Filtered by vendor Openclaw
Subscribe
Total
473 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-32972 | 1 Openclaw | 1 Openclaw | 2026-03-31 | N/A | 7.1 HIGH |
| OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing authenticated operators with only operator.write permission to access admin-only browser profile management routes through browser.request. Attackers can create or modify browser profiles and persist attacker-controlled remote CDP endpoints to disk without holding operator.admin privileges. | |||||
| CVE-2026-32980 | 1 Openclaw | 1 Openclaw | 2026-03-31 | N/A | 7.5 HIGH |
| OpenClaw before 2026.3.13 reads and buffers Telegram webhook request bodies before validating the x-telegram-bot-api-secret-token header, allowing unauthenticated attackers to exhaust server resources. Attackers can send POST requests to the webhook endpoint to force memory consumption, socket time, and JSON parsing work before authentication validation occurs. | |||||
| CVE-2026-32987 | 1 Openclaw | 1 Openclaw | 2026-03-31 | N/A | 9.8 CRITICAL |
| OpenClaw before 2026.3.13 allows bootstrap setup codes to be replayed during device pairing verification in src/infra/device-bootstrap.ts. Attackers can verify a valid bootstrap code multiple times before approval to escalate pending pairing scopes, including privilege escalation to operator.admin. | |||||
| CVE-2026-33572 | 1 Openclaw | 1 Openclaw | 2026-03-31 | N/A | 8.4 HIGH |
| OpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local users to read transcript contents. Attackers with local access can read transcript files to extract sensitive information including secrets from tool output. | |||||
| CVE-2026-33574 | 1 Openclaw | 1 Openclaw | 2026-03-31 | N/A | 6.2 MEDIUM |
| OpenClaw before 2026.3.8 contains a path traversal vulnerability in the skills download installer that validates the tools root lexically but reuses the mutable path during archive download and copy operations. A local attacker can rebind the tools-root path between validation and final write to redirect the installer outside the intended tools directory. | |||||
| CVE-2026-32978 | 1 Openclaw | 1 Openclaw | 2026-03-30 | N/A | 8.0 HIGH |
| OpenClaw before 2026.3.11 contains an approval integrity vulnerability where system.run approvals fail to bind mutable file operands for certain script runners like tsx and jiti. Attackers can obtain approval for benign script commands, rewrite referenced scripts on disk, and execute modified code under the approved run context. | |||||
| CVE-2026-32975 | 1 Openclaw | 1 Openclaw | 2026-03-30 | N/A | 9.8 CRITICAL |
| OpenClaw before 2026.3.12 contains a weak authorization vulnerability in Zalouser allowlist mode that matches mutable group display names instead of stable group identifiers. Attackers can create groups with identical names to allowlisted groups to bypass channel authorization and route messages from unintended groups to the agent. | |||||
| CVE-2026-32974 | 1 Openclaw | 1 Openclaw | 2026-03-30 | N/A | 8.6 HIGH |
| OpenClaw before 2026.3.12 contains an authentication bypass vulnerability in Feishu webhook mode when only verificationToken is configured without encryptKey, allowing acceptance of forged events. Unauthenticated network attackers can inject forged Feishu events and trigger downstream tool execution by reaching the webhook endpoint. | |||||
| CVE-2026-32973 | 1 Openclaw | 1 Openclaw | 2026-03-30 | N/A | 9.8 CRITICAL |
| OpenClaw before 2026.3.11 contains an exec allowlist bypass vulnerability where matchesExecAllowlistPattern improperly normalizes patterns with lowercasing and glob matching that overmatches on POSIX paths. Attackers can exploit the ? wildcard matching across path segments to execute commands or paths not intended by operators. | |||||
| CVE-2026-32979 | 1 Openclaw | 1 Openclaw | 2026-03-30 | N/A | 7.3 HIGH |
| OpenClaw before 2026.3.11 contains an approval integrity vulnerability allowing attackers to execute rewritten local code by modifying scripts between approval and execution when exact file binding cannot occur. Remote attackers can change approved local scripts before execution to achieve unintended code execution as the OpenClaw runtime user. | |||||
| CVE-2026-33573 | 1 Openclaw | 1 Openclaw | 2026-03-30 | N/A | 8.8 HIGH |
| OpenClaw before 2026.3.11 contains an authorization bypass vulnerability in the gateway agent RPC that allows authenticated operators with operator.write permission to override workspace boundaries by supplying attacker-controlled spawnedBy and workspaceDir values. Remote operators can escape the configured workspace boundary and execute arbitrary file and exec operations from any process-accessible directory. | |||||
| CVE-2026-33575 | 1 Openclaw | 1 Openclaw | 2026-03-30 | N/A | 7.5 HIGH |
| OpenClaw before 2026.3.12 embeds long-lived shared gateway credentials directly in pairing setup codes generated by /pair endpoint and OpenClaw qr command. Attackers with access to leaked setup codes from chat history, logs, or screenshots can recover and reuse the shared gateway credential outside the intended one-time pairing flow. | |||||
| CVE-2026-32027 | 1 Openclaw | 1 Openclaw | 2026-03-26 | N/A | 6.5 MEDIUM |
| OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-store identities are incorrectly eligible for group allowlist authorization checks. Attackers can exploit this cross-context authorization flaw by using a sender approved via DM pairing to satisfy group sender allowlist checks without explicit presence in groupAllowFrom, bypassing group message access controls. | |||||
| CVE-2026-32057 | 1 Openclaw | 1 Openclaw | 2026-03-25 | N/A | 7.1 HIGH |
| OpenClaw versions prior to 2026.2.25 contain an authentication bypass vulnerability in the trusted-proxy Control UI pairing mechanism that accepts client.id=control-ui without proper device identity verification. An authenticated node role websocket client can exploit this by using the control-ui client identifier to skip pairing requirements and gain unauthorized access to node event execution flows. | |||||
| CVE-2026-32034 | 1 Openclaw | 1 Openclaw | 2026-03-25 | N/A | 8.1 HIGH |
| OpenClaw versions prior to 2026.2.21 contain an authentication bypass vulnerability in the Control UI when allowInsecureAuth is explicitly enabled and the gateway is exposed over plaintext HTTP, allowing attackers to bypass device identity and pairing verification. An attacker with leaked or intercepted credentials can obtain high-privilege Control UI access by exploiting the lack of secure authentication enforcement over unencrypted HTTP connections. | |||||
| CVE-2026-32033 | 1 Openclaw | 1 Openclaw | 2026-03-25 | N/A | 6.5 MEDIUM |
| OpenClaw versions prior to 2026.2.24 contain a path traversal vulnerability where @-prefixed absolute paths bypass workspace-only file-system boundary validation due to canonicalization mismatch. Attackers can exploit this by crafting @-prefixed paths like @/etc/passwd to read files outside the intended workspace boundary when tools.fs.workspaceOnly is enabled. | |||||
| CVE-2026-32032 | 1 Openclaw | 1 Openclaw | 2026-03-25 | N/A | 7.8 HIGH |
| OpenClaw versions prior to 2026.2.22 contain an arbitrary shell execution vulnerability in shell environment fallback that trusts the unvalidated SHELL path from the host environment. An attacker with local environment access can inject a malicious SHELL variable to execute arbitrary commands with the privileges of the OpenClaw process. | |||||
| CVE-2026-32030 | 1 Openclaw | 1 Openclaw | 2026-03-25 | N/A | 7.5 HIGH |
| OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the stageSandboxMedia function that accepts arbitrary absolute paths when iMessage remote attachment fetching is enabled. An attacker who can tamper with attachment path metadata can disclose files readable by the OpenClaw process on the configured remote host via SCP. | |||||
| CVE-2026-32029 | 1 Openclaw | 1 Openclaw | 2026-03-25 | N/A | 5.3 MEDIUM |
| OpenClaw versions prior to 2026.2.21 improperly parse the left-most X-Forwarded-For header value when requests originate from configured trusted proxies, allowing attackers to spoof client IP addresses. In proxy chains that append or preserve header values, attackers can inject malicious header content to influence security decisions including authentication rate-limiting and IP-based access controls. | |||||
| CVE-2026-32028 | 1 Openclaw | 1 Openclaw | 2026-03-25 | N/A | 5.3 MEDIUM |
| OpenClaw versions prior to 2026.2.25 fail to enforce dmPolicy and allowFrom authorization checks on Discord direct-message reaction notifications, allowing non-allowlisted users to enqueue reaction-derived system events. Attackers can exploit this inconsistency by reacting to bot-authored DM messages to bypass DM authorization restrictions and trigger downstream automation or tool policies. | |||||