| CVE-2026-32978 |
🟣 CRITICAL |
9.4 |
OpenClaw < 2026.3.11 - Approval Bypass via Unrecognized Script Runners |
2026-03-29 |
| CVE-2026-32038 |
🟣 CRITICAL |
9.3 |
OpenClaw - Sandbox Network Isolation Bypass via docker.network=container Parameter |
2026-03-19 |
| CVE-2026-32987 |
🟣 CRITICAL |
9.3 |
OpenClaw < 2026.3.13 - Bootstrap Setup Code Replay via Device Pairing |
2026-03-29 |
| CVE-2026-32916 |
🟣 CRITICAL |
9.2 |
OpenClaw 2026.3.7 < 2026.3.11 - Authorization Bypass in Plugin Subagent Routes via Synthetic Admin Scopes |
2026-03-31 |
| CVE-2026-24763 |
🔴 HIGH |
8.8 |
OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable |
2026-02-02 |
| CVE-2026-25253 |
🔴 HIGH |
8.8 |
OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl |
2026-02-01 |
| CVE-2026-29609 |
🔴 HIGH |
8.7 |
OpenClaw < 2026.2.14 - Denial of Service via Unbounded URL-backed Media Fetch |
2026-03-05 |
| CVE-2026-28478 |
🔴 HIGH |
8.7 |
OpenClaw affected by denial of service via unbounded webhook request body buffering |
2026-03-05 |
| CVE-2026-28479 |
🔴 HIGH |
8.7 |
OpenClaw < 2026.2.15 - Cache Poisoning via Deprecated SHA-1 Hash in Sandbox Configuration |
2026-03-05 |
| CVE-2026-32011 |
🔴 HIGH |
8.7 |
OpenClaw < 2026.3.2 - Slow-Request Denial of Service via Pre-Auth Webhook Body Parsing |
2026-03-19 |
| CVE-2026-32042 |
🔴 HIGH |
8.7 |
OpenClaw < 2026.2.25 - Privilege Escalation via Unpaired Device Identity in Shared Gateway Authentication |
2026-03-21 |
| CVE-2026-33573 |
🔴 HIGH |
8.7 |
OpenClaw < 2026.3.11 - Workspace Boundary Bypass via Agent RPC Parameters |
2026-03-29 |
| CVE-2026-35639 |
🔴 HIGH |
8.7 |
OpenClaw < 2026.3.22 - Privilege Escalation via device.pair.approve Scope Validation |
2026-04-09 |
| CVE-2026-26323 |
🔴 HIGH |
8.6 |
OpenClaw has a command injection in maintainer clawtributors updater |
2026-02-19 |
| CVE-2026-28456 |
🔴 HIGH |
8.6 |
OpenClaw 2026.1.5 < 2026.2.14 - Arbitrary Code Execution via Unsafe Hook Module Path Handling |
2026-03-05 |
| CVE-2026-28463 |
🔴 HIGH |
8.6 |
OpenClaw < 2026.2.14 - Arbitrary File Read via Shell Expansion in Safe Bins Allowlist |
2026-03-05 |
| CVE-2026-32920 |
🔴 HIGH |
8.6 |
OpenClaw < 2026.3.12 - Arbitrary Code Execution via Auto-Discovery of Workspace Plugins |
2026-03-31 |
| CVE-2026-33579 |
🔴 HIGH |
8.6 |
OpenClaw < 2026.3.28 - Privilege Escalation via Missing Caller Scope Validation in Device Pair Approval |
2026-03-31 |
| CVE-2026-35625 |
🔴 HIGH |
8.5 |
OpenClaw < 2026.3.25 - Privilege Escalation via Silent Local Shared-Auth Reconnect |
2026-04-09 |
| CVE-2026-28393 |
🔴 HIGH |
8.3 |
OpenClaw 2.0.0-beta3 < 2026.2.14 - Arbitrary JavaScript Module Loading via Hook Transform Path Traversal |
2026-03-05 |
| CVE-2026-32036 |
🔴 HIGH |
8.3 |
OpenClaw < 2026.2.26- Authentication Bypass via Encoded Dot-Segment Traversal in /api/channels |
2026-03-19 |
| CVE-2026-28392 |
🔴 HIGH |
8.2 |
OpenClaw < 2026.2.14 - Privilege Escalation in Slack Slash Command Handler via Direct Messages |
2026-03-05 |
| CVE-2026-28469 |
🔴 HIGH |
8.2 |
OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting |
2026-03-05 |
| CVE-2026-32045 |
🔴 HIGH |
8.2 |
OpenClaw < 2026.2.21 - Authentication Bypass in HTTP Gateway Routes via Tokenless Tailscale Auth |
2026-03-21 |
| CVE-2026-25157 |
🔴 HIGH |
7.8 |
OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand |
2026-02-04 |
| CVE-2026-32007 |
🔴 HIGH |
7.6 |
OpenClaw < 2026.2.23 - Sandbox Bypass in apply_patch Tool via Workspace-Only Check Bypass |
2026-03-19 |
| CVE-2026-25474 |
🔴 HIGH |
7.5 |
OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass |
2026-02-19 |
| CVE-2026-26316 |
🔴 HIGH |
7.5 |
OpenClaw has BlueBubbles webhook auth bypass via loopback proxy trust |
2026-02-19 |
| CVE-2026-26321 |
🔴 HIGH |
7.5 |
OpenClaw has a local file disclosure via sendMediaFeishu in Feishu extension |
2026-02-19 |
| CVE-2026-28458 |
🔴 HIGH |
7.4 |
OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access |
2026-03-05 |
| CVE-2026-32016 |
🔴 HIGH |
7.3 |
OpenClaw < 2026.2.22 - Path Traversal via Basename-Only Allowlist Matching on macOS |
2026-03-19 |
| CVE-2026-28473 |
🔴 HIGH |
7.2 |
OpenClaw < 2026.2.2 - Authorization Bypass via /approve Chat Command |
2026-03-05 |
| CVE-2026-32055 |
🔴 HIGH |
7.2 |
OpenClaw < 2026.2.26 - Workspace Path Boundary Bypass via Non-existent Symlink |
2026-03-21 |
| CVE-2026-34512 |
🔴 HIGH |
7.2 |
OpenClaw < 2026.3.25 - Improper Access Control in /sessions/:sessionKey/kill Endpoint |
2026-04-09 |
| CVE-2026-26317 |
🔴 HIGH |
7.1 |
OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints |
2026-02-19 |
| CVE-2026-22175 |
🔴 HIGH |
7.1 |
OpenClaw < 2026.2.23 - Exec Approval Bypass via Unrecognized Multiplexer Shell Wrappers |
2026-03-18 |
| CVE-2026-26327 |
🔴 HIGH |
7.1 |
OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning |
2026-02-19 |
| CVE-2026-27522 |
🔴 HIGH |
7.1 |
OpenClaw < 2026.2.24 - Arbitrary File Read via sendAttachment and setGroupIcon Message Actions |
2026-03-18 |
| CVE-2026-35621 |
🔴 HIGH |
7.1 |
OpenClaw < 2026.3.24 - Privilege Escalation via chat.send to Allowlist Persistence |
2026-04-10 |
| CVE-2026-35644 |
🔴 HIGH |
7.1 |
OpenClaw < 2026.3.22 - Credential Exposure via baseUrl Fields in Gateway Snapshots |
2026-04-09 |
| CVE-2026-40037 |
🔴 HIGH |
7.1 |
OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects |
2026-04-08 |
| CVE-2026-35668 |
🔴 HIGH |
7.1 |
OpenClaw < 2026.3.24 - Sandbox Media Root Bypass via Unnormalized mediaUrl and fileUrl Parameters |
2026-04-10 |
| CVE-2026-28447 |
🔴 HIGH |
7 |
OpenClaw 2026.1.29-beta.1 < 2026.2.1 - Path Traversal in Plugin Installation via Package Name |
2026-03-05 |
| CVE-2026-32009 |
🔴 HIGH |
7 |
OpenClaw < 2026.2.24 - Binary Hijacking via Static Default Trusted Directories in safeBins |
2026-03-19 |
| CVE-2026-22177 |
🟡 MEDIUM |
6.9 |
OpenClaw < 2026.2.21 - Environment Variable Injection via Config env.vars |
2026-03-18 |
| CVE-2026-27523 |
🟡 MEDIUM |
6.9 |
OpenClaw < 2026.2.24 - Sandbox Bind Validation Bypass via Symlink-Parent Missing-Leaf Paths |
2026-03-18 |
| CVE-2026-28394 |
🟡 MEDIUM |
6.9 |
OpenClaw < 2026.2.15 - Denial of Service via Unbounded Response Parsing in web_fetch Tool |
2026-03-05 |
| CVE-2026-28480 |
🟡 MEDIUM |
6.9 |
OpenClaw Telegram allowlist authorization accepted mutable usernames |
2026-03-05 |
| CVE-2026-32924 |
🟡 MEDIUM |
6.9 |
OpenClaw < 2026.3.12 - Authorization Bypass via Misclassified Reaction Events in Feishu |
2026-03-29 |
| CVE-2026-32975 |
🟡 MEDIUM |
6.9 |
OpenClaw < 2026.3.12 - Weak Authorization via Mutable Group Names in Zalouser Allowlist |
2026-03-29 |
| CVE-2026-32053 |
🟡 MEDIUM |
6.9 |
OpenClaw < 2026.2.23 - Twilio Webhook Replay Bypass via Randomized Event ID Normalization |
2026-03-21 |
| CVE-2026-32919 |
🟡 MEDIUM |
6.9 |
OpenClaw < 2026.3.11 - Unauthorized Session Reset via agent Slash Commands |
2026-03-29 |
| CVE-2026-35632 |
🟡 MEDIUM |
6.9 |
OpenClaw < 2026.2.22 - Symlink Traversal via IDENTITY.md appendFile in agents.create/update |
2026-04-09 |
| CVE-2026-35633 |
🟡 MEDIUM |
6.9 |
OpenClaw < 2026.3.22 - Unbounded Memory Allocation via Remote Media Error Responses |
2026-04-09 |
| CVE-2026-35626 |
🟡 MEDIUM |
6.9 |
OpenClaw < 2026.3.22 - Unauthenticated Resource Exhaustion via Voice Call Webhook |
2026-04-09 |
| CVE-2026-35667 |
🟡 MEDIUM |
6.9 |
OpenClaw < 2026.3.24 - Improper Process Termination via Unpatched killProcessTree in shell-utils.ts |
2026-04-10 |
| CVE-2026-35664 |
🟡 MEDIUM |
6.9 |
OpenClaw < 2026.3.25 - DM Pairing Bypass via Legacy Card Callbacks |
2026-04-10 |
| CVE-2026-35647 |
🟡 MEDIUM |
6.9 |
OpenClaw < 2026.3.25 - Direct Message Policy Bypass via Verification Notices |
2026-04-10 |
| CVE-2026-27008 |
🟡 MEDIUM |
6.8 |
OpenClaw hardened the skill download target directory validation |
2026-02-19 |
| CVE-2026-28486 |
🟡 MEDIUM |
6.8 |
OpenClaw 2026.1.16-2 < 2026.2.14 - Path Traversal (Zip Slip) in Archive Extraction via Installation Commands |
2026-03-05 |
| CVE-2026-29612 |
🟡 MEDIUM |
6.8 |
OpenClaw < 2026.2.14 - Denial of Service via Large Base64 Media File Decoding |
2026-03-05 |
| CVE-2026-26972 |
🟡 MEDIUM |
6.7 |
OpenClaw has a Path Traversal in Browser Download Functionality |
2026-02-19 |
| CVE-2026-28452 |
🟡 MEDIUM |
6.7 |
OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR) |
2026-03-05 |
| CVE-2026-32044 |
🟡 MEDIUM |
6.7 |
OpenClaw < 2026.3.2 - Tar Archive Safety Bypass in Skills Installation |
2026-03-21 |
| CVE-2026-25475 |
🟡 MEDIUM |
6.5 |
OpenClaw Vulnerable to Local File Inclusion via MEDIA: Path Extraction |
2026-02-04 |
| CVE-2026-26328 |
🟡 MEDIUM |
6.5 |
OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities |
2026-02-19 |
| CVE-2026-28475 |
🟡 MEDIUM |
6.3 |
OpenClaw < 2026.2.13 - Timing Attack via Hook Token Comparison |
2026-03-05 |
| CVE-2026-29606 |
🟡 MEDIUM |
6.3 |
OpenClaw < 2026.2.14 - Webhook Signature Verification Bypass via ngrok Loopback Compatibility |
2026-03-05 |
| CVE-2026-32897 |
🟡 MEDIUM |
6.3 |
OpenClaw < 2026.2.22 - Authentication Token Reuse in Owner ID Prompt Hashing Fallback |
2026-03-21 |
| CVE-2026-35656 |
🟡 MEDIUM |
6.3 |
OpenClaw < 2026.3.22 - XFF Loopback Spoofing Bypass in Canvas Authentication and Rate Limiter |
2026-04-10 |
| CVE-2026-35649 |
🟡 MEDIUM |
6.3 |
OpenClaw < 2026.3.22 - Settings Reconciliation Bypass via Empty Allowlist |
2026-04-10 |
| CVE-2026-35645 |
🟡 MEDIUM |
6.1 |
OpenClaw < 2026.3.25 - Privilege Escalation via Synthetic operator.admin in deleteSession |
2026-04-09 |
| CVE-2026-28460 |
🟡 MEDIUM |
6 |
OpenClaw < 2026.2.22 - Allowlist Bypass via Shell Line-Continuation Command Substitution in system.run |
2026-03-19 |
| CVE-2026-32033 |
🟡 MEDIUM |
6 |
OpenClaw < 2026.2.24 - Path Traversal via @-prefixed Absolute Paths in Workspace Boundary Validation |
2026-03-19 |
| CVE-2026-35670 |
🟡 MEDIUM |
6 |
OpenClaw < 2026.3.22 - Webhook Reply Rebinding via Username Resolution in Synology Chat |
2026-04-10 |
| CVE-2026-28481 |
🟡 MEDIUM |
5.9 |
OpenClaw < 2026.2.1 - Bearer Token Leakage via MS Teams Attachment Downloader Suffix Matching |
2026-03-05 |
| CVE-2026-22217 |
🟡 MEDIUM |
5.8 |
OpenClaw 2026.2.22 < 2026.2.23 - Arbitrary Binary Execution via $SHELL Environment Variable Trusted Prefix Fallback |
2026-03-18 |
| CVE-2026-27670 |
🟡 MEDIUM |
5.8 |
OpenClaw < 2026.3.2 - Arbitrary File Write via ZIP Extraction Parent Symlink Race Condition |
2026-03-19 |
| CVE-2026-27646 |
🟡 MEDIUM |
5.8 |
OpenClaw < 2026.3.7 - Sandbox Escape via /acp spawn Command |
2026-03-23 |
| CVE-2026-32035 |
🟡 MEDIUM |
5.8 |
OpenClaw < 2026.3.2 - Missing Owner Flag Validation in Discord Voice Transcript Handler |
2026-03-19 |
| CVE-2026-32010 |
🟡 MEDIUM |
5.8 |
OpenClaw < 2026.2.22 - Allowlist Bypass via sort --compress-program Parameter |
2026-03-19 |
| CVE-2026-33574 |
🟡 MEDIUM |
5.8 |
OpenClaw < 2026.3.8 - Path Traversal via Tools Root Rebinding in Skills Download |
2026-03-29 |
| CVE-2026-32052 |
🟡 MEDIUM |
5.8 |
OpenClaw < 2026.2.24 - Hidden Command Execution via Shell-Wrapper Positional argv Carriers |
2026-03-21 |
| CVE-2026-28457 |
🟡 MEDIUM |
5.6 |
OpenClaw < 2026.2.14 - Path Traversal in Sandbox Skill Mirroring via Name Parameter |
2026-03-05 |
| CVE-2026-31993 |
🟡 MEDIUM |
5.6 |
OpenClaw < 2026.2.22 - Allowlist Parsing Mismatch in system.run Shell Chains |
2026-03-19 |
| CVE-2026-29608 |
🟡 MEDIUM |
5.4 |
OpenClaw 2026.3.1 < 2026.3.2 - Approval Integrity Bypass via system.run argv Rewriting |
2026-03-19 |
| CVE-2026-32001 |
🟡 MEDIUM |
5.3 |
OpenClaw < 2026.2.22 - Node Role Device-Identity Bypass via WebSocket Authentication |
2026-03-19 |
| CVE-2026-32898 |
🟡 MEDIUM |
5.3 |
OpenClaw < 2026.2.23 - ACP Permission Auto-Approval Bypass via Untrusted Tool Metadata |
2026-03-21 |
| CVE-2026-32899 |
🟡 MEDIUM |
5.3 |
OpenClaw < 2026.2.25 - Sender Policy Bypass in Slack Reaction and Pin Event Handlers |
2026-03-21 |
| CVE-2026-32923 |
🟡 MEDIUM |
5.3 |
OpenClaw < 2026.3.11 - Authorization Bypass in Discord Guild Reaction Allowlist Enforcement |
2026-03-29 |
| CVE-2026-33578 |
🟡 MEDIUM |
5.3 |
OpenClaw < 2026.3.28 - Sender Policy Allowlist Bypass via Policy Downgrade in Google Chat and Zalouser Extensions |
2026-03-31 |
| CVE-2026-35619 |
🟡 MEDIUM |
5.3 |
OpenClaw < 2026.3.24 - Authorization Bypass via HTTP /v1/models Endpoint |
2026-04-10 |
| CVE-2026-35662 |
🟡 MEDIUM |
5.3 |
OpenClaw < 2026.3.22 - Missing controlScope Enforcement in Send Action |
2026-04-10 |
| CVE-2026-35634 |
🟡 MEDIUM |
5.1 |
OpenClaw < 2026.3.23 - Authentication Bypass via Local-Direct Requests in Canvas Gateway |
2026-04-09 |
| CVE-2026-35659 |
🟡 MEDIUM |
5.1 |
OpenClaw < 2026.3.22 - Unresolved Service Metadata Routing via Bonjour and DNS-SD Discovery |
2026-04-10 |
| CVE-2026-27576 |
🟡 MEDIUM |
4.8 |
OpenClaw: ACP prompt-size checks missing in local stdio bridge could reduce responsiveness with very large inputs |
2026-02-21 |
| CVE-2026-32020 |
🟡 MEDIUM |
4.8 |
OpenClaw < 2026.2.22 - Arbitrary File Read via Symlink Following in Static File Handler |
2026-03-19 |
| CVE-2026-32046 |
🟡 MEDIUM |
4.8 |
OpenClaw < 2026.2.21 - OS-level Sandbox Bypass via --no-sandbox Flag |
2026-03-21 |
| CVE-2026-27485 |
🟡 MEDIUM |
4.6 |
OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection |
2026-02-21 |
| CVE-2026-27486 |
🟡 MEDIUM |
4.3 |
OpenClaw: Process Safety - Unvalidated PID Kill via SIGKILL in Process Cleanup |
2026-02-21 |
| CVE-2026-24764 |
🟢 LOW |
3.7 |
OpenClaw has Remote Code Execution via System Prompt Injection in Slack Channel Descriptions |
2026-02-19 |
| CVE-2026-27524 |
🟢 LOW |
2.3 |
OpenClaw < 2026.2.21 - Prototype Pollution via Debug Override Path |
2026-03-18 |
| CVE-2026-31991 |
🟢 LOW |
2 |
OpenClaw < 2026.2.26 - Authorization Bypass via DM Pairing-Store Leakage in Signal Group Allowlist |
2026-03-19 |
| CVE-2026-32067 |
🟢 LOW |
2 |
OpenClaw < 2026.2.26 - Cross-Account Authorization Bypass in DM Pairing Store |
2026-03-21 |