An automated tracker that continuously monitors OpenClaw security advisories across the GitHub Advisory Database, repo-level security advisories, and a full scan of the CVE V5 (cvelistV5) registry covering every CVE affecting OpenClaw regardless of which CNA assigned it. On each run it pulls the latest data, reconciles GHSA → CVE publication state, breaks the totals down by assigning CNA, and regenerates this dashboard so you always have an up-to-date picture of the project's vulnerability landscape.
Last updated: 2026-07-01 13:05 UTC · MIT License · Full Advisory List · Security Policy · Data: cvelistV5 + Advisory DB · Updates every 6h
| Field | Value |
|---|---|
| Current Name | OpenClaw |
| Previous Names | Moltbot (second name), Clawdbot (original name) |
| Repository | openclaw/openclaw |
| npm Package | openclaw (formerly clawdbot) |
| Author | Peter Steinberger (steipete) |
Search terms for CVE discovery
To find all CVEs, search for: openclaw, clawdbot, moltbot, clawhub, pkg:npm/clawdbot, pkg:npm/openclaw
The sections lower down track CVEs that have an OpenClaw GitHub Security Advisory (GHSA), which is only part of the picture. A direct scan of the authoritative CVE List V5 registry finds 543 CVEs that name OpenClaw as an affected product, the large majority assigned by third-party CNAs (VulnCheck above all) rather than by the project through GitHub. Earlier versions of this tracker reported only the ~50 GHSA-linked CVEs and were blind to this external stream.
| Category | Count |
|---|---|
| Total OpenClaw CVEs (all CNAs) | 543 |
| Project-issued (GitHub as CNA) | 34 |
| Third-party-issued (VulnCheck, ZDI, MITRE, …) | 509 |
| CNA | CVEs | Share |
|---|---|---|
| VulnCheck | 500 | 92.1% |
| GitHub_M | 34 | 6.3% |
| VulDB | 4 | 0.7% |
| zdi | 3 | 0.6% |
| mitre | 2 | 0.4% |
Monthly publication counts across 2026 for all CNAs (VulnCheck-led); the totals sum to the 543 above:
| Month | CVEs | Volume |
|---|---|---|
| 2026-02 | 35 | ████ |
| 2026-03 | 198 | ████████████████████ |
| 2026-04 | 174 | ██████████████████ |
| 2026-05 | 75 | ████████ |
| 2026-06 | 61 | ██████ |
Methodology: generated by `reconcile_cnas.py`, which scans every record in CVEProject/cvelistV5 and selects those whose `containers.cna.affected[].vendor` or `.product` is `openclaw` (case-insensitive), or that reference `github.com/openclaw/openclaw`. `REJECTED` records are excluded. The repository-URL rule is what picks up records still filed under the old vendor/product name: CVE-2026-24763, for instance, is recorded as `clawdbot/clawdbot` and reaches the set through its repository reference, so the reference check is not optional. VulnCheck is by far the dominant CNA; its researchers drive the bulk of OpenClaw disclosures. The GHSA-based sections below cover the project's own advisories and are unchanged. Full reconciled set: `openclaw-cves-all.json` · aggregates: `cna-breakdown.json`.
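As an added illustration of those selection and aggregation rules (example code written for this page, not the tracker's own `reconcile_cnas.py`), the following script applies them to a handful of constructed records in the CVE JSON 5.x shape and produces the same kind of CNA and monthly breakdown shown above. The placeholder CVE IDs, the product-name set and the record contents are assumptions of the example:

```python
"""Select and aggregate CVE V5 records for one product.

Added illustration of the selection rules stated in the methodology above;
it is not the tracker's reconcile_cnas.py. Record shapes follow the CVE JSON
5.x schema used by CVEProject/cvelistV5. The sample records at the bottom are
constructed for this example; their IDs are placeholders, not real CVEs.
"""
import json
from collections import Counter
from typing import Iterable

PRODUCT_NAMES = {"openclaw"}                 # compared case-insensitively
REPO_URL = "github.com/openclaw/openclaw"    # reference-URL fallback rule


def matches_product(record: dict, names=PRODUCT_NAMES, repo_url=REPO_URL) -> bool:
    """True if the CNA container names the product as vendor or product,
    or any CNA reference cites the project repository.

    The reference rule is what catches records filed under an older
    vendor/product name (e.g. clawdbot/clawdbot) that still link the repo.
    """
    cna = record.get("containers", {}).get("cna", {})
    for aff in cna.get("affected", []):
        vendor = str(aff.get("vendor", "")).lower()
        product = str(aff.get("product", "")).lower()
        if vendor in names or product in names:
            return True
    return any(repo_url in str(ref.get("url", "")).lower()
               for ref in cna.get("references", []))


def is_rejected(record: dict) -> bool:
    """cveMetadata.state is PUBLISHED or REJECTED; a rejected ID carries no finding."""
    return str(record.get("cveMetadata", {}).get("state", "")).upper() == "REJECTED"


def reconcile(records: Iterable[dict]) -> dict:
    """Filter records, then aggregate by assigning CNA and by publication month."""
    selected = [r for r in records if not is_rejected(r) and matches_product(r)]
    total = len(selected)
    by_cna = Counter(r["cveMetadata"].get("assignerShortName", "unknown") for r in selected)
    by_month = Counter((r["cveMetadata"].get("datePublished") or "")[:7] for r in selected)
    return {
        "total": total,
        "ids": sorted(r["cveMetadata"]["cveId"] for r in selected),
        # (CNA, count, share %) in descending order, like the CNA table above
        "by_cna": [(cna, n, round(100.0 * n / total, 1)) for cna, n in by_cna.most_common()],
        "by_month": dict(sorted(by_month.items())),
    }


def _record(cve_id, cna, vendor, product, published, state="PUBLISHED", refs=()):
    """Minimal CVE 5.x record (constructed sample data, placeholder IDs)."""
    return {
        "dataType": "CVE_RECORD",
        "dataVersion": "5.1",
        "cveMetadata": {"cveId": cve_id, "assignerShortName": cna,
                        "state": state, "datePublished": published},
        "containers": {"cna": {
            "affected": [{"vendor": vendor, "product": product}],
            "references": [{"url": u} for u in refs],
        }},
    }


SAMPLE_RECORDS = [
    _record("CVE-0000-0001", "VulnCheck", "OpenClaw", "OpenClaw", "2026-03-05T10:00:00.000Z"),
    # old vendor/product name: selected only through the repository reference
    _record("CVE-0000-0002", "GitHub_M", "clawdbot", "clawdbot", "2026-02-02T10:00:00.000Z",
            refs=["https://github.com/openclaw/openclaw/releases/tag/v2026.1.29"]),
    # lowercase vendor with a component as product: selected by the vendor field
    _record("CVE-0000-0003", "VulnCheck", "openclaw", "Browser Relay", "2026-03-20T10:00:00.000Z"),
    # rejected record: excluded even though it names the product
    _record("CVE-0000-0004", "VulnCheck", "OpenClaw", "OpenClaw", "2026-04-01T10:00:00.000Z",
            state="REJECTED"),
    # unrelated product: not selected
    _record("CVE-0000-0005", "mitre", "OtherVendor", "OtherProduct", "2026-04-01T10:00:00.000Z"),
]

if __name__ == "__main__":
    print(json.dumps(reconcile(SAMPLE_RECORDS), indent=2))
```

Against a real checkout, replace `SAMPLE_RECORDS` with a walk over the `cves/` tree that `json.load`s each file; the selection logic is unchanged. Passing `names={"openclaw", "clawdbot", "moltbot"}` widens the vendor/product rule to the project's earlier names, which the reference rule otherwise has to cover.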
These CVEs have full records in the CVEProject/cvelistV5 repository:
| CVE ID | CVSS | Title | CWE | Published |
|---|---|---|---|---|
| CVE-2026-25253 | 8.8 | OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl | CWE-669 | 2026-02-01 |
| CVE-2026-24763 | 8.8 | OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable | CWE-78 | 2026-02-02 |
| CVE-2026-28478 | 8.7 | OpenClaw affected by denial of service via unbounded webhook request body buffering | CWE-770 | 2026-03-05 |
| CVE-2026-53843 | 8.7 | OpenClaw: Pairing-scoped device session could restore revoked node token authority | CWE-613 | 2026-06-16 |
| CVE-2026-53849 | 8.6 | OpenClaw: Discord allowFrom could bind to mutable display names | CWE-290 | 2026-06-16 |
| CVE-2026-53857 | 8.6 | OpenClaw < 2026.5.3 - Mutable Display Name Binding in Zalo allowFrom Policy | CWE-290 | 2026-06-16 |
| CVE-2026-44118 | 8.5 | OpenClaw < 2026.4.22 - Owner Context Spoofing via Bearer Token Header | CWE-290 | 2026-05-06 |
| CVE-2026-45004 | 8.4 | OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution | CWE-427 | 2026-05-11 |
| CVE-2026-28469 | 8.2 | OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting | CWE-639 | 2026-03-05 |
| CVE-2026-25157 | 7.8 | OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand | CWE-78 | 2026-02-04 |
| CVE-2026-53855 | 7.6 | OpenClaw < 2026.4.2 - Shell Positional Parameters Bypass in Inline-Eval Checks | CWE-184, CWE-863 | 2026-06-16 |
| CVE-2026-53853 | 7.6 | OpenClaw: Linux and macOS exec allowlists skipped configured argument patterns | CWE-693, CWE-863 | 2026-06-16 |
| CVE-2026-53866 | 7.6 | OpenClaw < 2026.5.12 - Allowlist Bypass in Shell Inline-Command Parsing | CWE-862 | 2026-06-16 |
| CVE-2026-53864 | 7.6 | OpenClaw: Host environment sanitizer missed two Node.js control variables | CWE-184 | 2026-06-16 |
| CVE-2026-28458 | 7.4 | OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access | CWE-306 | 2026-03-05 |
| CVE-2026-53865 | 7.2 | OpenClaw: Workspace-derived service PATH could influence trash command selection | CWE-426 | 2026-06-16 |
| CVE-2026-26317 | 7.1 | OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints | CWE-352 | 2026-02-19 |
| CVE-2026-53842 | 7 | OpenClaw: Workspace .env CLOUDSDK_PYTHON could influence Gmail setup gcloud execution | CWE-426 | 2026-06-16 |
| CVE-2026-53858 | 7 | OpenClaw: Workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots | CWE-426 | 2026-06-16 |
| CVE-2026-53846 | 7 | OpenClaw: Workspace .env npm_execpath could influence bundled runtime dependency install | CWE-426 | 2026-06-16 |
| CVE-2026-44116 | 6.9 | OpenClaw < 2026.4.22 - Server-Side Request Forgery in Zalo Photo URL Validation | CWE-918 | 2026-05-06 |
| CVE-2026-28480 | 6.9 | OpenClaw Telegram allowlist authorization accepted mutable usernames | CWE-290 | 2026-03-05 |
| CVE-2026-29612 | 6.8 | OpenClaw < 2026.2.14 - Denial of Service via Large Base64 Media File Decoding | CWE-770 | 2026-03-05 |
| CVE-2026-53850 | 6.8 | OpenClaw < 2026.4.25 - Control Scope Enforcement Bypass in Focus Command | CWE-862 | 2026-06-16 |
| CVE-2026-28452 | 6.7 | OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR) | CWE-770 | 2026-03-05 |
| CVE-2026-26328 | 6.5 | OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities | CWE-284, CWE-863 | 2026-02-19 |
| CVE-2026-53851 | 6.3 | OpenClaw < 2026.5.12 - Slack Reaction Event Notification Bypass | CWE-862 | 2026-06-16 |
| CVE-2026-44113 | 6 | OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes | CWE-367 | 2026-05-06 |
| CVE-2026-44112 | 6 | OpenClaw < 2026.4.22 - Symlink Swap Race Condition in OpenShell FS Bridge Writes | CWE-367 | 2026-05-06 |
| CVE-2026-43570 | 6 | OpenClaw contains a symlink traversal vulnerability | CWE-61 | 2026-05-05 |
| CVE-2026-53844 | 6 | OpenClaw < 2026.4.29 - Session Visibility Check Bypass in Shared Memory Search | CWE-862 | 2026-06-16 |
| CVE-2026-53840 | 6 | OpenClaw: MCP Streamable HTTP redirects could forward configured custom headers to another origin | CWE-522 | 2026-06-16 |
| CVE-2026-53854 | 6 | OpenClaw: Internal/webchat command auth could inherit ownerAllowFrom wildcard state | CWE-863 | 2026-06-16 |
| CVE-2026-53863 | 6 | OpenClaw < 2026.4.25 - Unvalidated Group ID Acceptance in Tool Group Policy | CWE-639 | 2026-06-16 |
| CVE-2026-53859 | 6 | OpenClaw < 2026.5.26 - Hostname Validation Bypass via Trailing-Dot Inconsistency | CWE-1023, CWE-918 | 2026-06-16 |
| CVE-2026-45005 | 5.9 | OpenClaw < 2026.4.23 - Webhook Route Secret Cache Not Invalidated After Rotation | CWE-672 | 2026-05-11 |
| CVE-2026-53856 | 5.7 | OpenClaw: Config recovery could restore openclaw.json with broad file permissions | CWE-732 | 2026-06-16 |
| CVE-2026-53847 | 5.3 | OpenClaw < 2026.5.6 - Privilege Escalation via Active Memory Write Scope | CWE-266 | 2026-06-16 |
| CVE-2026-53861 | 5.3 | OpenClaw < 2026.5.6 - Allowlist Bypass via Combined POSIX Inline Flags on macOS | CWE-184 | 2026-06-16 |
| CVE-2026-44992 | 4.1 | OpenClaw 2026.4.5 < 2026.4.20 - MiniMax API Host Override via Workspace dotenv | CWE-441 | 2026-05-11 |
| CVE-2026-45003 | 4.1 | OpenClaw: Workspace dotenv files cannot override connector endpoint hosts | CWE-441 | 2026-05-11 |
| CVE-2026-41358 | 2.3 | OpenClaw < 2026.4.2 - Sender Allowlist Bypass via Slack Thread Context | CWE-346 | 2026-04-23 |
| CVE-2026-44991 | 2.3 | OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners | CWE-863 | 2026-05-11 |
| CVE-2026-44997 | 2.3 | OpenClaw < 2026.4.22 - Security Envelope Constraint Bypass in ACP Child Sessions | CWE-266 | 2026-05-11 |
| CVE-2026-53848 | 2.3 | OpenClaw < 2026.5.26 - Exec Allowlist Bypass via Transparent Command Wrappers | CWE-184 | 2026-06-16 |
| CVE-2026-53845 | 2.3 | OpenClaw: Skill-command dispatch could skip before-tool-call hooks | CWE-693 | 2026-06-16 |
| CVE-2026-53852 | 2.3 | OpenClaw < 2026.4.25 - Scope Bypass via Empty-Scope Device Re-pairing | CWE-636 | 2026-06-16 |
| CVE-2026-53860 | 2.3 | OpenClaw: BlueBubbles sender policy could match mutable conversation identifiers | CWE-807, CWE-863 | 2026-06-16 |
| CVE-2026-53862 | 2.3 | OpenClaw < 2026.5.12 - Bootstrap Token Replay via Pending Pairing Scope Widening | CWE-266, CWE-345 | 2026-06-16 |
| CVE-2026-53841 | 2.1 | OpenClaw: Exported session HTML could keep unsafe markdown links | CWE-83 | 2026-06-16 |
Detailed CVE Analysis
CVE-2026-25253 — OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl
| Field | Detail |
|---|---|
| CVSS | 8.8 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| CWE | CWE-669 (CWE-669 Incorrect Resource Transfer Between Spheres) |
| Affected | < 2026.1.29 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-g8p2-7wf7-98mq |
OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value.
Naming note: uses all three names in the description; the packageURL still references `pkg:npm/clawdbot`.
References:
CVE-2026-24763 — OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable
| Field | Detail |
|---|---|
| CVSS | 8.8 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-78 (CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) |
| Affected | < 2026.1.29 |
| Vendor/Product | clawdbot / clawdbot |
| Advisory | GHSA-mc68-q9jw-2h3v |
OpenClaw (formerly Clawdbot) is a personal AI assistant you run on your own devices. Prior to 2026.1.29, a command injection vulnerability existed in OpenClaw’s Docker sandbox execution mechanism due to unsafe handling of the PATH environment variable when constructing shell commands. An authenticated user able to control environment variables could influence command execution within the container context. This vulnerability is fixed in 2026.1.29.
Naming note: uses the old name `clawdbot/clawdbot` as vendor/product.
References:
- https://github.com/openclaw/openclaw/commit/771f23d36b95ec2204cc9a0054045f5d8439ea75
- https://github.com/openclaw/openclaw/releases/tag/v2026.1.29
CVE-2026-28478 — OpenClaw affected by denial of service via unbounded webhook request body buffering
| Field | Detail |
|---|---|
| CVSS | 8.7 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
| CWE | CWE-770 (Allocation of Resources Without Limits or Throttling) |
| Affected | < 2026.2.13 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-q447-rj3r-2cgh |
OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers that buffer request bodies without strict byte or time limits. Remote unauthenticated attackers can send oversized JSON payloads or slow uploads to webhook endpoints causing memory pressure and availability degradation.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw < 2026.2.13 - Denial of Service via Unbounded Webhook Request Body Buffering
CVE-2026-53843 — OpenClaw: Pairing-scoped device session could restore revoked node token authority
| Field | Detail |
|---|---|
| CVSS | 8.7 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| CWE | CWE-613 (Insufficient Session Expiration) |
| Affected | < 2026.5.26 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-q99w-vh6v-q3v7 |
OpenClaw before 2026.5.26 contains an authorization bypass vulnerability where a surviving pairing-scoped device session can re-establish node token authority after revocation. Attackers with a paired device can regain WebSocket node-level access without renewed approval, weakening revocation controls and maintaining unauthorized access longer than intended.
References:
CVE-2026-53849 — OpenClaw: Discord allowFrom could bind to mutable display names
| Field | Detail |
|---|---|
| CVSS | 8.6 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-290 (Authentication Bypass by Spoofing) |
| Affected | < 2026.5.7 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-cw4q-gqg5-g38h |
OpenClaw before 2026.5.7 contains a privilege escalation vulnerability where the allowFrom feature improperly validates Discord account identity using mutable display names instead of immutable user IDs. Attackers with Discord accounts can change their display name to match a policy entry and gain unauthorized agent access intended for another Discord identity.
References:
CVE-2026-53857 — OpenClaw < 2026.5.3 - Mutable Display Name Binding in Zalo allowFrom Policy
| Field | Detail |
|---|---|
| CVSS | 8.6 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-290 (Authentication Bypass by Spoofing) |
| Affected | < 2026.5.3 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-8c59-hr4w-qg69 |
OpenClaw before 2026.5.3 contains a policy enforcement vulnerability where Zalo contacts with mutable display metadata could match allowFrom policy entries through display name changes. Attackers with mutable display names could receive agent responses intended for different Zalo identities when the feature is enabled.
References:
CVE-2026-44118 — OpenClaw < 2026.4.22 - Owner Context Spoofing via Bearer Token Header
| Field | Detail |
|---|---|
| CVSS | 8.5 (HIGH) — CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| CWE | CWE-290 (CWE-290: Authentication Bypass by Spoofing) |
| Affected | < 2026.4.22 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-r6xh-pqhr-v4xh |
OpenClaw before 2026.4.22 derives loopback MCP owner context from spoofable server-issued bearer tokens in request headers. Non-owner loopback clients can present themselves as owner to bypass owner-gated operations by manipulating the sender-owner header metadata.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw < 2026.4.22 - Owner Context Spoofing via Bearer Token Header
CVE-2026-45004 — OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution
| Field | Detail |
|---|---|
| CVSS | 8.4 (HIGH) — CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| CWE | CWE-427 (Uncontrolled Search Path Element) |
| Affected | < 2026.4.23 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-r39h-4c2p-3jxp |
OpenClaw before 2026.4.23 contains an arbitrary code execution vulnerability in the bundled plugin setup resolver that loads setup-api.js from process.cwd() during provider setup metadata resolution. Attackers can execute arbitrary JavaScript under the current user account by placing a malicious extensions//setup-api.js file in a repository and convincing a user to run OpenClaw commands from that directory.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw < 2026.4.23 - Arbitrary Code Execution via setup-api.js in Current Working Directory
CVE-2026-28469 — OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting
| Field | Detail |
|---|---|
| CVSS | 8.2 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-639 (Authorization Bypass Through User-Controlled Key) |
| Affected | < 2026.2.14 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-rq6g-px6m-c248 |
OpenClaw versions prior to 2026.2.14 contain a webhook routing vulnerability in the Google Chat monitor component that allows cross-account policy context misrouting when multiple webhook targets share the same HTTP path. Attackers can exploit first-match request verification semantics to process inbound webhook events under incorrect account contexts, bypassing intended allowlists and session policies.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw < 2026.2.14 - Cross-Account Policy Context Misrouting via Shared Webhook Path Ambiguity
CVE-2026-25157 — OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand
| Field | Detail |
|---|---|
| CVSS | 7.8 (HIGH) — CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
| CWE | CWE-78 (CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) |
| Affected | < 2026.1.29 |
| Vendor/Product | openclaw / openclaw |
| Advisory | GHSA-q284-4pvr-m585 |
OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vulnerability via the Project Root Path in sshNodeCommand. The sshNodeCommand function constructed a shell script without properly escaping the user-supplied project path in an error message. When the cd command failed, the unescaped path was interpolated directly into an echo statement, allowing arbitrary command execution on the remote SSH host. The parseSSHTarget function did not validate that SSH target strings could not begin with a dash. An attacker-supplied target like -oProxyCommand=... would be interpreted as an SSH configuration flag rather than a hostname, allowing arbitrary command execution on the local machine. This issue has been patched in version 2026.1.29.
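The description above covers two separate defects, and the fix for each is small but easy to get wrong. The block below is an added example written for this page, not the project's sshNodeCommand; the helper names and the accepted target grammar are assumptions. It rejects targets that ssh could parse as options, ends option parsing with `--` so a validated host can never be read as a flag, and quotes the project path for the remote shell, keeping the unquoted "before" form for comparison:

```python
"""Build a remote-node ssh invocation without option or shell injection.

Added example for CVE-2026-25157; it is not OpenClaw's sshNodeCommand and
the helper names are mine. The advisory describes two defects: a target
beginning with '-' was passed where ssh expects a destination, so a value
like -oProxyCommand=... was parsed as an option that runs a local command;
and the project path was interpolated unquoted into the remote snippet's
error message, so shell metacharacters in the path executed on the SSH host.
vulnerable_remote_script keeps the second defect for contrast.
"""
import re
import shlex
from typing import List, Optional, Tuple

# user@host or host; host is a DNS name / IPv4 literal, or a bracketed IPv6 literal
_TARGET_RE = re.compile(
    r"^(?:[A-Za-z0-9._-]+@)?[A-Za-z0-9._-]+$|^(?:[A-Za-z0-9._-]+@)?\[[0-9A-Fa-f:.]+\]$"
)


def parse_ssh_target(target: str) -> Tuple[Optional[str], str]:
    """Return (user, host); reject anything ssh could mistake for an option."""
    target = target.strip()
    if not target or target.startswith("-"):
        raise ValueError("ssh target must not be empty or start with '-'")
    if not _TARGET_RE.match(target):
        raise ValueError("ssh target contains characters outside the user@host form")
    user, _, host = target.rpartition("@")
    return (user or None, host)


def is_valid_ssh_target(target: str) -> bool:
    try:
        parse_ssh_target(target)
        return True
    except ValueError:
        return False


def vulnerable_remote_script(project_root: str, command: str) -> str:
    """Before: the path lands unquoted in the cd fallback's echo."""
    return f"cd {project_root} || echo 'failed to cd to {project_root}'; {command}"


def remote_script(project_root: str, command: str) -> str:
    """After: the path is single-quoted for the remote POSIX shell.
    `command` is the operator's own command string and is passed through as-is."""
    quoted = shlex.quote(project_root)
    return f"cd {quoted} || {{ echo 'failed to cd to' {quoted} >&2; exit 1; }}; {command}"


def build_ssh_argv(target: str, project_root: str, command: str) -> List[str]:
    """argv for subprocess.run without shell=True. '--' ends ssh option parsing."""
    parse_ssh_target(target)
    return ["ssh", "--", target, remote_script(project_root, command)]


def shell_words(script: str) -> List[str]:
    """How a POSIX shell would tokenise the snippet (used to inspect the results)."""
    return shlex.split(script)


if __name__ == "__main__":
    evil_path = "/srv/app'; id; echo '"        # constructed attacker-controlled path
    print(shell_words(vulnerable_remote_script(evil_path, "make")))
    print(shell_words(remote_script(evil_path, "make")))
    print(build_ssh_argv("deploy@node1.example", "/srv/app", "git status"))
    print(is_valid_ssh_target("-oProxyCommand=touch /tmp/pwn"))
```

Tokenising the two scripts makes the difference visible: in the vulnerable form `id;` becomes its own word, so the remote shell runs it; in the quoted form the whole path, quote characters included, stays one word.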
CVE-2026-53855 — OpenClaw < 2026.4.2 - Shell Positional Parameters Bypass in Inline-Eval Checks
| Field | Detail |
|---|---|
| CVSS | 7.6 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-184 (Incomplete List of Disallowed Inputs), CWE-863 (Incorrect Authorization) |
| Affected | < 2026.4.2 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-5cj2-3jr2-5h77 |
OpenClaw before 2026.4.2 contains an inline-eval bypass vulnerability allowing authenticated operators to weaken strict allowlist checks via shell positional parameters. Attackers can combine allowlisted tools with shell positional arguments to place inline-eval content in shell carriers outside intended allowlist rules, enabling execution of unapproved shell-provided content.
References:
CVE-2026-53853 — OpenClaw: Linux and macOS exec allowlists skipped configured argument patterns
| Field | Detail |
|---|---|
| CVSS | 7.6 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N |
| CWE | CWE-693 (Protection Mechanism Failure), CWE-863 (Incorrect Authorization) |
| Affected | < 2026.5.12 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-v2ww-5rh7-2h5v |
OpenClaw before 2026.5.12 contains an argument pattern validation bypass in the exec allowlist that allows attackers to execute disallowed arguments for allowlisted executables on Linux and macOS systems. Attackers can bypass configured argPattern restrictions by directly invoking allowlisted executables with unrestricted arguments, potentially enabling unauthorized file access, network access, or command execution.
References:
CVE-2026-53866 — OpenClaw < 2026.5.12 - Allowlist Bypass in Shell Inline-Command Parsing
| Field | Detail |
|---|---|
| CVSS | 7.6 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-862 (Missing Authorization) |
| Affected | < 2026.5.12 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-f397-5vjw-v2c2 |
OpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in shell inline-command parsing that allows authenticated operators to execute unapproved commands. A command request using shell inline-command forms could route through a parser case missing the expected allowlist decision, enabling shell content execution without intended approval prompts.
References:
CVE-2026-53864 — OpenClaw: Host environment sanitizer missed two Node.js control variables
| Field | Detail |
|---|---|
| CVSS | 7.6 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-184 (Incomplete List of Disallowed Inputs) |
| Affected | < 2026.5.26 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-ccwh-wwpp-6wg5 |
OpenClaw before 2026.5.26 contains an insufficient sanitization vulnerability in the host environment sanitizer that allows Node.js control variables to bypass validation. Attackers with access to workspace .env files, tool environment overrides, or skill environment blocks can pass malicious Node.js control variables to influence child processes or coverage output paths.
References:
CVE-2026-28458 — OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access
| Field | Detail |
|---|---|
| CVSS | 7.4 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-306 (Missing Authentication for Critical Function) |
| Affected | < 2026.2.1 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-mr32-vwc2-5j6h |
OpenClaw version 2026.1.20 prior to 2026.2.1 contains a vulnerability in the Browser Relay (extension must be installed and enabled) /cdp WebSocket endpoint in which it does not require authentication tokens, allowing websites to connect via loopback and access sensitive data. Attackers can exploit this by connecting to ws://127.0.0.1:18792/cdp to steal session cookies and execute JavaScript in other browser tabs.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw 2026.1.20 < 2026.2.1 - Missing Authentication in Browser Relay /cdp WebSocket Endpoint
CVE-2026-53865 — OpenClaw: Workspace-derived service PATH could influence trash command selection
| Field | Detail |
|---|---|
| CVSS | 7.2 (HIGH) — CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-426 (Untrusted Search Path) |
| Affected | < 2026.5.2 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-rx78-29qr-5hq8 |
OpenClaw before 2026.5.2 contains a path traversal vulnerability in maintenance task execution that allows workspace-derived service paths to influence trash command selection. Attackers can execute unintended local executables from operator-unintended paths during maintenance operations by manipulating workspace-derived environment paths.
References:
CVE-2026-26317 — OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints
| Field | Detail |
|---|---|
| CVSS | 7.1 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L |
| CWE | CWE-352 (CWE-352: Cross-Site Request Forgery (CSRF)) |
| Affected | <= 2026.1.24-3 |
| Vendor/Product | openclaw / clawdbot |
| Advisory | GHSA-3fqr-4cg8-h96q |
OpenClaw is a personal AI assistant. Prior to 2026.2.14, browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins. A malicious website can trigger unauthorized state changes against a victim's local OpenClaw browser control plane (for example opening tabs, starting/stopping the browser, mutating storage/cookies) if the browser control service is reachable on loopback in the victim's browser context. Starting in version 2026.2.14, mutating HTTP methods (POST/PUT/PATCH/DELETE) are rejected when the request indicates a non-loopback Origin/Referer (or Sec-Fetch-Site: cross-site). Other mitigations include enabling browser control auth (token/password) and not running with auth disabled.
Naming note: uses the old name `openclaw/clawdbot` as vendor/product.
References:
- https://github.com/openclaw/openclaw/commit/b566b09f81e2b704bf9398d8d97d5f7a90aa94c3
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.14
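The mitigation described for this CVE is precise enough to implement as a single request gate. The block below is an added example written for this page, not OpenClaw's code; the header handling and function names are assumptions. It refuses mutating methods whose Origin or Referer is not a loopback URL, or that carry Sec-Fetch-Site: cross-site, and lets a header-less request through as a non-browser client, which is exactly why the advisory also tells you to keep auth enabled:

```python
"""Refuse cross-site browser mutations against a loopback control plane.

Added example of the mitigation described for CVE-2026-26317; it is not
OpenClaw's code and the function names are mine. The rule: a mutating method
(POST, PUT, PATCH, DELETE) is refused when the request carries a non-loopback
Origin or Referer, or Sec-Fetch-Site: cross-site. A request with none of
those headers (curl, a local script) is let through, which is why this gate
complements, rather than replaces, token/password auth on the service.
"""
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def _header(headers: dict, name: str) -> Optional[str]:
    """Case-insensitive header lookup over a plain dict."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def is_loopback_host(host: Optional[str]) -> bool:
    """Only 'localhost' and real loopback addresses count. A name such as
    '127.0.0.1.attacker.example' is not an IP literal and fails ip_address()."""
    if not host:
        return False
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def is_loopback_url(value: str) -> bool:
    """urlsplit().hostname strips the port and IPv6 brackets before the check."""
    try:
        return is_loopback_host(urlsplit(value).hostname)
    except ValueError:          # malformed IPv6 literal and similar
        return False


def reject_reason(method: str, headers: dict) -> Optional[str]:
    """None if the request may proceed, otherwise why it must be refused."""
    if method.upper() not in MUTATING_METHODS:
        return None
    fetch_site = _header(headers, "Sec-Fetch-Site")
    if fetch_site and fetch_site.strip().lower() == "cross-site":
        return "Sec-Fetch-Site: cross-site"
    for name in ("Origin", "Referer"):
        value = _header(headers, name)
        if value is None:
            continue
        # 'null' is what browsers send for opaque origins (sandboxed frames,
        # file:// pages); it is not loopback and must not pass.
        if value.strip().lower() == "null" or not is_loopback_url(value):
            return f"non-loopback {name}: {value}"
    return None


# Constructed requests: a page on an attacker origin firing a cross-site POST,
# the local web UI making the same call from 127.0.0.1, and a harmless GET.
SAMPLE_REQUESTS = [
    ("POST", {"Origin": "https://attacker.example", "Sec-Fetch-Site": "cross-site"}),
    ("POST", {"Origin": "http://127.0.0.1:18792", "Sec-Fetch-Site": "same-origin"}),
    ("GET", {"Origin": "https://attacker.example"}),
]

if __name__ == "__main__":
    for method, headers in SAMPLE_REQUESTS:
        print(method, headers, "->", reject_reason(method, headers) or "allowed")
```

Both Origin and Referer are checked when present, so a request that carries a loopback Origin but a foreign Referer is still refused. GET is left alone by design: the text scopes the check to mutating methods, and a read endpoint that leaks data cross-origin is a CORS problem, not a CSRF one.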
CVE-2026-53842 — OpenClaw: Workspace .env CLOUDSDK_PYTHON could influence Gmail setup gcloud execution
| Field | Detail |
|---|---|
| CVSS | 7 (HIGH) — CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-426 (Untrusted Search Path) |
| Affected | < 2026.5.2 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-fq9j-vw4w-fr6v |
OpenClaw before 2026.5.2 contains an environment variable injection vulnerability allowing workspace .env files to influence Python runtime selection through CLOUDSDK_PYTHON during Gmail setup gcloud execution. Attackers with repository access can manipulate the CLOUDSDK_PYTHON variable to execute setup through unintended local Python paths, potentially enabling arbitrary code execution.
References:
CVE-2026-53858 — OpenClaw: Workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots
| Field | Detail |
|---|---|
| CVSS | 7 (HIGH) — CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-426 (Untrusted Search Path) |
| Affected | < 2026.5.2 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-wc84-j36w-pw4x |
OpenClaw before 2026.5.2 contains an environment variable injection vulnerability where workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots. Attackers can manipulate the STATE_DIRECTORY variable to load runtime dependencies from unintended local paths, potentially executing malicious code during dependency resolution.
References:
CVE-2026-53846 — OpenClaw: Workspace .env npm_execpath could influence bundled runtime dependency install
| Field | Detail |
|---|---|
| CVSS | 7 (HIGH) — CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-426 (Untrusted Search Path) |
| Affected | < 2026.4.29 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-24vr-rprv-67rf |
OpenClaw before 2026.4.29 contains a path traversal vulnerability in the install helper that allows workspace .env files to override the npm_execpath configuration used for bundled runtime dependency installation. Attackers with workspace access can execute unintended local package-manager executables during dependency setup to compromise the build environment.
References:
CVE-2026-44116 — OpenClaw < 2026.4.22 - Server-Side Request Forgery in Zalo Photo URL Validation
| Field | Detail |
|---|---|
| CVSS | 6.9 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N |
| CWE | CWE-918 (CWE-918 Server-Side Request Forgery (SSRF)) |
| Affected | < 2026.4.22 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-2hh7-c75g-qj2r |
OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthorized access to internal resources.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw < 2026.4.22 - Server-Side Request Forgery in Zalo Photo URL Validation
CVE-2026-28480 — OpenClaw Telegram allowlist authorization accepted mutable usernames
| Field | Detail |
|---|---|
| CVSS | 6.9 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-290 (Authentication Bypass by Spoofing) |
| Affected | < 2026.2.14 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-mj5r-hh7j-4gxf |
OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerability where Telegram allowlist matching accepts mutable usernames instead of immutable numeric sender IDs. Attackers can spoof identity by obtaining recycled usernames to bypass allowlist restrictions and interact with bots as unauthorized senders.
References:
- Patch Commit #1
- Patch Commit #2
- VulnCheck Advisory: OpenClaw < 2026.2.14 - Identity Spoofing via Mutable Username in Telegram Allowlist Authorization
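The Discord (CVE-2026-53849), Zalo (CVE-2026-53857) and Telegram (CVE-2026-28480) entries above share one root cause: an allowlist entry compared against an identifier the sender can change or that can be released and re-claimed. The block below is an added example, not OpenClaw's code; its field names, the all-digits-means-ID convention and the directory snapshot are assumptions made for the illustration. It contrasts the flawed name matching with an ID-only policy and shows the one-time resolution of legacy @username entries that makes a migration safe:

```python
"""Bind chat allowlists to immutable sender IDs, not usernames or display names.

Added example for the mutable-identifier advisories (Discord and Zalo display
names, Telegram usernames); it is not OpenClaw's code and the field names are
assumptions. legacy_allowed reproduces the flawed matching: an allowlist entry
is compared against names the sender controls. strict_allowed honours only
entries that pin the platform's immutable sender ID, and pin_allow_from shows
how name-style entries are resolved to IDs once, when the operator writes the
config, instead of on every message.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Sender:
    sender_id: str      # immutable platform identifier (numeric on Telegram/Discord)
    username: str       # mutable; can be released and later claimed by someone else
    display_name: str   # mutable, free-form


def is_id_entry(entry: str) -> bool:
    """Assumption for this example: an all-digit entry is an immutable ID."""
    return entry.isdigit()


def legacy_allowed(sender: Sender, allow_from: Iterable[str]) -> bool:
    """Flawed: matches on ID, on @username and on display name."""
    for entry in allow_from:
        if entry == sender.sender_id:
            return True
        if entry.startswith("@") and entry[1:].lower() == sender.username.lower():
            return True
        if entry == sender.display_name:
            return True
    return False


def strict_allowed(sender: Sender, allow_from: Iterable[str]) -> bool:
    """Fixed: only an exact immutable-ID entry authorises the sender."""
    return any(is_id_entry(e) and e == sender.sender_id for e in allow_from)


def pin_allow_from(allow_from: Iterable[str],
                   directory: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Resolve @username entries to IDs against a directory snapshot taken when
    the operator writes the config. Returns (pinned_ids, unresolved_entries);
    unresolved entries must be reported, never silently kept as names."""
    pinned, unresolved = [], []
    for entry in allow_from:
        if is_id_entry(entry):
            pinned.append(entry)
        elif entry.startswith("@") and entry[1:].lower() in directory:
            pinned.append(directory[entry[1:].lower()])
        else:
            unresolved.append(entry)
    return pinned, unresolved


# Constructed scenario: the operator allowlisted "@alice" while alice owned that
# username; alice later renamed herself, and mallory claimed the freed "@alice".
DIRECTORY_AT_CONFIG_TIME = {"alice": "123456"}
ALICE_RENAMED = Sender("123456", "alice_new", "Alice")
MALLORY = Sender("999999", "alice", "Alice")
ALLOW_FROM = ["@alice"]

if __name__ == "__main__":
    print("legacy lets mallory in:", legacy_allowed(MALLORY, ALLOW_FROM))
    pinned, unresolved = pin_allow_from(ALLOW_FROM, DIRECTORY_AT_CONFIG_TIME)
    print("pinned:", pinned, "unresolved:", unresolved)
    print("strict, alice after rename:", strict_allowed(ALICE_RENAMED, pinned))
    print("strict, mallory:", strict_allowed(MALLORY, pinned))
```

Note the two failure modes the strict policy has to accept: a legacy name entry that is never resolved authorises nobody (not even the intended user), which is the safe direction, and the resolution must happen against the directory at configuration time, not at message time, or the recycled username wins again.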
CVE-2026-29612 — OpenClaw < 2026.2.14 - Denial of Service via Large Base64 Media File Decoding
| Field | Detail |
|---|---|
| CVSS | 6.8 (MEDIUM) — CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
| CWE | CWE-770 (Allocation of Resources Without Limits or Throttling) |
| Affected | < 2026.2.14 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-w2cg-vxx6-5xjg |
OpenClaw versions prior to 2026.2.14 decode base64-backed media inputs into buffers before enforcing decoded-size budget limits, allowing attackers to trigger large memory allocations. Remote attackers can supply oversized base64 payloads to cause memory pressure and denial of service.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw < 2026.2.14 - Denial of Service via Large Base64 Media File Decoding
CVE-2026-53850 — OpenClaw < 2026.4.25 - Control Scope Enforcement Bypass in Focus Command
| Field | Detail |
|---|---|
| CVSS | 6.8 (MEDIUM) — CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-862 (Missing Authorization) |
| Affected | < 2026.4.25 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-mpc8-jxjh-qpgh |
OpenClaw before 2026.4.25 contains a control scope enforcement bypass vulnerability in the focus command that allows authenticated callers to execute the command without proper authorization checks. Attackers can trigger the focus command to change focus state outside intended caller authority, potentially enabling unauthorized operations depending on gateway configuration and input trust levels.
References:
CVE-2026-28452 — OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR)
| Field | Detail |
|---|---|
| CVSS | 6.7 (MEDIUM) — CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
| CWE | CWE-770 (Allocation of Resources Without Limits or Throttling) |
| Affected | < 2026.2.14 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-h89v-j3x9-8wqj |
OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the extractArchive function within src/infra/archive.ts that allows attackers to consume excessive CPU, memory, and disk resources through high-expansion ZIP and TAR archives. Remote attackers can trigger resource exhaustion by providing maliciously crafted archive files during install or update operations, causing service degradation or system unavailability.
References:
- Patch Commit #1
- Patch Commit #2
- VulnCheck Advisory: OpenClaw < 2026.2.14 - Denial of Service via Unguarded Archive Extraction in extractArchive
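For this CVE the defence is a budget applied before and during inflation; the same budget-before-allocate principle is what the webhook body (CVE-2026-28478) and base64 (CVE-2026-29612) fixes above need, though the block below covers ZIP only. It is an added example, not OpenClaw's extractArchive; the limits, helper names and test archives are illustrative:

```python
"""Guard ZIP extraction against expansion and resource abuse.

Added example for CVE-2026-28452; it is not OpenClaw's extractArchive and
the limits are illustrative. Two gates: the sizes declared in the central
directory are checked before any byte is inflated, which rejects obvious
bombs cheaply, and inflated bytes are counted while streaming so the budget
holds even where declared sizes are not trusted. TAR needs the same streaming
count, since tar headers declare no compressed size at all.
"""
import io
import posixpath
import zipfile
from dataclasses import dataclass
from typing import Dict, Optional

CHUNK = 64 * 1024


@dataclass(frozen=True)
class ExtractBudget:
    max_entries: int = 2000
    max_entry_bytes: int = 16 * 1024 * 1024
    max_total_bytes: int = 64 * 1024 * 1024
    max_ratio: float = 100.0     # inflated / compressed, per entry


class ArchiveRejected(ValueError):
    pass


def _check_name(name: str) -> None:
    """Reject absolute names and '..' segments (the classic zip-slip escape)."""
    if name.startswith(("/", "\\")) or "\\" in name or posixpath.normpath(name).startswith(".."):
        raise ArchiveRejected(f"unsafe entry name: {name!r}")


def check_declared(zf: zipfile.ZipFile, budget: ExtractBudget) -> int:
    """First gate: central-directory metadata only. Returns the declared total."""
    infos = zf.infolist()
    if len(infos) > budget.max_entries:
        raise ArchiveRejected(f"{len(infos)} entries exceed limit {budget.max_entries}")
    total = 0
    for info in infos:
        _check_name(info.filename)
        if info.file_size > budget.max_entry_bytes:
            raise ArchiveRejected(f"{info.filename}: declared {info.file_size} bytes exceeds entry limit")
        total += info.file_size
        if total > budget.max_total_bytes:
            raise ArchiveRejected(f"declared total exceeds {budget.max_total_bytes} bytes")
        if info.compress_size and info.file_size / info.compress_size > budget.max_ratio:
            raise ArchiveRejected(f"{info.filename}: expansion ratio exceeds {budget.max_ratio}")
    return total


def extract_to_memory(data: bytes, budget: ExtractBudget = ExtractBudget()) -> Dict[str, bytes]:
    """Second gate: count bytes as they are inflated, entry by entry."""
    out: Dict[str, bytes] = {}
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        check_declared(zf, budget)
        for info in zf.infolist():
            if info.is_dir():
                continue
            chunks, read = [], 0
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(CHUNK)
                    if not chunk:
                        break
                    read += len(chunk)
                    total += len(chunk)
                    if read > budget.max_entry_bytes or total > budget.max_total_bytes:
                        raise ArchiveRejected(f"{info.filename}: inflated past budget")
                    chunks.append(chunk)
            out[info.filename] = b"".join(chunks)
    return out


def rejection_reason(data: bytes, budget: ExtractBudget = ExtractBudget()) -> Optional[str]:
    """None if the archive extracts within budget, otherwise the reason."""
    try:
        extract_to_memory(data, budget)
        return None
    except (ArchiveRejected, zipfile.BadZipFile) as exc:
        return str(exc)


def make_zip(entries: Dict[str, bytes]) -> bytes:
    """Constructed test archives (deflate) for the demonstration below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    benign = make_zip({"README.md": b"hello\n", "src/a.txt": b"def f(x):\n    return x + 1\n" * 10})
    bomb = make_zip({"zeros.bin": b"\0" * (20 * 1024 * 1024)})   # roughly 1000:1 when deflated
    print("benign:", rejection_reason(benign) or "ok")
    print("bomb:", rejection_reason(bomb))
```

The declared-size gate is cheap but is only as honest as the archive; the streaming count is what actually bounds memory and disk, and it is the part that an extractor writing to disk must keep as well (counting bytes written, not entries).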
CVE-2026-26328 — OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities
| Field | Detail |
|---|---|
| CVSS | 6.5 (MEDIUM) — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| CWE | CWE-284 (CWE-284: Improper Access Control), CWE-863 (CWE-863: Incorrect Authorization) |
| Affected | <= 2026.1.24-3 |
| Vendor/Product | openclaw / clawdbot |
| Advisory | GHSA-g34w-4xqq-h79m |
OpenClaw is a personal AI assistant. Prior to version 2026.2.14, under iMessage groupPolicy=allowlist, group authorization could be satisfied by sender identities coming from the DM pairing store, broadening DM trust into group contexts. Version 2026.2.14 fixes the issue.
Naming note: uses the old name `openclaw/clawdbot` as vendor/product.
References:
- https://github.com/openclaw/openclaw/commit/872079d42fe105ece2900a1dd6ab321b92da2d59
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.14
CVE-2026-53851 — OpenClaw < 2026.5.12 - Slack Reaction Event Notification Bypass
| Field | Detail |
|---|---|
| CVSS | 6.3 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-862 (Missing Authorization) |
| Affected | < 2026.5.12 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-fcvx-5cxc-v5p8 |
OpenClaw before 2026.5.12 contains a notification bypass vulnerability allowing Slack reaction events to enter the agent pipeline despite disabled reaction notifications. Attackers can trigger unintended agent processing by sending reaction events when the feature is enabled, potentially leading to unauthorized processing of lower-trust input.
References:
CVE-2026-44113 — OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes
| Field | Detail |
|---|---|
| CVSS | 6 (MEDIUM) — CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-367 (CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition) |
| Affected | < 2026.4.22 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-5h3g-6xhh-rg6p |
OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in the OpenShell filesystem bridge that allows attackers to read files outside the intended mount root. Attackers can exploit symlink swaps during filesystem operations to bypass sandbox restrictions and access unauthorized file contents.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw < 2026.4.22 - Time-of-Check/Time-of-Use Race Condition in OpenShell FS Bridge
CVE-2026-44112 — OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root
| Field | Detail |
|---|---|
| CVSS | 6 (MEDIUM) — CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-367 (CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition) |
| Affected | < 2026.4.22 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-wppj-c6mr-83jj |
OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in OpenShell sandbox filesystem writes that allows attackers to redirect writes outside the intended mount root. Attackers can exploit symlink swaps during filesystem operations to bypass sandbox restrictions and write files outside the local mount root.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw < 2026.4.22 - Symlink Swap Race Condition in OpenShell FS Bridge Writes
| Field | Detail |
|---|---|
| CVSS | 6 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-61 (CWE-61 UNIX Symbolic Link (Symlink) Following) |
| Affected | < 2026.4.5 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-cr8r-7g2h-6wr6 |
OpenClaw versions 2026.3.22 before 2026.4.5 contain a symlink traversal vulnerability in remote marketplace repository path handling that allows attackers to escape the expected repository root. Attackers can exploit this by providing crafted symlink paths to access files outside the intended repository directory.
References:
- Patch Commit (1)
- Patch Commit (2)
- VulnCheck Advisory: OpenClaw 2026.3.22 < 2026.4.5 - Symlink Traversal in Remote Marketplace Repository Path Handling
CVE-2026-53844 — OpenClaw: memory-wiki shared search could miss session visibility checks
| Field | Detail |
|---|---|
| CVSS | 6 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-862 (Missing Authorization) |
| Affected | < 2026.4.29 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-72fw-cqh5-f324 |
OpenClaw before 2026.4.29 contains a session visibility check bypass vulnerability in shared memory search that allows authenticated callers to access memory entries without proper authorization. Attackers can skip session visibility guards on the search path to retrieve memory entries that should not be visible to their session.
References:
CVE-2026-53840 — OpenClaw: MCP Streamable HTTP redirects could forward configured custom headers to another origin
| Field | Detail |
|---|---|
| CVSS | 6 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-522 (Insufficiently Protected Credentials) |
| Affected | < 2026.5.12 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-rjxq-qqhf-8hwh |
OpenClaw before 2026.5.12 contains an information disclosure vulnerability in streamable-http MCP servers that forwards operator-configured custom headers during cross-origin redirects. Attackers controlling or compromising an MCP endpoint can redirect requests to exfiltrate sensitive headers like API keys or tenant-routing credentials to attacker-controlled origins.
References:
CVE-2026-53854 — OpenClaw: Internal/webchat command auth could inherit ownerAllowFrom wildcard state
| Field | Detail |
|---|---|
| CVSS | 6 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-863 (Incorrect Authorization) |
| Affected | < 2026.4.25 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-4hpg-mp64-x7xq |
OpenClaw before 2026.4.25 contains a privilege escalation vulnerability in internal and webchat command authentication that allows senders to inherit wildcard ownerAllowFrom state across channel boundaries. Attackers can exploit this by sending commands on affected internal or webchat paths to execute owner-style command behavior outside intended channel scope, potentially bypassing access controls.
References:
CVE-2026-53863 — OpenClaw: Tool group policy callers could accept unvalidated group IDs
| Field | Detail |
|---|---|
| CVSS | 6 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-639 (Authorization Bypass Through User-Controlled Key) |
| Affected | < 2026.4.25 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-985f-72mj-8gf7 |
OpenClaw before 2026.4.25 contains an input validation vulnerability in tool group policy callers that accept unvalidated group IDs. Attackers who can supply a group ID to the policy resolver could trigger incorrect group-policy decisions for tool invocations, potentially bypassing intended access controls.
References:
CVE-2026-53859 — OpenClaw: Hostname checks could treat trailing-dot hosts inconsistently
| Field | Detail |
|---|---|
| CVSS | 6 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-1023 (Incomplete Comparison with Missing Factors), CWE-918 (Server-Side Request Forgery (SSRF)) |
| Affected | < 2026.5.26 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-gxg4-2rrr-jhc7 |
OpenClaw before 2026.5.26 contains a hostname validation vulnerability allowing attackers to bypass blocklist comparisons using trailing-dot notation in model or workspace-derived URLs. Attackers can exploit inconsistent hostname checks to reach destinations that operators intended to block through hostname policies.
References:
- VulnCheck Advisory: OpenClaw < 2026.5.26 - Hostname Validation Bypass via Trailing-Dot Inconsistency
CVE-2026-45005 — OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload
| Field | Detail |
|---|---|
| CVSS | 5.9 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N |
| CWE | CWE-672 (Operation on a Resource after Expiration or Release) |
| Affected | < 2026.4.23 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-q8ff-7ffm-m3r9 |
OpenClaw before 2026.4.23 caches resolved webhook route secrets backed by SecretRef values, allowing stale secrets to remain valid after rotation and reload. Attackers with previously valid webhook route secrets can continue authenticating requests and invoking configured webhook task flows until gateway or plugin restart.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw < 2026.4.23 - Webhook Route Secret Cache Not Invalidated After Rotation
CVE-2026-53856 — OpenClaw: Config recovery could restore openclaw.json with broad file permissions
| Field | Detail |
|---|---|
| CVSS | 5.7 (MEDIUM) — CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-732 (Incorrect Permission Assignment for Critical Resource) |
| Affected | < 2026.4.24 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-rwp6-7w3q-75fq |
OpenClaw 2026.4.23 before 2026.4.24 contains an insecure file permissions vulnerability in config recovery that restores openclaw.json with overly broad permissions. Local attackers on shared hosts can read sensitive configuration data by exploiting the recovery path to access the restored config file.
References:
CVE-2026-53847 — OpenClaw: Active Memory write scope could mutate global config
| Field | Detail |
|---|---|
| CVSS | 5.3 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N |
| CWE | CWE-266 (Incorrect Privilege Assignment) |
| Affected | < 2026.5.6 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-x629-46cc-7xgw |
OpenClaw before 2026.5.6 contains a privilege escalation vulnerability in the Active Memory write scope that allows Gateway operators with operator.write access to modify global configuration without requiring operator.admin privileges. Attackers with operator.write access can exploit insufficient scope validation to apply unauthorized configuration changes beyond the intended write scope.
References:
CVE-2026-53861 — OpenClaw: macOS Swift exec allowlist missed combined POSIX inline flags
| Field | Detail |
|---|---|
| CVSS | 5.3 (MEDIUM) — CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-184 (Incomplete List of Disallowed Inputs) |
| Affected | < 2026.5.6 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-c226-q6fx-6j6c |
OpenClaw before 2026.5.6 contains an allowlist bypass vulnerability in the macOS Swift exec feature that misses combined POSIX inline-command flags. Attackers can execute shell content outside the intended allowlist check by using combined flag forms, potentially allowing unauthorized command execution depending on operator configuration.
References:
CVE-2026-44992 — OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests
| Field | Detail |
|---|---|
| CVSS | 4.1 (MEDIUM) — CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-441 (Unintended Proxy or Intermediary ('Confused Deputy')) |
| Affected | < 2026.4.20 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-h2vw-ph2c-jvwf |
OpenClaw versions 2026.4.5 before 2026.4.20 contain an environment variable injection vulnerability allowing workspace dotenv to override MINIMAX_API_HOST. Attackers can redirect credentialed MiniMax API requests to attacker-controlled origins, exposing the MiniMax API key in Authorization headers.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw 2026.4.5 < 2026.4.20 - MiniMax API Host Override via Workspace dotenv
CVE-2026-45003 — OpenClaw: Workspace dotenv files cannot override connector endpoint hosts
| Field | Detail |
|---|---|
| CVSS | 4.1 (MEDIUM) — CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-441 (Unintended Proxy or Intermediary ('Confused Deputy')) |
| Affected | < 2026.4.22 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-55cf-xx38-4p9p |
OpenClaw before 2026.4.22 allows workspace dotenv files to override connector endpoint hosts for Matrix, Mattermost, IRC, and Synology connectors. Attackers with workspace access can redirect runtime traffic to malicious endpoints by setting endpoint variables in dotenv files.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw < 2026.4.22 - Connector Endpoint Host Override via Workspace dotenv Files
| Field | Detail |
|---|---|
| CVSS | 2.3 (LOW) — CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-346 (CWE-346: Origin Validation Error) |
| Affected | < 2026.4.2 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-qm77-8qjp-4vcm |
OpenClaw before 2026.4.2 fails to filter Slack thread context by sender allowlist, allowing non-allowlisted messages to enter agent context. Attackers can inject unauthorized thread messages through allowlisted user replies to bypass sender access controls and manipulate model context.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw < 2026.4.2 - Sender Allowlist Bypass via Slack Thread Context
CVE-2026-44991 — OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners
| Field | Detail |
|---|---|
| CVSS | 2.3 (LOW) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-863 (Incorrect Authorization) |
| Affected | < 2026.4.21 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-c28g-vh7m-fm7v |
OpenClaw before 2026.4.21 contains an authorization bypass vulnerability in command-auth.ts that allows non-owner senders to execute owner-enforced slash commands when wildcard inbound senders are configured without explicit owner allowFrom settings. Attackers can exploit this by sending commands like /send, /config, or /debug on affected channels to bypass owner-only command authorization checks.
References:
- Patch Commit (1)
- Patch Commit (2)
- VulnCheck Advisory: OpenClaw < 2026.4.21 - Authorization Bypass in Owner-Enforced Commands via Wildcard Channel Senders
CVE-2026-44997 — OpenClaw's ACP child sessions inherit subagent security envelope constraints
| Field | Detail |
|---|---|
| CVSS | 2.3 (LOW) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-266 (Incorrect Privilege Assignment) |
| Affected | < 2026.4.22 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-q3jj-46pq-826r |
OpenClaw before 2026.4.22 contains a security envelope constraint bypass vulnerability allowing restricted subagents to spawn ACP child sessions that fail to inherit depth, child-count limits, control scope, or target-agent restrictions. Attackers can exploit this by spawning child sessions that bypass subagent-only constraints, potentially escalating privileges or accessing restricted resources.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw < 2026.4.22 - Security Envelope Constraint Bypass in ACP Child Sessions
| Field | Detail |
|---|---|
| CVSS | 2.3 (LOW) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-184 (Incomplete List of Disallowed Inputs) |
| Affected | < 2026.5.26 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-cwpp-5962-q4f6 |
OpenClaw before 2026.5.26 contains an exec allowlist bypass vulnerability allowing authenticated operators to execute wrapper-level side effects outside allowlisted command intent. Attackers can craft command requests that bypass allowlist validation by leveraging transparent command wrappers to perform unintended operations.
References:
| Field | Detail |
|---|---|
| CVSS | 2.3 (LOW) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-693 (Protection Mechanism Failure) |
| Affected | < 2026.5.6 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-68xw-r643-9p5w |
OpenClaw before 2026.5.6 contains a hook bypass vulnerability where skill commands routed through the affected dispatch path skip before-tool-call hook coverage. Attackers can exploit this by sending skill commands through the vulnerable dispatch path to bypass hook-based auditing and policy enforcement mechanisms.
References:
| Field | Detail |
|---|---|
| CVSS | 2.3 (LOW) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-636 (Not Failing Securely ('Failing Open')) |
| Affected | < 2026.4.25 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-8mg9-j9cf-54cj |
OpenClaw before 2026.4.25 contains a scope containment bypass vulnerability in device re-pairing that allows authenticated operators to restore broader scopes than intended by submitting empty-scope re-pairing requests. Attackers can exploit this by sending re-pairing requests with empty scope sets to skip containment guards and retain unauthorized device access.
References:
| Field | Detail |
|---|---|
| CVSS | 2.3 (LOW) — CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-807 (Reliance on Untrusted Inputs in a Security Decision), CWE-863 (Incorrect Authorization) |
| Affected | < 2026.5.7 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-8j37-5w68-wj2g |
OpenClaw before 2026.5.7 contains a sender policy bypass vulnerability in BlueBubbles that allows participants to match allowlist entries through conversation metadata rather than stable sender identity. Attackers can influence conversation-level identifiers to receive agent responses intended for configured senders, potentially bypassing access controls.
References:
| Field | Detail |
|---|---|
| CVSS | 2.3 (LOW) — CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-266 (Incorrect Privilege Assignment), CWE-345 (Insufficient Verification of Data Authenticity) |
| Affected | < 2026.5.12 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-9v8j-9c9g-w66c |
OpenClaw before 2026.5.12 contains a bootstrap token replay vulnerability allowing callers with pending token access to reuse tokens with broader requested scopes. Attackers can replay bootstrap tokens before approval to escalate pairing authority beyond intended scope limits.
References:
- VulnCheck Advisory: OpenClaw < 2026.5.12 - Bootstrap Token Replay via Pending Pairing Scope Widening
CVE-2026-53841 — OpenClaw: Exported session HTML could keep unsafe markdown links
| Field | Detail |
|---|---|
| CVSS | 2.1 (LOW) — CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
| CWE | CWE-83 (Improper Neutralization of Script in Attributes in a Web Page) |
| Affected | < 2026.5.12 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-w9hf-3pp7-pvxv |
OpenClaw before 2026.5.12 contains a cross-site scripting vulnerability in exported session HTML that preserves unsafe javascript: and data: links in generated content. Attackers can execute browser-side scripts if a trusted operator opens the exported file and activates a malicious link.
References:
Of 50 GHSAs with CVE IDs, 50 are fully published and 0 remain RESERVED.
```mermaid
graph LR
A["1️⃣ GitHub Reserves<br/>CVE ID<br/><b>RESERVED</b>"] --> B["2️⃣ GHSA Goes Public<br/>with CVE ID Shown"]
B --> C["3️⃣ CNA Submits<br/>CVE Record via<br/>CVE Services<br/><b>PUBLISHED</b>"]
C --> D["4️⃣ cvelistV5 Bot<br/>Commits JSON File"]
style A fill:#fee,stroke:#c33,color:#333
style B fill:#fff3cd,stroke:#856404,color:#333
style C fill:#d4edda,stroke:#155724,color:#333
style D fill:#cce5ff,stroke:#004085,color:#333
```
| CVE ID | State | cvelistV5 | GHSA Published | CNA |
|---|---|---|---|---|
| CVE-2026-24763 | ✅ PUBLISHED | ✅ | 2026-02-02 | GitHub_M |
| CVE-2026-25157 | ✅ PUBLISHED | ✅ | 2026-02-02 | GitHub_M |
| CVE-2026-25253 | ✅ PUBLISHED | ✅ | 2026-02-02 | mitre |
| CVE-2026-26317 | ✅ PUBLISHED | ✅ | 2026-02-18 | GitHub_M |
| CVE-2026-26328 | ✅ PUBLISHED | ✅ | 2026-02-18 | GitHub_M |
| CVE-2026-28452 | ✅ PUBLISHED | ✅ | 2026-02-18 | VulnCheck |
| CVE-2026-28458 | ✅ PUBLISHED | ✅ | 2026-02-17 | VulnCheck |
| CVE-2026-28469 | ✅ PUBLISHED | ✅ | 2026-02-18 | VulnCheck |
| CVE-2026-28478 | ✅ PUBLISHED | ✅ | 2026-02-18 | VulnCheck |
| CVE-2026-28480 | ✅ PUBLISHED | ✅ | 2026-02-18 | VulnCheck |
| CVE-2026-29612 | ✅ PUBLISHED | ✅ | 2026-02-18 | VulnCheck |
| CVE-2026-41358 | ✅ PUBLISHED | ✅ | 2026-05-04 | VulnCheck |
| CVE-2026-43570 | ✅ PUBLISHED | ✅ | 2026-05-05 | VulnCheck |
| CVE-2026-44112 | ✅ PUBLISHED | ✅ | 2026-05-04 | VulnCheck |
| CVE-2026-44113 | ✅ PUBLISHED | ✅ | 2026-05-04 | VulnCheck |
| CVE-2026-44116 | ✅ PUBLISHED | ✅ | 2026-05-04 | VulnCheck |
| CVE-2026-44118 | ✅ PUBLISHED | ✅ | 2026-05-04 | VulnCheck |
| CVE-2026-44991 | ✅ PUBLISHED | ✅ | 2026-04-29 | VulnCheck |
| CVE-2026-44992 | ✅ PUBLISHED | ✅ | 2026-04-25 | VulnCheck |
| CVE-2026-44997 | ✅ PUBLISHED | ✅ | 2026-05-04 | VulnCheck |
| CVE-2026-45003 | ✅ PUBLISHED | ✅ | 2026-05-04 | VulnCheck |
| CVE-2026-45004 | ✅ PUBLISHED | ✅ | 2026-05-05 | VulnCheck |
| CVE-2026-45005 | ✅ PUBLISHED | ✅ | 2026-05-05 | VulnCheck |
| CVE-2026-53840 | ✅ PUBLISHED | ✅ | 2026-06-17 | VulnCheck |
| CVE-2026-53841 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53842 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53843 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53844 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53845 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53846 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53847 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53848 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53849 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53850 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53851 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53852 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53853 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53854 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53855 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53856 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53857 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53858 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53859 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53860 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53861 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53862 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53863 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53864 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53865 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53866 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| Insight | Detail |
|---|---|
| Dominant Weakness | 57% of categorized issues relate to Allowlist Bypass (45/79) |
| V5 Sync Rate | 50/50 CVE IDs (100%) have full cvelistV5 records |
| Advisory Velocity | 192 security advisories across 2026-02-02 → 2026-06-18 |
| Top Severity | 2 Critical + 84 High = 86 high-impact issues (45%) |
| Category | Count | Examples |
|---|---|---|
| OS Command Injection (CWE-78) | 14 | PATH injection, SSH command injection, Docker exec, keychain writes |
| Path Traversal (CWE-22) | 4 | MEDIA: paths, plugin install, browser downloads, Zip Slip, transcript paths |
| SSRF | 5 | Image tool fetch, Feishu extension, attachment/media URLs, IPv6 bypass |
| Auth Bypass / Missing Auth | 3 | WebSocket config.apply, webhook verification, browser relay, sandbox bridge |
| Allowlist Bypass | 45 | Telegram usernames, Matrix displayName, Slack DM, Twitch, voice-call |
| Injection (XSS/CSRF/Prompt) | 5 | XSS in Control UI, prompt injection via Slack/CWD/logs, CSRF |
| Denial of Service | 3 | Unbounded media fetch, webhook body buffering, archive expansion |
| GHSA | CVE | Title | Published |
|---|---|---|---|
| GHSA-rx78-29qr-5hq8 | CVE-2026-53865 | OpenClaw: Workspace-derived service PATH could influence trash command selection | 2026-06-18 | |
| GHSA-wc84-j36w-pw4x | CVE-2026-53858 | OpenClaw: Workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots | 2026-06-18 | |
| GHSA-cw4q-gqg5-g38h | CVE-2026-53849 | OpenClaw: Discord allowFrom could bind to mutable display names | 2026-06-18 | |
| GHSA-24vr-rprv-67rf | CVE-2026-53846 | OpenClaw: Workspace .env npm_execpath could influence bundled runtime dependency install | 2026-06-18 | |
| GHSA-v2ww-5rh7-2h5v | CVE-2026-53853 | OpenClaw: Linux and macOS exec allowlists skipped configured argument patterns | 2026-06-18 | |
| GHSA-8c59-hr4w-qg69 | CVE-2026-53857 | OpenClaw: Zalo allowFrom could bind to mutable display names | 2026-06-18 | |
| GHSA-5cj2-3jr2-5h77 | CVE-2026-53855 | OpenClaw: Shell positional parameters could weaken strict inline-eval checks | 2026-06-18 | |
| GHSA-fq9j-vw4w-fr6v | CVE-2026-53842 | OpenClaw: Workspace .env CLOUDSDK_PYTHON could influence Gmail setup gcloud execution | 2026-06-18 | |
| GHSA-f397-5vjw-v2c2 | CVE-2026-53866 | OpenClaw: Shell inline-command parsing could miss an allowlist check | 2026-06-18 | |
| GHSA-q99w-vh6v-q3v7 | CVE-2026-53843 | OpenClaw: Pairing-scoped device session could restore revoked node token authority | 2026-06-18 | |
| GHSA-ccwh-wwpp-6wg5 | CVE-2026-53864 | OpenClaw: Host environment sanitizer missed two Node.js control variables | 2026-06-18 | |
| GHSA-rjxq-qqhf-8hwh | CVE-2026-53840 | OpenClaw: MCP Streamable HTTP redirects could forward configured custom headers to another origin | 2026-06-17 | |
| GHSA-2w22-3f6x-3hf4 | — | Duplicate Advisory: Workspace-derived service PATH could influence trash command selection | 2026-06-16 | |
| GHSA-vr6h-vxqj-3pjx | — | Duplicate Advisory: Host environment sanitizer missed two Node.js control variables | 2026-06-16 | |
| GHSA-v383-2wgg-v483 | — | Duplicate Advisory: Shell inline-command parsing could miss an allowlist check | 2026-06-16 | |
| GHSA-3v3j-737j-7g74 | — | Duplicate Advisory: Linux and macOS exec allowlists skipped configured argument patterns | 2026-06-16 | |
| GHSA-4qgr-57jq-93vh | — | Duplicate Advisory: Workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots | 2026-06-16 | |
| GHSA-w7m7-3xcf-mp48 | — | Duplicate Advisory: Zalo allowFrom could bind to mutable display names | 2026-06-16 | |
| GHSA-27pq-2ph8-8x25 | — | Duplicate Advisory: Shell positional parameters could weaken strict inline-eval checks | 2026-06-16 | |
| GHSA-qp5j-jr73-m2pw | — | Duplicate Advisory: Workspace .env npm_execpath could influence bundled runtime dependency install | 2026-06-16 | |
| GHSA-p44v-rx83-vjp4 | — | Duplicate Advisory: Discord allowFrom could bind to mutable display names | 2026-06-16 | |
| GHSA-9fr2-p65v-gqxq | — | Duplicate Advisory: Workspace .env CLOUDSDK_PYTHON could influence Gmail setup gcloud execution | 2026-06-16 | |
| GHSA-wrmq-9fc4-gwwj | — | Duplicate Advisory: Pairing-scoped device session could restore revoked node token authority | 2026-06-16 | |
| GHSA-xpr6-2hgm-4wwp | — | Duplicate Advisory: OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution | 2026-05-11 | |
| GHSA-9r9j-3r2w-fg3v | — | Duplicate Advisory: OpenClaw: Workspace dotenv could override runtime-control environment variables | 2026-05-06 | |
| GHSA-35vf-vw9f-q3cr | — | Duplicate Advisory: OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens | 2026-05-06 | |
| GHSA-m8wm-r5vq-qjpg | — | Duplicate Advisory: OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation | 2026-05-06 | |
| GHSA-xrgf-r9gr-jjjf | — | Duplicate Advisory: OpenClaw: Exec environment denylist missed high-risk interpreter startup variables | 2026-05-06 | |
| GHSA-cjg8-85gj-v9q2 | — | Duplicate Advisory: OpenClaw: Feishu webhook and card-action validation now fail closed | 2026-05-06 | |
| GHSA-79rr-5c85-xvw3 | — | Duplicate Advisory: OpenClaw: Matrix room control-command authorization no longer trusts DM pairing-store entries | 2026-05-06 | |
| GHSA-r39h-4c2p-3jxp | CVE-2026-45004 | OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution | 2026-05-05 | |
| GHSA-cwj3-vqpp-pmxr | — | OpenClaw's gateway config mutation guard allowed unsafe model-driven config writes | 2026-05-05 | |
| GHSA-r6xh-pqhr-v4xh | CVE-2026-44118 | OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens | 2026-05-04 | |
| GHSA-5mh4-3rv3-fpcf | — | Duplicate Advisory: OpenClaw: Host exec environment sanitization misses package, registry, Docker, compiler, and TLS override variables | 2026-04-28 | |
| GHSA-5799-3xg7-rfrv | — | Duplicate Advisory: OpenClaw: SSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host | 2026-04-28 | |
| GHSA-rq6g-px6m-c248 | CVE-2026-28469 | OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting | 2026-02-18 | |
| GHSA-3fqr-4cg8-h96q | CVE-2026-26317 | OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints | 2026-02-18 | |
| GHSA-q447-rj3r-2cgh | CVE-2026-28478 | OpenClaw affected by denial of service via unbounded webhook request body buffering | 2026-02-18 | |
| GHSA-mr32-vwc2-5j6h | CVE-2026-28458 | OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access | 2026-02-17 | |
| GHSA-q284-4pvr-m585 | CVE-2026-25157 | OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand | 2026-02-02 | |
| GHSA-g8p2-7wf7-98mq | CVE-2026-25253 | OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl | 2026-02-02 | |
| GHSA-mc68-q9jw-2h3v | CVE-2026-24763 | OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable | 2026-02-02 | |
| GHSA-r2c6-8jc8-g32w | — | Duplicate Advisory: 1-Click RCE via Authentication Token Exfiltration From gatewayUrl | 2026-02-02 |
| GHSA | CVE | Title | Published |
|---|---|---|---|
| GHSA-4hpg-mp64-x7xq | CVE-2026-53854 | OpenClaw: Internal/webchat command auth could inherit ownerAllowFrom wildcard state | 2026-06-18 | |
| GHSA-mpc8-jxjh-qpgh | CVE-2026-53850 | OpenClaw: Focus command could miss controlScope enforcement | 2026-06-18 | |
| GHSA-72fw-cqh5-f324 | CVE-2026-53844 | OpenClaw: memory-wiki shared search could miss session visibility checks | 2026-06-18 | |
| GHSA-rwp6-7w3q-75fq | CVE-2026-53856 | OpenClaw: Config recovery could restore openclaw.json with broad file permissions | 2026-06-18 | |
| GHSA-x629-46cc-7xgw | CVE-2026-53847 | OpenClaw: Active Memory write scope could mutate global config | 2026-06-18 | |
| GHSA-w9hf-3pp7-pvxv | CVE-2026-53841 | OpenClaw: Exported session HTML could keep unsafe markdown links | 2026-06-18 | |
| GHSA-fcvx-5cxc-v5p8 | CVE-2026-53851 | OpenClaw: Slack reaction events could ignore reaction notification settings | 2026-06-18 | |
| GHSA-gxg4-2rrr-jhc7 | CVE-2026-53859 | OpenClaw: Hostname checks could treat trailing-dot hosts inconsistently | 2026-06-18 | |
| GHSA-c226-q6fx-6j6c | CVE-2026-53861 | OpenClaw: macOS Swift exec allowlist missed combined POSIX inline flags | 2026-06-18 | |
| GHSA-985f-72mj-8gf7 | CVE-2026-53863 | OpenClaw: Tool group policy callers could accept unvalidated group IDs | 2026-06-18 | |
| GHSA-8wmm-344f-mpjg | — | Duplicate Advisory: Tool group policy callers could accept unvalidated group IDs | 2026-06-16 | |
| GHSA-g796-jqmx-wf9q | — | Duplicate Advisory: macOS Swift exec allowlist missed combined POSIX inline flags | 2026-06-16 | |
| GHSA-vqx6-6j84-2794 | — | Duplicate Advisory: Hostname checks could treat trailing-dot hosts inconsistently | 2026-06-16 | |
| GHSA-r2fx-hp6p-pgrm | — | Duplicate Advisory: Internal/webchat command auth could inherit ownerAllowFrom wildcard state | 2026-06-16 | |
| GHSA-vqj9-vhg4-27mg | — | Duplicate Advisory: Config recovery could restore openclaw.json with broad file permissions | 2026-06-16 | |
| GHSA-c8w7-9w9h-x69q | — | Duplicate Advisory: Slack reaction events could ignore reaction notification settings | 2026-06-16 | |
| GHSA-gw2c-6hcg-5g52 | — | Duplicate Advisory: Focus command could miss controlScope enforcement | 2026-06-16 | |
| GHSA-58wc-8wrv-xp9j | — | Duplicate Advisory: Active Memory write scope could mutate global config | 2026-06-16 | |
| GHSA-x7cf-6gp3-q5f8 | — | Duplicate Advisory: MCP Streamable HTTP redirects could forward configured custom headers to another origin | 2026-06-16 | |
| GHSA-6jm4-83g2-35gv | — | Duplicate Advisory: memory-wiki shared search could miss session visibility checks | 2026-06-16 | |
| GHSA-v8j2-5f9p-fmh4 | — | Duplicate Advisory: OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload | 2026-05-11 | |
| GHSA-5jgm-f9wr-9qm7 | — | Duplicate Advisory: OpenClaw: Workspace dotenv files cannot override connector endpoint hosts | 2026-05-11 | |
| GHSA-9j32-3m66-mc4m | — | Duplicate Advisory: OpenClaw: Hook mapping templates could bypass hook session-key opt-in | 2026-05-11 | |
| GHSA-m5j2-r859-r5cv | — | Duplicate Advisory: OpenClaw: Isolated cron awareness events were recorded as trusted system events | 2026-05-11 | |
| GHSA-4mhr-cxr4-2prm | — | Duplicate Advisory: OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests | 2026-05-11 | |
| GHSA-p3m6-jr2h-hhxj | — | | Duplicate Advisory: OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config | 2026-05-11 |
| GHSA-6f72-9gxx-98mj | — | | Duplicate Advisory: OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root | 2026-05-06 |
| GHSA-frr5-j3mh-h9ch | — | | Duplicate Advisory: OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes | 2026-05-06 |
| GHSA-qvmw-h675-h7qg | — | | Duplicate Advisory: OpenClaw validates Zalo outbound photo URLs through the SSRF guard | 2026-05-06 |
| GHSA-r747-33r4-rmjw | — | | Duplicate Advisory: OpenClaw: QQBot direct media upload skipped URL SSRF validation | 2026-05-06 |
| GHSA-82rm-qcfx-2v78 | — | | Duplicate Advisory: OpenClaw: Delivery queue recovery could lose group tool-policy context for media replay | 2026-05-06 |
| GHSA-w7rc-vvgx-pj45 | — | | Duplicate Advisory: OpenClaw: Browser SSRF hostname validation could be bypassed by DNS rebinding | 2026-05-06 |
| GHSA-3r56-7hhr-vfg9 | — | | Duplicate Advisory: OpenClaw: CDP /json/version WebSocket URL could pivot to untrusted second-hop targets | 2026-05-06 |
| GHSA-wwwc-f646-vj2j | — | | Duplicate Advisory: OpenClaw: Browser press/type interaction routes missed complete navigation guard coverage | 2026-05-06 |
| GHSA-q8ff-7ffm-m3r9 | CVE-2026-45005 | | OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload | 2026-05-05 |
| GHSA-35mw-5vvr-vrxc | CVE-2026-43570 | | OpenClaw contains a symlink traversal vulnerability | 2026-05-05 |
| GHSA-5h3g-6xhh-rg6p | CVE-2026-44113 | | OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes | 2026-05-04 |
| GHSA-wppj-c6mr-83jj | CVE-2026-44112 | | OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root | 2026-05-04 |
| GHSA-55cf-xx38-4p9p | CVE-2026-45003 | | OpenClaw: Workspace dotenv files cannot override connector endpoint hosts | 2026-05-04 |
| GHSA-q3jj-46pq-826r | CVE-2026-44997 | | OpenClaw's ACP child sessions inherit subagent security envelope constraints | 2026-05-04 |
| GHSA-2hh7-c75g-qj2r | CVE-2026-44116 | | OpenClaw validates Zalo outbound photo URLs through the SSRF guard | 2026-05-04 |
| GHSA-93rg-2xm5-2p9v | — | | OpenClaw's Gateway Control UI bootstrap config required Gateway auth | 2026-05-04 |
| GHSA-x3h8-jrgh-p8jx | — | | OpenClaw's exec allowlist analysis rejects shell expansion in unquoted heredocs | 2026-05-04 |
| GHSA-c28g-vh7m-fm7v | CVE-2026-44991 | | OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners | 2026-04-29 |
| GHSA-gfg9-5357-hv4c | — | | OpenClaw: Webchat audio embedding could read local files without local-root containment | 2026-04-29 |
| GHSA-f5fm-9jmp-c88r | — | | Duplicate Advisory: OpenClaw: Trailing-dot localhost CDP hosts could bypass remote loopback protections | 2026-04-28 |
| GHSA-8pf2-vj79-4wxg | — | | Duplicate Advisory: OpenClaw: MSTeams thread history bypasses sender allowlist via Graph API | 2026-04-28 |
| GHSA-qp56-gp47-jwj3 | — | | Duplicate Advisory: OpenClaw: Feishu extension resolveUploadInput bypasses file-system sandbox and allows arbitrary file reads via upload_image | 2026-04-28 |
| GHSA-h2vw-ph2c-jvwf | CVE-2026-44992 | | OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests | 2026-04-25 |
| GHSA-7jm2-g593-4qrc | — | | OpenClaw: Agent gateway config mutations could change protected operator settings | 2026-04-25 |
| GHSA-qrp5-gfw2-gxv4 | — | | OpenClaw: Bundled MCP/LSP tools could bypass configured tool policy | 2026-04-25 |
| GHSA-mj5r-hh7j-4gxf | CVE-2026-28480 | | OpenClaw Telegram allowlist authorization accepted mutable usernames | 2026-02-18 |
| GHSA-h89v-j3x9-8wqj | CVE-2026-28452 | | OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR) | 2026-02-18 |
| GHSA-w2cg-vxx6-5xjg | CVE-2026-29612 | | OpenClaw: denial of service through large base64 media files allocating large buffers before limit checks | 2026-02-18 |
| GHSA-g34w-4xqq-h79m | CVE-2026-26328 | | OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities | 2026-02-18 |

| GHSA | CVE | Severity | Title | Published |
|---|---|---|---|---|
| GHSA-8mg9-j9cf-54cj | CVE-2026-53852 | | OpenClaw: Empty-scope device re-pairing could confuse caller scope containment | 2026-06-18 |
| GHSA-8j37-5w68-wj2g | CVE-2026-53860 | | OpenClaw: BlueBubbles sender policy could match mutable conversation identifiers | 2026-06-18 |
| GHSA-68xw-r643-9p5w | CVE-2026-53845 | | OpenClaw: Skill-command dispatch could skip before-tool-call hooks | 2026-06-18 |
| GHSA-9v8j-9c9g-w66c | CVE-2026-53862 | | OpenClaw: Bootstrap token replay could widen pending pairing scopes | 2026-06-18 |
| GHSA-cwpp-5962-q4f6 | CVE-2026-53848 | | OpenClaw: Exec allowlist could miss side effects from transparent command wrappers | 2026-06-18 |
| GHSA-h9h6-pwqv-j9hv | — | | Duplicate Advisory: Bootstrap token replay could widen pending pairing scopes | 2026-06-16 |
| GHSA-8hj2-w4c9-fjfq | — | | Duplicate Advisory: BlueBubbles sender policy could match mutable conversation identifiers | 2026-06-16 |
| GHSA-hc4w-hm59-9w88 | — | | Duplicate Advisory: Empty-scope device re-pairing could confuse caller scope containment | 2026-06-16 |
| GHSA-r7vv-6763-m739 | — | | Duplicate Advisory: Skill-command dispatch could skip before-tool-call hooks | 2026-06-16 |
| GHSA-wrr6-p5r6-474m | — | | Duplicate Advisory: Exec allowlist could miss side effects from transparent command wrappers | 2026-06-16 |
| GHSA-6xcg-6q43-rj2v | — | | Duplicate Advisory: Exported session HTML could keep unsafe markdown links | 2026-06-16 |
| GHSA-p3pv-c954-9m6f | — | | Duplicate Advisory: OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners | 2026-05-11 |
| GHSA-w626-296m-8f85 | — | | Duplicate Advisory: OpenClaw's ACP child sessions inherit subagent security envelope constraints | 2026-05-11 |
| GHSA-qm77-8qjp-4vcm | CVE-2026-41358 | | OpenClaw: Slack thread context could include messages from non-allowlisted senders | 2026-05-04 |
| GHSA-chm2-m3w2-wcxm | — | | OpenClaw Google Chat spoofing access with allowlist authorized mutable email principal despite sender-ID mismatch | 2026-02-17 |

These advisories are listed on the repo security page but not yet indexed in the GitHub Advisory Database. See the full advisory list for details.

The 79 repo-only advisories:

| GHSA | Severity | Title | Published |
|---|---|---|---|
| GHSA-2hfg-4fh4-qp7f | | Browser act interactions could bypass private-network navigation checks | 2026-05-28 |
| GHSA-2q7j-2vhx-56g8 | | Feishu tools could ignore per-account disablement | 2026-06-30 |
| GHSA-2x93-h3hg-2xfp | | Browser snapshot routes could miss post-navigation SSRF checks | 2026-06-30 |
| GHSA-34mr-7r3m-gfg7 | | Exec allowlist glob matching could allow traversal bypasses | 2026-06-30 |
| GHSA-3c6j-hq33-3jv4 | | Paired nodes could forge exec lifecycle events without system.run provenance | 2026-05-28 |
| GHSA-3fp5-v549-9v66 | | flock wrapper could bypass durable exec approval binding | 2026-06-30 |
| GHSA-3pmr-x9g8-m55r | | Discord guild actions could skip cross-provider requester authorization | 2026-06-30 |
| GHSA-3x84-qq85-fj65 | | Browser CDP discovery could accept blocked WebSocket URLs | 2026-06-30 |
| GHSA-4pqj-3c56-5fqq | | Workspace dotenv files could override provider credentials | 2026-06-30 |
| GHSA-52xj-c9p8-78cv | | MCP loopback could expose owner-only tools to non-owner runs | 2026-06-30 |
| GHSA-575v-8hfq-m3mc | | Sandbox bind mounts could bypass parent-directory denylist checks | 2026-06-30 |
| GHSA-6fvr-66p3-3qj4 | | Hook-triggered CLI runs could receive owner MCP tool authority | 2026-05-28 |
| GHSA-724r-v4wf-mqc5 | | Hooks allowedAgentIds could be bypassed with blank agent IDs | 2026-06-30 |
| GHSA-7jx6-764p-fgg9 | | QQBot exec approvals could allow non-allowlisted senders | 2026-06-30 |
| GHSA-7vrr-rp4x-4g76 | | Plugin install commands could allow non-owner persistence | 2026-06-30 |
| GHSA-8f46-3xx3-8c9m | | Node exec approvals could use different gateway and node environments | 2026-06-30 |
| GHSA-8v95-qqcm-qp9h | | device.pair.approve could bypass role-management checks | 2026-06-30 |
| GHSA-9969-8g9h-rxwm | | Host exec environment filtering could allow Git ext transport | 2026-06-30 |
| GHSA-cf2p-f286-mphf | | Identity-bearing HTTP callers could reach admin-scoped tools | 2026-06-30 |
| GHSA-chr9-m4q2-76hw | | Control UI locality spoofing could mint a durable admin device token | 2026-05-28 |
| GHSA-f6p7-6326-vf7v | | Discord moderation actions could miss trusted requester checks | 2026-06-30 |
| GHSA-fh38-965w-f6c3 | | WhatsApp group IDs could satisfy elevated sender allowlists | 2026-06-30 |
| GHSA-hjr6-g723-hmfm | | Host exec environment filtering could miss interpreter startup variables | 2026-06-30 |
| GHSA-hw9r-h9mr-4jff | | Scoped chat.send route inheritance could bypass admin command scope gates | 2026-05-28 |
| GHSA-hx85-fgcw-9vrc | | Device-pair approval could expose node system.run early | 2026-06-30 |
| GHSA-jhfx-v2j8-x3m6 | | OpenAI-compatible HTTP model overrides could miss admin authorization | 2026-06-30 |
| GHSA-m38g-vpwj-mpg9 | | OpenShell mirror sync could follow remote symlink parents | 2026-06-30 |
| GHSA-mgq6-vr84-7m2j | | QQBot native approval buttons did not enforce configured approver identity | 2026-05-28 |
| GHSA-mgvr-6gvw-3rgr | | Sandbox exec-server HTTP requests could reach internal networks | 2026-06-30 |
| GHSA-mhq8-78pj-5j79 | | POSIX node system.run safe-bin allowlist could be widened by shell expansion | 2026-05-28 |
| GHSA-mm9g-83wh-mhwj | | Isolated cron jobs could regain denied exec tools | 2026-06-30 |
| GHSA-p5xh-frrh-cmgj | | MS Teams message actions could miss requester authorization | 2026-06-30 |
| GHSA-qjpc-qf9m-xwmr | | Trusted-proxy Control UI WebSocket accepted client-declared scopes before pairing | 2026-05-28 |
| GHSA-rh6r-vvfc-86jq | | Setup-mode discovery could load untrusted workspace plugins | 2026-06-30 |
| GHSA-v7hx-r36p-f68m | | Message mutations could skip requester authorization | 2026-06-30 |
| GHSA-vr7j-7684-7gm5 | | HTTP Canvas responses could forge trusted A2UI actions | 2026-06-30 |
| GHSA-w8wf-3qvj-6xqf | | Feishu permission tools could ignore per-account disablement | 2026-06-30 |
| GHSA-wp73-f3gg-w4vr | | ClickClack agent-mode dispatch could ignore toolsAllow | 2026-06-30 |
| GHSA-wxh3-g47h-q3mc | | Host exec environment filtering could miss rustup startup variables | 2026-06-30 |
| GHSA-wxm8-ghhq-q688 | | MS Teams safeFetch could race DNS rebinding checks | 2026-06-30 |
| GHSA-x863-pqjw-hmgf | | Browser act route could miss current-tab URL checks | 2026-06-30 |
| GHSA-xr4f-mjxj-w6w5 | | Non-owner chat senders could issue device-pairing bootstrap codes | 2026-05-28 |
| GHSA-xww8-gqvh-92x9 | | Exec approval display truncation could hide the command being approved | 2026-05-28 |
| GHSA-2j8v-hwgc-x698 | | Shell wrapper argv could change between approval and execution | 2026-05-28 |
| GHSA-4xwj-mcc7-x7x5 | | Remote media URLs could slow-read exhaust tool workers | 2026-06-30 |
| GHSA-5p6w-wmh3-frfr | | WebSocket auth attempts could avoid non-browser rate limits | 2026-06-30 |
| GHSA-77pv-3w4q-vrj5 | | QQBot pre-dispatch slash commands could skip allowFrom checks | 2026-05-28 |
| GHSA-77q5-rr5v-x43q | | Trusted retry endpoint checks could match hostname prefixes | 2026-05-28 |
| GHSA-7hxm-f538-3xp6 | | Matrix allowFrom could bind to mutable display names | 2026-05-28 |
| GHSA-7w4v-g4m6-j88v | | MS Teams allowFrom could bind to mutable display names | 2026-06-30 |
| GHSA-83w9-h5wv-j9xm | | Node pairing reconnection could confuse approval scope state | 2026-05-28 |
| GHSA-8wg3-5mcm-fjq8 | | Workspace .env could override Homebrew executable selection for skill install flows | 2026-05-28 |
| GHSA-9c3v-684m-579c | | MCP SSE redirects could forward Authorization headers | 2026-06-30 |
| GHSA-c29c-2q9c-pc86 | | Slack allowFrom could bind to mutable display names | 2026-05-28 |
| GHSA-cqwv-9qjx-vxw2 | | Skill Workshop apply flow could override pending approval | 2026-05-28 |
| GHSA-fh8v-vgcv-pwh4 | | ClickClack allowFrom could allow non-allowlisted commands | 2026-06-30 |
| GHSA-fwgr-fpv9-vf5x | | QQBot media upload could reach untrusted remote URLs | 2026-06-30 |
| GHSA-gp79-m99v-gjmh | | Mattermost handlers could fall open when channel type was missing | 2026-05-28 |
| GHSA-grc3-2j34-p6gm | | message.action forwarding could send Gateway credentials to model-supplied loopback URLs | 2026-05-28 |
| GHSA-hcm3-8f6r-6xwg | | Browser debug/export routes could reuse already-open blocked tabs | 2026-05-28 |
| GHSA-j472-gf56-x589 | | PowerShell encoded-command aliases could miss exec allowlist checks | 2026-05-28 |
| GHSA-j4cx-jvq7-79vm | | Trajectory export could skip broad credential redaction | 2026-06-30 |
| GHSA-jvm4-4j77-39p6 | | QQBot streaming command could mutate config without explicit allowFrom | 2026-05-28 |
| GHSA-mhm4-93fw-4qr2 | | Skill command dispatch could skip effective tool policy | 2026-06-30 |
| GHSA-p2fh-f5fc-44hr | | memory-wiki ingest could read local files with operator.write scope | 2026-05-28 |
| GHSA-p73f-w79w-jqr5 | | Native command authorization could skip owner-command enforcement | 2026-05-28 |
| GHSA-prwc-c6w5-mmgr | | Bot Framework serviceUrl validation could leak bot tokens | 2026-06-30 |
| GHSA-q7q8-3mgw-q67r | | Message read actions could skip channel allowlist checks | 2026-05-28 |
| GHSA-qh2f-99mv-mrcf | | Bundle MCP loopback could miss its exec denylist on session spawn | 2026-05-28 |
| GHSA-rggc-m335-3wvj | | Same-host trusted-proxy deployments could accept local forged identity headers | 2026-05-28 |
| GHSA-v4f6-x5g5-2g4g | | Native web search could ignore OpenClaw tool policy | 2026-06-30 |
| GHSA-v54h-q2vx-vgg4 | | MS Teams outbound requests could leak Bot Framework tokens | 2026-06-30 |
| GHSA-v6r2-jh58-xx6w | | Marketplace runtime extension metadata could point at unscanned payloads | 2026-05-28 |
| GHSA-vxx3-6hc9-7cc3 | | Combined POSIX shell options could confuse exec revalidation | 2026-05-28 |
| GHSA-w4v6-g3wm-w36c | | QQBot admin commands could skip DM-only and allowFrom policy | 2026-05-28 |
| GHSA-w5ww-7chg-mxcq | | Telegram interactive callbacks could skip commands.allowFrom | 2026-05-28 |
| GHSA-wgq8-x5wm-g4rw | | Plugin install wrappers could skip install policy | 2026-06-30 |
| GHSA-wv26-j37q-2g7p | | Slack plugin approvals used the exec approver gate for plugin actions | 2026-05-28 |
| GHSA-3wqp-prf6-2m72 | | Feishu dynamic-agent bindings could miss configWrites enforcement | 2026-05-28 |
The OpenClaw project has been renamed multiple times, causing inconsistencies across CVE records:

| CVE | vendor | product | packageURL | Description Names |
|---|---|---|---|---|
| CVE-2026-25253 | OpenClaw | OpenClaw | pkg:npm/clawdbot | OpenClaw / clawdbot / Moltbot |
| CVE-2026-24763 | clawdbot | clawdbot | — | OpenClaw (formerly Clawdbot) |
| CVE-2026-28478 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-53843 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-53849 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-53857 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-44118 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-45004 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-28469 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-25157 | openclaw | openclaw | — | OpenClaw |
| CVE-2026-53855 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-53853 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-53866 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-53864 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-28458 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-53865 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-26317 | openclaw | clawdbot | — | OpenClaw (formerly Clawdbot) |
| CVE-2026-53842 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-53858 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-53846 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-44116 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-28480 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-29612 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-53850 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-28452 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-26328 | openclaw | clawdbot | — | OpenClaw (formerly Clawdbot) |
| CVE-2026-53851 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-44113 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-44112 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-43570 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-53844 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-53840 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-53854 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-53863 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-53859 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-45005 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-53856 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-53847 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-53861 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-44992 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-45003 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-41358 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-44991 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-44997 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-53848 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-53845 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-53852 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-53860 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-53862 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-53841 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |

| Source | URL |
|---|---|
| CVE List v5 (full scan, all CNAs) | CVEProject/cvelistV5 — every record affecting OpenClaw, any assigner |
| GitHub Advisory DB | github.com/advisories |
| Repo Security Tab | openclaw/openclaw/security |
| CVE Services API | https://cveawg.mitre.org/api/cve-id/{CVE-ID} |

Auto-generated by update_readme.py · Updated every 6h via GitHub Actions
Data: ghsa-advisories.json · cves.json · cve-pipeline-status.json
Maintained by Jerry Gamblin · OpenClawCVEs