| CVE | Severity | Score | Title | Date |
|---|---|---|---|---|
| CVE-2026-24763 | 🔴 HIGH | 8.8 | OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable | 2026-02-02 |
| CVE-2026-25253 | 🔴 HIGH | 8.8 | OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl | 2026-02-01 |
| CVE-2026-28478 | 🔴 HIGH | 8.7 | OpenClaw affected by denial of service via unbounded webhook request body buffering | 2026-03-05 |
| CVE-2026-42426 | 🔴 HIGH | 8.7 | OpenClaw `node.pair.approve` placed in `operator.write` scope instead of `operator.pairing` allows unprivileged pairing approval | 2026-04-28 |
| CVE-2026-28469 | 🔴 HIGH | 8.2 | OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting | 2026-03-05 |
| CVE-2026-25157 | 🔴 HIGH | 7.8 | OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand | 2026-02-04 |
| CVE-2026-42422 | 🔴 HIGH | 7.7 | OpenClaw < 2026.4.8 - Role Bypass in device.token.rotate Function | 2026-04-28 |
| CVE-2026-42423 | 🔴 HIGH | 7.7 | OpenClaw: strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts | 2026-04-28 |
| CVE-2026-42431 | 🔴 HIGH | 7.6 | OpenClaw `node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard | 2026-04-28 |
| CVE-2026-42428 | 🔴 HIGH | 7.5 | OpenClaw < 2026.4.8 - Missing Integrity Verification in Package Downloads | 2026-04-28 |
| CVE-2026-28458 | 🔴 HIGH | 7.4 | OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access | 2026-03-05 |
| CVE-2026-42432 | 🔴 HIGH | 7.3 | OpenClaw < 2026.4.8 - Command Escalation via Node Pairing Reconnect Bypass | 2026-04-28 |
| CVE-2026-26317 | 🔴 HIGH | 7.1 | OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints | 2026-02-19 |
| CVE-2026-40037 | 🔴 HIGH | 7.1 | OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects | 2026-04-08 |
| CVE-2026-28480 | 🟡 MEDIUM | 6.9 | OpenClaw Telegram allowlist authorization accepted mutable usernames | 2026-03-05 |
| CVE-2026-29612 | 🟡 MEDIUM | 6.8 | OpenClaw < 2026.2.14 - Denial of Service via Large Base64 Media File Decoding | 2026-03-05 |
| CVE-2026-28452 | 🟡 MEDIUM | 6.7 | OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR) | 2026-03-05 |
| CVE-2026-26328 | 🟡 MEDIUM | 6.5 | OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities | 2026-02-19 |
| CVE-2026-41913 | 🟡 MEDIUM | 6.3 | OpenClaw: Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths | 2026-04-28 |
| CVE-2026-41407 | 🟡 MEDIUM | 6.3 | OpenClaw < 2026.4.2 - Timing Side Channel in Shared-Secret Comparison | 2026-04-28 |
| CVE-2026-41911 | 🟡 MEDIUM | 6 | OpenClaw: Feishu docx upload_file/upload_image Bypasses Workspace-Only Filesystem Policy (GHSA-qf48-qfv4-jjm9 Incomplete Fix) | 2026-04-28 |
| CVE-2026-42429 | 🟡 MEDIUM | 6 | OpenClaw: Gateway plugin HTTP `auth: gateway` widens identity-bearing `operator.read` requests into runtime `operator.write` | 2026-04-28 |
| CVE-2026-40045 | 🟡 MEDIUM | 5.9 | OpenClaw: Android accepted cleartext remote gateway endpoints and sent stored credentials over ws:// | 2026-04-20 |
| CVE-2026-42424 | 🟡 MEDIUM | 5.9 | OpenClaw < 2026.4.8 - Local File Exfiltration via Shared Reply MEDIA Paths | 2026-04-28 |
| CVE-2026-41915 | 🟡 MEDIUM | 5.8 | OpenClaw: GIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant) | 2026-04-28 |
| CVE-2026-42427 | 🟡 MEDIUM | 5.8 | OpenClaw: HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist — RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class) | 2026-04-28 |
| CVE-2026-42420 | 🟡 MEDIUM | 5.3 | OpenClaw < 2026.4.8 - Improper Base64 Decoding Size Validation | 2026-04-28 |
| CVE-2026-41914 | 🟡 MEDIUM | 5.1 | OpenClaw < 2026.4.8 - Server-Side Request Forgery in QQ Bot Media Fetch Paths | 2026-04-28 |
| CVE-2026-41912 | 🟡 MEDIUM | 4.8 | OpenClaw has Browser SSRF Policy Bypass via Interaction-Triggered Navigation | 2026-04-28 |
| CVE-2026-42430 | 🟡 MEDIUM | 4.8 | OpenClaw: Strict browser SSRF bypass in Playwright redirect handling leaves private targets reachable | 2026-04-28 |
| CVE-2026-41910 | 🟢 LOW | 2.3 | OpenClaw: /allowlist omits owner-only enforcement for cross-channel allowlist writes | 2026-04-28 |
| CVE-2026-41916 | 🟢 LOW | 2.3 | OpenClaw < 2026.4.8 - Stale Authentication State via Config Reload | 2026-04-28 |
| CVE-2026-42421 | 🟢 LOW | 2.3 | OpenClaw: Existing WS sessions survive shared gateway token rotation | 2026-04-28 |