Filtered by vendor Openclaw
Subscribe
Total
473 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-45004 | 1 Openclaw | 1 Openclaw | 2026-05-13 | N/A | 7.8 HIGH |
| OpenClaw before 2026.4.23 contains an arbitrary code execution vulnerability in the bundled plugin setup resolver that loads setup-api.js from process.cwd() during provider setup metadata resolution. Attackers can execute arbitrary JavaScript under the current user account by placing a malicious extensions/<plugin>/setup-api.js file in a repository and convincing a user to run OpenClaw commands from that directory. | |||||
| CVE-2026-45003 | 1 Openclaw | 1 Openclaw | 2026-05-13 | N/A | 5.0 MEDIUM |
| OpenClaw before 2026.4.22 allows workspace dotenv files to override connector endpoint hosts for Matrix, Mattermost, IRC, and Synology connectors. Attackers with workspace access can redirect runtime traffic to malicious endpoints by setting endpoint variables in dotenv files. | |||||
| CVE-2026-45002 | 1 Openclaw | 1 Openclaw | 2026-05-13 | N/A | 5.3 MEDIUM |
| OpenClaw before 2026.4.20 contains a hook session-key bypass vulnerability that allows attackers to circumvent the hooks.allowRequestSessionKey opt-in restriction. Attackers can render externally influenced session keys through templated hook mappings to bypass webhook routing isolation controls. | |||||
| CVE-2026-45001 | 1 Openclaw | 1 Openclaw | 2026-05-13 | N/A | 7.1 HIGH |
| OpenClaw before 2026.4.20 contains a guard bypass vulnerability in the agent-facing gateway config.patch and config.apply endpoints that fails to protect operator-trusted settings including sandbox policy, plugin enablement, gateway auth/TLS, hook routing, MCP server configuration, SSRF policy, and filesystem hardening. A prompt-injected model with access to the owner-only gateway tool can persist unauthorized changes to protected operator settings. | |||||
| CVE-2026-45000 | 1 Openclaw | 1 Openclaw | 2026-05-13 | N/A | 5.0 MEDIUM |
| OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in browser CDP profile creation that skips strict-mode SSRF policy checks. Attackers can create stored profiles pointing to private-network or metadata endpoints that bypass security policies and are later probed during normal profile status operations. | |||||
| CVE-2026-44999 | 1 Openclaw | 1 Openclaw | 2026-05-13 | N/A | 5.3 MEDIUM |
| OpenClaw before 2026.4.20 fails to properly preserve untrusted labels for isolated cron awareness events, allowing webhook-triggered cron agent output to be recorded as trusted system events. Attackers can exploit this trust-labeling issue to strengthen prompt-injection attacks by rendering untrusted events as trusted System events. | |||||
| CVE-2026-44998 | 1 Openclaw | 1 Openclaw | 2026-05-13 | N/A | 5.4 MEDIUM |
| OpenClaw before 2026.4.20 contains a tool policy bypass vulnerability allowing bundled MCP and LSP tools to circumvent configured tool restrictions. Attackers with local agent access can append restricted tools to the effective tool set after policy filtering, bypassing profile policies, allow/deny lists, owner-only restrictions, sandbox policies, and subagent policies. | |||||
| CVE-2026-44997 | 1 Openclaw | 1 Openclaw | 2026-05-13 | N/A | 4.3 MEDIUM |
| OpenClaw before 2026.4.22 contains a security envelope constraint bypass vulnerability allowing restricted subagents to spawn ACP child sessions that fail to inherit depth, child-count limits, control scope, or target-agent restrictions. Attackers can exploit this by spawning child sessions that bypass subagent-only constraints, potentially escalating privileges or accessing restricted resources. | |||||
| CVE-2026-44996 | 1 Openclaw | 1 Openclaw | 2026-05-13 | N/A | 3.7 LOW |
| OpenClaw before 2026.4.15 contains an arbitrary local file read vulnerability in the webchat audio embedding helper that fails to apply local media root containment checks. Attackers can influence agent or tool-produced ReplyPayload.mediaUrl parameters to resolve absolute local paths or file URLs, read audio-like files, and embed them base64-encoded into webchat responses. | |||||
| CVE-2026-44995 | 1 Openclaw | 1 Openclaw | 2026-05-13 | N/A | 7.3 HIGH |
| OpenClaw before 2026.4.20 contains an improper environment variable validation vulnerability in MCP stdio server configuration that allows attackers to execute arbitrary code. Malicious workspace configurations can pass dangerous startup variables like NODE_OPTIONS, LD_PRELOAD, or BASH_ENV to spawned MCP server processes, enabling code injection when operators start sessions using those servers. | |||||
| CVE-2026-44994 | 1 Openclaw | 1 Openclaw | 2026-05-13 | N/A | 5.3 MEDIUM |
| OpenClaw before 2026.4.22 contains an authentication bypass vulnerability in the Control UI bootstrap config endpoint that allows unauthenticated attackers to read sensitive configuration fields. Attackers can access the bootstrap config route without a valid Gateway token to expose sensitive bootstrap and config information intended only for authenticated Control UI sessions. | |||||
| CVE-2026-44993 | 1 Openclaw | 1 Openclaw | 2026-05-13 | N/A | 5.4 MEDIUM |
| OpenClaw before 2026.4.20 contains a message classification vulnerability in Feishu card-action callbacks that misclassifies direct messages as group conversations. Attackers can bypass dmPolicy enforcement by triggering card-action flows in direct message conversations that should have been blocked by restrictive policies. | |||||
| CVE-2026-44992 | 1 Openclaw | 1 Openclaw | 2026-05-13 | N/A | 5.0 MEDIUM |
| OpenClaw versions 2026.4.5 before 2026.4.20 contain an environment variable injection vulnerability allowing workspace dotenv to override MINIMAX_API_HOST. Attackers can redirect credentialed MiniMax API requests to attacker-controlled origins, exposing the MiniMax API key in Authorization headers. | |||||
| CVE-2026-44991 | 1 Openclaw | 1 Openclaw | 2026-05-13 | N/A | 4.2 MEDIUM |
| OpenClaw before 2026.4.21 contains an authorization bypass vulnerability in command-auth.ts that allows non-owner senders to execute owner-enforced slash commands when wildcard inbound senders are configured without explicit owner allowFrom settings. Attackers can exploit this by sending commands like /send, /config, or /debug on affected channels to bypass owner-only command authorization checks. | |||||
| CVE-2026-41355 | 1 Openclaw | 1 Openclaw | 2026-05-12 | N/A | 7.3 HIGH |
| OpenClaw before 2026.3.28 contains an arbitrary code execution vulnerability in mirror mode that converts untrusted sandbox files into workspace hooks. Attackers with mirror mode access can execute arbitrary code on the host during gateway startup by exploiting enabled workspace hooks. | |||||
| CVE-2026-44111 | 1 Openclaw | 1 Openclaw | 2026-05-07 | N/A | 4.3 MEDIUM |
| OpenClaw before 2026.4.15 contains an arbitrary file read vulnerability in the QMD backend memory_get function that allows callers to read any Markdown files within the workspace root. Attackers with access to the memory tool can bypass path restrictions by providing arbitrary workspace Markdown paths to read files outside canonical memory locations or indexed QMD result sets. | |||||
| CVE-2026-44110 | 1 Openclaw | 1 Openclaw | 2026-05-07 | N/A | 8.8 HIGH |
| OpenClaw before 2026.4.15 contains an authorization bypass vulnerability in Matrix room control-command authorization that trusts DM pairing-store entries. Attackers with DM-paired sender IDs can execute room control commands without being in configured allowlists by posting in bot rooms, potentially enabling privileged OpenClaw behavior. | |||||
| CVE-2026-44109 | 1 Openclaw | 1 Openclaw | 2026-05-07 | N/A | 9.8 CRITICAL |
| OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting requests, enabling attackers to bypass signature verification and replay protection to execute arbitrary commands. | |||||
| CVE-2026-43585 | 1 Openclaw | 1 Openclaw | 2026-05-07 | N/A | 8.1 HIGH |
| OpenClaw before 2026.4.15 captures resolved bearer-auth configuration at startup, allowing revoked tokens to remain valid after SecretRef rotation. Gateway HTTP and WebSocket handlers fail to re-resolve authentication per-request, enabling attackers to use rotated-out bearer tokens for unauthorized gateway access. | |||||
| CVE-2026-43584 | 1 Openclaw | 1 Openclaw | 2026-05-07 | N/A | 8.8 HIGH |
| OpenClaw before 2026.4.10 contains an insufficient environment variable denylist vulnerability in its exec environment policy that allows operator-supplied overrides of high-risk interpreter startup variables including VIMINIT, EXINIT, LUA_INIT, and HOSTALIASES. Attackers can exploit this by manipulating these environment variables to influence downstream execution behavior or network connectivity. | |||||