| CVE-2026-28363 |
🟣 CRITICAL |
9.9 |
In OpenClaw before 2026.2.23, tools.exec.safeBins validation for sort could be… |
2026-02-27 |
| CVE-2026-22172 |
🟣 CRITICAL |
9.4 |
OpenClaw < 2026.3.12 - Scope Elevation in WebSocket Shared-Auth Connections |
2026-03-20 |
| CVE-2026-24763 |
🔴 HIGH |
8.8 |
OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable |
2026-02-02 |
| CVE-2026-25253 |
🔴 HIGH |
8.8 |
OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl |
2026-02-01 |
| CVE-2026-32913 |
🔴 HIGH |
8.8 |
OpenClaw: fetch-guard forwards custom authorization headers across cross-origin redirects |
2026-03-23 |
| CVE-2026-28461 |
🔴 HIGH |
8.7 |
OpenClaw < 2026.3.1 - Unbounded Memory Growth in Zalo Webhook via Query String Key Churn |
2026-03-19 |
| CVE-2026-28479 |
🔴 HIGH |
8.7 |
OpenClaw < 2026.2.15 - Cache Poisoning via Deprecated SHA-1 Hash in Sandbox Configuration |
2026-03-05 |
| CVE-2026-28478 |
🔴 HIGH |
8.7 |
OpenClaw affected by denial of service via unbounded webhook request body buffering |
2026-03-05 |
| CVE-2026-32051 |
🔴 HIGH |
8.7 |
OpenClaw < 2026.3.1 - Authorization Bypass in Agent Runs via Owner-Only Tool Access |
2026-03-21 |
| CVE-2026-32062 |
🔴 HIGH |
8.7 |
OpenClaw 2026.2.21-2 < 2026.2.22 - Unauthenticated WebSocket Resource Exhaustion via Media Stream |
2026-03-11 |
| CVE-2026-32059 |
🔴 HIGH |
8.7 |
OpenClaw 2026.2.22-2 < 2026.2.23 - Allowlist Bypass via sort Long-Option Abbreviation in tools.exec.safeBins |
2026-03-11 |
| CVE-2026-28456 |
🔴 HIGH |
8.6 |
OpenClaw 2026.1.5 < 2026.2.14 - Arbitrary Code Execution via Unsafe Hook Module Path Handling |
2026-03-05 |
| CVE-2026-28463 |
🔴 HIGH |
8.6 |
OpenClaw < 2026.2.14 - Arbitrary File Read via Shell Expansion in Safe Bins Allowlist |
2026-03-05 |
| CVE-2026-32014 |
🔴 HIGH |
8.6 |
OpenClaw < 2026.2.26 - Node Reconnect Metadata Spoofing via Unsigned Platform Fields |
2026-03-19 |
| CVE-2026-32064 |
🔴 HIGH |
8.5 |
OpenClaw < 2026.2.21 - Missing VNC Authentication in Sandbox Browser noVNC Observer |
2026-03-21 |
| CVE-2026-28450 |
🔴 HIGH |
8.3 |
OpenClaw < 2026.2.12 - Unauthenticated Profile Tampering via Nostr Plugin HTTP Endpoints |
2026-03-05 |
| CVE-2026-28453 |
🔴 HIGH |
8.3 |
OpenClaw < 2026.2.14 - Zip Slip Path Traversal in TAR Archive Extraction |
2026-03-05 |
| CVE-2026-31998 |
🔴 HIGH |
8.3 |
OpenClaw's Synology Chat dmPolicy=allowlist failed open on empty allowedUserIds, allowing unauthorized agent dispatch |
2026-03-19 |
| CVE-2026-32004 |
🔴 HIGH |
8.3 |
OpenClaw < 2026.3.2 - Authentication Bypass via Encoded Path in /api/channels Route |
2026-03-19 |
| CVE-2026-32036 |
🔴 HIGH |
8.3 |
OpenClaw < 2026.2.26- Authentication Bypass via Encoded Dot-Segment Traversal in /api/channels |
2026-03-19 |
| CVE-2026-28392 |
🔴 HIGH |
8.2 |
OpenClaw < 2026.2.14 - Privilege Escalation in Slack Slash Command Handler via Direct Messages |
2026-03-05 |
| CVE-2026-28469 |
🔴 HIGH |
8.2 |
OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting |
2026-03-05 |
| CVE-2026-29611 |
🔴 HIGH |
8.2 |
OpenClaw < 2026.2.14 - Local File Inclusion via mediaPath Parameter in BlueBubbles Media Handling |
2026-03-05 |
| CVE-2026-32045 |
🔴 HIGH |
8.2 |
OpenClaw < 2026.2.21 - Authentication Bypass in HTTP Gateway Routes via Tokenless Tailscale Auth |
2026-03-21 |
| CVE-2026-32302 |
🔴 HIGH |
8.1 |
OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode |
2026-03-12 |
| CVE-2026-25157 |
🔴 HIGH |
7.8 |
OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand |
2026-02-04 |
| CVE-2026-27002 |
🔴 HIGH |
7.7 |
OpenClaw: Docker container escape via unvalidated bind mount config injection |
2026-02-19 |
| CVE-2026-32056 |
🔴 HIGH |
7.7 |
OpenClaw < 2026.2.22 - Remote Code Execution via Shell Startup Environment Variable Injection in system.run |
2026-03-21 |
| CVE-2026-27487 |
🔴 HIGH |
7.6 |
OpenClaw: Prevent shell injection in macOS keychain credential write |
2026-02-21 |
| CVE-2026-32007 |
🔴 HIGH |
7.6 |
OpenClaw < 2026.2.23 - Sandbox Bypass in apply_patch Tool via Workspace-Only Check Bypass |
2026-03-19 |
| CVE-2026-32005 |
🔴 HIGH |
7.6 |
OpenClaw: Slack interactive callbacks could skip configured sender checks in some shared-workspace flows |
2026-03-19 |
| CVE-2026-26316 |
🔴 HIGH |
7.5 |
OpenClaw has BlueBubbles webhook auth bypass via loopback proxy trust |
2026-02-19 |
| CVE-2026-25474 |
🔴 HIGH |
7.5 |
OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass |
2026-02-19 |
| CVE-2026-26319 |
🔴 HIGH |
7.5 |
OpenClaw has Missing Webhook Authentication in Telnyx Provider Allowing Unauthenticated Requests |
2026-02-19 |
| CVE-2026-26321 |
🔴 HIGH |
7.5 |
OpenClaw has a local file disclosure via sendMediaFeishu in Feishu extension |
2026-02-19 |
| CVE-2026-28485 |
🔴 HIGH |
7.5 |
OpenClaw 2026.1.5 < 2026.2.12 - Missing Authentication in Browser Control HTTP Endpoints |
2026-03-05 |
| CVE-2026-32003 |
🔴 HIGH |
7.5 |
OpenClaw < 2026.2.22 - Remote Code Execution via SHELLOPTS/PS4 Environment Injection in system.run |
2026-03-19 |
| CVE-2026-32041 |
🔴 HIGH |
7.5 |
OpenClaw < 2026.3.1 - Unauthenticated Browser Control Access via Failed Auth Bootstrap |
2026-03-19 |
| CVE-2026-28458 |
🔴 HIGH |
7.4 |
OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access |
2026-03-05 |
| CVE-2026-32016 |
🔴 HIGH |
7.3 |
OpenClaw < 2026.2.22 - Path Traversal via Basename-Only Allowlist Matching on macOS |
2026-03-19 |
| CVE-2026-26325 |
🔴 HIGH |
7.2 |
OpenClaw Node host system.run rawCommand/command mismatch can bypass allowlist/approvals |
2026-02-19 |
| CVE-2026-26317 |
🔴 HIGH |
7.1 |
OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints |
2026-02-19 |
| CVE-2026-22169 |
🔴 HIGH |
7.1 |
OpenClaw < 2026.2.22 - Allowlist Bypass via sort Configuration in safeBins |
2026-03-18 |
| CVE-2026-26320 |
🔴 HIGH |
7.1 |
OpenClaw macOS deep link confirmation truncation can conceal executed agent message |
2026-02-19 |
| CVE-2026-26329 |
🔴 HIGH |
7.1 |
OpenClaw has a path traversal in browser upload allows local file read |
2026-02-19 |
| CVE-2026-27522 |
🔴 HIGH |
7.1 |
OpenClaw < 2026.2.24 - Arbitrary File Read via sendAttachment and setGroupIcon Message Actions |
2026-03-18 |
| CVE-2026-27566 |
🔴 HIGH |
7.1 |
OpenClaw's exec allowlist wrapper analysis did not unwrap env/shell dispatch chains |
2026-03-19 |
| CVE-2026-31992 |
🔴 HIGH |
7.1 |
OpenClaw < 2026.2.23 - Allowlist Exec-Guard Bypass via env -S |
2026-03-19 |
| CVE-2026-32008 |
🔴 HIGH |
7.1 |
OpenClaw < 2026.2.21 - Arbitrary Local File Read via Browser Navigation Guard |
2026-03-19 |
| CVE-2026-32026 |
🔴 HIGH |
7.1 |
OpenClaw < 2026.2.24 - Arbitrary File Read via Improper Temporary Path Validation in Sandbox |
2026-03-19 |
| CVE-2026-22176 |
🟡 MEDIUM |
6.9 |
OpenClaw < 2026.2.19 - Command Injection via Unescaped Environment Variables in Windows Scheduled Task Script Generation |
2026-03-19 |
| CVE-2026-22178 |
🟡 MEDIUM |
6.9 |
OpenClaw < 2026.2.19 - ReDoS and Regex Injection via Unescaped Feishu Mention Metadata |
2026-03-18 |
| CVE-2026-27004 |
🟡 MEDIUM |
6.9 |
OpenClaw session tool visibility hardening and Telegram webhook secret fallback |
2026-02-19 |
| CVE-2026-27488 |
🟡 MEDIUM |
6.9 |
OpenClaw hardened cron webhook delivery against SSRF |
2026-02-21 |
| CVE-2026-27545 |
🟡 MEDIUM |
6.9 |
OpenClaw < 2026.2.26 - Approval Bypass via Parent Symlink Current Working Directory Rebind |
2026-03-18 |
| CVE-2026-27523 |
🟡 MEDIUM |
6.9 |
OpenClaw's sandbox bind validation could bypass allowed-root and blocked-path checks via symlink-parent missing-leaf paths |
2026-03-18 |
| CVE-2026-28394 |
🟡 MEDIUM |
6.9 |
OpenClaw < 2026.2.15 - Denial of Service via Unbounded Response Parsing in web_fetch Tool |
2026-03-05 |
| CVE-2026-28480 |
🟡 MEDIUM |
6.9 |
OpenClaw Telegram allowlist authorization accepted mutable usernames |
2026-03-05 |
| CVE-2026-31994 |
🟡 MEDIUM |
6.9 |
OpenClaw < 2026.2.19 - Local Command Injection via Unsafe cmd Argument Handling in Windows Scheduled Task Script Generation |
2026-03-19 |
| CVE-2026-31990 |
🟡 MEDIUM |
6.9 |
OpenClaw < 2026.3.2 - Symlink Traversal in stageSandboxMedia Destination |
2026-03-19 |
| CVE-2026-28467 |
🟡 MEDIUM |
6.9 |
OpenClaw < 2026.2.2 - SSRF via Attachment Media URL Hydration |
2026-03-05 |
| CVE-2026-32063 |
🟡 MEDIUM |
6.9 |
OpenClaw 2026.2.19-2 < 2026.2.21 - Command Injection via Newline in systemd Unit Generation |
2026-03-11 |
| CVE-2026-27008 |
🟡 MEDIUM |
6.8 |
OpenClaw hardened the skill download target directory validation |
2026-02-19 |
| CVE-2026-29612 |
🟡 MEDIUM |
6.8 |
OpenClaw < 2026.2.14 - Denial of Service via Large Base64 Media File Decoding |
2026-03-05 |
| CVE-2026-32024 |
🟡 MEDIUM |
6.8 |
OpenClaw < 2026.2.22 - Symlink Traversal in Avatar Handling |
2026-03-19 |
| CVE-2026-26972 |
🟡 MEDIUM |
6.7 |
OpenClaw has a Path Traversal in Browser Download Functionality |
2026-02-19 |
| CVE-2026-28452 |
🟡 MEDIUM |
6.7 |
OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR) |
2026-03-05 |
| CVE-2026-26328 |
🟡 MEDIUM |
6.5 |
OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities |
2026-02-19 |
| CVE-2026-22170 |
🟡 MEDIUM |
6.3 |
OpenClaw: BlueBubbles (optional plugin) pairing/allowlist mismatch when allowFrom is empty |
2026-03-18 |
| CVE-2026-28395 |
🟡 MEDIUM |
6.3 |
OpenClaw 2026.1.14-1 < 2026.2.12 - Unintended Public Binding of Chrome Extension Relay via Wildcard cdpUrl |
2026-03-05 |
| CVE-2026-28449 |
🟡 MEDIUM |
6.3 |
OpenClaw's Nextcloud Talk webhook replay could trigger duplicate inbound processing |
2026-03-19 |
| CVE-2026-28448 |
🟡 MEDIUM |
6.3 |
OpenClaw 2026.1.29 < 2026.2.1 - Authorization Bypass in Twitch Plugin allowFrom Access Control |
2026-03-05 |
| CVE-2026-28476 |
🟡 MEDIUM |
6.3 |
OpenClaw < 2026.2.14 - Server-Side Request Forgery in Tlon Extension Authentication |
2026-03-05 |
| CVE-2026-28475 |
🟡 MEDIUM |
6.3 |
OpenClaw < 2026.2.13 - Timing Attack via Hook Token Comparison |
2026-03-05 |
| CVE-2026-32031 |
🟡 MEDIUM |
6.3 |
OpenClaw: /api/channels gateway-auth boundary bypass via path canonicalization mismatch |
2026-03-19 |
| CVE-2026-32050 |
🟡 MEDIUM |
6.3 |
OpenClaw < 2026.2.25 - Unauthorized Reaction Status Event Enqueue via Access Check Bypass |
2026-03-21 |
| CVE-2026-32034 |
🟡 MEDIUM |
6.1 |
OpenClaw < 2026.2.21 - Insecure Control UI Authentication over Plaintext HTTP |
2026-03-19 |
| CVE-2026-28460 |
🟡 MEDIUM |
6 |
OpenClaw < 2026.2.22 - Allowlist Bypass via Shell Line-Continuation Command Substitution in system.run |
2026-03-19 |
| CVE-2026-32002 |
🟡 MEDIUM |
6 |
OpenClaw's image tool bypasses tools.fs.workspaceOnly on sandbox mount paths and exfiltrates out-of-workspace images |
2026-03-19 |
| CVE-2026-32023 |
🟡 MEDIUM |
6 |
OpenClaw < 2026.2.24 - Approval Gating Bypass via Dispatch-Wrapper Depth-Cap Mismatch in system.run |
2026-03-19 |
| CVE-2026-32022 |
🟡 MEDIUM |
6 |
OpenClaw < 2026.2.21 - Arbitrary File Read via grep -e Flag Policy Bypass |
2026-03-19 |
| CVE-2026-32039 |
🟡 MEDIUM |
6 |
OpenClaw's typed sender-key matching for toolsBySender prevents identity-collision policy bypass |
2026-03-19 |
| CVE-2026-32057 |
🟡 MEDIUM |
6 |
OpenClaw < 2026.2.25 - Authentication Bypass via Control UI client.id Parameter |
2026-03-21 |
| CVE-2026-22174 |
🟡 MEDIUM |
5.9 |
OpenClaw < 2026.2.22 - Gateway Token Disclosure via Chrome CDP Probe |
2026-03-18 |
| CVE-2026-28481 |
🟡 MEDIUM |
5.9 |
OpenClaw < 2026.2.1 - Bearer Token Leakage via MS Teams Attachment Downloader Suffix Matching |
2026-03-05 |
| CVE-2026-32043 |
🟡 MEDIUM |
5.9 |
OpenClaw < 2026.2.25 - Time-of-Check-Time-of-Use via Mutable Symlink in system.run cwd Parameter |
2026-03-21 |
| CVE-2026-32054 |
🟡 MEDIUM |
5.9 |
OpenClaw < 2026.2.25 - Symlink Traversal in Browser Trace/Download Path Handling |
2026-03-21 |
| CVE-2026-22217 |
🟡 MEDIUM |
5.8 |
OpenClaw 2026.2.22 < 2026.2.23 - Arbitrary Binary Execution via $SHELL Environment Variable Trusted Prefix Fallback |
2026-03-18 |
| CVE-2026-27646 |
🟡 MEDIUM |
5.8 |
OpenClaw < 2026.3.7 - Sandbox Escape via /acp spawn Command |
2026-03-23 |
| CVE-2026-27670 |
🟡 MEDIUM |
5.8 |
OpenClaw < 2026.3.2 - Arbitrary File Write via ZIP Extraction Parent Symlink Race Condition |
2026-03-19 |
| CVE-2026-31995 |
🟡 MEDIUM |
5.8 |
OpenClaw has Windows Lobster shell fallback command injection in constrained fallback path |
2026-03-19 |
| CVE-2026-32000 |
🟡 MEDIUM |
5.8 |
OpenClaw < 2026.2.19 - Command Injection via Windows Shell Fallback in Lobster Tool Execution |
2026-03-19 |
| CVE-2026-32010 |
🟡 MEDIUM |
5.8 |
OpenClaw < 2026.2.22 - Allowlist Bypass via sort --compress-program Parameter |
2026-03-19 |
| CVE-2026-32035 |
🟡 MEDIUM |
5.8 |
OpenClaw < 2026.3.2 - Missing Owner Flag Validation in Discord Voice Transcript Handler |
2026-03-19 |
| CVE-2026-32052 |
🟡 MEDIUM |
5.8 |
OpenClaw < 2026.2.24 - Hidden Command Execution via Shell-Wrapper Positional argv Carriers |
2026-03-21 |
| CVE-2026-31993 |
🟡 MEDIUM |
5.6 |
OpenClaw < 2026.2.22 - Allowlist Parsing Mismatch in system.run Shell Chains |
2026-03-19 |
| CVE-2026-29608 |
🟡 MEDIUM |
5.4 |
OpenClaw 2026.3.1 < 2026.3.2 - Approval Integrity Bypass via system.run argv Rewriting |
2026-03-19 |
| CVE-2026-32001 |
🟡 MEDIUM |
5.3 |
OpenClaw's Node role device-identity bypass allows unauthorized node.event injection |
2026-03-19 |
| CVE-2026-32899 |
🟡 MEDIUM |
5.3 |
OpenClaw < 2026.2.25 - Sender Policy Bypass in Slack Reaction and Pin Event Handlers |
2026-03-21 |
| CVE-2026-32020 |
🟡 MEDIUM |
4.8 |
OpenClaw < 2026.2.22 - Arbitrary File Read via Symlink Following in Static File Handler |
2026-03-19 |
| CVE-2026-27485 |
🟡 MEDIUM |
4.6 |
OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection |
2026-02-21 |
| CVE-2026-31997 |
🟡 MEDIUM |
4.4 |
OpenClaw < 2026.3.1 - Executable Rebind via Unbound PATH-token in system.run Approvals |
2026-03-19 |
| CVE-2026-27486 |
🟡 MEDIUM |
4.3 |
OpenClaw: Process Safety - Unvalidated PID Kill via SIGKILL in Process Cleanup |
2026-02-21 |
| CVE-2026-24764 |
🟢 LOW |
3.7 |
OpenClaw has Remote Code Execution via System Prompt Injection in Slack Channel Descriptions |
2026-02-19 |
| CVE-2026-27484 |
🟢 LOW |
2.3 |
OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows |
2026-02-21 |
| CVE-2026-27524 |
🟢 LOW |
2.3 |
OpenClaw < 2026.2.21 - Prototype Pollution via Debug Override Path |
2026-03-18 |
| CVE-2026-32019 |
🟢 LOW |
2.3 |
OpenClaw < 2026.2.22 - Incomplete IPv4 Special-Use Range Blocking in SSRF Guard |
2026-03-19 |
| CVE-2026-32006 |
🟢 LOW |
2.3 |
OpenClaw has a BlueBubbles group allowlist mismatch via DM pairing-store fallback |
2026-03-19 |
| CVE-2026-27183 |
🟢 LOW |
2.1 |
OpenClaw: system.run wrapper-depth boundary could skip shell approval gating |
2026-03-23 |
| CVE-2026-31996 |
🟢 LOW |
2 |
OpenClaw < 2026.2.19 - safeBins stdin-only bypass via sort output and recursive grep flags |
2026-03-19 |
| CVE-2026-32018 |
🟢 LOW |
2 |
OpenClaw < 2026.2.19 - Race Condition in Sandbox Registry Write Operations |
2026-03-19 |
| CVE-2026-32067 |
🟢 LOW |
2 |
OpenClaw < 2026.2.26 - Cross-Account Authorization Bypass in DM Pairing Store |
2026-03-21 |
| CVE-2026-32058 |
🟢 LOW |
2 |
OpenClaw < 2026.2.26 - Approval Context-Binding Weakness in system.run via host=node |
2026-03-21 |