| CVE | Severity | Score | Summary | Date |
|---|---|---|---|---|
| CVE-2026-28363 | 🟣 CRITICAL | 9.9 | In OpenClaw before 2026.2.23, tools.exec.safeBins validation for sort could be… | 2026-02-27 |
| CVE-2026-28466 | 🟣 CRITICAL | 9.4 | OpenClaw < 2026.2.14 - Remote Code Execution via Node Invoke Approval Bypass | 2026-03-05 |
| CVE-2026-32922 | 🟣 CRITICAL | 9.4 | OpenClaw < 2026.3.11 - Privilege Escalation via Unvalidated Scope in device.token.rotate | 2026-03-29 |
| CVE-2026-32978 | 🟣 CRITICAL | 9.4 | OpenClaw < 2026.3.11 - Approval Bypass via Unrecognized Script Runners | 2026-03-29 |
| CVE-2026-28474 | 🟣 CRITICAL | 9.3 | OpenClaw Nextcloud Talk < 2026.2.6 - Allowlist Bypass via actor.name Display Name Spoofing | 2026-03-05 |
| CVE-2026-32038 | 🟣 CRITICAL | 9.3 | OpenClaw - Sandbox Network Isolation Bypass via docker.network=container Parameter | 2026-03-19 |
| CVE-2026-28391 | 🟣 CRITICAL | 9.2 | OpenClaw < 2026.2.2 - Command Injection via cmd.exe Parsing Bypass in Allowlist Enforcement | 2026-03-05 |
| CVE-2026-28472 | 🟣 CRITICAL | 9.2 | OpenClaw < 2026.2.2 - Device Identity Check Bypass in Gateway WebSocket Connect Handshake | 2026-03-05 |
| CVE-2026-32916 | 🟣 CRITICAL | 9.2 | OpenClaw 2026.3.7 < 2026.3.11 - Authorization Bypass in Plugin Subagent Routes via Synthetic Admin Scopes | 2026-03-31 |
| CVE-2026-32918 | 🟣 CRITICAL | 9.2 | OpenClaw < 2026.3.11 - Session Sandbox Escape via session_status Tool | 2026-03-29 |
| CVE-2026-24763 | 🔴 HIGH | 8.8 | OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable | 2026-02-02 |
| CVE-2026-25253 | 🔴 HIGH | 8.8 | OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl | 2026-02-01 |
| CVE-2026-32913 | 🔴 HIGH | 8.8 | OpenClaw < 2026.3.7 - Custom Authorization Header Leakage via Cross-Origin Redirects | 2026-03-23 |
| CVE-2026-32974 | 🔴 HIGH | 8.8 | OpenClaw < 2026.3.12 - Forged Event Injection via Feishu Webhook Verification Token | 2026-03-29 |
| CVE-2026-28461 | 🔴 HIGH | 8.7 | OpenClaw < 2026.3.1 - Unbounded Memory Growth in Zalo Webhook via Query String Key Churn | 2026-03-19 |
| CVE-2026-28462 | 🔴 HIGH | 8.7 | OpenClaw < 2026.2.13 - Path Traversal in Trace and Download Output Paths | 2026-03-05 |
| CVE-2026-28478 | 🔴 HIGH | 8.7 | OpenClaw affected by denial of service via unbounded webhook request body buffering | 2026-03-05 |
| CVE-2026-32011 | 🔴 HIGH | 8.7 | OpenClaw < 2026.3.2 - Slow-Request Denial of Service via Pre-Auth Webhook Body Parsing | 2026-03-19 |
| CVE-2026-32042 | 🔴 HIGH | 8.7 | OpenClaw < 2026.2.25 - Privilege Escalation via Unpaired Device Identity in Shared Gateway Authentication | 2026-03-21 |
| CVE-2026-32049 | 🔴 HIGH | 8.7 | OpenClaw < 2026.2.22 - Denial of Service via Inbound Media Download Byte Limit Bypass | 2026-03-21 |
| CVE-2026-32059 | 🔴 HIGH | 8.7 | OpenClaw 2026.2.22-2 < 2026.2.23 - Allowlist Bypass via sort Long-Option Abbreviation in tools.exec.safeBins | 2026-03-11 |
| CVE-2026-32914 | 🔴 HIGH | 8.7 | OpenClaw < 2026.3.12 - Insufficient Access Control in /config and /debug Endpoints | 2026-03-29 |
| CVE-2026-27001 | 🔴 HIGH | 8.6 | OpenClaw: Unsanitized CWD path injection into LLM prompts | 2026-02-19 |
| CVE-2026-26323 | 🔴 HIGH | 8.6 | OpenClaw has a command injection in maintainer clawtributors updater | 2026-02-19 |
| CVE-2026-28463 | 🔴 HIGH | 8.6 | OpenClaw < 2026.2.14 - Arbitrary File Read via Shell Expansion in Safe Bins Allowlist | 2026-03-05 |
| CVE-2026-33577 | 🔴 HIGH | 8.6 | OpenClaw < 2026.3.28 - Insufficient Scope Validation in node.pair.approve | 2026-03-31 |
| CVE-2026-34503 | 🔴 HIGH | 8.6 | OpenClaw's device removal and token revocation do not terminate active WebSocket sessions | 2026-03-31 |
| CVE-2026-32064 | 🔴 HIGH | 8.5 | OpenClaw < 2026.2.21 - Missing VNC Authentication in Sandbox Browser noVNC Observer | 2026-03-21 |
| CVE-2026-25593 | 🔴 HIGH | 8.4 | OpenClaw Affected by Unauthenticated Local RCE via WebSocket config.apply | 2026-02-06 |
| CVE-2026-31998 | 🔴 HIGH | 8.3 | OpenClaw 2026.2.22 < 2026.2.24 - Authorization Bypass in Synology Chat Plugin via Empty allowedUserIds | 2026-03-19 |
| CVE-2026-32036 | 🔴 HIGH | 8.3 | OpenClaw < 2026.2.26 - Authentication Bypass via Encoded Dot-Segment Traversal in /api/channels | 2026-03-19 |
| CVE-2026-28454 | 🔴 HIGH | 8.2 | OpenClaw < 2026.2.2 - Authorization Bypass via Unauthenticated Telegram Webhook | 2026-03-05 |
| CVE-2026-28464 | 🔴 HIGH | 8.2 | OpenClaw < 2026.2.12 - Timing Attack in Hooks Token Authentication | 2026-03-05 |
| CVE-2026-28469 | 🔴 HIGH | 8.2 | OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting | 2026-03-05 |
| CVE-2026-28465 | 🔴 HIGH | 8.2 | OpenClaw voice-call < 2026.2.3 - Webhook Verification Bypass via Forwarded Headers | 2026-03-05 |
| CVE-2026-25157 | 🔴 HIGH | 7.8 | OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand | 2026-02-04 |
| CVE-2026-32048 | 🔴 HIGH | 7.7 | OpenClaw < 2026.3.1 - Sandbox Escape via Cross-Agent sessions_spawn | 2026-03-21 |
| CVE-2026-32056 | 🔴 HIGH | 7.7 | OpenClaw < 2026.2.22 - Remote Code Execution via Shell Startup Environment Variable Injection in system.run | 2026-03-21 |
| CVE-2026-26322 | 🔴 HIGH | 7.6 | OpenClaw Gateway tool allowed unrestricted gatewayUrl override | 2026-02-19 |
| CVE-2026-32007 | 🔴 HIGH | 7.6 | OpenClaw < 2026.2.23 - Sandbox Bypass in apply_patch Tool via Workspace-Only Check Bypass | 2026-03-19 |
| CVE-2026-22179 | 🔴 HIGH | 7.5 | OpenClaw < 2026.2.22 - Allowlist Bypass via Command Substitution in system.run | 2026-03-18 |
| CVE-2026-28485 | 🔴 HIGH | 7.5 | OpenClaw 2026.1.5 < 2026.2.12 - Missing Authentication in Browser Control HTTP Endpoints | 2026-03-05 |
| CVE-2026-32025 | 🔴 HIGH | 7.5 | OpenClaw < 2026.2.25 - Password Brute-Force via Browser-Origin WebSocket Authentication Bypass | 2026-03-19 |
| CVE-2026-28458 | 🔴 HIGH | 7.4 | OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access | 2026-03-05 |
| CVE-2026-26325 | 🔴 HIGH | 7.2 | OpenClaw Node host system.run rawCommand/command mismatch can bypass allowlist/approvals | 2026-02-19 |
| CVE-2026-22168 | 🔴 HIGH | 7.1 | OpenClaw < 2026.2.21 - Command Injection via cmd.exe /c Trailing Arguments in system.run | 2026-03-18 |
| CVE-2026-26317 | 🔴 HIGH | 7.1 | OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints | 2026-02-19 |
| CVE-2026-32026 | 🔴 HIGH | 7.1 | OpenClaw < 2026.2.24 - Arbitrary File Read via Improper Temporary Path Validation in Sandbox | 2026-03-19 |
| CVE-2026-32027 | 🔴 HIGH | 7.1 | OpenClaw < 2026.2.26 - Improper Authorization via DM Pairing Store Identity Inheritance in Group Allowlist | 2026-03-19 |
| CVE-2026-33581 | 🔴 HIGH | 7.1 | OpenClaw < 2026.3.24 - Arbitrary File Read via mediaUrl and fileUrl Parameters | 2026-03-31 |
| CVE-2026-28447 | 🔴 HIGH | 7 | OpenClaw 2026.1.29-beta.1 < 2026.2.1 - Path Traversal in Plugin Installation via Package Name | 2026-03-05 |
| CVE-2026-32979 | 🔴 HIGH | 7 | OpenClaw < 2026.3.11 - Unbound Interpreter and Runtime Commands Bypass in node-host Approval | 2026-03-29 |
| CVE-2026-22176 | 🟡 MEDIUM | 6.9 | OpenClaw < 2026.2.19 - Command Injection via Unescaped Environment Variables in Windows Scheduled Task Script Generation | 2026-03-19 |
| CVE-2026-28480 | 🟡 MEDIUM | 6.9 | OpenClaw Telegram allowlist authorization accepted mutable usernames | 2026-03-05 |
| CVE-2026-31990 | 🟡 MEDIUM | 6.9 | OpenClaw < 2026.3.2 - Symlink Traversal in stageSandboxMedia Destination | 2026-03-19 |
| CVE-2026-28394 | 🟡 MEDIUM | 6.9 | OpenClaw < 2026.2.15 - Denial of Service via Unbounded Response Parsing in web_fetch Tool | 2026-03-05 |
| CVE-2026-32063 | 🟡 MEDIUM | 6.9 | OpenClaw 2026.2.19-2 < 2026.2.21 - Command Injection via Newline in systemd Unit Generation | 2026-03-11 |
| CVE-2026-32919 | 🟡 MEDIUM | 6.9 | OpenClaw < 2026.3.11 - Unauthorized Session Reset via agent Slash Commands | 2026-03-29 |
| CVE-2026-32924 | 🟡 MEDIUM | 6.9 | OpenClaw < 2026.3.12 - Authorization Bypass via Misclassified Reaction Events in Feishu | 2026-03-29 |
| CVE-2026-33576 | 🟡 MEDIUM | 6.9 | OpenClaw < 2026.3.28 - Unauthorized Media Download via Zalo Channel | 2026-03-31 |
| CVE-2026-34510 | 🟡 MEDIUM | 6.9 | OpenClaw < 2026.3.22 - Remote File URL Acceptance in Windows Media Loaders | 2026-04-01 |
| CVE-2026-34505 | 🟡 MEDIUM | 6.9 | OpenClaw < 2026.3.12 - Webhook Rate Limiting Bypass via Pre-Authentication Secret Validation | 2026-03-31 |
| CVE-2026-29612 | 🟡 MEDIUM | 6.8 | OpenClaw < 2026.2.14 - Denial of Service via Large Base64 Media File Decoding | 2026-03-05 |
| CVE-2026-32024 | 🟡 MEDIUM | 6.8 | OpenClaw < 2026.2.22 - Symlink Traversal in Avatar Handling | 2026-03-19 |
| CVE-2026-28452 | 🟡 MEDIUM | 6.7 | OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR) | 2026-03-05 |
| CVE-2026-32044 | 🟡 MEDIUM | 6.7 | OpenClaw < 2026.3.2 - Tar Archive Safety Bypass in Skills Installation | 2026-03-21 |
| CVE-2026-26328 | 🟡 MEDIUM | 6.5 | OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities | 2026-02-19 |
| CVE-2026-28448 | 🟡 MEDIUM | 6.3 | OpenClaw 2026.1.29 < 2026.2.1 - Authorization Bypass in Twitch Plugin allowFrom Access Control | 2026-03-05 |
| CVE-2026-28451 | 🟡 MEDIUM | 6.3 | OpenClaw < 2026.2.14 - SSRF via Feishu Extension Media Fetching | 2026-03-05 |
| CVE-2026-28475 | 🟡 MEDIUM | 6.3 | OpenClaw < 2026.2.13 - Timing Attack via Hook Token Comparison | 2026-03-05 |
| CVE-2026-32031 | 🟡 MEDIUM | 6.3 | OpenClaw < 2026.2.26 - Authentication Bypass via Path Canonicalization Mismatch in /api/channels Gateway | 2026-03-19 |
| CVE-2026-32050 | 🟡 MEDIUM | 6.3 | OpenClaw < 2026.2.25 - Unauthorized Reaction Status Event Enqueue via Access Check Bypass | 2026-03-21 |
| CVE-2026-32896 | 🟡 MEDIUM | 6.3 | OpenClaw < 2026.2.21 - Unauthenticated Webhook Access via Passwordless Fallback in BlueBubbles Plugin | 2026-03-21 |
| CVE-2026-32897 | 🟡 MEDIUM | 6.3 | OpenClaw < 2026.2.22 - Authentication Token Reuse in Owner ID Prompt Hashing Fallback | 2026-03-21 |
| CVE-2026-33580 | 🟡 MEDIUM | 6.3 | OpenClaw < 2026.3.28 - Brute Force Attack via Missing Rate Limiting on Webhook Shared Secret Authentication | 2026-03-31 |
| CVE-2026-32023 | 🟡 MEDIUM | 6 | OpenClaw < 2026.2.24 - Approval Gating Bypass via Dispatch-Wrapper Depth-Cap Mismatch in system.run | 2026-03-19 |
| CVE-2026-32039 | 🟡 MEDIUM | 6 | OpenClaw < 2026.2.22 - Sender Authorization Bypass via Identity Collision in toolsBySender | 2026-03-19 |
| CVE-2026-32033 | 🟡 MEDIUM | 6 | OpenClaw < 2026.2.24 - Path Traversal via @-prefixed Absolute Paths in Workspace Boundary Validation | 2026-03-19 |
| CVE-2026-22174 | 🟡 MEDIUM | 5.9 | OpenClaw < 2026.2.22 - Gateway Token Disclosure via Chrome CDP Probe | 2026-03-18 |
| CVE-2026-32054 | 🟡 MEDIUM | 5.9 | OpenClaw < 2026.2.25 - Symlink Traversal in Browser Trace/Download Path Handling | 2026-03-21 |
| CVE-2026-22217 | 🟡 MEDIUM | 5.8 | OpenClaw 2026.2.22 < 2026.2.23 - Arbitrary Binary Execution via $SHELL Environment Variable Trusted Prefix Fallback | 2026-03-18 |
| CVE-2026-27670 | 🟡 MEDIUM | 5.8 | OpenClaw < 2026.3.2 - Arbitrary File Write via ZIP Extraction Parent Symlink Race Condition | 2026-03-19 |
| CVE-2026-27646 | 🟡 MEDIUM | 5.8 | OpenClaw < 2026.3.7 - Sandbox Escape via /acp spawn Command | 2026-03-23 |
| CVE-2026-31999 | 🟡 MEDIUM | 5.8 | OpenClaw 2026.2.26 < 2026.3.1 - Current Working Directory Injection via Windows Wrapper Resolution Fallback | 2026-03-19 |
| CVE-2026-32035 | 🟡 MEDIUM | 5.8 | OpenClaw < 2026.3.2 - Missing Owner Flag Validation in Discord Voice Transcript Handler | 2026-03-19 |
| CVE-2026-32052 | 🟡 MEDIUM | 5.8 | OpenClaw < 2026.2.24 - Hidden Command Execution via Shell-Wrapper Positional argv Carriers | 2026-03-21 |
| CVE-2026-32977 | 🟡 MEDIUM | 5.8 | OpenClaw < 2026.3.11 - Sandbox Boundary Bypass via Unanchored writeFile Commit Path | 2026-03-31 |
| CVE-2026-32065 | 🟡 MEDIUM | 5.7 | OpenClaw < 2026.2.25 - Approval Identity Mismatch in system.run Command Execution | 2026-03-21 |
| CVE-2026-28457 | 🟡 MEDIUM | 5.6 | OpenClaw < 2026.2.14 - Path Traversal in Sandbox Skill Mirroring via Name Parameter | 2026-03-05 |
| CVE-2026-31993 | 🟡 MEDIUM | 5.6 | OpenClaw < 2026.2.22 - Allowlist Parsing Mismatch in system.run Shell Chains | 2026-03-19 |
| CVE-2026-31989 | 🟡 MEDIUM | 5.3 | OpenClaw < 2026.3.1 - Server-Side Request Forgery via web_search Citation Redirect | 2026-03-19 |
| CVE-2026-32001 | 🟡 MEDIUM | 5.3 | OpenClaw < 2026.2.22 - Node Role Device-Identity Bypass via WebSocket Authentication | 2026-03-19 |
| CVE-2026-32895 | 🟡 MEDIUM | 5.3 | OpenClaw < 2026.2.26 - Sender Authorization Bypass in Slack System Event Handlers | 2026-03-21 |
| CVE-2026-32921 | 🟡 MEDIUM | 5.3 | OpenClaw < 2026.3.8 - Script Content Modification via Mutable Operand Binding in system.run | 2026-03-31 |
| CVE-2026-32923 | 🟡 MEDIUM | 5.3 | OpenClaw < 2026.3.11 - Authorization Bypass in Discord Guild Reaction Allowlist Enforcement | 2026-03-29 |
| CVE-2026-33578 | 🟡 MEDIUM | 5.3 | OpenClaw: Google Chat and Zalouser group sender allowlist bypass via policy downgrade | 2026-03-31 |
| CVE-2026-27576 | 🟡 MEDIUM | 4.8 | OpenClaw: ACP prompt-size checks missing in local stdio bridge could reduce responsiveness with very large inputs | 2026-02-21 |
| CVE-2026-32020 | 🟡 MEDIUM | 4.8 | OpenClaw < 2026.2.22 - Arbitrary File Read via Symlink Following in Static File Handler | 2026-03-19 |
| CVE-2026-32046 | 🟡 MEDIUM | 4.8 | OpenClaw < 2026.2.21 - OS-level Sandbox Bypass via --no-sandbox Flag | 2026-03-21 |
| CVE-2026-31997 | 🟡 MEDIUM | 4.4 | OpenClaw < 2026.3.1 - Executable Rebind via Unbound PATH-token in system.run Approvals | 2026-03-19 |
| CVE-2026-27486 | 🟡 MEDIUM | 4.3 | OpenClaw: Process Safety - Unvalidated PID Kill via SIGKILL in Process Cleanup | 2026-02-21 |
| CVE-2026-24764 | 🟢 LOW | 3.7 | OpenClaw has Remote Code Execution via System Prompt Injection in Slack Channel Descriptions | 2026-02-19 |
| CVE-2026-27524 | 🟢 LOW | 2.3 | OpenClaw < 2026.2.21 - Prototype Pollution via Debug Override Path | 2026-03-18 |
| CVE-2026-34506 | 🟢 LOW | 2.3 | OpenClaw < 2026.3.8 - Sender Allowlist Bypass in Microsoft Teams Plugin via Route Allowlist Configuration | 2026-03-31 |
| CVE-2026-31991 | 🟢 LOW | 2 | OpenClaw < 2026.2.26 - Authorization Bypass via DM Pairing-Store Leakage in Signal Group Allowlist | 2026-03-19 |
| CVE-2026-32067 | 🟢 LOW | 2 | OpenClaw < 2026.2.26 - Cross-Account Authorization Bypass in DM Pairing Store | 2026-03-21 |
| CVE-2026-32018 | 🟢 LOW | 2 | OpenClaw < 2026.2.19 - Race Condition in Sandbox Registry Write Operations | 2026-03-19 |