Total: 292 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-35659 | 1 Openclaw | 1 Openclaw | 2026-04-13 | N/A | 4.6 MEDIUM |
| OpenClaw before 2026.3.22 contains a service discovery vulnerability where TXT metadata from Bonjour and DNS-SD could influence CLI routing even when actual service resolution failed. Attackers can exploit unresolved hints to steer routing decisions to unintended targets by providing malicious discovery metadata. | |||||
| CVE-2026-22177 | 1 Openclaw | 1 Openclaw | 2026-04-08 | N/A | 6.1 MEDIUM |
| OpenClaw versions prior to 2026.2.21 fail to filter dangerous process-control environment variables from config env.vars, allowing startup-time code execution. Attackers can inject variables like NODE_OPTIONS or LD_* through configuration to execute arbitrary code in the OpenClaw gateway service runtime context. | |||||
| CVE-2026-28463 | 1 Openclaw | 1 Openclaw | 2026-04-08 | N/A | 8.4 HIGH |
| OpenClaw versions prior to 2026.2.14 contain an arbitrary file read vulnerability in the exec-approvals allowlist validation that checks pre-expansion argv tokens but executes using real shell expansion. Attackers with authorization or through prompt-injection attacks can exploit safe binaries like head, tail, or grep with glob patterns or environment variables to disclose files readable by the gateway or node process when host execution is enabled in allowlist mode. | |||||
| CVE-2026-34510 | 1 Openclaw | 1 Openclaw | 2026-04-07 | N/A | 5.3 MEDIUM |
| OpenClaw before 2026.3.22 contains a path traversal vulnerability in Windows media loaders that accepts remote-host file URLs and UNC-style paths before local-path validation. Attackers can exploit this by providing network-hosted file targets that are treated as local content, bypassing intended access restrictions. | |||||
| CVE-2026-33579 | 1 Openclaw | 1 Openclaw | 2026-04-06 | N/A | 9.9 CRITICAL |
| OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forward caller scopes into the core approval check. A caller with pairing privileges but without admin privileges can approve pending device requests asking for broader scopes including admin access by exploiting the missing scope validation in extensions/device-pair/index.ts and src/infra/device-pairing.ts. | |||||
| CVE-2026-34426 | 1 Openclaw | 1 Openclaw | 2026-04-06 | N/A | 7.6 HIGH |
| OpenClaw versions prior to commit b57b680 contain an approval bypass vulnerability due to inconsistent environment variable normalization between approval and execution paths, allowing attackers to inject attacker-controlled environment variables into execution without approval system validation. Attackers can exploit differing normalization logic to discard non-portable keys during approval processing while accepting them at execution time, bypassing operator review and potentially influencing runtime behavior including execution of attacker-controlled binaries. | |||||
| CVE-2026-32916 | 1 Openclaw | 1 Openclaw | 2026-04-02 | N/A | 9.4 CRITICAL |
| OpenClaw versions from 2026.3.7 up to, but not including, 2026.3.11 contain an authorization bypass vulnerability where plugin subagent routes execute gateway methods through a synthetic operator client with broad administrative scopes. Remote unauthenticated requests to plugin-owned routes can invoke runtime.subagent methods to perform privileged gateway actions including session deletion and agent execution. | |||||
| CVE-2026-32917 | 1 Openclaw | 1 Openclaw | 2026-04-02 | N/A | 9.8 CRITICAL |
| OpenClaw before 2026.3.13 contains a remote command injection vulnerability in the iMessage attachment staging flow that allows attackers to execute arbitrary commands on configured remote hosts. The vulnerability exists because unsanitized remote attachment paths containing shell metacharacters are passed directly to the SCP remote operand without validation, enabling command execution when remote attachment staging is enabled. | |||||
| CVE-2026-32920 | 1 Openclaw | 1 Openclaw | 2026-04-02 | N/A | 8.4 HIGH |
| OpenClaw before 2026.3.12 automatically discovers and loads plugins from .OpenClaw/extensions/ without explicit trust verification, allowing arbitrary code execution. Attackers can execute malicious code by including crafted workspace plugins in cloned repositories that execute when users run OpenClaw from the directory. | |||||
| CVE-2026-32921 | 1 Openclaw | 1 Openclaw | 2026-04-02 | N/A | 6.3 MEDIUM |
| OpenClaw before 2026.3.8 contains an approval bypass vulnerability in system.run where mutable script operands are not bound across approval and execution phases. Attackers can obtain approval for script execution, modify the approved script file before execution, and execute different content while maintaining the same approved command shape. | |||||
| CVE-2026-32970 | 1 Openclaw | 1 Openclaw | 2026-04-02 | N/A | 2.5 LOW |
| OpenClaw before 2026.3.11 contains a credential fallback vulnerability where unavailable local gateway.auth.token and gateway.auth.password SecretRefs are treated as unset, allowing fallback to remote credentials in local mode. Attackers can exploit misconfigured local auth references to cause CLI and helper paths to select incorrect credential sources, potentially bypassing intended local authentication boundaries. | |||||
| CVE-2026-32971 | 1 Openclaw | 1 Openclaw | 2026-04-02 | N/A | 7.1 HIGH |
| OpenClaw before 2026.3.11 contains an approval-integrity vulnerability in node-host system.run approvals that displays extracted shell payloads instead of the executed argv. Attackers can place wrapper binaries and induce wrapper-shaped commands to execute local code after operators approve misleading command text. | |||||
| CVE-2026-32976 | 1 Openclaw | 1 Openclaw | 2026-04-02 | N/A | 6.5 MEDIUM |
| OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing channel commands to mutate protected sibling-account configuration despite configWrites restrictions. Attackers with authorized access on one account can execute channel commands like `/config set channels.<provider>.accounts.<id>` to modify configuration on target accounts with `configWrites: false`. | |||||
| CVE-2026-32977 | 1 Openclaw | 1 Openclaw | 2026-04-02 | N/A | 6.3 MEDIUM |
| OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in the fs-bridge writeFile commit step that uses an unanchored container path during the final move operation. An attacker can exploit a time-of-check-time-of-use race condition by modifying parent paths inside the sandbox to redirect committed files outside the validated writable path within the container mount namespace. | |||||
| CVE-2026-32982 | 1 Openclaw | 1 Openclaw | 2026-04-02 | N/A | 7.5 HIGH |
| OpenClaw before 2026.3.13 contains an information disclosure vulnerability in the fetchRemoteMedia function that exposes Telegram bot tokens in error messages. When media downloads fail, the original Telegram file URLs containing bot tokens are embedded in MediaFetchError strings and leaked to logs and error surfaces. | |||||
| CVE-2026-32988 | 1 Openclaw | 1 Openclaw | 2026-04-02 | N/A | 7.5 HIGH |
| OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in fs-bridge staged writes where temporary file creation and population are not pinned to a verified parent directory. Attackers can exploit a race condition in parent-path alias changes to write attacker-controlled bytes outside the intended validated path before the final guarded replace step executes. | |||||
| CVE-2026-34505 | 1 Openclaw | 1 Openclaw | 2026-04-02 | N/A | 6.5 MEDIUM |
| OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to bypass rate limits and brute-force webhook secrets. Attackers can submit repeated authentication requests with invalid secrets without triggering rate limit responses, enabling systematic secret guessing and subsequent forged webhook submission. | |||||
| CVE-2026-34503 | 1 Openclaw | 1 Openclaw | 2026-04-02 | N/A | 8.1 HIGH |
| OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection. | |||||
| CVE-2026-34504 | 1 Openclaw | 1 Openclaw | 2026-04-02 | N/A | 8.3 HIGH |
| OpenClaw before 2026.3.28 contains a server-side request forgery vulnerability in the fal provider image-generation-provider.ts component that allows attackers to fetch internal URLs. A malicious or compromised fal relay can exploit unguarded image download fetches to expose internal service metadata and responses through the image pipeline. | |||||
| CVE-2026-34506 | 1 Openclaw | 1 Openclaw | 2026-04-01 | N/A | 4.3 MEDIUM |
| OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message handler synthesizes wildcard sender authorization, permitting any sender in the matched team/channel to trigger replies in allowlisted Teams routes. | |||||
