| CVE | Severity | Score | Title | Date |
|---|---|---|---|---|
| CVE-2026-32922 | 🟣 CRITICAL | 9.4 | OpenClaw < 2026.3.11 - Privilege Escalation via Unvalidated Scope in device.token.rotate | 2026-03-29 |
| CVE-2026-32915 | 🟣 CRITICAL | 9.3 | OpenClaw < 2026.3.11 - Sandbox Boundary Bypass via Subagent Control Surface | 2026-03-29 |
| CVE-2026-32987 | 🟣 CRITICAL | 9.3 | OpenClaw < 2026.3.13 - Bootstrap Setup Code Replay via Device Pairing | 2026-03-29 |
| CVE-2026-28446 | 🟣 CRITICAL | 9.2 | OpenClaw < 2026.2.1 - Inbound Allowlist Policy Bypass in voice-call Extension via Empty Caller ID and Suffix Matching | 2026-03-05 |
| CVE-2026-25253 | 🔴 HIGH | 8.8 | OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl | 2026-02-01 |
| CVE-2026-24763 | 🔴 HIGH | 8.8 | OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable | 2026-02-02 |
| CVE-2026-32974 | 🔴 HIGH | 8.8 | OpenClaw < 2026.3.12 - Forged Event Injection via Feishu Webhook Verification Token | 2026-03-29 |
| CVE-2026-41296 | 🔴 HIGH | 8.8 | OpenClaw < 2026.3.31 - Sandbox Escape via TOCTOU Race in Remote FS Bridge readFile | 2026-04-20 |
| CVE-2026-28479 | 🔴 HIGH | 8.7 | OpenClaw < 2026.2.15 - Cache Poisoning via Deprecated SHA-1 Hash in Sandbox Configuration | 2026-03-05 |
| CVE-2026-28478 | 🔴 HIGH | 8.7 | OpenClaw affected by denial of service via unbounded webhook request body buffering | 2026-03-05 |
| CVE-2026-29609 | 🔴 HIGH | 8.7 | OpenClaw < 2026.2.14 - Denial of Service via Unbounded URL-backed Media Fetch | 2026-03-05 |
| CVE-2026-32042 | 🔴 HIGH | 8.7 | OpenClaw < 2026.2.25 - Privilege Escalation via Unpaired Device Identity in Shared Gateway Authentication | 2026-03-21 |
| CVE-2026-32982 | 🔴 HIGH | 8.7 | OpenClaw < 2026.3.13 - Telegram Bot Token Exposure in Media Fetch Error Logs | 2026-03-31 |
| CVE-2026-32059 | 🔴 HIGH | 8.7 | OpenClaw 2026.2.22-2 < 2026.2.23 - Allowlist Bypass via sort Long-Option Abbreviation in tools.exec.safeBins | 2026-03-11 |
| CVE-2026-33573 | 🔴 HIGH | 8.7 | OpenClaw < 2026.3.11 - Workspace Boundary Bypass via Agent RPC Parameters | 2026-03-29 |
| CVE-2026-35639 | 🔴 HIGH | 8.7 | OpenClaw < 2026.3.22 - Privilege Escalation via device.pair.approve Scope Validation | 2026-04-09 |
| CVE-2026-35669 | 🔴 HIGH | 8.7 | OpenClaw < 2026.3.25 - Privilege Escalation via Gateway Plugin HTTP Authentication Scope | 2026-04-10 |
| CVE-2026-35663 | 🔴 HIGH | 8.7 | OpenClaw < 2026.3.25 - Privilege Escalation via Backend Reconnect Scope Self-Claim | 2026-04-10 |
| CVE-2026-33575 | 🔴 HIGH | 8.6 | OpenClaw < 2026.3.12 - Long-lived Credential Exposure in Pairing Setup Codes | 2026-03-29 |
| CVE-2026-34503 | 🔴 HIGH | 8.6 | OpenClaw < 2026.3.28 - Incomplete WebSocket Session Termination on Device Removal and Token Revocation | 2026-03-31 |
| CVE-2026-32064 | 🔴 HIGH | 8.5 | OpenClaw < 2026.2.21 - Missing VNC Authentication in Sandbox Browser noVNC Observer | 2026-03-21 |
| CVE-2026-35625 | 🔴 HIGH | 8.5 | OpenClaw < 2026.3.25 - Privilege Escalation via Silent Local Shared-Auth Reconnect | 2026-04-09 |
| CVE-2026-41295 | 🔴 HIGH | 8.5 | OpenClaw: Untrusted workspace channel shadows could execute during built-in channel setup | 2026-04-20 |
| CVE-2026-28393 | 🔴 HIGH | 8.3 | OpenClaw 2.0.0-beta3 < 2026.2.14 - Arbitrary JavaScript Module Loading via Hook Transform Path Traversal | 2026-03-05 |
| CVE-2026-28464 | 🔴 HIGH | 8.2 | OpenClaw < 2026.2.12 - Timing Attack in Hooks Token Authentication | 2026-03-05 |
| CVE-2026-28469 | 🔴 HIGH | 8.2 | OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting | 2026-03-05 |
| CVE-2026-25157 | 🔴 HIGH | 7.8 | OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand | 2026-02-04 |
| CVE-2026-32056 | 🔴 HIGH | 7.7 | OpenClaw < 2026.2.22 - Remote Code Execution via Shell Startup Environment Variable Injection in system.run | 2026-03-21 |
| CVE-2026-27487 | 🔴 HIGH | 7.6 | OpenClaw: Prevent shell injection in macOS keychain credential write | 2026-02-21 |
| CVE-2026-26324 | 🔴 HIGH | 7.5 | OpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reachable) | 2026-02-19 |
| CVE-2026-25474 | 🔴 HIGH | 7.5 | OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass | 2026-02-19 |
| CVE-2026-26316 | 🔴 HIGH | 7.5 | OpenClaw has BlueBubbles webhook auth bypass via loopback proxy trust | 2026-02-19 |
| CVE-2026-26319 | 🔴 HIGH | 7.5 | OpenClaw has Missing Webhook Authentication in Telnyx Provider Allowing Unauthenticated Requests | 2026-02-19 |
| CVE-2026-28485 | 🔴 HIGH | 7.5 | OpenClaw 2026.1.5 < 2026.2.12 - Missing Authentication in Browser Control HTTP Endpoints | 2026-03-05 |
| CVE-2026-28458 | 🔴 HIGH | 7.4 | OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access | 2026-03-05 |
| CVE-2026-41342 | 🔴 HIGH | 7.4 | OpenClaw < 2026.3.28 - Unauthenticated Discovery Endpoint Credential Exfiltration via Remote Onboarding | 2026-04-23 |
| CVE-2026-35660 | 🔴 HIGH | 7.2 | OpenClaw < 2026.3.23 - Insufficient Access Control in Gateway Agent Session Reset | 2026-04-10 |
| CVE-2026-22175 | 🔴 HIGH | 7.1 | OpenClaw < 2026.2.23 - Exec Approval Bypass via Unrecognized Multiplexer Shell Wrappers | 2026-03-18 |
| CVE-2026-26320 | 🔴 HIGH | 7.1 | OpenClaw macOS deep link confirmation truncation can conceal executed agent message | 2026-02-19 |
| CVE-2026-22169 | 🔴 HIGH | 7.1 | OpenClaw < 2026.2.22 - Allowlist Bypass via sort Configuration in safeBins | 2026-03-18 |
| CVE-2026-26317 | 🔴 HIGH | 7.1 | OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints | 2026-02-19 |
| CVE-2026-29607 | 🔴 HIGH | 7.1 | OpenClaw < 2026.2.22 - Authorization Bypass via allow-always Wrapper Persistence | 2026-03-19 |
| CVE-2026-32027 | 🔴 HIGH | 7.1 | OpenClaw < 2026.2.26 - Improper Authorization via DM Pairing Store Identity Inheritance in Group Allowlist | 2026-03-19 |
| CVE-2026-35644 | 🔴 HIGH | 7.1 | OpenClaw < 2026.3.22 - Credential Exposure via baseUrl Fields in Gateway Snapshots | 2026-04-09 |
| CVE-2026-40037 | 🔴 HIGH | 7.1 | OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects | 2026-04-08 |
| CVE-2026-41334 | 🔴 HIGH | 7.1 | OpenClaw < 2026.3.31 - Decompression Bomb Denial of Service via Image Pixel-Limit Guard Bypass | 2026-04-23 |
| CVE-2026-22178 | 🟡 MEDIUM | 6.9 | OpenClaw < 2026.2.19 - ReDoS and Regex Injection via Unescaped Feishu Mention Metadata | 2026-03-18 |
| CVE-2026-27004 | 🟡 MEDIUM | 6.9 | OpenClaw session tool visibility hardening and Telegram webhook secret fallback | 2026-02-19 |
| CVE-2026-28394 | 🟡 MEDIUM | 6.9 | OpenClaw < 2026.2.15 - Denial of Service via Unbounded Response Parsing in web_fetch Tool | 2026-03-05 |
| CVE-2026-28480 | 🟡 MEDIUM | 6.9 | OpenClaw Telegram allowlist authorization accepted mutable usernames | 2026-03-05 |
| CVE-2026-32063 | 🟡 MEDIUM | 6.9 | OpenClaw 2026.2.19-2 < 2026.2.21 - Command Injection via Newline in systemd Unit Generation | 2026-03-11 |
| CVE-2026-35637 | 🟡 MEDIUM | 6.9 | OpenClaw < 2026.3.22 - Premature Cite Expansion Before Authorization in Channel and DM | 2026-04-09 |
| CVE-2026-35655 | 🟡 MEDIUM | 6.9 | OpenClaw < 2026.3.22 - Identity Spoofing via rawInput Tool in ACP Permission Resolution | 2026-04-10 |
| CVE-2026-35627 | 🟡 MEDIUM | 6.9 | OpenClaw < 2026.3.22 - Unauthenticated Cryptographic Work in Nostr Inbound DM Handling | 2026-04-09 |
| CVE-2026-35665 | 🟡 MEDIUM | 6.9 | OpenClaw < 2026.3.24 - Denial of Service via Feishu Webhook Pre-Auth Body Parsing | 2026-04-10 |
| CVE-2026-35633 | 🟡 MEDIUM | 6.9 | OpenClaw < 2026.3.22 - Unbounded Memory Allocation via Remote Media Error Responses | 2026-04-09 |
| CVE-2026-41300 | 🟡 MEDIUM | 6.9 | OpenClaw < 2026.3.31 - Attacker-Discovered Endpoint Preservation in Remote Onboarding | 2026-04-20 |
| CVE-2026-41301 | 🟡 MEDIUM | 6.9 | OpenClaw: Forged Nostr DMs could create pairing state before signature verification | 2026-04-20 |
| CVE-2026-41343 | 🟡 MEDIUM | 6.9 | OpenClaw < 2026.3.31 - Denial of Service via LINE Webhook Handler Pre-Auth Concurrency | 2026-04-23 |
| CVE-2026-28486 | 🟡 MEDIUM | 6.8 | OpenClaw 2026.1.16-2 < 2026.2.14 - Path Traversal (Zip Slip) in Archive Extraction via Installation Commands | 2026-03-05 |
| CVE-2026-29612 | 🟡 MEDIUM | 6.8 | OpenClaw < 2026.2.14 - Denial of Service via Large Base64 Media File Decoding | 2026-03-05 |
| CVE-2026-32024 | 🟡 MEDIUM | 6.8 | OpenClaw < 2026.2.22 - Symlink Traversal in Avatar Handling | 2026-03-19 |
| CVE-2026-28452 | 🟡 MEDIUM | 6.7 | OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR) | 2026-03-05 |
| CVE-2026-32061 | 🟡 MEDIUM | 6.7 | OpenClaw < 2026.2.17 - Arbitrary File Read via $include Directive Path Traversal | 2026-03-11 |
| CVE-2026-32044 | 🟡 MEDIUM | 6.7 | OpenClaw < 2026.3.2 - Tar Archive Safety Bypass in Skills Installation | 2026-03-21 |
| CVE-2026-25475 | 🟡 MEDIUM | 6.5 | OpenClaw Vulnerable to Local File Inclusion via MEDIA: Path Extraction | 2026-02-04 |
| CVE-2026-26328 | 🟡 MEDIUM | 6.5 | OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities | 2026-02-19 |
| CVE-2026-28475 | 🟡 MEDIUM | 6.3 | OpenClaw < 2026.2.13 - Timing Attack via Hook Token Comparison | 2026-03-05 |
| CVE-2026-32031 | 🟡 MEDIUM | 6.3 | OpenClaw < 2026.2.26 - Authentication Bypass via Path Canonicalization Mismatch in /api/channels Gateway | 2026-03-19 |
| CVE-2026-32897 | 🟡 MEDIUM | 6.3 | OpenClaw < 2026.2.22 - Authentication Token Reuse in Owner ID Prompt Hashing Fallback | 2026-03-21 |
| CVE-2026-35623 | 🟡 MEDIUM | 6.3 | OpenClaw < 2026.3.25 - Brute-Force Attack via Missing Webhook Password Rate Limiting | 2026-04-09 |
| CVE-2026-33580 | 🟡 MEDIUM | 6.3 | OpenClaw < 2026.3.28 - Brute Force Attack via Missing Rate Limiting on Webhook Shared Secret Authentication | 2026-03-31 |
| CVE-2026-35635 | 🟡 MEDIUM | 6.3 | OpenClaw < 2026.3.22 - Webhook Path Route Replacement Vulnerability in Synology Chat | 2026-04-09 |
| CVE-2026-35656 | 🟡 MEDIUM | 6.3 | OpenClaw < 2026.3.22 - XFF Loopback Spoofing Bypass in Canvas Authentication and Rate Limiter | 2026-04-10 |
| CVE-2026-41337 | 🟡 MEDIUM | 6.3 | OpenClaw < 2026.3.31 - Callback Origin Mutation in Plivo Voice-call Replay | 2026-04-23 |
| CVE-2026-41351 | 🟡 MEDIUM | 6.3 | OpenClaw < 2026.3.31 - Webhook Replay Detection Bypass via Base64 Signature Re-encoding | 2026-04-23 |
| CVE-2026-22181 | 🟡 MEDIUM | 6.1 | OpenClaw < 2026.3.2 - DNS Pinning Bypass via Environment Proxy Configuration in web_fetch | 2026-03-18 |
| CVE-2026-32034 | 🟡 MEDIUM | 6.1 | OpenClaw < 2026.2.21 - Insecure Control UI Authentication over Plaintext HTTP | 2026-03-19 |
| CVE-2026-35645 | 🟡 MEDIUM | 6.1 | OpenClaw < 2026.3.25 - Privilege Escalation via Synthetic operator.admin in deleteSession | 2026-04-09 |
| CVE-2026-32002 | 🟡 MEDIUM | 6 | OpenClaw < 2026.2.23 - Sandbox Boundary Bypass via Image Tool workspaceOnly Bypass | 2026-03-19 |
| CVE-2026-41345 | 🟡 MEDIUM | 6 | OpenClaw < 2026.3.31 - Authorization Header Leak via Cross-Origin Redirect in Media Download | 2026-04-23 |
| CVE-2026-40045 | 🟡 MEDIUM | 5.9 | OpenClaw: Android accepted cleartext remote gateway endpoints and sent stored credentials over ws:// | 2026-04-20 |
| CVE-2026-32010 | 🟡 MEDIUM | 5.8 | OpenClaw < 2026.2.22 - Allowlist Bypass via sort --compress-program Parameter | 2026-03-19 |
| CVE-2026-27670 | 🟡 MEDIUM | 5.8 | OpenClaw < 2026.3.2 - Arbitrary File Write via ZIP Extraction Parent Symlink Race Condition | 2026-03-19 |
| CVE-2026-32035 | 🟡 MEDIUM | 5.8 | OpenClaw < 2026.3.2 - Missing Owner Flag Validation in Discord Voice Transcript Handler | 2026-03-19 |
| CVE-2026-32977 | 🟡 MEDIUM | 5.8 | OpenClaw < 2026.3.11 - Sandbox Boundary Bypass via Unanchored writeFile Commit Path | 2026-03-31 |
| CVE-2026-33574 | 🟡 MEDIUM | 5.8 | OpenClaw < 2026.3.8 - Path Traversal via Tools Root Rebinding in Skills Download | 2026-03-29 |
| CVE-2026-32065 | 🟡 MEDIUM | 5.7 | OpenClaw < 2026.2.25 - Approval Identity Mismatch in system.run Command Execution | 2026-03-21 |
| CVE-2026-32001 | 🟡 MEDIUM | 5.3 | OpenClaw < 2026.2.22 - Node Role Device-Identity Bypass via WebSocket Authentication | 2026-03-19 |
| CVE-2026-32898 | 🟡 MEDIUM | 5.3 | OpenClaw < 2026.2.23 - ACP Permission Auto-Approval Bypass via Untrusted Tool Metadata | 2026-03-21 |
| CVE-2026-32895 | 🟡 MEDIUM | 5.3 | OpenClaw < 2026.2.26 - Sender Authorization Bypass in Slack System Event Handlers | 2026-03-21 |
| CVE-2026-35642 | 🟡 MEDIUM | 5.3 | OpenClaw < 2026.3.25 - Authorization Bypass in Group Reactions via requireMention Bypass | 2026-04-09 |
| CVE-2026-35651 | 🟡 MEDIUM | 5.3 | OpenClaw 2026.2.13 < 2026.3.25 - ANSI Escape Sequence Injection in Approval Prompt | 2026-04-10 |
| CVE-2026-41298 | 🟡 MEDIUM | 5.3 | OpenClaw < 2026.4.2 - Authorization Bypass in Session Termination Endpoint | 2026-04-20 |
| CVE-2026-41339 | 🟡 MEDIUM | 5.3 | OpenClaw < 2026.4.2 - Information Disclosure via Gateway Connect Snapshot | 2026-04-23 |
| CVE-2026-41344 | 🟡 MEDIUM | 5.3 | OpenClaw < 2026.3.28 - Privilege Escalation via chat.send /verbose Parameter | 2026-04-23 |
| CVE-2026-35634 | 🟡 MEDIUM | 5.1 | OpenClaw < 2026.3.23 - Authentication Bypass via Local-Direct Requests in Canvas Gateway | 2026-04-09 |
| CVE-2026-35659 | 🟡 MEDIUM | 5.1 | OpenClaw < 2026.3.22 - Unresolved Service Metadata Routing via Bonjour and DNS-SD Discovery | 2026-04-10 |
| CVE-2026-27007 | 🟡 MEDIUM | 4.8 | OpenClaw's sandbox config hash sorted primitive arrays and suppressed needed container recreation | 2026-02-19 |
| CVE-2026-31997 | 🟡 MEDIUM | 4.4 | OpenClaw < 2026.3.1 - Executable Rebind via Unbound PATH-token in system.run Approvals | 2026-03-19 |
| CVE-2026-27486 | 🟡 MEDIUM | 4.3 | OpenClaw: Process Safety - Unvalidated PID Kill via SIGKILL in Process Cleanup | 2026-02-21 |
| CVE-2026-24764 | 🟢 LOW | 3.7 | OpenClaw has Remote Code Execution via System Prompt Injection in Slack Channel Descriptions | 2026-02-19 |
| CVE-2026-32040 | 🟢 LOW | 2.4 | OpenClaw < 2026.2.23 - HTML Injection via Unvalidated Image MIME Type in Data-URL Interpolation | 2026-03-19 |
| CVE-2026-32006 | 🟢 LOW | 2.3 | OpenClaw < 2026.2.26 - Authorization Bypass via DM Pairing-Store Fallback in Group Allowlist | 2026-03-19 |
| CVE-2026-32037 | 🟢 LOW | 2.3 | OpenClaw < 2026.2.22 - Redirect Chain Bypass of Media Host Allowlist in MSTeams Attachment Handling | 2026-03-19 |
| CVE-2026-35617 | 🟢 LOW | 2.3 | OpenClaw < 2026.3.25 - Authorization Bypass via Group Policy Rebinding with Mutable Space displayName | 2026-04-09 |
| CVE-2026-41348 | 🟢 LOW | 2.3 | OpenClaw < 2026.3.31 - Group DM Channel Allowlist Bypass via Discord Slash Commands | 2026-04-23 |
| CVE-2026-41356 | 🟢 LOW | 2.3 | OpenClaw < 2026.3.31 - Incomplete WebSocket Session Termination in device.token.rotate | 2026-04-23 |
| CVE-2026-32018 | 🟢 LOW | 2 | OpenClaw < 2026.2.19 - Race Condition in Sandbox Registry Write Operations | 2026-03-19 |
| CVE-2026-32067 | 🟢 LOW | 2 | OpenClaw < 2026.2.26 - Cross-Account Authorization Bypass in DM Pairing Store | 2026-03-21 |