| CVE | Severity | Score | Title | Date |
|---|---|---|---|---|
| CVE-2026-22172 | 🟣 CRITICAL | 9.4 | OpenClaw < 2026.3.12 - Scope Elevation in WebSocket Shared-Auth Connections | 2026-03-20 |
| CVE-2026-32922 | 🟣 CRITICAL | 9.4 | OpenClaw < 2026.3.11 - Privilege Escalation via Unvalidated Scope in device.token.rotate | 2026-03-29 |
| CVE-2026-32987 | 🟣 CRITICAL | 9.3 | OpenClaw < 2026.3.13 - Bootstrap Setup Code Replay via Device Pairing | 2026-03-29 |
| CVE-2026-32916 | 🟣 CRITICAL | 9.2 | OpenClaw 2026.3.7 < 2026.3.11 - Authorization Bypass in Plugin Subagent Routes via Synthetic Admin Scopes | 2026-03-31 |
| CVE-2026-32917 | 🟣 CRITICAL | 9.2 | OpenClaw < 2026.3.13 - Remote Command Injection via Unsanitized iMessage Attachment Paths in SCP | 2026-03-31 |
| CVE-2026-25253 | 🔴 HIGH | 8.8 | OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl | 2026-02-01 |
| CVE-2026-24763 | 🔴 HIGH | 8.8 | OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable | 2026-02-02 |
| CVE-2026-28462 | 🔴 HIGH | 8.7 | OpenClaw < 2026.2.13 - Path Traversal in Trace and Download Output Paths | 2026-03-05 |
| CVE-2026-28478 | 🔴 HIGH | 8.7 | OpenClaw affected by denial of service via unbounded webhook request body buffering | 2026-03-05 |
| CVE-2026-29609 | 🔴 HIGH | 8.7 | OpenClaw < 2026.2.14 - Denial of Service via Unbounded URL-backed Media Fetch | 2026-03-05 |
| CVE-2026-32011 | 🔴 HIGH | 8.7 | OpenClaw < 2026.3.2 - Slow-Request Denial of Service via Pre-Auth Webhook Body Parsing | 2026-03-19 |
| CVE-2026-32051 | 🔴 HIGH | 8.7 | OpenClaw < 2026.3.1 - Authorization Bypass in Agent Runs via Owner-Only Tool Access | 2026-03-21 |
| CVE-2026-32062 | 🔴 HIGH | 8.7 | OpenClaw 2026.2.21-2 < 2026.2.22 - Unauthenticated WebSocket Resource Exhaustion via Media Stream | 2026-03-11 |
| CVE-2026-32914 | 🔴 HIGH | 8.7 | OpenClaw < 2026.3.12 - Insufficient Access Control in /config and /debug Endpoints | 2026-03-29 |
| CVE-2026-33573 | 🔴 HIGH | 8.7 | OpenClaw < 2026.3.11 - Workspace Boundary Bypass via Agent RPC Parameters | 2026-03-29 |
| CVE-2026-32982 | 🔴 HIGH | 8.7 | OpenClaw < 2026.3.13 - Telegram Bot Token Exposure in Media Fetch Error Logs | 2026-03-31 |
| CVE-2026-32060 | 🔴 HIGH | 8.7 | OpenClaw < 2026.2.14 - Path Traversal in apply_patch via Crafted Paths | 2026-03-11 |
| CVE-2026-41303 | 🔴 HIGH | 8.7 | OpenClaw < 2026.3.28 - Authorization Bypass in Discord Text Approval Commands | 2026-04-20 |
| CVE-2026-28463 | 🔴 HIGH | 8.6 | OpenClaw < 2026.2.14 - Arbitrary File Read via Shell Expansion in Safe Bins Allowlist | 2026-03-05 |
| CVE-2026-32014 | 🔴 HIGH | 8.6 | OpenClaw < 2026.2.26 - Node Reconnect Metadata Spoofing via Unsigned Platform Fields | 2026-03-19 |
| CVE-2026-32920 | 🔴 HIGH | 8.6 | OpenClaw < 2026.3.12 - Arbitrary Code Execution via Auto-Discovery of Workspace Plugins | 2026-03-31 |
| CVE-2026-34503 | 🔴 HIGH | 8.6 | OpenClaw < 2026.3.28 - Incomplete WebSocket Session Termination on Device Removal and Token Revocation | 2026-03-31 |
| CVE-2026-35643 | 🔴 HIGH | 8.6 | OpenClaw < 2026.3.22 - Arbitrary Code Execution via Unvalidated WebView JavascriptInterface | 2026-04-10 |
| CVE-2026-41295 | 🔴 HIGH | 8.5 | OpenClaw: Untrusted workspace channel shadows could execute during built-in channel setup | 2026-04-20 |
| CVE-2026-35641 | 🔴 HIGH | 8.4 | OpenClaw < 2026.3.24 - Arbitrary Code Execution via .npmrc in Local Plugin/Hook Installation | 2026-04-10 |
| CVE-2026-31998 | 🔴 HIGH | 8.3 | OpenClaw 2026.2.22 < 2026.2.24 - Authorization Bypass in Synology Chat Plugin via Empty allowedUserIds | 2026-03-19 |
| CVE-2026-35618 | 🔴 HIGH | 8.3 | OpenClaw < 2026.3.23 - Replay Identity Drift via Query-Only Variants in Plivo V2 Verification | 2026-04-09 |
| CVE-2026-28464 | 🔴 HIGH | 8.2 | OpenClaw < 2026.2.12 - Timing Attack in Hooks Token Authentication | 2026-03-05 |
| CVE-2026-28469 | 🔴 HIGH | 8.2 | OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting | 2026-03-05 |
| CVE-2026-28465 | 🔴 HIGH | 8.2 | OpenClaw voice-call < 2026.2.3 - Webhook Verification Bypass via Forwarded Headers | 2026-03-05 |
| CVE-2026-32045 | 🔴 HIGH | 8.2 | OpenClaw < 2026.2.21 - Authentication Bypass in HTTP Gateway Routes via Tokenless Tailscale Auth | 2026-03-21 |
| CVE-2026-25157 | 🔴 HIGH | 7.8 | OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand | 2026-02-04 |
| CVE-2026-32048 | 🔴 HIGH | 7.7 | OpenClaw < 2026.3.1 - Sandbox Escape via Cross-Agent sessions_spawn | 2026-03-21 |
| CVE-2026-27487 | 🔴 HIGH | 7.6 | OpenClaw: Prevent shell injection in macOS keychain credential write | 2026-02-21 |
| CVE-2026-32005 | 🔴 HIGH | 7.6 | OpenClaw < 2026.2.25 - Authorization Bypass in Interactive Callbacks via Sender Check Skip | 2026-03-19 |
| CVE-2026-25474 | 🔴 HIGH | 7.5 | OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass | 2026-02-19 |
| CVE-2026-28485 | 🔴 HIGH | 7.5 | OpenClaw 2026.1.5 < 2026.2.12 - Missing Authentication in Browser Control HTTP Endpoints | 2026-03-05 |
| CVE-2026-28458 | 🔴 HIGH | 7.4 | OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access | 2026-03-05 |
| CVE-2026-41342 | 🔴 HIGH | 7.4 | OpenClaw < 2026.3.28 - Unauthenticated Discovery Endpoint Credential Exfiltration via Remote Onboarding | 2026-04-23 |
| CVE-2026-32016 | 🔴 HIGH | 7.3 | OpenClaw < 2026.2.22 - Path Traversal via Basename-Only Allowlist Matching on macOS | 2026-03-19 |
| CVE-2026-32971 | 🔴 HIGH | 7.3 | OpenClaw < 2026.3.11 - Node-Host Approval UI Mismatch Allows Execution of Unintended Commands | 2026-03-31 |
| CVE-2026-28473 | 🔴 HIGH | 7.2 | OpenClaw < 2026.2.2 - Authorization Bypass via /approve Chat Command | 2026-03-05 |
| CVE-2026-26320 | 🔴 HIGH | 7.1 | OpenClaw macOS deep link confirmation truncation can conceal executed agent message | 2026-02-19 |
| CVE-2026-26317 | 🔴 HIGH | 7.1 | OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints | 2026-02-19 |
| CVE-2026-22168 | 🔴 HIGH | 7.1 | OpenClaw < 2026.2.21 - Command Injection via cmd.exe /c Trailing Arguments in system.run | 2026-03-18 |
| CVE-2026-29607 | 🔴 HIGH | 7.1 | OpenClaw < 2026.2.22 - Authorization Bypass via allow-always Wrapper Persistence | 2026-03-19 |
| CVE-2026-32027 | 🔴 HIGH | 7.1 | OpenClaw < 2026.2.26 - Improper Authorization via DM Pairing Store Identity Inheritance in Group Allowlist | 2026-03-19 |
| CVE-2026-35636 | 🔴 HIGH | 7.1 | OpenClaw 2026.3.11 < 2026.3.25 - Session Isolation Bypass via sessionId Resolution | 2026-04-09 |
| CVE-2026-40037 | 🔴 HIGH | 7.1 | OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects | 2026-04-08 |
| CVE-2026-22176 | 🟡 MEDIUM | 6.9 | OpenClaw < 2026.2.19 - Command Injection via Unescaped Environment Variables in Windows Scheduled Task Script Generation | 2026-03-19 |
| CVE-2026-28480 | 🟡 MEDIUM | 6.9 | OpenClaw Telegram allowlist authorization accepted mutable usernames | 2026-03-05 |
| CVE-2026-32924 | 🟡 MEDIUM | 6.9 | OpenClaw < 2026.3.12 - Authorization Bypass via Misclassified Reaction Events in Feishu | 2026-03-29 |
| CVE-2026-35626 | 🟡 MEDIUM | 6.9 | OpenClaw < 2026.3.22 - Unauthenticated Resource Exhaustion via Voice Call Webhook | 2026-04-09 |
| CVE-2026-34504 | 🟡 MEDIUM | 6.9 | OpenClaw < 2026.3.28 - Server-Side Request Forgery via Unguarded Image Download in fal Provider | 2026-03-31 |
| CVE-2026-35667 | 🟡 MEDIUM | 6.9 | OpenClaw < 2026.3.24 - Improper Process Termination via Unpatched killProcessTree in shell-utils.ts | 2026-04-10 |
| CVE-2026-35640 | 🟡 MEDIUM | 6.9 | OpenClaw < 2026.3.25 - Denial of Service via Unauthenticated Webhook Request Parsing | 2026-04-09 |
| CVE-2026-41301 | 🟡 MEDIUM | 6.9 | OpenClaw: Forged Nostr DMs could create pairing state before signature verification | 2026-04-20 |
| CVE-2026-41343 | 🟡 MEDIUM | 6.9 | OpenClaw < 2026.3.31 - Denial of Service via LINE Webhook Handler Pre-Auth Concurrency | 2026-04-23 |
| CVE-2026-29612 | 🟡 MEDIUM | 6.8 | OpenClaw < 2026.2.14 - Denial of Service via Large Base64 Media File Decoding | 2026-03-05 |
| CVE-2026-33572 | 🟡 MEDIUM | 6.8 | OpenClaw < 2026.2.17 - Insufficient File Permissions in Session Transcript Files | 2026-03-29 |
| CVE-2026-28452 | 🟡 MEDIUM | 6.7 | OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR) | 2026-03-05 |
| CVE-2026-32044 | 🟡 MEDIUM | 6.7 | OpenClaw < 2026.3.2 - Tar Archive Safety Bypass in Skills Installation | 2026-03-21 |
| CVE-2026-26328 | 🟡 MEDIUM | 6.5 | OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities | 2026-02-19 |
| CVE-2026-28476 | 🟡 MEDIUM | 6.3 | OpenClaw < 2026.2.14 - Server-Side Request Forgery in Tlon Extension Authentication | 2026-03-05 |
| CVE-2026-28448 | 🟡 MEDIUM | 6.3 | OpenClaw 2026.1.29 < 2026.2.1 - Authorization Bypass in Twitch Plugin allowFrom Access Control | 2026-03-05 |
| CVE-2026-28475 | 🟡 MEDIUM | 6.3 | OpenClaw < 2026.2.13 - Timing Attack via Hook Token Comparison | 2026-03-05 |
| CVE-2026-32031 | 🟡 MEDIUM | 6.3 | OpenClaw < 2026.2.26 - Authentication Bypass via Path Canonicalization Mismatch in /api/channels Gateway | 2026-03-19 |
| CVE-2026-32050 | 🟡 MEDIUM | 6.3 | OpenClaw < 2026.2.25 - Unauthorized Reaction Status Event Enqueue via Access Check Bypass | 2026-03-21 |
| CVE-2026-32897 | 🟡 MEDIUM | 6.3 | OpenClaw < 2026.2.22 - Authentication Token Reuse in Owner ID Prompt Hashing Fallback | 2026-03-21 |
| CVE-2026-33580 | 🟡 MEDIUM | 6.3 | OpenClaw < 2026.3.28 - Brute Force Attack via Missing Rate Limiting on Webhook Shared Secret Authentication | 2026-03-31 |
| CVE-2026-35656 | 🟡 MEDIUM | 6.3 | OpenClaw < 2026.3.22 - XFF Loopback Spoofing Bypass in Canvas Authentication and Rate Limiter | 2026-04-10 |
| CVE-2026-41340 | 🟡 MEDIUM | 6.3 | OpenClaw < 2026.3.31 - Authentication Boundary Bypass via Telegram Legacy allowFrom Migration | 2026-04-23 |
| CVE-2026-41337 | 🟡 MEDIUM | 6.3 | OpenClaw < 2026.3.31 - Callback Origin Mutation in Plivo Voice-call Replay | 2026-04-23 |
| CVE-2026-32034 | 🟡 MEDIUM | 6.1 | OpenClaw < 2026.2.21 - Insecure Control UI Authentication over Plaintext HTTP | 2026-03-19 |
| CVE-2026-28460 | 🟡 MEDIUM | 6.0 | OpenClaw < 2026.2.22 - Allowlist Bypass via Shell Line-Continuation Command Substitution in system.run | 2026-03-19 |
| CVE-2026-32039 | 🟡 MEDIUM | 6.0 | OpenClaw < 2026.2.22 - Sender Authorization Bypass via Identity Collision in toolsBySender | 2026-03-19 |
| CVE-2026-32002 | 🟡 MEDIUM | 6.0 | OpenClaw < 2026.2.23 - Sandbox Boundary Bypass via Image Tool workspaceOnly Bypass | 2026-03-19 |
| CVE-2026-32057 | 🟡 MEDIUM | 6.0 | OpenClaw < 2026.2.25 - Authentication Bypass via Control UI client.id Parameter | 2026-03-21 |
| CVE-2026-35670 | 🟡 MEDIUM | 6.0 | OpenClaw < 2026.3.22 - Webhook Reply Rebinding via Username Resolution in Synology Chat | 2026-04-10 |
| CVE-2026-28481 | 🟡 MEDIUM | 5.9 | OpenClaw < 2026.2.1 - Bearer Token Leakage via MS Teams Attachment Downloader Suffix Matching | 2026-03-05 |
| CVE-2026-40045 | 🟡 MEDIUM | 5.9 | OpenClaw: Android accepted cleartext remote gateway endpoints and sent stored credentials over ws:// | 2026-04-20 |
| CVE-2026-27646 | 🟡 MEDIUM | 5.8 | OpenClaw < 2026.3.7 - Sandbox Escape via /acp spawn Command | 2026-03-23 |
| CVE-2026-27670 | 🟡 MEDIUM | 5.8 | OpenClaw < 2026.3.2 - Arbitrary File Write via ZIP Extraction Parent Symlink Race Condition | 2026-03-19 |
| CVE-2026-32010 | 🟡 MEDIUM | 5.8 | OpenClaw < 2026.2.22 - Allowlist Bypass via sort --compress-program Parameter | 2026-03-19 |
| CVE-2026-32035 | 🟡 MEDIUM | 5.8 | OpenClaw < 2026.3.2 - Missing Owner Flag Validation in Discord Voice Transcript Handler | 2026-03-19 |
| CVE-2026-32977 | 🟡 MEDIUM | 5.8 | OpenClaw < 2026.3.11 - Sandbox Boundary Bypass via Unanchored writeFile Commit Path | 2026-03-31 |
| CVE-2026-41332 | 🟡 MEDIUM | 5.8 | OpenClaw < 2026.3.28 - Code Execution via Missing Environment Variable Blocklist | 2026-04-23 |
| CVE-2026-29608 | 🟡 MEDIUM | 5.4 | OpenClaw 2026.3.1 < 2026.3.2 - Approval Integrity Bypass via system.run argv Rewriting | 2026-03-19 |
| CVE-2026-41360 | 🟡 MEDIUM | 5.4 | OpenClaw < 2026.4.2 - Approval Integrity Bypass in pnpm dlx Local Script Binding | 2026-04-23 |
| CVE-2026-26326 | 🟡 MEDIUM | 5.3 | OpenClaw skills.status could leak secrets to operator.read clients | 2026-02-19 |
| CVE-2026-31989 | 🟡 MEDIUM | 5.3 | OpenClaw < 2026.3.1 - Server-Side Request Forgery via web_search Citation Redirect | 2026-03-19 |
| CVE-2026-33578 | 🟡 MEDIUM | 5.3 | OpenClaw < 2026.3.28 - Sender Policy Allowlist Bypass via Policy Downgrade in Google Chat and Zalouser Extensions | 2026-03-31 |
| CVE-2026-35629 | 🟡 MEDIUM | 5.3 | OpenClaw < 2026.3.25 - Server-Side Request Forgery via Unguarded Configured Base URLs in Channel Extensions | 2026-04-09 |
| CVE-2026-35662 | 🟡 MEDIUM | 5.3 | OpenClaw < 2026.3.22 - Missing controlScope Enforcement in Send Action | 2026-04-10 |
| CVE-2026-41298 | 🟡 MEDIUM | 5.3 | OpenClaw < 2026.4.2 - Authorization Bypass in Session Termination Endpoint | 2026-04-20 |
| CVE-2026-41344 | 🟡 MEDIUM | 5.3 | OpenClaw < 2026.3.28 - Privilege Escalation via chat.send /verbose Parameter | 2026-04-23 |
| CVE-2026-41350 | 🟡 MEDIUM | 5.3 | OpenClaw < 2026.3.31 - Session Visibility Bypass via session_status in Unsandboxed Invocations | 2026-04-23 |
| CVE-2026-35634 | 🟡 MEDIUM | 5.1 | OpenClaw < 2026.3.23 - Authentication Bypass via Local-Direct Requests in Canvas Gateway | 2026-04-09 |
| CVE-2026-27576 | 🟡 MEDIUM | 4.8 | OpenClaw: ACP prompt-size checks missing in local stdio bridge could reduce responsiveness with very large inputs | 2026-02-21 |
| CVE-2026-22180 | 🟡 MEDIUM | 4.8 | OpenClaw < 2026.3.2 - Path Confinement Bypass in Browser Output and File Write Operations | 2026-03-18 |
| CVE-2026-32046 | 🟡 MEDIUM | 4.8 | OpenClaw < 2026.2.21 - OS-level Sandbox Bypass via --no-sandbox Flag | 2026-03-21 |
| CVE-2026-32020 | 🟡 MEDIUM | 4.8 | OpenClaw < 2026.2.22 - Arbitrary File Read via Symlink Following in Static File Handler | 2026-03-19 |
| CVE-2026-27485 | 🟡 MEDIUM | 4.6 | OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection | 2026-02-21 |
| CVE-2026-24764 | 🟢 LOW | 3.7 | OpenClaw has Remote Code Execution via System Prompt Injection in Slack Channel Descriptions | 2026-02-19 |
| CVE-2026-32006 | 🟢 LOW | 2.3 | OpenClaw < 2026.2.26 - Authorization Bypass via DM Pairing-Store Fallback in Group Allowlist | 2026-03-19 |
| CVE-2026-32037 | 🟢 LOW | 2.3 | OpenClaw < 2026.2.22 - Redirect Chain Bypass of Media Host Allowlist in MSTeams Attachment Handling | 2026-03-19 |
| CVE-2026-35617 | 🟢 LOW | 2.3 | OpenClaw < 2026.3.25 - Authorization Bypass via Group Policy Rebinding with Mutable Space displayName | 2026-04-09 |
| CVE-2026-34506 | 🟢 LOW | 2.3 | OpenClaw < 2026.3.8 - Sender Allowlist Bypass in Microsoft Teams Plugin via Route Allowlist Configuration | 2026-03-31 |
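Most titles in the table encode the affected range in a fixed form, "OpenClaw [component] [LOWER] < UPPER - ...", where the lower bound is inclusive and optional and the upper bound is the first fixed release. The following script, an added example that is not part of the advisory listing or the OpenClaw project, parses that convention and buckets advisories against an installed version. It handles the two edge cases a practitioner needs to get right: calendar versions with a re-release suffix (2026.2.21-2 sits between 2026.2.21 and 2026.2.22), and component-scoped ranges such as "OpenClaw voice-call < 2026.2.3", which refer to that component's version rather than the core version and are therefore set aside instead of being compared. Titles without a parseable range (for example the "OpenClaw/Clawdbot has ..." entries) are reported for manual review rather than guessed at. The five sample rows are copied from the table above and are a subset, not the full list.

```python
"""Triage the OpenClaw advisory titles above against an installed version.

Added example; it is not part of the advisory listing or the OpenClaw project.
It relies only on the title convention visible in the table:
    "OpenClaw [component] [LOWER] < UPPER - <description>"
where LOWER (inclusive) is optional and UPPER is exclusive (the first fixed
release). Titles that do not follow the convention are listed for manual
review rather than guessed at.
"""
import re
from typing import NamedTuple, Optional

# Calendar versions such as 2026.3.12, optionally with a re-release suffix
# such as 2026.2.21-2 (both forms occur in the table).
_VER = r"(\d{4}\.\d{1,2}\.\d{1,2}(?:-\d+)?)"
_RANGE = re.compile(
    rf"^OpenClaw(?:\s+([A-Za-z][\w-]*))?\s+(?:{_VER}\s+)?<\s+{_VER}\s+-\s"
)


class VersionRange(NamedTuple):
    component: Optional[str]  # e.g. "voice-call": the range is for that component's version
    lower: Optional[tuple]    # inclusive; None means every earlier release
    upper: tuple              # exclusive; the first fixed release


def parse_version(text: str) -> tuple:
    """'2026.2.21-2' -> (2026, 2, 21, 2); '2026.2.22' -> (2026, 2, 22, 0).

    A missing suffix sorts as 0, so 2026.2.21 < 2026.2.21-2 < 2026.2.22.
    """
    core, _, suffix = text.partition("-")
    year, month, patch = (int(part) for part in core.split("."))
    return (year, month, patch, int(suffix) if suffix else 0)


def affected_range(title: str) -> Optional[VersionRange]:
    """Extract the affected range from an advisory title, or None if it has none."""
    m = _RANGE.match(title)
    if m is None:
        return None
    component, lower, upper = m.group(1), m.group(2), m.group(3)
    return VersionRange(
        component,
        parse_version(lower) if lower else None,
        parse_version(upper),
    )


def is_affected(installed: str, title: str) -> Optional[bool]:
    """True/False when the title carries a range; None when it must be read by hand."""
    rng = affected_range(title)
    if rng is None:
        return None
    v = parse_version(installed)
    if rng.lower is not None and v < rng.lower:
        return False
    return v < rng.upper


def triage(installed: str, advisories) -> dict:
    """Bucket (cve, title) pairs for an installed core version."""
    result = {"affected": [], "not_affected": [], "component_scoped": [], "manual_review": []}
    for cve, title in advisories:
        rng = affected_range(title)
        if rng is None:
            result["manual_review"].append(cve)
        elif rng.component is not None:
            # The range is for the named component, not the core version;
            # compare it against that component's own version instead.
            result["component_scoped"].append(cve)
        elif is_affected(installed, title):
            result["affected"].append(cve)
        else:
            result["not_affected"].append(cve)
    return result


# Constructed sample: five rows copied from the table above, not the full list.
SAMPLE_ADVISORIES = [
    ("CVE-2026-22172", "OpenClaw < 2026.3.12 - Scope Elevation in WebSocket Shared-Auth Connections"),
    ("CVE-2026-32916", "OpenClaw 2026.3.7 < 2026.3.11 - Authorization Bypass in Plugin Subagent Routes via Synthetic Admin Scopes"),
    ("CVE-2026-32062", "OpenClaw 2026.2.21-2 < 2026.2.22 - Unauthenticated WebSocket Resource Exhaustion via Media Stream"),
    ("CVE-2026-28465", "OpenClaw voice-call < 2026.2.3 - Webhook Verification Bypass via Forwarded Headers"),
    ("CVE-2026-25253", "OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl"),
]

if __name__ == "__main__":
    for installed in ("2026.2.21", "2026.2.21-2", "2026.3.9"):
        print(installed, triage(installed, SAMPLE_ADVISORIES))
```

Run it against the full table by pasting the CVE and title columns into `SAMPLE_ADVISORIES`. Treat the `manual_review` and `component_scoped` buckets as "open until checked": an entry such as CVE-2026-25253 carries no version range in its title, so absence from the `affected` list says nothing about exposure.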