Filtered by vendor Openclaw
Subscribe
Total
229 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-22171 | 1 Openclaw | 1 Openclaw | 2026-03-19 | N/A | 8.2 HIGH |
| OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the Feishu media download flow where untrusted media keys are interpolated directly into temporary file paths in extensions/feishu/src/media.ts. An attacker who can control Feishu media key values returned to the client can use traversal segments to escape os.tmpdir() and write arbitrary files within the OpenClaw process permissions. | |||||
| CVE-2026-22168 | 1 Openclaw | 1 Openclaw | 2026-03-19 | N/A | 6.5 MEDIUM |
| OpenClaw versions prior to 2026.2.21 contain an approval-integrity mismatch vulnerability in system.run that allows authenticated operators to execute arbitrary trailing arguments after cmd.exe /c while approval text reflects only a benign command. Attackers can smuggle malicious arguments through cmd.exe /c to achieve local command execution on trusted Windows nodes with mismatched audit logs. | |||||
| CVE-2026-27522 | 1 Openclaw | 1 Openclaw | 2026-03-18 | N/A | 6.5 MEDIUM |
| OpenClaw versions prior to 2026.2.24 contain a local media root bypass vulnerability in sendAttachment and setGroupIcon message actions when sandboxRoot is unset. Attackers can hydrate media from local absolute paths to read arbitrary host files accessible by the runtime user. | |||||
| CVE-2026-27523 | 1 Openclaw | 1 Openclaw | 2026-03-18 | N/A | 6.1 MEDIUM |
| OpenClaw versions prior to 2026.2.24 contain a sandbox bind validation vulnerability allowing attackers to bypass allowed-root and blocked-path checks via symlinked parent directories with non-existent leaf paths. Attackers can craft bind source paths that appear within allowed roots but resolve outside sandbox boundaries once missing leaf components are created, weakening bind-source isolation enforcement. | |||||
| CVE-2026-27545 | 1 Openclaw | 1 Openclaw | 2026-03-18 | N/A | 6.1 MEDIUM |
| OpenClaw versions prior to 2026.2.26 contain an approval bypass vulnerability in system.run execution that allows attackers to execute commands from unintended filesystem locations by rebinding writable parent symlinks in the current working directory after approval. An attacker can modify mutable parent symlink path components between approval and execution time to redirect command execution to a different location while preserving the visible working directory string. | |||||
| CVE-2026-28477 | 1 Openclaw | 1 Openclaw | 2026-03-17 | N/A | 7.1 HIGH |
| OpenClaw versions prior to 2026.2.14 contain an oauth state validation bypass vulnerability in the manual Chutes login flow that allows attackers to bypass CSRF protection. An attacker can convince a user to paste attacker-controlled OAuth callback data, enabling credential substitution and token persistence for unauthorized accounts. | |||||
| CVE-2026-28478 | 1 Openclaw | 1 Openclaw | 2026-03-17 | N/A | 7.5 HIGH |
| OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers that buffer request bodies without strict byte or time limits. Remote unauthenticated attackers can send oversized JSON payloads or slow uploads to webhook endpoints causing memory pressure and availability degradation. | |||||
| CVE-2026-28479 | 1 Openclaw | 1 Openclaw | 2026-03-17 | N/A | 7.5 HIGH |
| OpenClaw versions prior to 2026.2.15 use SHA-1 to hash sandbox identifier cache keys for Docker and browser sandbox configurations, which is deprecated and vulnerable to collision attacks. An attacker can exploit SHA-1 collisions to cause cache poisoning, allowing one sandbox configuration to be misinterpreted as another and enabling unsafe sandbox state reuse. | |||||
| CVE-2026-28480 | 1 Openclaw | 1 Openclaw | 2026-03-17 | N/A | 6.5 MEDIUM |
| OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerability where Telegram allowlist matching accepts mutable usernames instead of immutable numeric sender IDs. Attackers can spoof identity by obtaining recycled usernames to bypass allowlist restrictions and interact with bots as unauthorized senders. | |||||
| CVE-2026-28481 | 1 Openclaw | 1 Openclaw | 2026-03-17 | N/A | 6.5 MEDIUM |
| OpenClaw versions 2026.1.30 and earlier, contain an information disclosure vulnerability, patched in 2026.2.1, in the MS Teams attachment downloader (optional extension must be enabled) that leaks bearer tokens to allowlisted suffix domains. When retrying downloads after receiving 401 or 403 responses, the application sends Authorization bearer tokens to untrusted hosts matching the permissive suffix-based allowlist, enabling token theft. | |||||
| CVE-2026-30741 | 1 Openclaw | 1 Openclaw | 2026-03-17 | N/A | 9.8 CRITICAL |
| A remote code execution (RCE) vulnerability in OpenClaw Agent Platform v2026.2.6 allows attackers to execute arbitrary code via a Request-Side prompt injection attack. | |||||
| CVE-2026-4040 | 1 Openclaw | 1 Openclaw | 2026-03-16 | 1.7 LOW | 3.3 LOW |
| A vulnerability was identified in OpenClaw up to 2026.2.17. This issue affects the function tools.exec.safeBins of the component File Existence Handler. The manipulation leads to information exposure through discrepancy. The attack needs to be performed locally. Upgrading to version 2026.2.19-beta.1 is capable of addressing this issue. The identifier of the patch is bafdbb6f112409a65decd3d4e7350fbd637c7754. Upgrading the affected component is advised. | |||||
| CVE-2026-4039 | 1 Openclaw | 1 Openclaw | 2026-03-16 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was determined in OpenClaw 2026.2.19-2. This vulnerability affects the function applySkillConfigenvOverrides of the component Skill Env Handler. Executing a manipulation can lead to code injection. It is possible to launch the attack remotely. Upgrading to version 2026.2.21-beta.1 is able to resolve this issue. This patch is called 8c9f35cdb51692b650ddf05b259ccdd75cc9a83c. It is recommended to upgrade the affected component. | |||||
| CVE-2026-32061 | 1 Openclaw | 1 Openclaw | 2026-03-16 | N/A | 4.4 MEDIUM |
| OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows reading arbitrary local files outside the config directory boundary. Attackers with config modification capabilities can exploit this by specifying absolute paths, traversal sequences, or symlinks to access sensitive files readable by the OpenClaw process user, including API keys and credentials. | |||||
| CVE-2026-32063 | 1 Openclaw | 1 Openclaw | 2026-03-16 | N/A | 7.1 HIGH |
| OpenClaw version 2026.2.19-2 prior to 2026.2.21 contains a command injection vulnerability in systemd unit file generation where attacker-controlled environment values are not validated for CR/LF characters, allowing newline injection to break out of Environment= lines and inject arbitrary systemd directives. An attacker who can influence config.env.vars and trigger service install or restart can execute arbitrary commands with the privileges of the OpenClaw gateway service user. | |||||
| CVE-2026-32060 | 1 Openclaw | 1 Openclaw | 2026-03-16 | N/A | 8.8 HIGH |
| OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in apply_patch that allows attackers to write or delete files outside the configured workspace directory. When apply_patch is enabled without filesystem sandbox containment, attackers can exploit crafted paths including directory traversal sequences or absolute paths to escape workspace boundaries and modify arbitrary files. | |||||
| CVE-2026-32059 | 1 Openclaw | 1 Openclaw | 2026-03-16 | N/A | 8.8 HIGH |
| OpenClaw version 2026.2.22-2 prior to 2026.2.23 tools.exec.safeBins validation for sort command fails to properly validate GNU long-option abbreviations, allowing attackers to bypass denied-flag checks via abbreviated options. Remote attackers can execute sort commands with abbreviated long options to skip approval requirements in allowlist mode. | |||||
| CVE-2026-28471 | 1 Openclaw | 1 Openclaw | 2026-03-11 | N/A | 5.3 MEDIUM |
| OpenClaw version 2026.1.14-1 prior to 2026.2.2, with the Matrix plugin installed and enabled, contain a vulnerability in which DM allowlist matching could be bypassed by exact-matching against sender display names and localparts without homeserver validation. Remote Matrix users can impersonate allowed identities by using attacker-controlled display names or matching localparts from different homeservers to reach the routing and agent pipeline. | |||||
| CVE-2026-28473 | 1 Openclaw | 1 Openclaw | 2026-03-11 | N/A | 8.1 HIGH |
| OpenClaw versions prior to 2026.2.2 contain an authorization bypass vulnerability where clients with operator.write scope can approve or deny exec approval requests by sending the /approve chat command. The /approve command path invokes exec.approval.resolve through an internal privileged gateway client, bypassing the operator.approvals permission check that protects direct RPC calls. | |||||
| CVE-2026-28475 | 1 Openclaw | 1 Openclaw | 2026-03-11 | N/A | 4.8 MEDIUM |
| OpenClaw versions prior to 2026.2.13 use non-constant-time string comparison for hook token validation, allowing attackers to infer tokens through timing measurements. Remote attackers with network access to the hooks endpoint can exploit timing side-channels across multiple requests to gradually recover the authentication token. | |||||