Filtered by vendor Openclaw
Subscribe
Total
209 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-28460 | 1 Openclaw | 1 Openclaw | 2026-03-25 | N/A | 7.1 HIGH |
| OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run that allows attackers to execute non-allowlisted commands by splitting command substitution using shell line-continuation characters. Attackers can bypass security analysis by injecting $\\ followed by a newline and opening parenthesis inside double quotes, causing the shell to fold the line continuation into executable command substitution that circumvents approval boundaries. | |||||
| CVE-2026-28449 | 1 Openclaw | 1 Openclaw | 2026-03-25 | N/A | 6.5 MEDIUM |
| OpenClaw versions prior to 2026.2.25 lack durable replay state for Nextcloud Talk webhook events, allowing valid signed webhook requests to be replayed without suppression. Attackers can capture and replay previously valid signed webhook requests to trigger duplicate inbound message processing and cause integrity or availability issues. | |||||
| CVE-2026-27646 | 1 Openclaw | 1 Openclaw | 2026-03-25 | N/A | 6.1 MEDIUM |
| OpenClaw versions prior to 2026.3.7 contain a sandbox escape vulnerability in the /acp spawn command that allows authorized sandboxed sessions to initialize host-side ACP runtime. Attackers can bypass sandbox restrictions by invoking the /acp spawn slash-command to cross from sandboxed chat context into host-side ACP session initialization when ACP is enabled. | |||||
| CVE-2026-27524 | 1 Openclaw | 1 Openclaw | 2026-03-25 | N/A | 4.3 MEDIUM |
| OpenClaw versions prior to 2026.2.21 accept prototype-reserved keys in runtime /debug set override object values, allowing prototype pollution attacks. Authorized /debug set callers can inject __proto__, constructor, or prototype keys to manipulate object prototypes and bypass command gate restrictions. | |||||
| CVE-2026-27183 | 1 Openclaw | 1 Openclaw | 2026-03-25 | N/A | 5.3 MEDIUM |
| OpenClaw versions prior to 2026.3.7 contain a shell approval gating bypass vulnerability in system.run dispatch-wrapper handling that allows attackers to skip shell wrapper approval requirements. The approval classifier and execution planner apply different depth-boundary rules, permitting exactly four transparent dispatch wrappers like repeated env invocations before /bin/sh -c to bypass security=allowlist approval gating by misaligning classification with execution planning. | |||||
| CVE-2026-22217 | 1 Openclaw | 1 Openclaw | 2026-03-25 | N/A | 6.1 MEDIUM |
| OpenClaw version 2026.2.22 prior to 2026.2.23 contain an arbitrary code execution vulnerability in shell-env that allows attackers to execute attacker-controlled binaries by exploiting trusted-prefix fallback logic for the $SHELL variable. An attacker can influence the $SHELL environment variable on systems with writable trusted-prefix directories such as /opt/homebrew/bin to execute arbitrary binaries in the OpenClaw process context. | |||||
| CVE-2026-22181 | 1 Openclaw | 1 Openclaw | 2026-03-25 | N/A | 7.6 HIGH |
| OpenClaw versions prior to 2026.3.2 contain a DNS pinning bypass vulnerability in strict URL fetch paths that allows attackers to circumvent SSRF guards when environment proxy variables are configured. When HTTP_PROXY, HTTPS_PROXY, or ALL_PROXY environment variables are present, attacker-influenced URLs can be routed through proxy behavior instead of pinned-destination routing, enabling access to internal targets reachable from the proxy environment. | |||||
| CVE-2026-22179 | 1 Openclaw | 1 Openclaw | 2026-03-25 | N/A | 7.2 HIGH |
| OpenClaw versions prior to 2026.2.22 in macOS node-host system.run contain an allowlist bypass vulnerability that allows remote attackers to execute non-allowlisted commands by exploiting improper parsing of command substitution tokens. Attackers can craft shell payloads with command substitution syntax within double-quoted text to bypass security restrictions and execute arbitrary commands on the system. | |||||
| CVE-2026-22174 | 1 Openclaw | 1 Openclaw | 2026-03-25 | N/A | 6.8 MEDIUM |
| OpenClaw versions prior to 2026.2.22 inject the x-OpenClaw-relay-token header into Chrome CDP probe traffic on loopback interfaces, allowing local processes to capture the Gateway authentication token. An attacker controlling a loopback port can intercept CDP reachability probes to the /json/version endpoint and reuse the leaked token as Gateway bearer authentication. | |||||
| CVE-2026-22170 | 1 Openclaw | 1 Openclaw | 2026-03-25 | N/A | 6.5 MEDIUM |
| OpenClaw versions prior to 2026.2.22 with the optional BlueBubbles plugin contain an access control bypass vulnerability where empty allowFrom configuration causes dmPolicy pairing and allowlist restrictions to be ineffective. Remote attackers can send direct messages to BlueBubbles accounts by exploiting the misconfigured allowlist validation logic to bypass intended sender authorization checks. | |||||
| CVE-2026-22169 | 1 Openclaw | 1 Openclaw | 2026-03-25 | N/A | 6.7 MEDIUM |
| OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in the safeBins configuration that allows attackers to invoke external helpers through the compress-program option. When sort is explicitly added to tools.exec.safeBins, remote attackers can bypass intended safe-bin approval constraints by leveraging the compress-program parameter to execute unauthorized external programs. | |||||
| CVE-2026-32302 | 1 Openclaw | 1 Openclaw | 2026-03-24 | N/A | 8.1 HIGH |
| OpenClaw is a personal AI assistant. Prior to 2026.3.11, browser-originated WebSocket connections could bypass origin validation when gateway.auth.mode was set to trusted-proxy and the request arrived with proxy headers. A page served from an untrusted origin could connect through a trusted reverse proxy, inherit proxy-authenticated identity, and establish a privileged operator session. This vulnerability is fixed in 2026.3.11. | |||||
| CVE-2026-32005 | 1 Openclaw | 1 Openclaw | 2026-03-24 | N/A | 6.8 MEDIUM |
| OpenClaw versions prior to 2026.2.25 fail to enforce sender authorization checks for interactive callbacks including block_action, view_submission, and view_closed in shared workspace deployments. Unauthorized workspace members can bypass allowFrom restrictions and channel user allowlists to enqueue system-event text into active sessions. | |||||
| CVE-2026-32007 | 1 Openclaw | 1 Openclaw | 2026-03-24 | N/A | 6.8 MEDIUM |
| OpenClaw versions prior to 2026.2.23 contain a path traversal vulnerability in the experimental apply_patch tool that allows attackers with sandbox access to modify files outside the workspace directory by exploiting inconsistent enforcement of workspace-only checks on mounted paths. Attackers can use apply_patch operations on writable mounts outside the workspace root to access and modify arbitrary files on the system. | |||||
| CVE-2026-32006 | 1 Openclaw | 1 Openclaw | 2026-03-24 | N/A | 3.1 LOW |
| OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-store identities are incorrectly treated as group allowlist identities when dmPolicy=pairing and groupPolicy=allowlist. Remote attackers can send messages and reactions as DM-paired identities without explicit groupAllowFrom membership to bypass group sender authorization checks. | |||||
| CVE-2026-22172 | 1 Openclaw | 1 Openclaw | 2026-03-24 | N/A | 9.9 CRITICAL |
| OpenClaw versions prior to 2026.3.12 contain an authorization bypass vulnerability in the WebSocket connect path that allows shared-token or password-authenticated connections to self-declare elevated scopes without server-side binding. Attackers can exploit this logic flaw to present unauthorized scopes such as operator.admin and perform admin-only gateway operations. | |||||
| CVE-2026-32045 | 1 Openclaw | 1 Openclaw | 2026-03-24 | N/A | 5.9 MEDIUM |
| OpenClaw versions prior to 2026.2.21 incorrectly apply tokenless Tailscale header authentication to HTTP gateway routes, allowing bypass of token and password requirements. Attackers on trusted networks can exploit this misconfiguration to access HTTP gateway routes without proper authentication credentials. | |||||
| CVE-2026-32053 | 1 Openclaw | 1 Openclaw | 2026-03-24 | N/A | 6.5 MEDIUM |
| OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication where normalized event IDs are randomized per parse, allowing replay events to bypass manager dedupe checks. Attackers can replay Twilio webhook events to trigger duplicate or stale call-state transitions, potentially causing incorrect call handling and state corruption. | |||||
| CVE-2026-32054 | 1 Openclaw | 1 Openclaw | 2026-03-24 | N/A | 6.5 MEDIUM |
| OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in browser trace and download output path handling that allows local attackers to escape the managed temp root directory. An attacker with local access can create symlinks to route file writes outside the intended temp directory, enabling arbitrary file overwrite on the affected system. | |||||
| CVE-2026-32058 | 1 Openclaw | 1 Openclaw | 2026-03-24 | N/A | 2.6 LOW |
| OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness in system.run execution flows with host=node that allows reuse of previously approved requests with modified environment variables. Attackers with access to an approval id can exploit this by reusing an approval with changed env input, bypassing execution-integrity controls in approval-enabled workflows. | |||||