Total: 473 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2026-32906 | 1 Openclaw | 1 Openclaw | 2026-06-01 | N/A | 4.3 MEDIUM | OpenClaw before 2026.5.12 contains a privilege escalation vulnerability in Slack plugin approvals that allows exec-authorized users to resolve plugin approvals through the exec approver gate. Attackers with limited exec approval permissions can bypass intended approval splits to approve plugin actions outside operator configuration. |
| CVE-2026-32905 | 1 Openclaw | 1 Openclaw | 2026-06-01 | N/A | 8.3 HIGH | OpenClaw before 2026.5.4 contains an authorization bypass vulnerability in the bundled device-pair plugin that allows non-owner authorized chat senders to issue device-pairing bootstrap codes without proper scope validation. Attackers with chat command access can create setup codes to enroll devices with operator/node capabilities, granting persistent credentials until manual removal. |
| CVE-2026-34507 | 1 Openclaw | 1 Openclaw | 2026-06-01 | N/A | 5.4 MEDIUM | OpenClaw before 2026.4.29 contains a policy bypass vulnerability in QQBot admin commands that allows authenticated senders to skip DM-only and allowFrom policy checks. Attackers can route admin commands from unauthorized senders or contexts to execute restricted behavior that policy should have blocked. |
| CVE-2026-35630 | 1 Openclaw | 1 Openclaw | 2026-06-01 | N/A | 8.0 HIGH | OpenClaw before 2026.5.18 contains an authorization bypass vulnerability in QQBot native approval buttons that fails to enforce configured approver identity. Non-approver users can click approval buttons to resolve pending exec or plugin approval requests without proper authorization. |
| CVE-2026-35673 | 1 Openclaw | 1 Openclaw | 2026-06-01 | N/A | 6.5 MEDIUM | OpenClaw before 2026.4.29 contains an SSRF policy bypass vulnerability in browser debug and export routes that allows reuse of already-open blocked tabs. Attackers with access to these routes can bypass private-network SSRF policies by reusing blocked tabs to export or inspect content that should remain protected. |
| CVE-2026-35674 | 1 Openclaw | 1 Openclaw | 2026-06-01 | N/A | 8.8 HIGH | OpenClaw before 2026.5.18 contains a scope bypass vulnerability in the Gateway chat.send route that allows scoped clients to execute privileged commands. Attackers with operator.write scope can deliver commands through inherited external routes to bypass operator.approvals and operator.admin scope requirements, enabling unauthorized plugin, config, MCP, allowlist, and ACP mutations. |
| CVE-2026-42432 | 1 Openclaw | 1 Openclaw | 2026-05-26 | N/A | 7.8 HIGH | OpenClaw before 2026.4.8 contains a privilege escalation vulnerability allowing previously paired nodes to reconnect with exec-capable commands without the operator.admin scope requirement. Attackers can bypass re-pairing authentication to execute privileged commands on the local assistant system. |
| CVE-2026-42429 | 1 Openclaw | 1 Openclaw | 2026-05-26 | N/A | 7.1 HIGH | OpenClaw before 2026.4.8 contains a privilege escalation vulnerability in the gateway plugin HTTP authentication mechanism that escalates identity-bearing operator.read requests to runtime operator.write permissions. Attackers can exploit this by sending read-scoped requests through the gateway auth route to gain unauthorized write access to runtime operations. |
| CVE-2026-32896 | 1 Openclaw | 1 Openclaw | 2026-05-26 | N/A | 4.8 MEDIUM | The BlueBubbles webhook handler in OpenClaw versions prior to 2026.2.21 contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local routing configurations. Attackers can bypass webhook authentication by exploiting the loopback/proxy heuristics to send unauthenticated webhook events to the BlueBubbles plugin. |
| CVE-2026-32067 | 1 Openclaw | 1 Openclaw | 2026-05-26 | N/A | 3.7 LOW | OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability in the pairing-store access control for direct message pairing policy that allows attackers to reuse pairing approvals across multiple accounts. An attacker approved as a sender in one account can be automatically accepted in another account in multi-account deployments without explicit approval, bypassing authorization boundaries. |
| CVE-2026-32062 | 1 Openclaw | 2 Openclaw, Openclaw/voice-call | 2026-05-26 | N/A | 7.5 HIGH | OpenClaw versions 2026.2.21-2 up to, but not including, 2026.2.22, and @openclaw/voice-call versions 2026.2.21 up to, but not including, 2026.2.22 accept media-stream WebSocket upgrades before stream validation, allowing unauthenticated clients to establish connections. Remote attackers can hold idle pre-authenticated sockets open to consume connection resources and degrade service availability for legitimate streams. |
| CVE-2026-32022 | 1 Openclaw | 1 Openclaw | 2026-05-26 | N/A | 6.5 MEDIUM | OpenClaw versions prior to 2026.2.21 contain a stdin-only policy bypass vulnerability in the grep tool within tools.exec.safeBins that allows attackers to read arbitrary files by supplying a pattern via the -e flag parameter. Attackers can include a positional filename operand to bypass file access restrictions and read sensitive files.env from the working directory. |
| CVE-2026-28395 | 1 Openclaw | 1 Openclaw | 2026-05-26 | N/A | 6.5 MEDIUM | OpenClaw version 2026.1.14-1 prior to 2026.2.12 contains an improper network binding vulnerability in the Chrome extension (must be installed and enabled) relay server that treats wildcard hosts as loopback addresses, allowing the relay HTTP/WS server to bind to all interfaces when a wildcard cdpUrl is configured. Remote attackers can access relay HTTP endpoints off-host to leak service presence and port information, or conduct denial-of-service and brute-force attacks against the relay token header. |
| CVE-2026-22217 | 1 Openclaw | 1 Openclaw | 2026-05-26 | N/A | 6.1 MEDIUM | OpenClaw version 2026.2.22 prior to 2026.2.23 contains an arbitrary code execution vulnerability in shell-env that allows attackers to execute attacker-controlled binaries by exploiting trusted-prefix fallback logic for the $SHELL variable. An attacker can influence the $SHELL environment variable on systems with writable trusted-prefix directories such as /opt/homebrew/bin to execute arbitrary binaries in the OpenClaw process context. |
| CVE-2026-32846 | 1 Openclaw | 1 Openclaw | 2026-05-20 | N/A | 7.5 HIGH | OpenClaw before 2026.3.28 contains a path traversal vulnerability in media parsing that allows attackers to read arbitrary files by bypassing path validation in the isLikelyLocalPath() and isValidMedia() functions. Attackers can exploit incomplete validation and the allowBareFilename bypass to reference files outside the intended application sandbox, resulting in disclosure of sensitive information including system files, environment files, and SSH keys. |
| CVE-2026-8305 | 1 Openclaw | 1 Openclaw | 2026-05-16 | 7.5 HIGH | 7.3 HIGH | A vulnerability was detected in OpenClaw up to 2026.1.24. The impacted element is the function handleBlueBubblesWebhookRequest of the file extensions/bluebubbles/src/monitor.ts of the component bluebubbles Webhook. Performing a manipulation results in improper authentication. It is possible to initiate the attack remotely. The exploit is now public and may be used. Upgrading to version 2026.2.12 is sufficient to resolve this issue. The patch is named a6653be0265f1f02b9de46c06f52ea7c81a836e6. The affected component should be upgraded. |
| CVE-2026-44112 | 1 Openclaw | 1 Openclaw | 2026-05-13 | N/A | 9.6 CRITICAL | OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in OpenShell sandbox filesystem writes that allows attackers to redirect writes outside the intended mount root. Attackers can exploit symlink swaps during filesystem operations to bypass sandbox restrictions and write files outside the local mount root. |
| CVE-2026-44113 | 1 Openclaw | 1 Openclaw | 2026-05-13 | N/A | 7.7 HIGH | OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in the OpenShell filesystem bridge that allows attackers to read files outside the intended mount root. Attackers can exploit symlink swaps during filesystem operations to bypass sandbox restrictions and access unauthorized file contents. |
| CVE-2026-45006 | 1 Openclaw | 1 Openclaw | 2026-05-13 | N/A | 8.8 HIGH | OpenClaw before 2026.4.23 contains an improper access control vulnerability in the gateway tool's config.apply and config.patch operations that allows compromised models to write unsafe configuration changes by bypassing an incomplete denylist protection. Attackers can persist malicious config modifications affecting command execution, network behavior, credentials, and operator policies that survive restart. |
| CVE-2026-45005 | 1 Openclaw | 1 Openclaw | 2026-05-13 | N/A | 6.0 MEDIUM | OpenClaw before 2026.4.23 caches resolved webhook route secrets backed by SecretRef values, allowing stale secrets to remain valid after rotation and reload. Attackers with previously valid webhook route secrets can continue authenticating requests and invoking configured webhook task flows until gateway or plugin restart. |
