Skip to content

jgamblin/OpenClawCVEs

Repository files navigation

🛡️ OpenClaw CVE & Security Advisory Tracker

Total Advisories All-CNA CVEs Project CVEs Assigned CVEs Published Reserved
Critical High Medium Low Awaiting CVE

An automated tracker that continuously monitors OpenClaw security advisories across the GitHub Advisory Database, repo-level security advisories, and a full scan of the CVE V5 (cvelistV5) registry covering every CVE affecting OpenClaw regardless of which CNA assigned it. On each run it pulls the latest data, reconciles GHSA → CVE publication state, breaks the totals down by assigning CNA, and regenerates this dashboard so you always have an up-to-date picture of the project's vulnerability landscape.

Last updated: 2026-07-01 13:05 UTC · MIT License · Full Advisory List · Security Policy · Data: cvelistV5 + Advisory DB · Updates every 6h


All CVEs by CNA · Published CVEs · Pipeline · Advisories · Categories · Insights · Identity


🏗️ Project Identity

Field Value
Current Name OpenClaw
Previous Names Moltbot (second name), Clawdbot (original name)
Repository openclaw/openclaw
npm Package openclaw (formerly clawdbot)
Author Peter Steinberger (steipete)
Search terms for CVE discovery

To find all CVEs, search for: openclaw, clawdbot, moltbot, clawhub, pkg:npm/clawdbot, pkg:npm/openclaw


🌐 All OpenClaw CVEs by Assigning CNA (CVE List V5)

The sections lower down track CVEs that have an OpenClaw GitHub Security Advisory — i.e. CVEs the project issued itself. That is only part of the picture. A direct scan of the authoritative CVE List V5 registry finds 543 CVEs that name OpenClaw as an affected product, the large majority assigned by third-party researchers rather than the project. Earlier versions of this tracker reported only the ~50 project-issued (GHSA-linked) CVEs and were blind to this external stream.

Count
Total OpenClaw CVEs (all CNAs) 543
Project-issued (GitHub as CNA) 34
Third-party-issued (VulnCheck, ZDI, MITRE, …) 509

By Assigning CNA

CNA CVEs Share
VulnCheck 500 92.1%
GitHub_M 34 6.3%
VulDB 4 0.7%
zdi 3 0.6%
mitre 2 0.4%

2026 Monthly Publish Trend

The steady third-party (VulnCheck-led) disclosure cadence across 2026:

Month CVEs
2026-02 35 ████
2026-03 198 ████████████████████
2026-04 174 ██████████████████
2026-05 75 ████████
2026-06 61 ██████

Methodology: generated by reconcile_cnas.py, which scans every record in CVEProject/cvelistV5 and selects those whose containers.cna.affected[].vendor or .product is openclaw (case-insensitive), or that reference github.com/openclaw/openclaw. REJECTED records are excluded. VulnCheck is by far the dominant CNA — its researchers drive the bulk of OpenClaw disclosures. The GHSA-based sections below cover the project's own advisories and are unchanged. Full reconciled set: openclaw-cves-all.json · aggregates: cna-breakdown.json.


🚀 CVEs Published in cvelistV5 (50)

These CVEs have full records in the CVEProject/cvelistV5 repository:

CVE ID Severity CVSS Title CWE Published
CVE-2026-25253 High 8.8 OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl CWE-669 2026-02-01
CVE-2026-24763 High 8.8 OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable CWE-78 2026-02-02
CVE-2026-28478 High 8.7 OpenClaw affected by denial of service via unbounded webhook request body buffering CWE-770 2026-03-05
CVE-2026-53843 High 8.7 OpenClaw: Pairing-scoped device session could restore revoked node token authority CWE-613 2026-06-16
CVE-2026-53849 High 8.6 OpenClaw: Discord allowFrom could bind to mutable display names CWE-290 2026-06-16
CVE-2026-53857 High 8.6 OpenClaw < 2026.5.3 - Mutable Display Name Binding in Zalo allowFrom Policy CWE-290 2026-06-16
CVE-2026-44118 High 8.5 OpenClaw < 2026.4.22 - Owner Context Spoofing via Bearer Token Header CWE-290 2026-05-06
CVE-2026-45004 High 8.4 OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution CWE-427 2026-05-11
CVE-2026-28469 High 8.2 OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting CWE-639 2026-03-05
CVE-2026-25157 High 7.8 OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand CWE-78 2026-02-04
CVE-2026-53855 High 7.6 OpenClaw < 2026.4.2 - Shell Positional Parameters Bypass in Inline-Eval Checks CWE-184, CWE-863 2026-06-16
CVE-2026-53853 High 7.6 OpenClaw: Linux and macOS exec allowlists skipped configured argument patterns CWE-693, CWE-863 2026-06-16
CVE-2026-53866 High 7.6 OpenClaw < 2026.5.12 - Allowlist Bypass in Shell Inline-Command Parsing CWE-862 2026-06-16
CVE-2026-53864 High 7.6 OpenClaw: Host environment sanitizer missed two Node.js control variables CWE-184 2026-06-16
CVE-2026-28458 High 7.4 OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access CWE-306 2026-03-05
CVE-2026-53865 High 7.2 OpenClaw: Workspace-derived service PATH could influence trash command selection CWE-426 2026-06-16
CVE-2026-26317 High 7.1 OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints CWE-352 2026-02-19
CVE-2026-53842 High 7 OpenClaw: Workspace .env CLOUDSDK_PYTHON could influence Gmail setup gcloud execution CWE-426 2026-06-16
CVE-2026-53858 High 7 OpenClaw: Workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots CWE-426 2026-06-16
CVE-2026-53846 High 7 OpenClaw: Workspace .env npm_execpath could influence bundled runtime dependency install CWE-426 2026-06-16
CVE-2026-44116 Medium 6.9 OpenClaw < 2026.4.22 - Server-Side Request Forgery in Zalo Photo URL Validation CWE-918 2026-05-06
CVE-2026-28480 Medium 6.9 OpenClaw Telegram allowlist authorization accepted mutable usernames CWE-290 2026-03-05
CVE-2026-29612 Medium 6.8 OpenClaw < 2026.2.14 - Denial of Service via Large Base64 Media File Decoding CWE-770 2026-03-05
CVE-2026-53850 Medium 6.8 OpenClaw < 2026.4.25 - Control Scope Enforcement Bypass in Focus Command CWE-862 2026-06-16
CVE-2026-28452 Medium 6.7 OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR) CWE-770 2026-03-05
CVE-2026-26328 Medium 6.5 OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities CWE-284, CWE-863 2026-02-19
CVE-2026-53851 Medium 6.3 OpenClaw < 2026.5.12 - Slack Reaction Event Notification Bypass CWE-862 2026-06-16
CVE-2026-44113 Medium 6 OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes CWE-367 2026-05-06
CVE-2026-44112 Medium 6 OpenClaw < 2026.4.22 - Symlink Swap Race Condition in OpenShell FS Bridge Writes CWE-367 2026-05-06
CVE-2026-43570 Medium 6 OpenClaw contains a symlink traversal vulnerability CWE-61 2026-05-05
CVE-2026-53844 Medium 6 OpenClaw < 2026.4.29 - Session Visibility Check Bypass in Shared Memory Search CWE-862 2026-06-16
CVE-2026-53840 Medium 6 OpenClaw: MCP Streamable HTTP redirects could forward configured custom headers to another origin CWE-522 2026-06-16
CVE-2026-53854 Medium 6 OpenClaw: Internal/webchat command auth could inherit ownerAllowFrom wildcard state CWE-863 2026-06-16
CVE-2026-53863 Medium 6 OpenClaw < 2026.4.25 - Unvalidated Group ID Acceptance in Tool Group Policy CWE-639 2026-06-16
CVE-2026-53859 Medium 6 OpenClaw < 2026.5.26 - Hostname Validation Bypass via Trailing-Dot Inconsistency CWE-1023, CWE-918 2026-06-16
CVE-2026-45005 Medium 5.9 OpenClaw < 2026.4.23 - Webhook Route Secret Cache Not Invalidated After Rotation CWE-672 2026-05-11
CVE-2026-53856 Medium 5.7 OpenClaw: Config recovery could restore openclaw.json with broad file permissions CWE-732 2026-06-16
CVE-2026-53847 Medium 5.3 OpenClaw < 2026.5.6 - Privilege Escalation via Active Memory Write Scope CWE-266 2026-06-16
CVE-2026-53861 Medium 5.3 OpenClaw < 2026.5.6 - Allowlist Bypass via Combined POSIX Inline Flags on macOS CWE-184 2026-06-16
CVE-2026-44992 Medium 4.1 OpenClaw 2026.4.5 < 2026.4.20 - MiniMax API Host Override via Workspace dotenv CWE-441 2026-05-11
CVE-2026-45003 Medium 4.1 OpenClaw: Workspace dotenv files cannot override connector endpoint hosts CWE-441 2026-05-11
CVE-2026-41358 Low 2.3 OpenClaw < 2026.4.2 - Sender Allowlist Bypass via Slack Thread Context CWE-346 2026-04-23
CVE-2026-44991 Low 2.3 OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners CWE-863 2026-05-11
CVE-2026-44997 Low 2.3 OpenClaw < 2026.4.22 - Security Envelope Constraint Bypass in ACP Child Sessions CWE-266 2026-05-11
CVE-2026-53848 Low 2.3 OpenClaw < 2026.5.26 - Exec Allowlist Bypass via Transparent Command Wrappers CWE-184 2026-06-16
CVE-2026-53845 Low 2.3 OpenClaw: Skill-command dispatch could skip before-tool-call hooks CWE-693 2026-06-16
CVE-2026-53852 Low 2.3 OpenClaw < 2026.4.25 - Scope Bypass via Empty-Scope Device Re-pairing CWE-636 2026-06-16
CVE-2026-53860 Low 2.3 OpenClaw: BlueBubbles sender policy could match mutable conversation identifiers CWE-807, CWE-863 2026-06-16
CVE-2026-53862 Low 2.3 OpenClaw < 2026.5.12 - Bootstrap Token Replay via Pending Pairing Scope Widening CWE-266, CWE-345 2026-06-16
CVE-2026-53841 Low 2.1 OpenClaw: Exported session HTML could keep unsafe markdown links CWE-83 2026-06-16
📖 Detailed CVE Analysis (click to expand)

CVE-2026-25253 — OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl

Field Detail
CVSS 8.8 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE CWE-669 (CWE-669 Incorrect Resource Transfer Between Spheres)
Affected < 2026.1.29
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-g8p2-7wf7-98mq

OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value.

Naming note: Uses all three names in description. packageURL still references pkg:npm/clawdbot. References:


CVE-2026-24763 — OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable

Field Detail
CVSS 8.8 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE CWE-78 (CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))
Affected < 2026.1.29
Vendor/Product clawdbot / clawdbot
Advisory GHSA-mc68-q9jw-2h3v

OpenClaw (formerly Clawdbot) is a personal AI assistant you run on your own devices. Prior to 2026.1.29, a command injection vulnerability existed in OpenClaw’s Docker sandbox execution mechanism due to unsafe handling of the PATH environment variable when constructing shell commands. An authenticated user able to control environment variables could influence command execution within the container context. This vulnerability is fixed in 2026.1.29.

Naming note: Uses old name clawdbot/clawdbot as vendor/product. References:


CVE-2026-28478 — OpenClaw affected by denial of service via unbounded webhook request body buffering

Field Detail
CVSS 8.7 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE CWE-770 (Allocation of Resources Without Limits or Throttling)
Affected < 2026.2.13
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-q447-rj3r-2cgh

OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers that buffer request bodies without strict byte or time limits. Remote unauthenticated attackers can send oversized JSON payloads or slow uploads to webhook endpoints causing memory pressure and availability degradation.

References:


CVE-2026-53843 — OpenClaw: Pairing-scoped device session could restore revoked node token authority

Field Detail
CVSS 8.7 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE CWE-613 (Insufficient Session Expiration)
Affected < 2026.5.26
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-q99w-vh6v-q3v7

OpenClaw before 2026.5.26 contains an authorization bypass vulnerability where a surviving pairing-scoped device session can re-establish node token authority after revocation. Attackers with a paired device can regain WebSocket node-level access without renewed approval, weakening revocation controls and maintaining unauthorized access longer than intended.

References:


CVE-2026-53849 — OpenClaw: Discord allowFrom could bind to mutable display names

Field Detail
CVSS 8.6 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CWE CWE-290 (Authentication Bypass by Spoofing)
Affected < 2026.5.7
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-cw4q-gqg5-g38h

OpenClaw before 2026.5.7 contains a privilege escalation vulnerability where the allowFrom feature improperly validates Discord account identity using mutable display names instead of immutable user IDs. Attackers with Discord accounts can change their display name to match a policy entry and gain unauthorized agent access intended for another Discord identity.

References:


CVE-2026-53857 — OpenClaw < 2026.5.3 - Mutable Display Name Binding in Zalo allowFrom Policy

Field Detail
CVSS 8.6 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CWE CWE-290 (Authentication Bypass by Spoofing)
Affected < 2026.5.3
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-8c59-hr4w-qg69

OpenClaw before 2026.5.3 contains a policy enforcement vulnerability where Zalo contacts with mutable display metadata could match allowFrom policy entries through display name changes. Attackers with mutable display names could receive agent responses intended for different Zalo identities when the feature is enabled.

References:


CVE-2026-44118 — OpenClaw < 2026.4.22 - Owner Context Spoofing via Bearer Token Header

Field Detail
CVSS 8.5 (HIGH) — CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE CWE-290 (CWE-290: Authentication Bypass by Spoofing)
Affected < 2026.4.22
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-r6xh-pqhr-v4xh

OpenClaw before 2026.4.22 derives loopback MCP owner context from spoofable server-issued bearer tokens in request headers. Non-owner loopback clients can present themselves as owner to bypass owner-gated operations by manipulating the sender-owner header metadata.

References:


CVE-2026-45004 — OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution

Field Detail
CVSS 8.4 (HIGH) — CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE CWE-427 (Uncontrolled Search Path Element)
Affected < 2026.4.23
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-r39h-4c2p-3jxp

OpenClaw before 2026.4.23 contains an arbitrary code execution vulnerability in the bundled plugin setup resolver that loads setup-api.js from process.cwd() during provider setup metadata resolution. Attackers can execute arbitrary JavaScript under the current user account by placing a malicious extensions//setup-api.js file in a repository and convincing a user to run OpenClaw commands from that directory.

References:


CVE-2026-28469 — OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting

Field Detail
CVSS 8.2 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
CWE CWE-639 (Authorization Bypass Through User-Controlled Key)
Affected < 2026.2.14
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-rq6g-px6m-c248

OpenClaw versions prior to 2026.2.14 contain a webhook routing vulnerability in the Google Chat monitor component that allows cross-account policy context misrouting when multiple webhook targets share the same HTTP path. Attackers can exploit first-match request verification semantics to process inbound webhook events under incorrect account contexts, bypassing intended allowlists and session policies.

References:


CVE-2026-25157 — OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand

Field Detail
CVSS 7.8 (HIGH) — CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE CWE-78 (CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))
Affected < 2026.1.29
Vendor/Product openclaw / openclaw
Advisory GHSA-q284-4pvr-m585

OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vulnerability via the Project Root Path in sshNodeCommand. The sshNodeCommand function constructed a shell script without properly escaping the user-supplied project path in an error message. When the cd command failed, the unescaped path was interpolated directly into an echo statement, allowing arbitrary command execution on the remote SSH host. The parseSSHTarget function did not validate that SSH target strings could not begin with a dash. An attacker-supplied target like -oProxyCommand=... would be interpreted as an SSH configuration flag rather than a hostname, allowing arbitrary command execution on the local machine. This issue has been patched in version 2026.1.29.


CVE-2026-53855 — OpenClaw < 2026.4.2 - Shell Positional Parameters Bypass in Inline-Eval Checks

Field Detail
CVSS 7.6 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CWE CWE-184 (Incomplete List of Disallowed Inputs), CWE-863 (Incorrect Authorization)
Affected < 2026.4.2
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-5cj2-3jr2-5h77

OpenClaw before 2026.4.2 contains an inline-eval bypass vulnerability allowing authenticated operators to weaken strict allowlist checks via shell positional parameters. Attackers can combine allowlisted tools with shell positional arguments to place inline-eval content in shell carriers outside intended allowlist rules, enabling execution of unapproved shell-provided content.

References:


CVE-2026-53853 — OpenClaw: Linux and macOS exec allowlists skipped configured argument patterns

Field Detail
CVSS 7.6 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
CWE CWE-693 (Protection Mechanism Failure), CWE-863 (Incorrect Authorization)
Affected < 2026.5.12
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-v2ww-5rh7-2h5v

OpenClaw before 2026.5.12 contains an argument pattern validation bypass in the exec allowlist that allows attackers to execute disallowed arguments for allowlisted executables on Linux and macOS systems. Attackers can bypass configured argPattern restrictions by directly invoking allowlisted executables with unrestricted arguments, potentially enabling unauthorized file access, network access, or command execution.

References:


CVE-2026-53866 — OpenClaw < 2026.5.12 - Allowlist Bypass in Shell Inline-Command Parsing

Field Detail
CVSS 7.6 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CWE CWE-862 (Missing Authorization)
Affected < 2026.5.12
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-f397-5vjw-v2c2

OpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in shell inline-command parsing that allows authenticated operators to execute unapproved commands. A command request using shell inline-command forms could route through a parser case missing the expected allowlist decision, enabling shell content execution without intended approval prompts.

References:


CVE-2026-53864 — OpenClaw: Host environment sanitizer missed two Node.js control variables

Field Detail
CVSS 7.6 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CWE CWE-184 (Incomplete List of Disallowed Inputs)
Affected < 2026.5.26
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-ccwh-wwpp-6wg5

OpenClaw before 2026.5.26 contains an insufficient sanitization vulnerability in the host environment sanitizer that allows Node.js control variables to bypass validation. Attackers with access to workspace .env files, tool environment overrides, or skill environment blocks can pass malicious Node.js control variables to influence child processes or coverage output paths.

References:


CVE-2026-28458 — OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access

Field Detail
CVSS 7.4 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CWE CWE-306 (Missing Authentication for Critical Function)
Affected < 2026.2.1
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-mr32-vwc2-5j6h

OpenClaw version 2026.1.20 prior to 2026.2.1 contains a vulnerability in the Browser Relay (extension must be installed and enabled) /cdp WebSocket endpoint in which it does not require authentication tokens, allowing websites to connect via loopback and access sensitive data. Attackers can exploit this by connecting to ws://127.0.0.1:18792/cdp to steal session cookies and execute JavaScript in other browser tabs.

References:


CVE-2026-53865 — OpenClaw: Workspace-derived service PATH could influence trash command selection

Field Detail
CVSS 7.2 (HIGH) — CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CWE CWE-426 (Untrusted Search Path)
Affected < 2026.5.2
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-rx78-29qr-5hq8

OpenClaw before 2026.5.2 contains a path traversal vulnerability in maintenance task execution that allows workspace-derived service paths to influence trash command selection. Attackers can execute unintended local executables from operator-unintended paths during maintenance operations by manipulating workspace-derived environment paths.

References:


CVE-2026-26317 — OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints

Field Detail
CVSS 7.1 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
CWE CWE-352 (CWE-352: Cross-Site Request Forgery (CSRF))
Affected <= 2026.1.24-3
Vendor/Product openclaw / clawdbot
Advisory GHSA-3fqr-4cg8-h96q

OpenClaw is a personal AI assistant. Prior to 2026.2.14, browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins. A malicious website can trigger unauthorized state changes against a victim's local OpenClaw browser control plane (for example opening tabs, starting/stopping the browser, mutating storage/cookies) if the browser control service is reachable on loopback in the victim's browser context. Starting in version 2026.2.14, mutating HTTP methods (POST/PUT/PATCH/DELETE) are rejected when the request indicates a non-loopback Origin/Referer (or Sec-Fetch-Site: cross-site). Other mitigations include enabling browser control auth (token/password) and avoid running with auth disabled.

Naming note: Uses old name openclaw/clawdbot as vendor/product. References:


CVE-2026-53842 — OpenClaw: Workspace .env CLOUDSDK_PYTHON could influence Gmail setup gcloud execution

Field Detail
CVSS 7 (HIGH) — CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CWE CWE-426 (Untrusted Search Path)
Affected < 2026.5.2
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-fq9j-vw4w-fr6v

OpenClaw before 2026.5.2 contains an environment variable injection vulnerability allowing workspace .env files to influence Python runtime selection through CLOUDSDK_PYTHON during Gmail setup gcloud execution. Attackers with repository access can manipulate the CLOUDSDK_PYTHON variable to execute setup through unintended local Python paths, potentially enabling arbitrary code execution.

References:


CVE-2026-53858 — OpenClaw: Workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots

Field Detail
CVSS 7 (HIGH) — CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CWE CWE-426 (Untrusted Search Path)
Affected < 2026.5.2
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-wc84-j36w-pw4x

OpenClaw before 2026.5.2 contains an environment variable injection vulnerability where workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots. Attackers can manipulate the STATE_DIRECTORY variable to load runtime dependencies from unintended local paths, potentially executing malicious code during dependency resolution.

References:


CVE-2026-53846 — OpenClaw: Workspace .env npm_execpath could influence bundled runtime dependency install

Field Detail
CVSS 7 (HIGH) — CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CWE CWE-426 (Untrusted Search Path)
Affected < 2026.4.29
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-24vr-rprv-67rf

OpenClaw before 2026.4.29 contains a path traversal vulnerability in the install helper that allows workspace .env files to override the npm_execpath configuration used for bundled runtime dependency installation. Attackers with workspace access can execute unintended local package-manager executables during dependency setup to compromise the build environment.

References:


CVE-2026-44116 — OpenClaw < 2026.4.22 - Server-Side Request Forgery in Zalo Photo URL Validation

Field Detail
CVSS 6.9 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N
CWE CWE-918 (CWE-918 Server-Side Request Forgery (SSRF))
Affected < 2026.4.22
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-2hh7-c75g-qj2r

OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthorized access to internal resources.

References:


CVE-2026-28480 — OpenClaw Telegram allowlist authorization accepted mutable usernames

Field Detail
CVSS 6.9 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CWE CWE-290 (Authentication Bypass by Spoofing)
Affected < 2026.2.14
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-mj5r-hh7j-4gxf

OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerability where Telegram allowlist matching accepts mutable usernames instead of immutable numeric sender IDs. Attackers can spoof identity by obtaining recycled usernames to bypass allowlist restrictions and interact with bots as unauthorized senders.

References:


CVE-2026-29612 — OpenClaw < 2026.2.14 - Denial of Service via Large Base64 Media File Decoding

Field Detail
CVSS 6.8 (MEDIUM) — CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE CWE-770 (Allocation of Resources Without Limits or Throttling)
Affected < 2026.2.14
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-w2cg-vxx6-5xjg

OpenClaw versions prior to 2026.2.14 decode base64-backed media inputs into buffers before enforcing decoded-size budget limits, allowing attackers to trigger large memory allocations. Remote attackers can supply oversized base64 payloads to cause memory pressure and denial of service.

References:


CVE-2026-53850 — OpenClaw < 2026.4.25 - Control Scope Enforcement Bypass in Focus Command

Field Detail
CVSS 6.8 (MEDIUM) — CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
CWE CWE-862 (Missing Authorization)
Affected < 2026.4.25
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-mpc8-jxjh-qpgh

OpenClaw before 2026.4.25 contains a control scope enforcement bypass vulnerability in the focus command that allows authenticated callers to execute the command without proper authorization checks. Attackers can trigger the focus command to change focus state outside intended caller authority, potentially enabling unauthorized operations depending on gateway configuration and input trust levels.

References:


CVE-2026-28452 — OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR)

Field Detail
CVSS 6.7 (MEDIUM) — CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE CWE-770 (Allocation of Resources Without Limits or Throttling)
Affected < 2026.2.14
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-h89v-j3x9-8wqj

OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the extractArchive function within src/infra/archive.ts that allows attackers to consume excessive CPU, memory, and disk resources through high-expansion ZIP and TAR archives. Remote attackers can trigger resource exhaustion by providing maliciously crafted archive files during install or update operations, causing service degradation or system unavailability.

References:


CVE-2026-26328 — OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities

Field Detail
CVSS 6.5 (MEDIUM) — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CWE CWE-284 (CWE-284: Improper Access Control), CWE-863 (CWE-863: Incorrect Authorization)
Affected <= 2026.1.24-3
Vendor/Product openclaw / clawdbot
Advisory GHSA-g34w-4xqq-h79m

OpenClaw is a personal AI assistant. Prior to version 2026.2.14, under iMessage groupPolicy=allowlist, group authorization could be satisfied by sender identities coming from the DM pairing store, broadening DM trust into group contexts. Version 2026.2.14 fixes the issue.

Naming note: Uses old name openclaw/clawdbot as vendor/product. References:


CVE-2026-53851 — OpenClaw < 2026.5.12 - Slack Reaction Event Notification Bypass

Field Detail
CVSS 6.3 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
CWE CWE-862 (Missing Authorization)
Affected < 2026.5.12
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-fcvx-5cxc-v5p8

OpenClaw before 2026.5.12 contains a notification bypass vulnerability allowing Slack reaction events to enter the agent pipeline despite disabled reaction notifications. Attackers can trigger unintended agent processing by sending reaction events when the feature is enabled, potentially leading to unauthorized processing of lower-trust input.

References:


CVE-2026-44113 — OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes

Field Detail
CVSS 6 (MEDIUM) — CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CWE CWE-367 (CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition)
Affected < 2026.4.22
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-5h3g-6xhh-rg6p

OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in the OpenShell filesystem bridge that allows attackers to read files outside the intended mount root. Attackers can exploit symlink swaps during filesystem operations to bypass sandbox restrictions and access unauthorized file contents.

References:


CVE-2026-44112 — OpenClaw < 2026.4.22 - Symlink Swap Race Condition in OpenShell FS Bridge Writes

Field Detail
CVSS 6 (MEDIUM) — CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
CWE CWE-367 (CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition)
Affected < 2026.4.22
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-wppj-c6mr-83jj

OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in OpenShell sandbox filesystem writes that allows attackers to redirect writes outside the intended mount root. Attackers can exploit symlink swaps during filesystem operations to bypass sandbox restrictions and write files outside the local mount root.

References:


CVE-2026-43570 — OpenClaw contains a symlink traversal vulnerability

Field Detail
CVSS 6 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CWE CWE-61 (CWE-61 UNIX Symbolic Link (Symlink) Following)
Affected < 2026.4.5
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-cr8r-7g2h-6wr6

OpenClaw versions 2026.3.22 before 2026.4.5 contain a symlink traversal vulnerability in remote marketplace repository path handling that allows attackers to escape the expected repository root. Attackers can exploit this by providing crafted symlink paths to access files outside the intended repository directory.

References:


CVE-2026-53844 — OpenClaw < 2026.4.29 - Session Visibility Check Bypass in Shared Memory Search

Field Detail
CVSS 6 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CWE CWE-862 (Missing Authorization)
Affected < 2026.4.29
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-72fw-cqh5-f324

OpenClaw before 2026.4.29 contains a session visibility check bypass vulnerability in shared memory search that allows authenticated callers to access memory entries without proper authorization. Attackers can skip session visibility guards on the search path to retrieve memory entries that should not be visible to their session.

References:


CVE-2026-53840 — OpenClaw: MCP Streamable HTTP redirects could forward configured custom headers to another origin

Field Detail
CVSS 6 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
CWE CWE-522 (Insufficiently Protected Credentials)
Affected < 2026.5.12
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-rjxq-qqhf-8hwh

OpenClaw before 2026.5.12 contains an information disclosure vulnerability in streamable-http MCP servers that forwards operator-configured custom headers during cross-origin redirects. Attackers controlling or compromising an MCP endpoint can redirect requests to exfiltrate sensitive headers like API keys or tenant-routing credentials to attacker-controlled origins.

References:


CVE-2026-53854 — OpenClaw: Internal/webchat command auth could inherit ownerAllowFrom wildcard state

Field Detail
CVSS 6 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
CWE CWE-863 (Incorrect Authorization)
Affected < 2026.4.25
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-4hpg-mp64-x7xq

OpenClaw before 2026.4.25 contains a privilege escalation vulnerability in internal and webchat command authentication that allows senders to inherit wildcard ownerAllowFrom state across channel boundaries. Attackers can exploit this by sending commands on affected internal or webchat paths to execute owner-style command behavior outside intended channel scope, potentially bypassing access controls.

References:


CVE-2026-53863 — OpenClaw < 2026.4.25 - Unvalidated Group ID Acceptance in Tool Group Policy

Field Detail
CVSS 6 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
CWE CWE-639 (Authorization Bypass Through User-Controlled Key)
Affected < 2026.4.25
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-985f-72mj-8gf7

OpenClaw before 2026.4.25 contains an input validation vulnerability in tool group policy callers that accept unvalidated group IDs. Attackers who can supply a group ID to the policy resolver could trigger incorrect group-policy decisions for tool invocations, potentially bypassing intended access controls.

References:


CVE-2026-53859 — OpenClaw < 2026.5.26 - Hostname Validation Bypass via Trailing-Dot Inconsistency

Field Detail
CVSS 6 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CWE CWE-1023 (Incomplete Comparison with Missing Factors), CWE-918 (Server-Side Request Forgery (SSRF))
Affected < 2026.5.26
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-gxg4-2rrr-jhc7

OpenClaw before 2026.5.26 contains a hostname validation vulnerability allowing attackers to bypass blocklist comparisons using trailing-dot notation in model or workspace-derived URLs. Attackers can exploit inconsistent hostname checks to reach destinations that operators intended to block through hostname policies.

References:


CVE-2026-45005 — OpenClaw < 2026.4.23 - Webhook Route Secret Cache Not Invalidated After Rotation

Field Detail
CVSS 5.9 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
CWE CWE-672 (Operation on a Resource after Expiration or Release)
Affected < 2026.4.23
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-q8ff-7ffm-m3r9

OpenClaw before 2026.4.23 caches resolved webhook route secrets backed by SecretRef values, allowing stale secrets to remain valid after rotation and reload. Attackers with previously valid webhook route secrets can continue authenticating requests and invoking configured webhook task flows until gateway or plugin restart.

References:


CVE-2026-53856 — OpenClaw: Config recovery could restore openclaw.json with broad file permissions

Field Detail
CVSS 5.7 (MEDIUM) — CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CWE CWE-732 (Incorrect Permission Assignment for Critical Resource)
Affected < 2026.4.24
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-rwp6-7w3q-75fq

OpenClaw 2026.4.23 before 2026.4.24 contains an insecure file permissions vulnerability in config recovery that restores OpenClaw.json with overly broad permissions. Local attackers on shared hosts can read sensitive configuration data by exploiting the recovery path to access the restored config file.

References:


CVE-2026-53847 — OpenClaw < 2026.5.6 - Privilege Escalation via Active Memory Write Scope

Field Detail
CVSS 5.3 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
CWE CWE-266 (Incorrect Privilege Assignment)
Affected < 2026.5.6
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-x629-46cc-7xgw

OpenClaw before 2026.5.6 contains a privilege escalation vulnerability in the Active Memory write scope that allows Gateway operators with operator.write access to modify global configuration without requiring operator.admin privileges. Attackers with operator.write access can exploit insufficient scope validation to apply unauthorized configuration changes beyond the intended write scope.

References:


CVE-2026-53861 — OpenClaw < 2026.5.6 - Allowlist Bypass via Combined POSIX Inline Flags on macOS

Field Detail
CVSS 5.3 (MEDIUM) — CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CWE CWE-184 (Incomplete List of Disallowed Inputs)
Affected < 2026.5.6
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-c226-q6fx-6j6c

OpenClaw before 2026.5.6 contains an allowlist bypass vulnerability in the macOS Swift exec feature that misses combined POSIX inline-command flags. Attackers can execute shell content outside the intended allowlist check by using combined flag forms, potentially allowing unauthorized command execution depending on operator configuration.

References:


CVE-2026-44992 — OpenClaw 2026.4.5 < 2026.4.20 - MiniMax API Host Override via Workspace dotenv

Field Detail
CVSS 4.1 (MEDIUM) — CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CWE CWE-441 (Unintended Proxy or Intermediary ('Confused Deputy'))
Affected < 2026.4.20
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-h2vw-ph2c-jvwf

OpenClaw versions 2026.4.5 before 2026.4.20 contain an environment variable injection vulnerability allowing workspace dotenv to override MINIMAX_API_HOST. Attackers can redirect credentialed MiniMax API requests to attacker-controlled origins, exposing the MiniMax API key in Authorization headers.

References:


CVE-2026-45003 — OpenClaw: Workspace dotenv files cannot override connector endpoint hosts

Field Detail
CVSS 4.1 (MEDIUM) — CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CWE CWE-441 (Unintended Proxy or Intermediary ('Confused Deputy'))
Affected < 2026.4.22
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-55cf-xx38-4p9p

OpenClaw before 2026.4.22 allows workspace dotenv files to override connector endpoint hosts for Matrix, Mattermost, IRC, and Synology connectors. Attackers with workspace access can redirect runtime traffic to malicious endpoints by setting endpoint variables in dotenv files.

References:


CVE-2026-41358 — OpenClaw < 2026.4.2 - Sender Allowlist Bypass via Slack Thread Context

Field Detail
CVSS 2.3 (LOW) — CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CWE CWE-346 (CWE-346: Origin Validation Error)
Affected < 2026.4.2
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-qm77-8qjp-4vcm

OpenClaw before 2026.4.2 fails to filter Slack thread context by sender allowlist, allowing non-allowlisted messages to enter agent context. Attackers can inject unauthorized thread messages through allowlisted user replies to bypass sender access controls and manipulate model context.

References:


CVE-2026-44991 — OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners

Field Detail
CVSS 2.3 (LOW) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CWE CWE-863 (Incorrect Authorization)
Affected < 2026.4.21
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-c28g-vh7m-fm7v

OpenClaw before 2026.4.21 contains an authorization bypass vulnerability in command-auth.ts that allows non-owner senders to execute owner-enforced slash commands when wildcard inbound senders are configured without explicit owner allowFrom settings. Attackers can exploit this by sending commands like /send, /config, or /debug on affected channels to bypass owner-only command authorization checks.

References:


CVE-2026-44997 — OpenClaw < 2026.4.22 - Security Envelope Constraint Bypass in ACP Child Sessions

Field Detail
CVSS 2.3 (LOW) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
CWE CWE-266 (Incorrect Privilege Assignment)
Affected < 2026.4.22
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-q3jj-46pq-826r

OpenClaw before 2026.4.22 contains a security envelope constraint bypass vulnerability allowing restricted subagents to spawn ACP child sessions that fail to inherit depth, child-count limits, control scope, or target-agent restrictions. Attackers can exploit this by spawning child sessions that bypass subagent-only constraints, potentially escalating privileges or accessing restricted resources.

References:


CVE-2026-53848 — OpenClaw < 2026.5.26 - Exec Allowlist Bypass via Transparent Command Wrappers

Field Detail
CVSS 2.3 (LOW) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
CWE CWE-184 (Incomplete List of Disallowed Inputs)
Affected < 2026.5.26
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-cwpp-5962-q4f6

OpenClaw before 2026.5.26 contains an exec allowlist bypass vulnerability allowing authenticated operators to execute wrapper-level side effects outside allowlisted command intent. Attackers can craft command requests that bypass allowlist validation by leveraging transparent command wrappers to perform unintended operations.

References:


CVE-2026-53845 — OpenClaw: Skill-command dispatch could skip before-tool-call hooks

Field Detail
CVSS 2.3 (LOW) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
CWE CWE-693 (Protection Mechanism Failure)
Affected < 2026.5.6
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-68xw-r643-9p5w

OpenClaw before 2026.5.6 contains a hook bypass vulnerability where skill commands routed through the affected dispatch path skip before-tool-call hook coverage. Attackers can exploit this by sending skill commands through the vulnerable dispatch path to bypass hook-based auditing and policy enforcement mechanisms.

References:


CVE-2026-53852 — OpenClaw < 2026.4.25 - Scope Bypass via Empty-Scope Device Re-pairing

Field Detail
CVSS 2.3 (LOW) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CWE CWE-636 (Not Failing Securely ('Failing Open'))
Affected < 2026.4.25
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-8mg9-j9cf-54cj

OpenClaw before 2026.4.25 contains a scope containment bypass vulnerability in device re-pairing that allows authenticated operators to restore broader scopes than intended by submitting empty-scope re-pairing requests. Attackers can exploit this by sending re-pairing requests with empty scope sets to skip containment guards and retain unauthorized device access.

References:


CVE-2026-53860 — OpenClaw: BlueBubbles sender policy could match mutable conversation identifiers

Field Detail
CVSS 2.3 (LOW) — CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CWE CWE-807 (Reliance on Untrusted Inputs in a Security Decision), CWE-863 (Incorrect Authorization)
Affected < 2026.5.7
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-8j37-5w68-wj2g

OpenClaw before 2026.5.7 contains a sender policy bypass vulnerability in BlueBubbles that allows participants to match allowlist entries through conversation metadata rather than stable sender identity. Attackers can influence conversation-level identifiers to receive agent responses intended for configured senders, potentially bypassing access controls.

References:


CVE-2026-53862 — OpenClaw < 2026.5.12 - Bootstrap Token Replay via Pending Pairing Scope Widening

Field Detail
CVSS 2.3 (LOW) — CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CWE CWE-266 (Incorrect Privilege Assignment), CWE-345 (Insufficient Verification of Data Authenticity)
Affected < 2026.5.12
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-9v8j-9c9g-w66c

OpenClaw before 2026.5.12 contains a bootstrap token replay vulnerability allowing callers with pending token access to reuse tokens with broader requested scopes. Attackers can replay bootstrap tokens before approval to escalate pairing authority beyond intended scope limits.

References:


CVE-2026-53841 — OpenClaw: Exported session HTML could keep unsafe markdown links

Field Detail
CVSS 2.1 (LOW) — CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CWE CWE-83 (Improper Neutralization of Script in Attributes in a Web Page)
Affected < 2026.5.12
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-w9hf-3pp7-pvxv

OpenClaw before 2026.5.12 contains a cross-site scripting vulnerability in exported session HTML that preserves unsafe javascript: and data: links in generated content. Attackers can execute browser-side scripts if a trusted operator opens the exported file and activates a malicious link.

References:



⏳ CVE Publication Pipeline

Of 50 GHSAs with CVE IDs, 50 are fully published and 0 remain RESERVED.

graph LR
    A["1️⃣ GitHub Reserves<br/>CVE ID<br/><b>RESERVED</b>"] --> B["2️⃣ GHSA Goes Public<br/>with CVE ID Shown"]
    B --> C["3️⃣ CNA Submits<br/>CVE Record via<br/>CVE Services<br/><b>PUBLISHED</b>"]
    C --> D["4️⃣ cvelistV5 Bot<br/>Commits JSON File"]

    style A fill:#fee,stroke:#c33,color:#333
    style B fill:#fff3cd,stroke:#856404,color:#333
    style C fill:#d4edda,stroke:#155724,color:#333
    style D fill:#cce5ff,stroke:#004085,color:#333
Loading
CVE ID State cvelistV5 GHSA Published CNA
CVE-2026-24763 PUBLISHED 2026-02-02 GitHub_M
CVE-2026-25157 PUBLISHED 2026-02-02 GitHub_M
CVE-2026-25253 PUBLISHED 2026-02-02 mitre
CVE-2026-26317 PUBLISHED 2026-02-18 GitHub_M
CVE-2026-26328 PUBLISHED 2026-02-18 GitHub_M
CVE-2026-28452 PUBLISHED 2026-02-18 VulnCheck
CVE-2026-28458 PUBLISHED 2026-02-17 VulnCheck
CVE-2026-28469 PUBLISHED 2026-02-18 VulnCheck
CVE-2026-28478 PUBLISHED 2026-02-18 VulnCheck
CVE-2026-28480 PUBLISHED 2026-02-18 VulnCheck
CVE-2026-29612 PUBLISHED 2026-02-18 VulnCheck
CVE-2026-41358 PUBLISHED 2026-05-04 VulnCheck
CVE-2026-43570 PUBLISHED 2026-05-05 VulnCheck
CVE-2026-44112 PUBLISHED 2026-05-04 VulnCheck
CVE-2026-44113 PUBLISHED 2026-05-04 VulnCheck
CVE-2026-44116 PUBLISHED 2026-05-04 VulnCheck
CVE-2026-44118 PUBLISHED 2026-05-04 VulnCheck
CVE-2026-44991 PUBLISHED 2026-04-29 VulnCheck
CVE-2026-44992 PUBLISHED 2026-04-25 VulnCheck
CVE-2026-44997 PUBLISHED 2026-05-04 VulnCheck
CVE-2026-45003 PUBLISHED 2026-05-04 VulnCheck
CVE-2026-45004 PUBLISHED 2026-05-05 VulnCheck
CVE-2026-45005 PUBLISHED 2026-05-05 VulnCheck
CVE-2026-53840 PUBLISHED 2026-06-17 VulnCheck
CVE-2026-53841 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53842 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53843 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53844 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53845 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53846 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53847 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53848 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53849 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53850 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53851 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53852 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53853 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53854 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53855 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53856 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53857 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53858 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53859 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53860 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53861 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53862 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53863 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53864 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53865 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53866 PUBLISHED 2026-06-18 VulnCheck

🔑 Key Insights

Insight Detail
Dominant Weakness 57% of categorized issues relate to Allowlist Bypass (45/79)
V5 Sync Rate 50/50 CVE IDs (100%) have full cvelistV5 records
Advisory Velocity 192 security advisories across 2026-02-02 → 2026-06-18
Top Severity 2 Critical + 84 High = 86 high-impact issues (45%)

Vulnerability Categories

Category Count Examples
OS Command Injection (CWE-78) 14 PATH injection, SSH command injection, Docker exec, keychain writes
Path Traversal (CWE-22) 4 MEDIA: paths, plugin install, browser downloads, Zip Slip, transcript paths
SSRF 5 Image tool fetch, Feishu extension, attachment/media URLs, IPv6 bypass
Auth Bypass / Missing Auth 3 WebSocket config.apply, webhook verification, browser relay, sandbox bridge
Allowlist Bypass 45 Telegram usernames, Matrix displayName, Slack DM, Twitch, voice-call
Injection (XSS/CSRF/Prompt) 5 XSS in Control UI, prompt injection via Slack/CWD/logs, CSRF
Denial of Service 3 Unbounded media fetch, webhook body buffering, archive expansion

📋 All Security Advisories (192)

Critical & High Severity

GHSA CVE Severity Title Published
GHSA-rx78-29qr-5hq8 CVE-2026-53865 High OpenClaw: Workspace-derived service PATH could influence trash command selection 2026-06-18
GHSA-wc84-j36w-pw4x CVE-2026-53858 High OpenClaw: Workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots 2026-06-18
GHSA-cw4q-gqg5-g38h CVE-2026-53849 High OpenClaw: Discord allowFrom could bind to mutable display names 2026-06-18
GHSA-24vr-rprv-67rf CVE-2026-53846 High OpenClaw: Workspace .env npm_execpath could influence bundled runtime dependency install 2026-06-18
GHSA-v2ww-5rh7-2h5v CVE-2026-53853 High OpenClaw: Linux and macOS exec allowlists skipped configured argument patterns 2026-06-18
GHSA-8c59-hr4w-qg69 CVE-2026-53857 High OpenClaw: Zalo allowFrom could bind to mutable display names 2026-06-18
GHSA-5cj2-3jr2-5h77 CVE-2026-53855 High OpenClaw: Shell positional parameters could weaken strict inline-eval checks 2026-06-18
GHSA-fq9j-vw4w-fr6v CVE-2026-53842 High OpenClaw: Workspace .env CLOUDSDK_PYTHON could influence Gmail setup gcloud execution 2026-06-18
GHSA-f397-5vjw-v2c2 CVE-2026-53866 High OpenClaw: Shell inline-command parsing could miss an allowlist check 2026-06-18
GHSA-q99w-vh6v-q3v7 CVE-2026-53843 High OpenClaw: Pairing-scoped device session could restore revoked node token authority 2026-06-18
GHSA-ccwh-wwpp-6wg5 CVE-2026-53864 High OpenClaw: Host environment sanitizer missed two Node.js control variables 2026-06-18
GHSA-rjxq-qqhf-8hwh CVE-2026-53840 High OpenClaw: MCP Streamable HTTP redirects could forward configured custom headers to another origin 2026-06-17
GHSA-2w22-3f6x-3hf4 High Duplicate Advisory: Workspace-derived service PATH could influence trash command selection 2026-06-16
GHSA-vr6h-vxqj-3pjx High Duplicate Advisory: Host environment sanitizer missed two Node.js control variables 2026-06-16
GHSA-v383-2wgg-v483 High Duplicate Advisory: Shell inline-command parsing could miss an allowlist check 2026-06-16
GHSA-3v3j-737j-7g74 High Duplicate Advisory: Linux and macOS exec allowlists skipped configured argument patterns 2026-06-16
GHSA-4qgr-57jq-93vh High Duplicate Advisory: Workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots 2026-06-16
GHSA-w7m7-3xcf-mp48 High Duplicate Advisory: Zalo allowFrom could bind to mutable display names 2026-06-16
GHSA-27pq-2ph8-8x25 High Duplicate Advisory: Shell positional parameters could weaken strict inline-eval checks 2026-06-16
GHSA-qp5j-jr73-m2pw High Duplicate Advisory: Workspace .env npm_execpath could influence bundled runtime dependency install 2026-06-16
GHSA-p44v-rx83-vjp4 High Duplicate Advisory: Discord allowFrom could bind to mutable display names 2026-06-16
GHSA-9fr2-p65v-gqxq High Duplicate Advisory: Workspace .env CLOUDSDK_PYTHON could influence Gmail setup gcloud execution 2026-06-16
GHSA-wrmq-9fc4-gwwj High Duplicate Advisory: Pairing-scoped device session could restore revoked node token authority 2026-06-16
GHSA-xpr6-2hgm-4wwp High Duplicate Advisory: OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution 2026-05-11
GHSA-9r9j-3r2w-fg3v High Duplicate Advisory: OpenClaw: Workspace dotenv could override runtime-control environment variables 2026-05-06
GHSA-35vf-vw9f-q3cr High Duplicate Advisory: OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens 2026-05-06
GHSA-m8wm-r5vq-qjpg Critical Duplicate Advisory: OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation 2026-05-06
GHSA-xrgf-r9gr-jjjf High Duplicate Advisory: OpenClaw: Exec environment denylist missed high-risk interpreter startup variables 2026-05-06
GHSA-cjg8-85gj-v9q2 Critical Duplicate Advisory: OpenClaw: Feishu webhook and card-action validation now fail closed 2026-05-06
GHSA-79rr-5c85-xvw3 High Duplicate Advisory: OpenClaw: Matrix room control-command authorization no longer trusts DM pairing-store entries 2026-05-06
GHSA-r39h-4c2p-3jxp CVE-2026-45004 High OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution 2026-05-05
GHSA-cwj3-vqpp-pmxr High OpenClaw's gateway config mutation guard allowed unsafe model-driven config writes 2026-05-05
GHSA-r6xh-pqhr-v4xh CVE-2026-44118 High OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens 2026-05-04
GHSA-5mh4-3rv3-fpcf High Duplicate Advisory: OpenClaw: Host exec environment sanitization misses package, registry, Docker, compiler, and TLS override variables 2026-04-28
GHSA-5799-3xg7-rfrv High Duplicate Advisory: OpenClaw: SSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host 2026-04-28
GHSA-rq6g-px6m-c248 CVE-2026-28469 High OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting 2026-02-18
GHSA-3fqr-4cg8-h96q CVE-2026-26317 High OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints 2026-02-18
GHSA-q447-rj3r-2cgh CVE-2026-28478 High OpenClaw affected by denial of service via unbounded webhook request body buffering 2026-02-18
GHSA-mr32-vwc2-5j6h CVE-2026-28458 High OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access 2026-02-17
GHSA-q284-4pvr-m585 CVE-2026-25157 High OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand 2026-02-02
GHSA-g8p2-7wf7-98mq CVE-2026-25253 High OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl 2026-02-02
GHSA-mc68-q9jw-2h3v CVE-2026-24763 High OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable 2026-02-02
GHSA-r2c6-8jc8-g32w High Duplicate Advisory: 1-Click RCE via Authentication Token Exfiltration From gatewayUrl 2026-02-02

Medium Severity

GHSA CVE Severity Title Published
GHSA-4hpg-mp64-x7xq CVE-2026-53854 Medium OpenClaw: Internal/webchat command auth could inherit ownerAllowFrom wildcard state 2026-06-18
GHSA-mpc8-jxjh-qpgh CVE-2026-53850 Medium OpenClaw: Focus command could miss controlScope enforcement 2026-06-18
GHSA-72fw-cqh5-f324 CVE-2026-53844 Medium OpenClaw: memory-wiki shared search could miss session visibility checks 2026-06-18
GHSA-rwp6-7w3q-75fq CVE-2026-53856 Medium OpenClaw: Config recovery could restore openclaw.json with broad file permissions 2026-06-18
GHSA-x629-46cc-7xgw CVE-2026-53847 Medium OpenClaw: Active Memory write scope could mutate global config 2026-06-18
GHSA-w9hf-3pp7-pvxv CVE-2026-53841 Medium OpenClaw: Exported session HTML could keep unsafe markdown links 2026-06-18
GHSA-fcvx-5cxc-v5p8 CVE-2026-53851 Medium OpenClaw: Slack reaction events could ignore reaction notification settings 2026-06-18
GHSA-gxg4-2rrr-jhc7 CVE-2026-53859 Medium OpenClaw: Hostname checks could treat trailing-dot hosts inconsistently 2026-06-18
GHSA-c226-q6fx-6j6c CVE-2026-53861 Medium OpenClaw: macOS Swift exec allowlist missed combined POSIX inline flags 2026-06-18
GHSA-985f-72mj-8gf7 CVE-2026-53863 Medium OpenClaw: Tool group policy callers could accept unvalidated group IDs 2026-06-18
GHSA-8wmm-344f-mpjg Medium Duplicate Advisory: Tool group policy callers could accept unvalidated group IDs 2026-06-16
GHSA-g796-jqmx-wf9q Medium Duplicate Advisory: macOS Swift exec allowlist missed combined POSIX inline flags 2026-06-16
GHSA-vqx6-6j84-2794 Medium Duplicate Advisory: Hostname checks could treat trailing-dot hosts inconsistently 2026-06-16
GHSA-r2fx-hp6p-pgrm Medium Duplicate Advisory: Internal/webchat command auth could inherit ownerAllowFrom wildcard state 2026-06-16
GHSA-vqj9-vhg4-27mg Medium Duplicate Advisory: Config recovery could restore openclaw.json with broad file permissions 2026-06-16
GHSA-c8w7-9w9h-x69q Medium Duplicate Advisory: Slack reaction events could ignore reaction notification settings 2026-06-16
GHSA-gw2c-6hcg-5g52 Medium Duplicate Advisory: Focus command could miss controlScope enforcement 2026-06-16
GHSA-58wc-8wrv-xp9j Medium Duplicate Advisory: Active Memory write scope could mutate global config 2026-06-16
GHSA-x7cf-6gp3-q5f8 Medium Duplicate Advisory: MCP Streamable HTTP redirects could forward configured custom headers to another origin 2026-06-16
GHSA-6jm4-83g2-35gv Medium Duplicate Advisory: memory-wiki shared search could miss session visibility checks 2026-06-16
GHSA-v8j2-5f9p-fmh4 Medium Duplicate Advisory: OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload 2026-05-11
GHSA-5jgm-f9wr-9qm7 Medium Duplicate Advisory: OpenClaw: Workspace dotenv files cannot override connector endpoint hosts 2026-05-11
GHSA-9j32-3m66-mc4m Medium Duplicate Advisory: OpenClaw: Hook mapping templates could bypass hook session-key opt-in 2026-05-11
GHSA-m5j2-r859-r5cv Medium Duplicate Advisory: OpenClaw: Isolated cron awareness events were recorded as trusted system events 2026-05-11
GHSA-4mhr-cxr4-2prm Medium Duplicate Advisory: OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests 2026-05-11
GHSA-p3m6-jr2h-hhxj Medium Duplicate Advisory: OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config 2026-05-11
GHSA-6f72-9gxx-98mj Medium Duplicate Advisory: OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root 2026-05-06
GHSA-frr5-j3mh-h9ch Medium Duplicate Advisory: OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes 2026-05-06
GHSA-qvmw-h675-h7qg Medium Duplicate Advisory: OpenClaw validates Zalo outbound photo URLs through the SSRF guard 2026-05-06
GHSA-r747-33r4-rmjw Medium Duplicate Advisory: OpenClaw: QQBot direct media upload skipped URL SSRF validation 2026-05-06
GHSA-82rm-qcfx-2v78 Medium Duplicate Advisory: OpenClaw: Delivery queue recovery could lose group tool-policy context for media replay 2026-05-06
GHSA-w7rc-vvgx-pj45 Medium Duplicate Advisory: OpenClaw: Browser SSRF hostname validation could be bypassed by DNS rebinding 2026-05-06
GHSA-3r56-7hhr-vfg9 Medium Duplicate Advisory: OpenClaw: CDP /json/version WebSocket URL could pivot to untrusted second-hop targets 2026-05-06
GHSA-wwwc-f646-vj2j Medium Duplicate Advisory: OpenClaw: Browser press/type interaction routes missed complete navigation guard coverage 2026-05-06
GHSA-q8ff-7ffm-m3r9 CVE-2026-45005 Medium OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload 2026-05-05
GHSA-35mw-5vvr-vrxc CVE-2026-43570 Medium OpenClaw contains a symlink traversal vulnerability 2026-05-05
GHSA-5h3g-6xhh-rg6p CVE-2026-44113 Medium OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes 2026-05-04
GHSA-wppj-c6mr-83jj CVE-2026-44112 Medium OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root 2026-05-04
GHSA-55cf-xx38-4p9p CVE-2026-45003 Medium OpenClaw: Workspace dotenv files cannot override connector endpoint hosts 2026-05-04
GHSA-q3jj-46pq-826r CVE-2026-44997 Medium OpenClaw's ACP child sessions inherit subagent security envelope constraints 2026-05-04
GHSA-2hh7-c75g-qj2r CVE-2026-44116 Medium OpenClaw validates Zalo outbound photo URLs through the SSRF guard 2026-05-04
GHSA-93rg-2xm5-2p9v Medium OpenClaw's Gateway Control UI bootstrap config required Gateway auth 2026-05-04
GHSA-x3h8-jrgh-p8jx Medium OpenClaw's exec allowlist analysis rejects shell expansion in unquoted heredocs 2026-05-04
GHSA-c28g-vh7m-fm7v CVE-2026-44991 Medium OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners 2026-04-29
GHSA-gfg9-5357-hv4c Medium OpenClaw: Webchat audio embedding could read local files without local-root containment 2026-04-29
GHSA-f5fm-9jmp-c88r Medium Duplicate Advisory: OpenClaw: Trailing-dot localhost CDP hosts could bypass remote loopback protections 2026-04-28
GHSA-8pf2-vj79-4wxg Medium Duplicate Advisory: OpenClaw: MSTeams thread history bypasses sender allowlist via Graph API 2026-04-28
GHSA-qp56-gp47-jwj3 Medium Duplicate Advisory: OpenClaw: Feishu extension resolveUploadInput bypasses file-system sandbox and allows arbitrary file reads via upload_image 2026-04-28
GHSA-h2vw-ph2c-jvwf CVE-2026-44992 Medium OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests 2026-04-25
GHSA-7jm2-g593-4qrc Medium OpenClaw: Agent gateway config mutations could change protected operator settings 2026-04-25
GHSA-qrp5-gfw2-gxv4 Medium OpenClaw: Bundled MCP/LSP tools could bypass configured tool policy 2026-04-25
GHSA-mj5r-hh7j-4gxf CVE-2026-28480 Medium OpenClaw Telegram allowlist authorization accepted mutable usernames 2026-02-18
GHSA-h89v-j3x9-8wqj CVE-2026-28452 Medium OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR) 2026-02-18
GHSA-w2cg-vxx6-5xjg CVE-2026-29612 Medium OpenClaw: denial of service through large base64 media files allocating large buffers before limit checks 2026-02-18
GHSA-g34w-4xqq-h79m CVE-2026-26328 Medium OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities 2026-02-18

Low Severity

GHSA CVE Severity Title Published
GHSA-8mg9-j9cf-54cj CVE-2026-53852 Low OpenClaw: Empty-scope device re-pairing could confuse caller scope containment 2026-06-18
GHSA-8j37-5w68-wj2g CVE-2026-53860 Low OpenClaw: BlueBubbles sender policy could match mutable conversation identifiers 2026-06-18
GHSA-68xw-r643-9p5w CVE-2026-53845 Low OpenClaw: Skill-command dispatch could skip before-tool-call hooks 2026-06-18
GHSA-9v8j-9c9g-w66c CVE-2026-53862 Low OpenClaw: Bootstrap token replay could widen pending pairing scopes 2026-06-18
GHSA-cwpp-5962-q4f6 CVE-2026-53848 Low OpenClaw: Exec allowlist could miss side effects from transparent command wrappers 2026-06-18
GHSA-h9h6-pwqv-j9hv Low Duplicate Advisory: Bootstrap token replay could widen pending pairing scopes 2026-06-16
GHSA-8hj2-w4c9-fjfq Low Duplicate Advisory: BlueBubbles sender policy could match mutable conversation identifiers 2026-06-16
GHSA-hc4w-hm59-9w88 Low Duplicate Advisory: Empty-scope device re-pairing could confuse caller scope containment 2026-06-16
GHSA-r7vv-6763-m739 Low Duplicate Advisory: Skill-command dispatch could skip before-tool-call hooks 2026-06-16
GHSA-wrr6-p5r6-474m Low Duplicate Advisory: Exec allowlist could miss side effects from transparent command wrappers 2026-06-16
GHSA-6xcg-6q43-rj2v Low Duplicate Advisory: Exported session HTML could keep unsafe markdown links 2026-06-16
GHSA-p3pv-c954-9m6f Low Duplicate Advisory: OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners 2026-05-11
GHSA-w626-296m-8f85 Low Duplicate Advisory: OpenClaw's ACP child sessions inherit subagent security envelope constraints 2026-05-11
GHSA-qm77-8qjp-4vcm CVE-2026-41358 Low OpenClaw: Slack thread context could include messages from non-allowlisted senders 2026-05-04
GHSA-chm2-m3w2-wcxm Low OpenClaw Google Chat spoofing access with allowlist authorized mutable email principal despite sender-ID mismatch 2026-02-17

Repo-Only Advisories (~79 more)

These advisories are listed on the repo security page but not yet indexed in the GitHub Advisory Database. See the full advisory list for details.

Show 79 repo-only advisories
GHSA Severity Title Published
GHSA-2hfg-4fh4-qp7f High Browser act interactions could bypass private-network navigation checks 2026-05-28
GHSA-2q7j-2vhx-56g8 High Feishu tools could ignore per-account disablement 2026-06-30
GHSA-2x93-h3hg-2xfp High Browser snapshot routes could miss post-navigation SSRF checks 2026-06-30
GHSA-34mr-7r3m-gfg7 High Exec allowlist glob matching could allow traversal bypasses 2026-06-30
GHSA-3c6j-hq33-3jv4 High Paired nodes could forge exec lifecycle events without system.run provenance 2026-05-28
GHSA-3fp5-v549-9v66 High flock wrapper could bypass durable exec approval binding 2026-06-30
GHSA-3pmr-x9g8-m55r High Discord guild actions could skip cross-provider requester authorization 2026-06-30
GHSA-3x84-qq85-fj65 High Browser CDP discovery could accept blocked WebSocket URLs 2026-06-30
GHSA-4pqj-3c56-5fqq High Workspace dotenv files could override provider credentials 2026-06-30
GHSA-52xj-c9p8-78cv High MCP loopback could expose owner-only tools to non-owner runs 2026-06-30
GHSA-575v-8hfq-m3mc High Sandbox bind mounts could bypass parent-directory denylist checks 2026-06-30
GHSA-6fvr-66p3-3qj4 High Hook-triggered CLI runs could receive owner MCP tool authority 2026-05-28
GHSA-724r-v4wf-mqc5 High Hooks allowedAgentIds could be bypassed with blank agent IDs 2026-06-30
GHSA-7jx6-764p-fgg9 High QQBot exec approvals could allow non-allowlisted senders 2026-06-30
GHSA-7vrr-rp4x-4g76 High Plugin install commands could allow non-owner persistence 2026-06-30
GHSA-8f46-3xx3-8c9m High Node exec approvals could use different gateway and node environments 2026-06-30
GHSA-8v95-qqcm-qp9h High device.pair.approve could bypass role-management checks 2026-06-30
GHSA-9969-8g9h-rxwm High Host exec environment filtering could allow Git ext transport 2026-06-30
GHSA-cf2p-f286-mphf High Identity-bearing HTTP callers could reach admin-scoped tools 2026-06-30
GHSA-chr9-m4q2-76hw High Control UI locality spoofing could mint a durable admin device token 2026-05-28
GHSA-f6p7-6326-vf7v High Discord moderation actions could miss trusted requester checks 2026-06-30
GHSA-fh38-965w-f6c3 High WhatsApp group IDs could satisfy elevated sender allowlists 2026-06-30
GHSA-hjr6-g723-hmfm High Host exec environment filtering could miss interpreter startup variables 2026-06-30
GHSA-hw9r-h9mr-4jff High Scoped chat.send route inheritance could bypass admin command scope gates 2026-05-28
GHSA-hx85-fgcw-9vrc High Device-pair approval could expose node system.run early 2026-06-30
GHSA-jhfx-v2j8-x3m6 High OpenAI-compatible HTTP model overrides could miss admin authorization 2026-06-30
GHSA-m38g-vpwj-mpg9 High OpenShell mirror sync could follow remote symlink parents 2026-06-30
GHSA-mgq6-vr84-7m2j High QQBot native approval buttons did not enforce configured approver identity 2026-05-28
GHSA-mgvr-6gvw-3rgr High Sandbox exec-server HTTP requests could reach internal networks 2026-06-30
GHSA-mhq8-78pj-5j79 High POSIX node system.run safe-bin allowlist could be widened by shell expansion 2026-05-28
GHSA-mm9g-83wh-mhwj High Isolated cron jobs could regain denied exec tools 2026-06-30
GHSA-p5xh-frrh-cmgj High MS Teams message actions could miss requester authorization 2026-06-30
GHSA-qjpc-qf9m-xwmr High Trusted-proxy Control UI WebSocket accepted client-declared scopes before pairing 2026-05-28
GHSA-rh6r-vvfc-86jq High Setup-mode discovery could load untrusted workspace plugins 2026-06-30
GHSA-v7hx-r36p-f68m High Message mutations could skip requester authorization 2026-06-30
GHSA-vr7j-7684-7gm5 High HTTP Canvas responses could forge trusted A2UI actions 2026-06-30
GHSA-w8wf-3qvj-6xqf High Feishu permission tools could ignore per-account disablement 2026-06-30
GHSA-wp73-f3gg-w4vr High ClickClack agent-mode dispatch could ignore toolsAllow 2026-06-30
GHSA-wxh3-g47h-q3mc High Host exec environment filtering could miss rustup startup variables 2026-06-30
GHSA-wxm8-ghhq-q688 High MS Teams safeFetch could race DNS rebinding checks 2026-06-30
GHSA-x863-pqjw-hmgf High Browser act route could miss current-tab URL checks 2026-06-30
GHSA-xr4f-mjxj-w6w5 High Non-owner chat senders could issue device-pairing bootstrap codes 2026-05-28
GHSA-xww8-gqvh-92x9 High Exec approval display truncation could hide the command being approved 2026-05-28
GHSA-2j8v-hwgc-x698 Medium Shell wrapper argv could change between approval and execution 2026-05-28
GHSA-4xwj-mcc7-x7x5 Medium Remote media URLs could slow-read exhaust tool workers 2026-06-30
GHSA-5p6w-wmh3-frfr Medium WebSocket auth attempts could avoid non-browser rate limits 2026-06-30
GHSA-77pv-3w4q-vrj5 Medium QQBot pre-dispatch slash commands could skip allowFrom checks 2026-05-28
GHSA-77q5-rr5v-x43q Medium Trusted retry endpoint checks could match hostname prefixes 2026-05-28
GHSA-7hxm-f538-3xp6 Medium Matrix allowFrom could bind to mutable display names 2026-05-28
GHSA-7w4v-g4m6-j88v Medium MS Teams allowFrom could bind to mutable display names 2026-06-30
GHSA-83w9-h5wv-j9xm Medium Node pairing reconnection could confuse approval scope state 2026-05-28
GHSA-8wg3-5mcm-fjq8 Medium Workspace .env could override Homebrew executable selection for skill install flows 2026-05-28
GHSA-9c3v-684m-579c Medium MCP SSE redirects could forward Authorization headers 2026-06-30
GHSA-c29c-2q9c-pc86 Medium Slack allowFrom could bind to mutable display names 2026-05-28
GHSA-cqwv-9qjx-vxw2 Medium Skill Workshop apply flow could override pending approval 2026-05-28
GHSA-fh8v-vgcv-pwh4 Medium ClickClack allowFrom could allow non-allowlisted commands 2026-06-30
GHSA-fwgr-fpv9-vf5x Medium QQBot media upload could reach untrusted remote URLs 2026-06-30
GHSA-gp79-m99v-gjmh Medium Mattermost handlers could fall open when channel type was missing 2026-05-28
GHSA-grc3-2j34-p6gm Medium message.action forwarding could send Gateway credentials to model-supplied loopback URLs 2026-05-28
GHSA-hcm3-8f6r-6xwg Medium Browser debug/export routes could reuse already-open blocked tabs 2026-05-28
GHSA-j472-gf56-x589 Medium PowerShell encoded-command aliases could miss exec allowlist checks 2026-05-28
GHSA-j4cx-jvq7-79vm Medium Trajectory export could skip broad credential redaction 2026-06-30
GHSA-jvm4-4j77-39p6 Medium QQBot streaming command could mutate config without explicit allowFrom 2026-05-28
GHSA-mhm4-93fw-4qr2 Medium Skill command dispatch could skip effective tool policy 2026-06-30
GHSA-p2fh-f5fc-44hr Medium memory-wiki ingest could read local files with operator.write scope 2026-05-28
GHSA-p73f-w79w-jqr5 Medium Native command authorization could skip owner-command enforcement 2026-05-28
GHSA-prwc-c6w5-mmgr Medium Bot Framework serviceUrl validation could leak bot tokens 2026-06-30
GHSA-q7q8-3mgw-q67r Medium Message read actions could skip channel allowlist checks 2026-05-28
GHSA-qh2f-99mv-mrcf Medium Bundle MCP loopback could miss its exec denylist on session spawn 2026-05-28
GHSA-rggc-m335-3wvj Medium Same-host trusted-proxy deployments could accept local forged identity headers 2026-05-28
GHSA-v4f6-x5g5-2g4g Medium Native web search could ignore OpenClaw tool policy 2026-06-30
GHSA-v54h-q2vx-vgg4 Medium MS Teams outbound requests could leak Bot Framework tokens 2026-06-30
GHSA-v6r2-jh58-xx6w Medium Marketplace runtime extension metadata could point at unscanned payloads 2026-05-28
GHSA-vxx3-6hc9-7cc3 Medium Combined POSIX shell options could confuse exec revalidation 2026-05-28
GHSA-w4v6-g3wm-w36c Medium QQBot admin commands could skip DM-only and allowFrom policy 2026-05-28
GHSA-w5ww-7chg-mxcq Medium Telegram interactive callbacks could skip commands.allowFrom 2026-05-28
GHSA-wgq8-x5wm-g4rw Medium Plugin install wrappers could skip install policy 2026-06-30
GHSA-wv26-j37q-2g7p Medium Slack plugin approvals used the exec approver gate for plugin actions 2026-05-28
GHSA-3wqp-prf6-2m72 Low Feishu dynamic-agent bindings could miss configWrites enforcement 2026-05-28

Naming Inconsistencies

The OpenClaw project has been renamed multiple times, causing inconsistencies across CVE records:

CVE vendor product packageURL Description Names
CVE-2026-25253 OpenClaw OpenClaw pkg:npm/clawdbot OpenClaw / clawdbot / Moltbot
CVE-2026-24763 clawdbot clawdbot OpenClaw (formerly Clawdbot)
CVE-2026-28478 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53843 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53849 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53857 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-44118 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-45004 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-28469 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-25157 openclaw openclaw OpenClaw
CVE-2026-53855 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53853 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53866 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53864 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-28458 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53865 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-26317 openclaw clawdbot OpenClaw (formerly Clawdbot)
CVE-2026-53842 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53858 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53846 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-44116 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-28480 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-29612 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53850 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-28452 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-26328 openclaw clawdbot OpenClaw (formerly Clawdbot)
CVE-2026-53851 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-44113 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-44112 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-43570 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53844 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53840 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53854 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53863 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53859 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-45005 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53856 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53847 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53861 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-44992 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-45003 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-41358 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-44991 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-44997 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53848 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53845 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53852 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53860 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53862 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53841 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw

Data Sources

Source URL
CVE List v5 (full scan, all CNAs) CVEProject/cvelistV5 — every record affecting OpenClaw, any assigner
GitHub Advisory DB github.com/advisories
Repo Security Tab openclaw/openclaw/security
CVE Services API https://cveawg.mitre.org/api/cve-id/{CVE-ID}

Auto-generated by update_readme.py · Updated every 6h via GitHub Actions
Data: ghsa-advisories.json · cves.json · cve-pipeline-status.json

Maintained by Jerry Gamblin · OpenClawCVEs

About

Tracking OpenClaw CVEs

Resources

License

Security policy

Stars

Watchers

Forks

Releases

No releases published

Packages

 
 
 

Contributors