.5 |
OpenClaw < 2026.2.25 - Password Brute-Force via Browser-Origin WebSocket Authentication Bypass |
2026-03-19 |
| CVE-2026-32041 |
🔴 HIGH |
7.5 |
OpenClaw < 2026.3.1 - Unauthenticated Browser Control Access via Failed Auth Bootstrap |
2026-03-19 |
| CVE-2026-28458 |
🔴 HIGH |
7.4 |
OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access |
2026-03-05 |
| CVE-2026-32015 |
🔴 HIGH |
7.3 |
OpenClaw 2026.1.21 < 2026.2.19 - PATH Hijacking Bypass in tools.exec.safeBins Allowlist Validation |
2026-03-19 |
| CVE-2026-28473 |
🔴 HIGH |
7.2 |
OpenClaw < 2026.2.2 - Authorization Bypass via /approve Chat Command |
2026-03-05 |
| CVE-2026-32055 |
🔴 HIGH |
7.2 |
OpenClaw < 2026.2.26 - Workspace Path Boundary Bypass via Non-existent Symlink |
2026-03-21 |
| CVE-2026-34512 |
🔴 HIGH |
7.2 |
OpenClaw < 2026.3.25 - Improper Access Control in /sessions/:sessionKey/kill Endpoint |
2026-04-09 |
| CVE-2026-35660 |
🔴 HIGH |
7.2 |
OpenClaw < 2026.3.23 - Insufficient Access Control in Gateway Agent Session Reset |
2026-04-10 |
| CVE-2026-22168 |
🔴 HIGH |
7.1 |
OpenClaw < 2026.2.21 - Command Injection via cmd.exe /c Trailing Arguments in system.run |
2026-03-18 |
| CVE-2026-22169 |
🔴 HIGH |
7.1 |
OpenClaw < 2026.2.22 - Allowlist Bypass via sort Configuration in safeBins |
2026-03-18 |
| CVE-2026-26317 |
🔴 HIGH |
7.1 |
OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints |
2026-02-19 |
| CVE-2026-26327 |
🔴 HIGH |
7.1 |
OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning |
2026-02-19 |
| CVE-2026-27566 |
🔴 HIGH |
7.1 |
OpenClaw < 2026.2.22 - Allowlist Bypass via Wrapper Binary Unwrapping in system.run |
2026-03-19 |
| CVE-2026-27522 |
🔴 HIGH |
7.1 |
OpenClaw < 2026.2.24 - Arbitrary File Read via sendAttachment and setGroupIcon Message Actions |
2026-03-18 |
| CVE-2026-28459 |
🔴 HIGH |
7.1 |
OpenClaw < 2026.2.12 - Arbitrary File Write via Untrusted sessionFile Path |
2026-03-05 |
| CVE-2026-32008 |
🔴 HIGH |
7.1 |
OpenClaw < 2026.2.21 - Arbitrary Local File Read via Browser Navigation Guard |
2026-03-19 |
| CVE-2026-32976 |
🔴 HIGH |
7.1 |
OpenClaw < 2026.3.11 - Account-Scoped configWrites Policy Bypass via Channel Commands |
2026-03-31 |
| CVE-2026-32972 |
🔴 HIGH |
7.1 |
OpenClaw < 2026.3.11 - Authorization Bypass in Browser Profile Management via browser.request |
2026-03-29 |
| CVE-2026-33581 |
🔴 HIGH |
7.1 |
OpenClaw < 2026.3.24 - Arbitrary File Read via mediaUrl and fileUrl Parameters |
2026-03-31 |
| CVE-2026-35636 |
🔴 HIGH |
7.1 |
OpenClaw 2026.3.11 < 2026.3.25 - Session Isolation Bypass via sessionId Resolution |
2026-04-09 |
| CVE-2026-40037 |
🔴 HIGH |
7.1 |
OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects |
2026-04-08 |
| CVE-2026-35631 |
🔴 HIGH |
7.1 |
OpenClaw < 2026.3.22 - Missing Authorization Enforcement in Internal ACP Chat Commands |
2026-04-09 |
| CVE-2026-32979 |
🔴 HIGH |
7 |
OpenClaw < 2026.3.11 - Unbound Interpreter and Runtime Commands Bypass in node-host Approval |
2026-03-29 |
| CVE-2026-22178 |
🟡 MEDIUM |
6.9 |
OpenClaw < 2026.2.19 - ReDoS and Regex Injection via Unescaped Feishu Mention Metadata |
2026-03-18 |
| CVE-2026-22177 |
🟡 MEDIUM |
6.9 |
OpenClaw < 2026.2.21 - Environment Variable Injection via Config env.vars |
2026-03-18 |
| CVE-2026-27488 |
🟡 MEDIUM |
6.9 |
OpenClaw hardened cron webhook delivery against SSRF |
2026-02-21 |
| CVE-2026-27545 |
🟡 MEDIUM |
6.9 |
OpenClaw < 2026.2.26 - Approval Bypass via Parent Symlink Current Working Directory Rebind |
2026-03-18 |
| CVE-2026-27523 |
🟡 MEDIUM |
6.9 |
OpenClaw < 2026.2.24 - Sandbox Bind Validation Bypass via Symlink-Parent Missing-Leaf Paths |
2026-03-18 |
| CVE-2026-28480 |
🟡 MEDIUM |
6.9 |
OpenClaw Telegram allowlist authorization accepted mutable usernames |
2026-03-05 |
| CVE-2026-32919 |
🟡 MEDIUM |
6.9 |
OpenClaw < 2026.3.11 - Unauthorized Session Reset via agent Slash Commands |
2026-03-29 |
| CVE-2026-32063 |
🟡 MEDIUM |
6.9 |
OpenClaw 2026.2.19-2 < 2026.2.21 - Command Injection via Newline in systemd Unit Generation |
2026-03-11 |
| CVE-2026-35652 |
🟡 MEDIUM |
6.9 |
OpenClaw < 2026.3.22 - Unauthorized Action Execution via Callback Dispatch |
2026-04-10 |
| CVE-2026-35647 |
🟡 MEDIUM |
6.9 |
OpenClaw < 2026.3.25 - Direct Message Policy Bypass via Verification Notices |
2026-04-10 |
| CVE-2026-27008 |
🟡 MEDIUM |
6.8 |
OpenClaw hardened the skill download target directory validation |
2026-02-19 |
| CVE-2026-28486 |
🟡 MEDIUM |
6.8 |
OpenClaw 2026.1.16-2 < 2026.2.14 - Path Traversal (Zip Slip) in Archive Extraction via Installation Commands |
2026-03-05 |
| CVE-2026-29612 |
🟡 MEDIUM |
6.8 |
OpenClaw < 2026.2.14 - Denial of Service via Large Base64 Media File Decoding |
2026-03-05 |
| CVE-2026-32024 |
🟡 MEDIUM |
6.8 |
OpenClaw < 2026.2.22 - Symlink Traversal in Avatar Handling |
2026-03-19 |
| CVE-2026-26972 |
🟡 MEDIUM |
6.7 |
OpenClaw has a Path Traversal in Browser Download Functionality |
2026-02-19 |
| CVE-2026-28452 |
🟡 MEDIUM |
6.7 |
OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR) |
2026-03-05 |
| CVE-2026-26328 |
🟡 MEDIUM |
6.5 |
OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities |
2026-02-19 |
| CVE-2026-28395 |
🟡 MEDIUM |
6.3 |
OpenClaw 2026.1.14-1 < 2026.2.12 - Unintended Public Binding of Chrome Extension Relay via Wildcard cdpUrl |
2026-03-05 |
| CVE-2026-28449 |
🟡 MEDIUM |
6.3 |
OpenClaw < 2026.2.25 - Webhook Replay Attack via Missing Durable Replay Suppression |
2026-03-19 |
| CVE-2026-28448 |
🟡 MEDIUM |
6.3 |
OpenClaw 2026.1.29 < 2026.2.1 - Authorization Bypass in Twitch Plugin allowFrom Access Control |
2026-03-05 |
| CVE-2026-28471 |
🟡 MEDIUM |
6.3 |
OpenClaw 2026.1.14-1 < 2026.2.2 - Allowlist Bypass via displayName and Cross-Homeserver localpart Matching in Matrix Plugin |
2026-03-05 |
| CVE-2026-29606 |
🟡 MEDIUM |
6.3 |
OpenClaw < 2026.2.14 - Webhook Signature Verification Bypass via ngrok Loopback Compatibility |
2026-03-05 |
| CVE-2026-32021 |
🟡 MEDIUM |
6.3 |
OpenClaw < 2026.2.22 - Authorization Bypass via Display Name Collision in Feishu allowFrom |
2026-03-19 |
| CVE-2026-35623 |
🟡 MEDIUM |
6.3 |
OpenClaw < 2026.3.25 - Brute-Force Attack via Missing Webhook Password Rate Limiting |
2026-04-09 |
| CVE-2026-35645 |
🟡 MEDIUM |
6.1 |
OpenClaw < 2026.3.25 - Privilege Escalation via Synthetic operator.admin in deleteSession |
2026-04-09 |
| CVE-2026-32023 |
🟡 MEDIUM |
6 |
OpenClaw < 2026.2.24 - Approval Gating Bypass via Dispatch-Wrapper Depth-Cap Mismatch in system.run |
2026-03-19 |
| CVE-2026-32039 |
🟡 MEDIUM |
6 |
OpenClaw < 2026.2.22 - Sender Authorization Bypass via Identity Collision in toolsBySender |
2026-03-19 |
| CVE-2026-34511 |
🟡 MEDIUM |
6 |
OpenClaw < 2026.4.2 - PKCE Verifier Exposure via OAuth State Parameter |
2026-04-03 |
| CVE-2026-35622 |
🟡 MEDIUM |
6 |
OpenClaw < 2026.3.22 - Improper Authentication Verification in Google Chat Webhook |
2026-04-09 |
| CVE-2026-22174 |
🟡 MEDIUM |
5.9 |
OpenClaw < 2026.2.22 - Gateway Token Disclosure via Chrome CDP Probe |
2026-03-18 |
| CVE-2026-28477 |
🟡 MEDIUM |
5.9 |
OpenClaw < 2026.2.14 - OAuth State Validation Bypass in Manual Chutes Login Flow |
2026-03-05 |
| CVE-2026-22217 |
🟡 MEDIUM |
5.8 |
OpenClaw 2026.2.22 < 2026.2.23 - Arbitrary Binary Execution via $SHELL Environment Variable Trusted Prefix Fallback |
2026-03-18 |
| CVE-2026-27009 |
🟡 MEDIUM |
5.8 |
OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection |
2026-02-19 |
| CVE-2026-27646 |
🟡 MEDIUM |
5.8 |
OpenClaw < 2026.3.7 - Sandbox Escape via /acp spawn Command |
2026-03-23 |
| CVE-2026-32035 |
🟡 MEDIUM |
5.8 |
OpenClaw < 2026.3.2 - Missing Owner Flag Validation in Discord Voice Transcript Handler |
2026-03-19 |
| CVE-2026-32988 |
🟡 MEDIUM |
5.8 |
OpenClaw < 2026.3.11 - Sandbox Boundary Bypass via Unvalidated Temporary File Creation |
2026-03-31 |
| CVE-2026-33574 |
🟡 MEDIUM |
5.8 |
OpenClaw < 2026.3.8 - Path Traversal via Tools Root Rebinding in Skills Download |
2026-03-29 |
| CVE-2026-31989 |
🟡 MEDIUM |
5.3 |
OpenClaw < 2026.3.1 - Server-Side Request Forgery via web_search Citation Redirect |
2026-03-19 |
| CVE-2026-32923 |
🟡 MEDIUM |
5.3 |
OpenClaw < 2026.3.11 - Authorization Bypass in Discord Guild Reaction Allowlist Enforcement |
2026-03-29 |
| CVE-2026-32899 |
🟡 MEDIUM |
5.3 |
OpenClaw < 2026.2.25 - Sender Policy Bypass in Slack Reaction and Pin Event Handlers |
2026-03-21 |
| CVE-2026-35629 |
🟡 MEDIUM |
5.3 |
OpenClaw < 2026.3.25 - Server-Side Request Forgery via Unguarded Configured Base URLs in Channel Extensions |
2026-04-09 |
| CVE-2026-35619 |
🟡 MEDIUM |
5.3 |
OpenClaw < 2026.3.24 - Authorization Bypass via HTTP /v1/models Endpoint |
2026-04-10 |
| CVE-2026-35659 |
🟡 MEDIUM |
5.1 |
OpenClaw < 2026.3.22 - Unresolved Service Metadata Routing via Bonjour and DNS-SD Discovery |
2026-04-10 |
| CVE-2026-32046 |
🟡 MEDIUM |
4.8 |
OpenClaw < 2026.2.21 - OS-level Sandbox Bypass via --no-sandbox Flag |
2026-03-21 |
| CVE-2026-24764 |
🟢 LOW |
3.7 |
OpenClaw has Remote Code Execution via System Prompt Injection in Slack Channel Descriptions |
2026-02-19 |
| CVE-2026-32040 |
🟢 LOW |
2.4 |
OpenClaw < 2026.2.23 - HTML Injection via Unvalidated Image MIME Type in Data-URL Interpolation |
2026-03-19 |
| CVE-2026-27484 |
🟢 LOW |
2.3 |
OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows |
2026-02-21 |
| CVE-2026-35617 |
🟢 LOW |
2.3 |
OpenClaw < 2026.3.25 - Authorization Bypass via Group Policy Rebinding with Mutable Space displayName |
2026-04-09 |
| CVE-2026-35648 |
🟢 LOW |
2.3 |
OpenClaw < 2026.3.22 - Policy Bypass via Unvalidated Queued Node Actions |
2026-04-10 |
| CVE-2026-31991 |
🟢 LOW |
2 |
OpenClaw < 2026.2.26 - Authorization Bypass via DM Pairing-Store Leakage in Signal Group Allowlist |
2026-03-19 |
| CVE-2026-32067 |
🟢 LOW |
2 |
OpenClaw < 2026.2.26 - Cross-Account Authorization Bypass in DM Pairing Store |
2026-03-21 |