| CVE-2026-28363 |
🟣 CRITICAL |
9.9 |
In OpenClaw before 2026.2.23, tools.exec.safeBins validation for sort could be… |
2026-02-27 |
| CVE-2026-28466 |
🟣 CRITICAL |
9.4 |
OpenClaw < 2026.2.14 - Remote Code Execution via Node Invoke Approval Bypass |
2026-03-05 |
| CVE-2026-28474 |
🟣 CRITICAL |
9.3 |
OpenClaw Nextcloud Talk < 2026.2.6 - Allowlist Bypass via actor.name Display Name Spoofing |
2026-03-05 |
| CVE-2026-28446 |
🟣 CRITICAL |
9.2 |
OpenClaw < 2026.2.1 - Inbound Allowlist Policy Bypass in voice-call Extension via Empty Caller ID and Suffix Matching |
2026-03-05 |
| CVE-2026-28470 |
🟣 CRITICAL |
9.2 |
OpenClaw < 2026.2.2 - Exec Allowlist Bypass via Command Substitution in Double Quotes |
2026-03-05 |
| CVE-2026-22171 |
🔴 HIGH |
8.8 |
OpenClaw < 2026.2.19 - Path Traversal in Feishu Media Temporary File Naming |
2026-03-18 |
| CVE-2026-24763 |
🔴 HIGH |
8.8 |
OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable |
2026-02-02 |
| CVE-2026-25253 |
🔴 HIGH |
8.8 |
OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl |
2026-02-01 |
| CVE-2026-28478 |
🔴 HIGH |
8.7 |
OpenClaw affected by denial of service via unbounded webhook request body buffering |
2026-03-05 |
| CVE-2026-28479 |
🔴 HIGH |
8.7 |
OpenClaw < 2026.2.15 - Cache Poisoning via Deprecated SHA-1 Hash in Sandbox Configuration |
2026-03-05 |
| CVE-2026-29609 |
🔴 HIGH |
8.7 |
OpenClaw < 2026.2.14 - Denial of Service via Unbounded URL-backed Media Fetch |
2026-03-05 |
| CVE-2026-32062 |
🔴 HIGH |
8.7 |
OpenClaw 2026.2.21-2 < 2026.2.22 - Unauthenticated WebSocket Resource Exhaustion via Media Stream |
2026-03-11 |
| CVE-2026-32059 |
🔴 HIGH |
8.7 |
OpenClaw 2026.2.22-2 < 2026.2.23 - Allowlist Bypass via sort Long-Option Abbreviation in tools.exec.safeBins |
2026-03-11 |
| CVE-2026-32060 |
🔴 HIGH |
8.7 |
OpenClaw < 2026.2.14 - Path Traversal in apply_patch via Crafted Paths |
2026-03-11 |
| CVE-2026-27001 |
🔴 HIGH |
8.6 |
OpenClaw: Unsanitized CWD path injection into LLM prompts |
2026-02-19 |
| CVE-2026-26323 |
🔴 HIGH |
8.6 |
OpenClaw has a command injection in maintainer clawtributors updater |
2026-02-19 |
| CVE-2026-28456 |
🔴 HIGH |
8.6 |
OpenClaw 2026.1.5 < 2026.2.14 - Arbitrary Code Execution via Unsafe Hook Module Path Handling |
2026-03-05 |
| CVE-2026-28463 |
🔴 HIGH |
8.6 |
OpenClaw < 2026.2.14 - Arbitrary File Read via Shell Expansion in Safe Bins Allowlist |
2026-03-05 |
| CVE-2026-28482 |
🔴 HIGH |
8.4 |
OpenClaw < 2026.2.12 - Path Traversal via Unsanitized sessionId and sessionFile Parameters |
2026-03-05 |
| CVE-2026-28393 |
🔴 HIGH |
8.3 |
OpenClaw 2.0.0-beta3 < 2026.2.14 - Arbitrary JavaScript Module Loading via Hook Transform Path Traversal |
2026-03-05 |
| CVE-2026-28453 |
🔴 HIGH |
8.3 |
OpenClaw < 2026.2.14 - Zip Slip Path Traversal in TAR Archive Extraction |
2026-03-05 |
| CVE-2026-31998 |
🔴 HIGH |
8.3 |
OpenClaw 2026.2.22 < 2026.2.24 - Authorization Bypass in Synology Chat Plugin via Empty allowedUserIds |
2026-03-19 |
| CVE-2026-28392 |
🔴 HIGH |
8.2 |
OpenClaw < 2026.2.14 - Privilege Escalation in Slack Slash Command Handler via Direct Messages |
2026-03-05 |
| CVE-2026-28469 |
🔴 HIGH |
8.2 |
OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting |
2026-03-05 |
| CVE-2026-28465 |
🔴 HIGH |
8.2 |
OpenClaw voice-call < 2026.2.3 - Webhook Verification Bypass via Forwarded Headers |
2026-03-05 |
| CVE-2026-29611 |
🔴 HIGH |
8.2 |
OpenClaw < 2026.2.14 - Local File Inclusion via mediaPath Parameter in BlueBubbles Media Handling |
2026-03-05 |
| CVE-2026-29613 |
🔴 HIGH |
8.2 |
OpenClaw < 2026.2.12 - Webhook Authentication Bypass via Loopback remoteAddress Trust |
2026-03-05 |
| CVE-2026-32302 |
🔴 HIGH |
8.1 |
OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode |
2026-03-12 |
| CVE-2026-25157 |
🔴 HIGH |
7.8 |
OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand |
2026-02-04 |
| CVE-2026-29610 |
🔴 HIGH |
7.7 |
OpenClaw < 2026.2.14 - Command Hijacking via Unsafe PATH Handling |
2026-03-05 |
| CVE-2026-26322 |
🔴 HIGH |
7.6 |
OpenClaw Gateway tool allowed unrestricted gatewayUrl override |
2026-02-19 |
| CVE-2026-27487 |
🔴 HIGH |
7.6 |
OpenClaw: Prevent shell injection in macOS keychain credential write |
2026-02-21 |
| CVE-2026-22179 |
🔴 HIGH |
7.5 |
OpenClaw < 2026.2.22 - Allowlist Bypass via Command Substitution in system.run |
2026-03-18 |
| CVE-2026-26319 |
🔴 HIGH |
7.5 |
OpenClaw has Missing Webhook Authentication in Telnyx Provider Allowing Unauthenticated Requests |
2026-02-19 |
| CVE-2026-25474 |
🔴 HIGH |
7.5 |
OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass |
2026-02-19 |
| CVE-2026-26324 |
🔴 HIGH |
7.5 |
OpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reachable) |
2026-02-19 |
| CVE-2026-26321 |
🔴 HIGH |
7.5 |
OpenClaw has a local file disclosure via sendMediaFeishu in Feishu extension |
2026-02-19 |
| CVE-2026-28485 |
🔴 HIGH |
7.5 |
OpenClaw 2026.1.5 < 2026.2.12 - Missing Authentication in Browser Control HTTP Endpoints |
2026-03-05 |
| CVE-2026-28458 |
🔴 HIGH |
7.4 |
OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access |
2026-03-05 |
| CVE-2026-26325 |
🔴 HIGH |
7.2 |
OpenClaw Node host system.run rawCommand/command mismatch can bypass allowlist/approvals |
2026-02-19 |
| CVE-2026-22169 |
🔴 HIGH |
7.1 |
OpenClaw < 2026.2.22 - Allowlist Bypass via sort Configuration in safeBins |
2026-03-18 |
| CVE-2026-22168 |
🔴 HIGH |
7.1 |
OpenClaw < 2026.2.21 - Command Injection via cmd.exe /c Trailing Arguments in system.run |
2026-03-18 |
| CVE-2026-22175 |
🔴 HIGH |
7.1 |
OpenClaw < 2026.2.23 - Exec Approval Bypass via Unrecognized Multiplexer Shell Wrappers |
2026-03-18 |
| CVE-2026-26317 |
🔴 HIGH |
7.1 |
OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints |
2026-02-19 |
| CVE-2026-26329 |
🔴 HIGH |
7.1 |
OpenClaw has a path traversal in browser upload allows local file read |
2026-02-19 |
| CVE-2026-26327 |
🔴 HIGH |
7.1 |
OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning |
2026-02-19 |
| CVE-2026-27522 |
🔴 HIGH |
7.1 |
OpenClaw < 2026.2.24 - Arbitrary File Read via sendAttachment and setGroupIcon Message Actions |
2026-03-18 |
| CVE-2026-27566 |
🔴 HIGH |
7.1 |
OpenClaw < 2026.2.22 - Allowlist Bypass via Wrapper Binary Unwrapping in system.run |
2026-03-19 |
| CVE-2026-22178 |
🟡 MEDIUM |
6.9 |
OpenClaw < 2026.2.19 - ReDoS and Regex Injection via Unescaped Feishu Mention Metadata |
2026-03-18 |
| CVE-2026-22176 |
🟡 MEDIUM |
6.9 |
OpenClaw < 2026.2.19 - Command Injection via Unescaped Environment Variables in Windows Scheduled Task Script Generation |
2026-03-19 |
| CVE-2026-22177 |
🟡 MEDIUM |
6.9 |
OpenClaw < 2026.2.21 - Environment Variable Injection via Config env.vars |
2026-03-18 |
| CVE-2026-27004 |
🟡 MEDIUM |
6.9 |
OpenClaw session tool visibility hardening and Telegram webhook secret fallback |
2026-02-19 |
| CVE-2026-27003 |
🟡 MEDIUM |
6.9 |
OpenClaw: Telegram bot token exposure via logs |
2026-02-19 |
| CVE-2026-27523 |
🟡 MEDIUM |
6.9 |
OpenClaw's sandbox bind validation could bypass allowed-root and blocked-path checks via symlink-parent missing-leaf paths |
2026-03-18 |
| CVE-2026-27545 |
🟡 MEDIUM |
6.9 |
OpenClaw < 2026.2.26 - Approval Bypass via Parent Symlink Current Working Directory Rebind |
2026-03-18 |
| CVE-2026-28394 |
🟡 MEDIUM |
6.9 |
OpenClaw < 2026.2.15 - Denial of Service via Unbounded Response Parsing in web_fetch Tool |
2026-03-05 |
| CVE-2026-27488 |
🟡 MEDIUM |
6.9 |
OpenClaw hardened cron webhook delivery against SSRF |
2026-02-21 |
| CVE-2026-28480 |
🟡 MEDIUM |
6.9 |
OpenClaw Telegram allowlist authorization accepted mutable usernames |
2026-03-05 |
| CVE-2026-31990 |
🟡 MEDIUM |
6.9 |
OpenClaw < 2026.3.2 - Symlink Traversal in stageSandboxMedia Destination |
2026-03-19 |
| CVE-2026-31994 |
🟡 MEDIUM |
6.9 |
OpenClaw < 2026.2.19 - Local Command Injection via Unsafe cmd Argument Handling in Windows Scheduled Task Script Generation |
2026-03-19 |
| CVE-2026-32063 |
🟡 MEDIUM |
6.9 |
OpenClaw Improperly Neutralizes Line Breaks in systemd Unit Generation Enables Local Command Execution (Linux) |
2026-03-11 |
| CVE-2026-27008 |
🟡 MEDIUM |
6.8 |
OpenClaw hardened the skill download target directory validation |
2026-02-19 |
| CVE-2026-28486 |
🟡 MEDIUM |
6.8 |
OpenClaw 2026.1.16-2 < 2026.2.14 - Path Traversal (Zip Slip) in Archive Extraction via Installation Commands |
2026-03-05 |
| CVE-2026-29612 |
🟡 MEDIUM |
6.8 |
OpenClaw < 2026.2.14 - Denial of Service via Large Base64 Media File Decoding |
2026-03-05 |
| CVE-2026-28452 |
🟡 MEDIUM |
6.7 |
OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR) |
2026-03-05 |
| CVE-2026-25475 |
🟡 MEDIUM |
6.5 |
OpenClaw Vulnerable to Local File Inclusion via MEDIA: Path Extraction |
2026-02-04 |
| CVE-2026-26328 |
🟡 MEDIUM |
6.5 |
OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities |
2026-02-19 |
| CVE-2026-22170 |
🟡 MEDIUM |
6.3 |
OpenClaw: BlueBubbles (optional plugin) pairing/allowlist mismatch when allowFrom is empty |
2026-03-18 |
| CVE-2026-28395 |
🟡 MEDIUM |
6.3 |
OpenClaw 2026.1.14-1 < 2026.2.12 - Unintended Public Binding of Chrome Extension Relay via Wildcard cdpUrl |
2026-03-05 |
| CVE-2026-28451 |
🟡 MEDIUM |
6.3 |
OpenClaw < 2026.2.14 - SSRF via Feishu Extension Media Fetching |
2026-03-05 |
| CVE-2026-28449 |
🟡 MEDIUM |
6.3 |
OpenClaw < 2026.2.25 - Webhook Replay Attack via Missing Durable Replay Suppression |
2026-03-19 |
| CVE-2026-28448 |
🟡 MEDIUM |
6.3 |
OpenClaw 2026.1.29 < 2026.2.1 - Authorization Bypass in Twitch Plugin allowFrom Access Control |
2026-03-05 |
| CVE-2026-28471 |
🟡 MEDIUM |
6.3 |
OpenClaw 2026.1.14-1 < 2026.2.2 - Allowlist Bypass via displayName and Cross-Homeserver localpart Matching in Matrix Plugin |
2026-03-05 |
| CVE-2026-28475 |
🟡 MEDIUM |
6.3 |
OpenClaw < 2026.2.13 - Timing Attack via Hook Token Comparison |
2026-03-05 |
| CVE-2026-29606 |
🟡 MEDIUM |
6.3 |
OpenClaw < 2026.2.14 - Webhook Signature Verification Bypass via ngrok Loopback Compatibility |
2026-03-05 |
| CVE-2026-22181 |
🟡 MEDIUM |
6.1 |
OpenClaw < 2026.3.2 - DNS Pinning Bypass via Environment Proxy Configuration in web_fetch |
2026-03-18 |
| CVE-2026-28460 |
🟡 MEDIUM |
6 |
OpenClaw < 2026.2.22 - Allowlist Bypass via Shell Line-Continuation Command Substitution in system.run |
2026-03-19 |
| CVE-2026-22174 |
🟡 MEDIUM |
5.9 |
OpenClaw < 2026.2.22 - Gateway Token Disclosure via Chrome CDP Probe |
2026-03-18 |
| CVE-2026-28477 |
🟡 MEDIUM |
5.9 |
OpenClaw < 2026.2.14 - OAuth State Validation Bypass in Manual Chutes Login Flow |
2026-03-05 |
| CVE-2026-28481 |
🟡 MEDIUM |
5.9 |
OpenClaw < 2026.2.1 - Bearer Token Leakage via MS Teams Attachment Downloader Suffix Matching |
2026-03-05 |
| CVE-2026-22217 |
🟡 MEDIUM |
5.8 |
OpenClaw 2026.2.22 < 2026.2.23 - Arbitrary Binary Execution via $SHELL Environment Variable Trusted Prefix Fallback |
2026-03-18 |
| CVE-2026-27009 |
🟡 MEDIUM |
5.8 |
OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection |
2026-02-19 |
| CVE-2026-27670 |
🟡 MEDIUM |
5.8 |
OpenClaw < 2026.3.2 - Arbitrary File Write via ZIP Extraction Parent Symlink Race Condition |
2026-03-19 |
| CVE-2026-31995 |
🟡 MEDIUM |
5.8 |
OpenClaw 2026.1.21 < 2026.2.19 - Command Injection via Windows Shell Fallback in Lobster Extension |
2026-03-19 |
| CVE-2026-31999 |
🟡 MEDIUM |
5.8 |
OpenClaw 2026.2.26 < 2026.3.1 - Current Working Directory Injection via Windows Wrapper Resolution Fallback |
2026-03-19 |
| CVE-2026-32000 |
🟡 MEDIUM |
5.8 |
OpenClaw < 2026.2.19 - Command Injection via Windows Shell Fallback in Lobster Tool Execution |
2026-03-19 |
| CVE-2026-31993 |
🟡 MEDIUM |
5.6 |
OpenClaw < 2026.2.22 - Allowlist Parsing Mismatch in system.run Shell Chains |
2026-03-19 |
| CVE-2026-29608 |
🟡 MEDIUM |
5.4 |
OpenClaw 2026.3.1 < 2026.3.2 - Approval Integrity Bypass via system.run argv Rewriting |
2026-03-19 |
| CVE-2026-26326 |
🟡 MEDIUM |
5.3 |
OpenClaw skills.status could leak secrets to operator.read clients |
2026-02-19 |
| CVE-2026-31989 |
🟡 MEDIUM |
5.3 |
OpenClaw < 2026.3.1 - Server-Side Request Forgery via web_search Citation Redirect |
2026-03-19 |
| CVE-2026-22180 |
🟡 MEDIUM |
4.8 |
OpenClaw < 2026.3.2 - Path Confinement Bypass in Browser Output and File Write Operations |
2026-03-18 |
| CVE-2026-27007 |
🟡 MEDIUM |
4.8 |
OpenClaw's sandbox config hash sorted primitive arrays and suppressed needed container recreation |
2026-02-19 |
| CVE-2026-27576 |
🟡 MEDIUM |
4.8 |
OpenClaw: ACP prompt-size checks missing in local stdio bridge could reduce responsiveness with very large inputs |
2026-02-21 |
| CVE-2026-27485 |
🟡 MEDIUM |
4.6 |
OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection |
2026-02-21 |
| CVE-2026-31997 |
🟡 MEDIUM |
4.4 |
OpenClaw < 2026.3.1 - Executable Rebind via Unbound PATH-token in system.run Approvals |
2026-03-19 |
| CVE-2026-27486 |
🟡 MEDIUM |
4.3 |
OpenClaw: Process Safety - Unvalidated PID Kill via SIGKILL in Process Cleanup |
2026-02-21 |
| CVE-2026-24764 |
🟢 LOW |
3.7 |
OpenClaw has Remote Code Execution via System Prompt Injection in Slack Channel Descriptions |
2026-02-19 |
| CVE-2026-27484 |
🟢 LOW |
2.3 |
OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows |
2026-02-21 |
| CVE-2026-27524 |
🟢 LOW |
2.3 |
OpenClaw < 2026.2.21 - Prototype Pollution via Debug Override Path |
2026-03-18 |
| CVE-2026-31991 |
🟢 LOW |
2 |
OpenClaw < 2026.2.26 - Authorization Bypass via DM Pairing-Store Leakage in Signal Group Allowlist |
2026-03-19 |
| CVE-2026-31996 |
🟢 LOW |
2 |
OpenClaw < 2026.2.19 - safeBins stdin-only bypass via sort output and recursive grep flags |
2026-03-19 |