OpenClawCVEs
Tracking OpenClaw CVEs
OpenClaw CVE & Security Advisory Tracker
An automated tracker that continuously monitors OpenClaw security advisories across the GitHub Advisory Database, repo-level security advisories, and the CVE V5 (cvelistV5) registry. Every hour it pulls the latest data, reconciles GHSA ↔ CVE publication state, and regenerates this dashboard so you always have an up-to-date picture of the project's vulnerability landscape.
Last updated: 2026-05-08 06:44 UTC · MIT License · Full Advisory List · Security Policy · Data: cvelistV5 + Advisory DB · Updates hourly
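The hourly reconciliation step described above, as an added illustration (example code, not the tracker's own pipeline): GitHub advisory records are joined against cvelistV5 records by CVE ID and each advisory is classified into a publication state. The record shapes, the state names and the placeholder GHSA/CVE identifiers are assumptions; only the GHSA-7g8c-cfr3-vqqr / CVE-2026-43534 pair is taken from this page.

```typescript
// Added example (not the tracker's own code): join GitHub advisory records
// against cvelistV5 records and classify each advisory into a pipeline state.
// The record shapes below are simplified assumptions, not the real schemas.

type GhsaRecord = { ghsaId: string; cveId?: string };
type CveListRecord = {
  cveId: string;
  state: "PUBLISHED" | "RESERVED" | "REJECTED";
  datePublished?: string;
};

type PipelineState =
  | "published"      // GHSA names a CVE and cvelistV5 holds a PUBLISHED record
  | "reserved"       // CVE ID assigned, but the cvelistV5 record is still RESERVED
  | "rejected"
  | "not_in_cvelist" // GHSA names a CVE that cvelistV5 does not know (yet)
  | "no_cve";        // GHSA has no CVE assigned at all

type Reconciled = { ghsaId: string; cveId?: string; state: PipelineState; published?: string };

function normalizeCveId(id: string): string {
  return id.trim().toUpperCase();
}

function reconcile(ghsas: GhsaRecord[], cves: CveListRecord[]): Reconciled[] {
  // Index cvelistV5 by normalized CVE ID so the join is a single pass.
  const byCve = new Map<string, CveListRecord>();
  for (const c of cves) byCve.set(normalizeCveId(c.cveId), c);

  return ghsas.map((g): Reconciled => {
    if (!g.cveId) return { ghsaId: g.ghsaId, state: "no_cve" };
    const cveId = normalizeCveId(g.cveId);
    const rec = byCve.get(cveId);
    if (!rec) return { ghsaId: g.ghsaId, cveId, state: "not_in_cvelist" };
    if (rec.state === "PUBLISHED") {
      return { ghsaId: g.ghsaId, cveId, state: "published", published: rec.datePublished };
    }
    if (rec.state === "RESERVED") return { ghsaId: g.ghsaId, cveId, state: "reserved" };
    return { ghsaId: g.ghsaId, cveId, state: "rejected" };
  });
}

function countByState(rows: Reconciled[]): Record<PipelineState, number> {
  const counts: Record<PipelineState, number> = {
    published: 0, reserved: 0, rejected: 0, not_in_cvelist: 0, no_cve: 0,
  };
  for (const r of rows) counts[r.state] += 1;
  return counts;
}

// Constructed sample: the first pair is taken from this page; the rest are placeholders.
const SAMPLE_GHSAS: GhsaRecord[] = [
  { ghsaId: "GHSA-7g8c-cfr3-vqqr", cveId: "CVE-2026-43534" },
  { ghsaId: "GHSA-xxxx-xxxx-0001", cveId: "cve-2026-00001" }, // placeholder: reserved in cvelistV5
  { ghsaId: "GHSA-xxxx-xxxx-0002", cveId: "CVE-2026-00002" }, // placeholder: not yet in cvelistV5
  { ghsaId: "GHSA-xxxx-xxxx-0003" },                           // placeholder: no CVE assigned
];
const SAMPLE_CVELIST: CveListRecord[] = [
  { cveId: "CVE-2026-43534", state: "PUBLISHED", datePublished: "2026-05-05" },
  { cveId: "CVE-2026-00001", state: "RESERVED" },
];

function demo(): Record<PipelineState, number> {
  return countByState(reconcile(SAMPLE_GHSAS, SAMPLE_CVELIST));
}
```

Normalizing the CVE ID before the join matters in practice: advisory feeds are not consistent about case and whitespace, and a missed match would silently report a published CVE as pending.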
Project Identity
| Field | Value |
|---|---|
| Current Name | OpenClaw |
| Previous Names | Moltbot (second name), Clawdbot (original name) |
| Repository | openclaw/openclaw |
| npm Package | openclaw (formerly clawdbot) |
| Author | Peter Steinberger (steipete) |
Search terms for CVE discovery
To find all CVEs, search for: openclaw, clawdbot, moltbot, clawhub, pkg:npm/clawdbot, pkg:npm/openclaw
CVEs Published in cvelistV5 (40)
These CVEs have full records in the CVEProject/cvelistV5 repository:
| CVE ID | CVSS | Title | CWE | Published |
|---|---|---|---|---|
| CVE-2026-43534 | 9.3 | OpenClaw < 2026.4.10 - Unsanitized External Input in Agent Hook Events | CWE-345 | 2026-05-05 |
| CVE-2026-43566 | 9.1 | OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events | CWE-184 | 2026-05-05 |
| CVE-2026-43533 | 8.9 | OpenClaw < 2026.4.10 - Arbitrary Local File Read via QQBot Media Tags | CWE-23 | 2026-05-05 |
| CVE-2026-25253 | 8.8 | OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl | CWE-669 | 2026-02-01 |
| CVE-2026-24763 | 8.8 | OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable | CWE-78 | 2026-02-02 |
| CVE-2026-28478 | 8.7 | OpenClaw affected by denial of service via unbounded webhook request body buffering | CWE-770 | 2026-03-05 |
| CVE-2026-42435 | 8.7 | OpenClaw: Shell-wrapper detection missed env-argv assignment injection forms | CWE-184 | 2026-05-05 |
| CVE-2026-42434 | 8.7 | OpenClaw: Sandboxed agents could escape exec routing via host=node override | CWE-863 | 2026-05-05 |
| CVE-2026-43530 | 8.7 | OpenClaw: busybox and toybox applet execution weakened exec approval binding | CWE-863 | 2026-05-05 |
| CVE-2026-43526 | 8.3 | OpenClaw: QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes | CWE-918 | 2026-05-05 |
| CVE-2026-28469 | 8.2 | OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting | CWE-639 | 2026-03-05 |
| CVE-2026-42437 | 8.2 | OpenClaw: Voice-call realtime WebSocket accepted oversized frames | CWE-770 | 2026-05-05 |
| CVE-2026-25157 | 7.8 | OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand | CWE-78 | 2026-02-04 |
| CVE-2026-43571 | 7.7 | OpenClaw: Channel setup catalog lookups could include untrusted workspace plugin shadows | CWE-829 | 2026-05-05 |
| CVE-2026-43569 | 7.7 | OpenClaw: Workspace provider auth choices could auto-enable untrusted provider plugins | CWE-829 | 2026-05-05 |
| CVE-2026-43535 | 7.6 | OpenClaw < 2026.4.14 - Authorization Context Reuse in Collect-Mode Queue Batches | CWE-266 | 2026-05-05 |
| CVE-2026-28458 | 7.4 | OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access | CWE-306 | 2026-03-05 |
| CVE-2026-26317 | 7.1 | OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints | CWE-352 | 2026-02-19 |
| CVE-2026-42433 | 7.1 | OpenClaw: Matrix profile config persistence was reachable from operator.write message tools | CWE-862 | 2026-05-05 |
| CVE-2026-43528 | 7.1 | OpenClaw: config.get redaction bypass through sourceConfig and runtimeConfig aliases | CWE-212 | 2026-05-05 |
| CVE-2026-43567 | 7.1 | OpenClaw < 2026.4.10 - Path Traversal in screen_record outPath Parameter | CWE-862 | 2026-05-05 |
| CVE-2026-43568 | 7.1 | OpenClaw: Memory dreaming config persistence was reachable from operator.write commands | CWE-862 | 2026-05-05 |
| CVE-2026-43531 | 7 | OpenClaw < 2026.4.9 - Environment Variable Injection via Workspace .env File | CWE-15 | 2026-05-05 |
| CVE-2026-28480 | 6.9 | OpenClaw Telegram allowlist authorization accepted mutable usernames | CWE-290 | 2026-03-05 |
| CVE-2026-29612 | 6.8 | OpenClaw < 2026.2.14 - Denial of Service via Large Base64 Media File Decoding | CWE-770 | 2026-03-05 |
| CVE-2026-28452 | 6.7 | OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR) | CWE-770 | 2026-03-05 |
| CVE-2026-26328 | 6.5 | OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities | CWE-284, CWE-863 | 2026-02-19 |
| CVE-2026-41389 | 6.3 | OpenClaw: Webchat media embedding enforces local-root containment for tool-result files | CWE-73 | 2026-04-20 |
| CVE-2026-43527 | 6.3 | OpenClaw: Browser SSRF policy default allowed private-network navigation | CWE-918, CWE-1188 | 2026-05-05 |
| CVE-2026-43572 | 6.3 | OpenClaw: Microsoft Teams SSO invoke handler missed sender authorization checks | CWE-862 | 2026-05-05 |
| CVE-2026-43574 | 6 | OpenClaw < 2026.4.12 - Improper Authorization via Empty Approver Lists | CWE-183 | 2026-05-05 |
| CVE-2026-42439 | 4.9 | OpenClaw < 2026.4.10 - SSRF Policy Bypass in Browser Tabs Action Routes | CWE-862 | 2026-05-05 |
| CVE-2026-42436 | 4.9 | OpenClaw: Browser snapshot and screenshot routes could expose internal page content after navigation | CWE-862 | 2026-05-05 |
| CVE-2026-42438 | 4.9 | OpenClaw: Sender policy bypass in host media attachment reads allows unauthorized local file disclosure | CWE-863 | 2026-05-05 |
| CVE-2026-43532 | 4.9 | OpenClaw: Discord event cover images bypassed sandbox media normalization | CWE-184 | 2026-05-05 |
| CVE-2026-43573 | 4.9 | OpenClaw: Existing-session browser interaction routes bypassed SSRF policy enforcement | CWE-862, CWE-918 | 2026-05-05 |
| CVE-2026-41358 | 2.3 | OpenClaw < 2026.4.2 - Sender Allowlist Bypass via Slack Thread Context | CWE-346 | 2026-04-23 |
| CVE-2026-41908 | 2.3 | OpenClaw < 2026.4.20 - Scope Enforcement Bypass in Assistant-Media Route | CWE-863 | 2026-04-23 |
| CVE-2026-43529 | 2 | OpenClaw: TOCTOU read in exec script preflight | CWE-367 | 2026-05-05 |
Detailed CVE Analysis
CVE-2026-43534 – OpenClaw < 2026.4.10 - Unsanitized External Input in Agent Hook Events
| Field | Detail |
|---|---|
| CVSS | 9.3 (CRITICAL) – CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-345 (CWE-345: Insufficient Verification of Data Authenticity) |
| Affected | < 2026.4.10 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-7g8c-cfr3-vqqr |
OpenClaw before 2026.4.10 contains an input validation vulnerability that allows external hook metadata to be enqueued as trusted system events. Attackers can supply malicious hook names to escalate untrusted input into higher-trust agent context.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw < 2026.4.10 - Unsanitized External Input in Agent Hook Events
CVE-2026-43566 – OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events
| Field | Detail |
|---|---|
| CVSS | 9.1 (CRITICAL) – CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-184 (CWE-184: Incomplete List of Disallowed Inputs) |
| Affected | < 2026.4.14 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-g2hm-779g-vm32 |
OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic skips webhook wake events carrying untrusted content. Attackers can exploit this by sending untrusted webhook wake events to preserve owner-like execution context when the run should have been downgraded.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw 2026.4.7 < 2026.4.14 - Privilege Escalation via Untrusted Webhook Wake Events
CVE-2026-43533 – OpenClaw < 2026.4.10 - Arbitrary Local File Read via QQBot Media Tags
| Field | Detail |
|---|---|
| CVSS | 8.9 (HIGH) – CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N |
| CWE | CWE-23 (CWE-23: Relative Path Traversal) |
| Affected | < 2026.4.10 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-66r7-m7xm-v49h |
OpenClaw before 2026.4.10 contains an arbitrary file read vulnerability in QQBot media tags that allows attackers to reference host-local paths outside the intended media storage boundary. Attackers can craft malicious reply text containing media tags to disclose arbitrary local files through outbound media handling.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw < 2026.4.10 - Arbitrary Local File Read via QQBot Media Tags
CVE-2026-25253 – OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl
| Field | Detail |
|---|---|
| CVSS | 8.8 (HIGH) – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| CWE | CWE-669 (CWE-669 Incorrect Resource Transfer Between Spheres) |
| Affected | < 2026.1.29 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-g8p2-7wf7-98mq |
OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value.
Naming note: Uses all three names in the description; packageURL still references pkg:npm/clawdbot.
References:
CVE-2026-24763 – OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable
| Field | Detail |
|---|---|
| CVSS | 8.8 (HIGH) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-78 (CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) |
| Affected | < 2026.1.29 |
| Vendor/Product | clawdbot / clawdbot |
| Advisory | GHSA-mc68-q9jw-2h3v |
OpenClaw (formerly Clawdbot) is a personal AI assistant you run on your own devices. Prior to 2026.1.29, a command injection vulnerability existed in OpenClaw's Docker sandbox execution mechanism due to unsafe handling of the PATH environment variable when constructing shell commands. An authenticated user able to control environment variables could influence command execution within the container context. This vulnerability is fixed in 2026.1.29.
Naming note: Uses old name clawdbot/clawdbot as vendor/product.
References:
- https://github.com/openclaw/openclaw/commit/771f23d36b95ec2204cc9a0054045f5d8439ea75
- https://github.com/openclaw/openclaw/releases/tag/v2026.1.29
CVE-2026-28478 – OpenClaw affected by denial of service via unbounded webhook request body buffering
| Field | Detail |
|---|---|
| CVSS | 8.7 (HIGH) – CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
| CWE | CWE-770 (Allocation of Resources Without Limits or Throttling) |
| Affected | < 2026.2.13 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-q447-rj3r-2cgh |
OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers that buffer request bodies without strict byte or time limits. Remote unauthenticated attackers can send oversized JSON payloads or slow uploads to webhook endpoints causing memory pressure and availability degradation.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw < 2026.2.13 - Denial of Service via Unbounded Webhook Request Body Buffering
CVE-2026-42435 – OpenClaw: Shell-wrapper detection missed env-argv assignment injection forms
| Field | Detail |
|---|---|
| CVSS | 8.7 (HIGH) – CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| CWE | CWE-184 (CWE-184: Incomplete List of Disallowed Inputs) |
| Affected | < 2026.4.12 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-j6c7-3h5x-99g9 |
OpenClaw versions from 2026.2.22 before 2026.4.12 contain an insufficient shell-wrapper detection vulnerability allowing attackers to inject environment variable assignments at the argv level. Attackers can bypass exec preflight handling to manipulate high-risk shell variables like SHELLOPTS and PS4, affecting execution semantics and security controls.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw 2026.2.22 < 2026.4.12 - Shell-Wrapper Detection Bypass via Environment Variable Assignment Injection
CVE-2026-42434 – OpenClaw: Sandboxed agents could escape exec routing via host=node override
| Field | Detail |
|---|---|
| CVSS | 8.7 (HIGH) – CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| CWE | CWE-863 (CWE-863: Incorrect Authorization) |
| Affected | < 2026.4.10 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-736r-jwj6-4w23 |
OpenClaw versions 2026.4.5 before 2026.4.10 contain a sandbox escape vulnerability allowing sandboxed agents to override exec routing by specifying host=node. Attackers can bypass sandbox boundaries and route execution to remote nodes instead of intended sandbox paths.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw 2026.4.5 < 2026.4.10 - Sandbox Escape via host Parameter Override in Exec Routing
CVE-2026-43530 – OpenClaw: busybox and toybox applet execution weakened exec approval binding
| Field | Detail |
|---|---|
| CVSS | 8.7 (HIGH) – CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| CWE | CWE-863 (CWE-863: Incorrect Authorization) |
| Affected | < 2026.4.12 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-2cq5-mf3v-mx44 |
OpenClaw versions 2026.2.23 before 2026.4.12 contain a weakened exec approval binding vulnerability in busybox and toybox applet execution that allows attackers to obscure which applet would actually run. Attackers can exploit opaque multi-call binaries to bypass exec approval mechanisms and weaken risk classification of unsafe applet invocations.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw 2026.2.23 < 2026.4.12 - Weakened Exec Approval Binding via busybox and toybox Applet Execution
CVE-2026-43526 – OpenClaw: QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes
| Field | Detail |
|---|---|
| CVSS | 8.3 (HIGH) – CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-918 (CWE-918 Server-Side Request Forgery (SSRF)) |
| Affected | < 2026.4.12 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-2767-2q9v-9326 |
OpenClaw before 2026.4.12 contains a server-side request forgery vulnerability in QQBot reply media URL handling that allows attackers to fetch arbitrary content. Attackers can exploit this by providing malicious media URLs that trigger SSRF requests, with fetched bytes subsequently re-uploaded through the channel.
References:
- Patch Commit (1)
- Patch Commit (2)
- VulnCheck Advisory: OpenClaw < 2026.4.12 - Server-Side Request Forgery via QQBot Reply Media URL Handling
CVE-2026-28469 – OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting
| Field | Detail |
|---|---|
| CVSS | 8.2 (HIGH) – CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-639 (Authorization Bypass Through User-Controlled Key) |
| Affected | < 2026.2.14 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-rq6g-px6m-c248 |
OpenClaw versions prior to 2026.2.14 contain a webhook routing vulnerability in the Google Chat monitor component that allows cross-account policy context misrouting when multiple webhook targets share the same HTTP path. Attackers can exploit first-match request verification semantics to process inbound webhook events under incorrect account contexts, bypassing intended allowlists and session policies.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw < 2026.2.14 - Cross-Account Policy Context Misrouting via Shared Webhook Path Ambiguity
CVE-2026-42437 – OpenClaw: Voice-call realtime WebSocket accepted oversized frames
| Field | Detail |
|---|---|
| CVSS | 8.2 (HIGH) – CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
| CWE | CWE-770 (CWE-770: Allocation of Resources Without Limits or Throttling) |
| Affected | < 2026.4.10 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-vw3h-q6xq-jjm5 |
OpenClaw versions 2026.4.9 before 2026.4.10 contain a denial of service vulnerability in the voice-call realtime WebSocket path that accepts oversized frames without proper validation. Remote attackers can send oversized WebSocket frames to cause service unavailability for deployments exposing the webhook path.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw 2026.4.9 < 2026.4.10 - Denial of Service via Oversized WebSocket Frames in Voice-call Realtime Path
CVE-2026-25157 – OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand
| Field | Detail |
|---|---|
| CVSS | 7.8 (HIGH) – CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
| CWE | CWE-78 (CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) |
| Affected | < 2026.1.29 |
| Vendor/Product | openclaw / openclaw |
| Advisory | GHSA-q284-4pvr-m585 |
OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vulnerability via the Project Root Path in sshNodeCommand. The sshNodeCommand function constructed a shell script without properly escaping the user-supplied project path in an error message. When the cd command failed, the unescaped path was interpolated directly into an echo statement, allowing arbitrary command execution on the remote SSH host. The parseSSHTarget function did not validate that SSH target strings could not begin with a dash. An attacker-supplied target like -oProxyCommand=... would be interpreted as an SSH configuration flag rather than a hostname, allowing arbitrary command execution on the local machine. This issue has been patched in version 2026.1.29.
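The two defects described in this entry (an unescaped path interpolated into the remote shell script, and an SSH target accepted even when it begins with a dash) have a standard defensive shape. The following is an added example, not OpenClaw's parseSSHTarget or sshNodeCommand: the helper names, the accepted target syntax (user@host[:port]) and the sample values are assumptions for illustration.

```typescript
// Added example (hypothetical helpers, not OpenClaw's parseSSHTarget or
// sshNodeCommand): refuse SSH targets that ssh would read as options, and
// single-quote the project path so the remote shell treats it as data.

function shellQuote(s: string): string {
  // POSIX single quotes protect every character except the quote itself,
  // which is written as: close quote, escaped quote, reopen quote.
  return "'" + s.replace(/'/g, "'\\''") + "'";
}

type SshTarget = { user?: string; host: string; port?: number };

function parseSshTarget(raw: string): SshTarget {
  const target = raw.trim();
  if (target === "") throw new Error("empty ssh target");
  // Anything starting with '-' would be consumed by ssh as an option.
  if (target.startsWith("-")) throw new Error("ssh target must not start with '-'");

  let user: string | undefined;
  let hostPort = target;
  const at = target.lastIndexOf("@");
  if (at >= 0) {
    user = target.slice(0, at);
    hostPort = target.slice(at + 1);
  }

  let port: number | undefined;
  let host = hostPort;
  const colon = hostPort.lastIndexOf(":");
  if (colon >= 0) {
    host = hostPort.slice(0, colon);
    port = Number(hostPort.slice(colon + 1));
    if (!Number.isInteger(port) || port < 1 || port > 65535) throw new Error("invalid ssh port");
  }

  // Hostnames and IPv4 literals only. Each component is checked on its own, so a
  // '-' placed after the '@' (user@-host) is refused as well.
  const safe = /^[A-Za-z0-9][A-Za-z0-9._-]*$/;
  if (!safe.test(host)) throw new Error("invalid ssh host");
  if (user !== undefined && !safe.test(user)) throw new Error("invalid ssh user");
  return { user, host, port };
}

function buildRemoteScript(projectRoot: string): string {
  // The quoted form is reused in the error branch, so a failed cd cannot turn
  // the path into shell syntax either.
  const q = shellQuote(projectRoot);
  return `cd ${q} || { echo "cannot cd to" ${q} >&2; exit 1; }`;
}

function buildSshArgv(target: SshTarget, projectRoot: string): string[] {
  const argv = ["ssh"];
  if (target.port !== undefined) argv.push("-p", String(target.port));
  // '--' ends option parsing, so the destination can never be read as a flag.
  argv.push("--", target.user ? `${target.user}@${target.host}` : target.host, buildRemoteScript(projectRoot));
  return argv;
}
```

The argv array is meant to be passed to a spawn-style API without a shell; the only shell that ever sees the path is the remote one, and there it arrives single-quoted.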
CVE-2026-43571 – OpenClaw: Channel setup catalog lookups could include untrusted workspace plugin shadows
| Field | Detail |
|---|---|
| CVSS | 7.7 (HIGH) – CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| CWE | CWE-829 (CWE-829: Inclusion of Functionality from Untrusted Control Sphere) |
| Affected | < 2026.4.10 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-82qx-6vj7-p8m2 |
OpenClaw before 2026.4.10 contains a plugin trust bypass vulnerability that allows channel setup catalog lookups to resolve workspace plugin shadows before bundled channel plugins. Attackers can exploit this by crafting malicious workspace plugins that bypass intended trust gates during setup-time plugin loading.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw < 2026.4.10 - Untrusted Workspace Plugin Shadow Resolution in Channel Setup
CVE-2026-43569 – OpenClaw: Workspace provider auth choices could auto-enable untrusted provider plugins
| Field | Detail |
|---|---|
| CVSS | 7.7 (HIGH) – CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| CWE | CWE-829 (CWE-829: Inclusion of Functionality from Untrusted Control Sphere) |
| Affected | < 2026.4.9 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-939r-rj45-g2rj |
OpenClaw before 2026.4.9 contains an authentication bypass vulnerability allowing untrusted workspace plugins to be auto-enabled during non-interactive onboarding when provider auth choices are shadowed. Attackers can exploit this by crafting malicious workspace plugins that are automatically selected and enabled during authentication setup without explicit user consent.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw < 2026.4.9 - Untrusted Provider Plugin Auto-enablement via Workspace Provider Auth
CVE-2026-43535 – OpenClaw < 2026.4.14 - Authorization Context Reuse in Collect-Mode Queue Batches
| Field | Detail |
|---|---|
| CVSS | 7.6 (HIGH) – CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-266 (CWE-266: Incorrect Privilege Assignment) |
| Affected | < 2026.4.14 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-jwrq-8g5x-5fhm |
OpenClaw before 2026.4.14 contains an authorization context reuse vulnerability in collect-mode queue batches that allows messages from different senders to inherit the final sender's authorization context. Attackers can exploit this by sending multiple queued messages to drain batches using a more privileged sender's context, causing earlier messages to execute with elevated permissions.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw < 2026.4.14 - Authorization Context Reuse in Collect-Mode Queue Batches
CVE-2026-28458 – OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access
| Field | Detail |
|---|---|
| CVSS | 7.4 (HIGH) – CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-306 (Missing Authentication for Critical Function) |
| Affected | < 2026.2.1 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-mr32-vwc2-5j6h |
OpenClaw version 2026.1.20 prior to 2026.2.1 contains a vulnerability in the Browser Relay (extension must be installed and enabled) /cdp WebSocket endpoint in which it does not require authentication tokens, allowing websites to connect via loopback and access sensitive data. Attackers can exploit this by connecting to ws://127.0.0.1:18792/cdp to steal session cookies and execute JavaScript in other browser tabs.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw 2026.1.20 < 2026.2.1 - Missing Authentication in Browser Relay /cdp WebSocket Endpoint
CVE-2026-26317 – OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints
| Field | Detail |
|---|---|
| CVSS | 7.1 (HIGH) – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L |
| CWE | CWE-352 (CWE-352: Cross-Site Request Forgery (CSRF)) |
| Affected | <= 2026.1.24-3 |
| Vendor/Product | openclaw / clawdbot |
| Advisory | GHSA-3fqr-4cg8-h96q |
OpenClaw is a personal AI assistant. Prior to 2026.2.14, browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins. A malicious website can trigger unauthorized state changes against a victim's local OpenClaw browser control plane (for example opening tabs, starting/stopping the browser, mutating storage/cookies) if the browser control service is reachable on loopback in the victim's browser context. Starting in version 2026.2.14, mutating HTTP methods (POST/PUT/PATCH/DELETE) are rejected when the request indicates a non-loopback Origin/Referer (or Sec-Fetch-Site: cross-site). Other mitigations include enabling browser control auth (token/password) and avoiding running with auth disabled.
Naming note: Uses old name openclaw/clawdbot as vendor/product.
References:
- https://github.com/openclaw/openclaw/commit/b566b09f81e2b704bf9398d8d97d5f7a90aa94c3
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.14
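The 2026.2.14 rule quoted in this entry (reject mutating methods whose Origin/Referer is non-loopback, or whose Sec-Fetch-Site is cross-site) written out as a standalone request gate. This is an added example, not OpenClaw's code; it assumes headers arrive as a record keyed by lowercase header name, as Node's IncomingMessage.headers provides them, and the origin strings in the test are constructed.

```typescript
// Added example (not OpenClaw's code): an Origin/Referer/Sec-Fetch-Site gate for
// mutating requests on a loopback-bound control endpoint. Header names are
// assumed lowercase (Node's IncomingMessage.headers convention).

const MUTATING_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Extract the host from an absolute URL (userinfo and port stripped, IPv6 brackets removed).
function hostOf(url: string): string | undefined {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#]*)/i.exec(url.trim());
  if (!m) return undefined;
  let authority = m[1];
  const at = authority.lastIndexOf("@");
  if (at >= 0) authority = authority.slice(at + 1);
  if (authority.startsWith("[")) {
    const end = authority.indexOf("]");
    return end > 0 ? authority.slice(1, end).toLowerCase() : undefined;
  }
  const colon = authority.indexOf(":");
  return (colon >= 0 ? authority.slice(0, colon) : authority).toLowerCase();
}

function isLoopbackHost(host: string | undefined): boolean {
  if (host === undefined || host === "") return false;
  return host === "localhost" || host === "::1" || /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
}

type Decision = { allow: boolean; reason: string };

function gateMutation(method: string, headers: Record<string, string | undefined>): Decision {
  if (!MUTATING_METHODS.has(method.toUpperCase())) return { allow: true, reason: "non-mutating method" };

  // Modern browsers label cross-site requests explicitly; check that first.
  if ((headers["sec-fetch-site"] ?? "").toLowerCase() === "cross-site") {
    return { allow: false, reason: "Sec-Fetch-Site: cross-site" };
  }

  // Browsers send Origin on every non-GET request. A literal "null" (opaque
  // origin, e.g. a sandboxed iframe or a file: page) is treated as untrusted.
  const origin = headers["origin"];
  if (origin !== undefined) {
    if (origin === "null" || !isLoopbackHost(hostOf(origin))) {
      return { allow: false, reason: `non-loopback Origin: ${origin}` };
    }
    return { allow: true, reason: "loopback Origin" };
  }

  // Fall back to Referer when no Origin was sent.
  const referer = headers["referer"];
  if (referer !== undefined && !isLoopbackHost(hostOf(referer))) {
    return { allow: false, reason: `non-loopback Referer: ${referer}` };
  }

  // No browser origin signal at all (CLI clients, for instance): this gate
  // passes, which is exactly why auth has to stay enabled alongside it.
  return { allow: true, reason: "no non-loopback origin signal" };
}
```

The last branch is the important caveat: a request carrying neither header is allowed through, so the gate blocks browser-initiated CSRF but is not an authentication mechanism, matching the entry's advice to keep token/password auth enabled.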
CVE-2026-42433 – OpenClaw: Matrix profile config persistence was reachable from operator.write message tools
| Field | Detail |
|---|---|
| CVSS | 7.1 (HIGH) – CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-862 (CWE-862 Missing Authorization) |
| Affected | < 2026.4.10 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-7jp6-r74r-995q |
OpenClaw before 2026.4.10 contains an authorization bypass vulnerability allowing operator.write message-tool paths to access Matrix profile persistence requiring admin-level authority. Attackers can exploit insufficient access controls to mutate persistent profile configuration through non-owner message-tool runs.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw < 2026.4.10 - Unauthorized Matrix Profile Config Persistence Access via operator.write Message Tools
CVE-2026-43528 – OpenClaw: config.get redaction bypass through sourceConfig and runtimeConfig aliases
| Field | Detail |
|---|---|
| CVSS | 7.1 (HIGH) – CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-212 (CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer) |
| Affected | < 2026.4.14 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-8372-7vhw-cm6q |
OpenClaw before 2026.4.14 contains a redaction bypass vulnerability that allows authenticated gateway clients to receive unredacted secrets through sourceConfig and runtimeConfig alias fields. Attackers with config read access can exploit this to obtain provider API keys, gateway authentication material, and channel credentials that should have been redacted.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw < 2026.4.14 - Redaction Bypass via sourceConfig and runtimeConfig Aliases
CVE-2026-43567 – OpenClaw < 2026.4.10 - Path Traversal in screen_record outPath Parameter
| Field | Detail |
|---|---|
| CVSS | 7.1 (HIGH) – CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-862 (CWE-862 Missing Authorization) |
| Affected | < 2026.4.10 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-jf25-7968-h2h5 |
OpenClaw before 2026.4.10 contains a path traversal vulnerability in the screen_record tool's outPath parameter that bypasses workspace-only filesystem guards. Attackers can exploit this by specifying an outPath outside the workspace boundary to write files to unintended locations on the system.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw < 2026.4.10 - Path Traversal in screen_record outPath Parameter
CVE-2026-43568 – OpenClaw: Memory dreaming config persistence was reachable from operator.write commands
| Field | Detail |
|---|---|
| CVSS | 7.1 (HIGH) – CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-862 (CWE-862 Missing Authorization) |
| Affected | < 2026.4.10 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-5gjc-grvm-m88j |
OpenClaw versions 2026.4.5 before 2026.4.10 contain a privilege escalation vulnerability allowing write-scoped operators to modify persistent memory dreaming settings. Attackers with write-scoped gateway access can toggle admin-class configuration mutations through the /dreaming endpoint to escalate privileges.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw 2026.4.5 < 2026.4.10 - Privilege Escalation via Memory Dreaming Configuration in /dreaming Endpoint
CVE-2026-43531 – OpenClaw < 2026.4.9 - Environment Variable Injection via Workspace .env File
| Field | Detail |
|---|---|
| CVSS | 7 (HIGH) – CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| CWE | CWE-15 (CWE-15: External Control of System or Configuration Setting) |
| Affected | < 2026.4.9 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-7wv4-cc7p-jhxc |
OpenClaw before 2026.4.9 contains an environment variable injection vulnerability allowing malicious workspace .env files to set runtime-control variables. Attackers can inject variables affecting update sources, gateway URLs, ClawHub resolution, and browser executable paths to compromise application behavior.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw < 2026.4.9 - Environment Variable Injection via Workspace .env File
CVE-2026-28480 – OpenClaw Telegram allowlist authorization accepted mutable usernames
| Field | Detail |
|---|---|
| CVSS | 6.9 (MEDIUM) – CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-290 (Authentication Bypass by Spoofing) |
| Affected | < 2026.2.14 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-mj5r-hh7j-4gxf |
OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerability where Telegram allowlist matching accepts mutable usernames instead of immutable numeric sender IDs. Attackers can spoof identity by obtaining recycled usernames to bypass allowlist restrictions and interact with bots as unauthorized senders.
References:
- Patch Commit #1
- Patch Commit #2
- VulnCheck Advisory: OpenClaw < 2026.2.14 - Identity Spoofing via Mutable Username in Telegram Allowlist Authorization
CVE-2026-29612 – OpenClaw < 2026.2.14 - Denial of Service via Large Base64 Media File Decoding
| Field | Detail |
|---|---|
| CVSS | 6.8 (MEDIUM) – CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
| CWE | CWE-770 (Allocation of Resources Without Limits or Throttling) |
| Affected | < 2026.2.14 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-w2cg-vxx6-5xjg |
OpenClaw versions prior to 2026.2.14 decode base64-backed media inputs into buffers before enforcing decoded-size budget limits, allowing attackers to trigger large memory allocations. Remote attackers can supply oversized base64 payloads to cause memory pressure and denial of service.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw < 2026.2.14 - Denial of Service via Large Base64 Media File Decoding
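The fix class this entry describes is to enforce the decoded-size budget before decoding. The decoded length of a base64 payload is fully determined by its character count and padding, so the check needs no buffer at all. The following is an added example, not OpenClaw's media code: the helper names and the budget values are assumptions, and it also accepts data: URLs and URL-safe base64, which goes slightly beyond the single case in the entry.

```typescript
// Added example (hypothetical helper, not OpenClaw's media code): compute the
// decoded size of a base64 payload from its text length and padding, so the
// budget check runs before any decode buffer is allocated.

function base64DecodedLength(input: string): number {
  // Accept a data: URL ("data:image/png;base64,....") or bare base64, and
  // ignore line breaks and other whitespace that encoders may insert.
  const comma = input.startsWith("data:") ? input.indexOf(",") : -1;
  const body = (comma >= 0 ? input.slice(comma + 1) : input).replace(/\s+/g, "");
  if (body.length === 0) return 0;
  // Standard and URL-safe alphabets, with at most two trailing '=' characters.
  if (!/^[A-Za-z0-9+\/_-]+={0,2}$/.test(body)) throw new Error("invalid base64 alphabet");

  const padding = body.endsWith("==") ? 2 : body.endsWith("=") ? 1 : 0;
  const chars = body.length - padding;
  const rem = chars % 4;
  // Each full group of 4 characters decodes to 3 bytes; a trailing group of 2 or
  // 3 characters adds 1 or 2 bytes. A trailing single character is invalid, and
  // padding is only meaningful after an incomplete group.
  if (rem === 1 || (padding > 0 && rem === 0)) throw new Error("invalid base64 length");
  return Math.floor(chars / 4) * 3 + (rem === 2 ? 1 : rem === 3 ? 2 : 0);
}

type BudgetResult = { ok: boolean; bytes: number; maxBytes: number };

// Decide whether a payload may be decoded at all; the caller decodes only on ok.
function checkMediaBudget(input: string, maxBytes: number): BudgetResult {
  const bytes = base64DecodedLength(input);
  return { ok: bytes <= maxBytes, bytes, maxBytes };
}
```

Because the estimate is exact for well-formed input and the malformed cases throw, an oversized or malformed payload is rejected while the only memory touched is the incoming string itself; the decode step should be reached only for inputs that passed this check.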
CVE-2026-28452 – OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR)
| Field | Detail |
|---|---|
| CVSS | 6.7 (MEDIUM) – CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
| CWE | CWE-770 (Allocation of Resources Without Limits or Throttling) |
| Affected | < 2026.2.14 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-h89v-j3x9-8wqj |
OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the extractArchive function within src/infra/archive.ts that allows attackers to consume excessive CPU, memory, and disk resources through high-expansion ZIP and TAR archives. Remote attackers can trigger resource exhaustion by providing maliciously crafted archive files during install or update operations, causing service degradation or system unavailability.
References:
- Patch Commit #1
- Patch Commit #2
- VulnCheck Advisory: OpenClaw < 2026.2.14 - Denial of Service via Unguarded Archive Extraction in extractArchive
CVE-2026-26328 – OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities
| Field | Detail |
|---|---|
| CVSS | 6.5 (MEDIUM) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| CWE | CWE-284 (CWE-284: Improper Access Control), CWE-863 (CWE-863: Incorrect Authorization) |
| Affected | <= 2026.1.24-3 |
| Vendor/Product | openclaw / clawdbot |
| Advisory | GHSA-g34w-4xqq-h79m |
OpenClaw is a personal AI assistant. Prior to version 2026.2.14, under iMessage groupPolicy=allowlist, group authorization could be satisfied by sender identities coming from the DM pairing store, broadening DM trust into group contexts. Version 2026.2.14 fixes the issue.
Naming note: Uses old name openclaw/clawdbot as vendor/product.
References:
- https://github.com/openclaw/openclaw/commit/872079d42fe105ece2900a1dd6ab321b92da2d59
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.14
CVE-2026-41389 – OpenClaw: Webchat media embedding enforces local-root containment for tool-result files
| Field | Detail |
|---|---|
| CVSS | 6.3 (MEDIUM) – CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N |
| CWE | CWE-73 (CWE-73: External Control of File Name or Path) |
| Affected | < 2026.4.15 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-mr34-9552-qr95 |
OpenClaw versions 2026.4.7 before 2026.4.15 fail to enforce local-root containment on tool-result media paths, allowing arbitrary local and UNC file access. Attackers can craft malicious tool-result media references to trigger host-side file reads or Windows network path access, potentially disclosing sensitive files or exposing credentials.
References:
- Patch Commit
- Patch Commit
- Patch Commit
- openclaw-arbitrary-file-read-via-unvalidated-tool-result-media-paths
CVE-2026-43527 – OpenClaw: Browser SSRF policy default allowed private-network navigation
| Field | Detail |
|---|---|
| CVSS | 6.3 (MEDIUM) – CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N |
| CWE | CWE-918: Server-Side Request Forgery (SSRF); CWE-1188: Initialization of a Resource with an Insecure Default |
| Affected | < 2026.4.14 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-53vx-pmqw-863c |
OpenClaw before 2026.4.14 ships a browser SSRF policy whose default allows private-network navigation. Attackers can exploit this insecure default to reach internal services or metadata endpoints through browser-driven requests.
References:
- Patch Commit (1)
- Patch Commit (2)
- Patch Commit (3)
- Patch Commit (4)
- VulnCheck Advisory: OpenClaw < 2026.4.14 - Server-Side Request Forgery via Private Network Navigation
CVE-2026-43572 – OpenClaw: Microsoft Teams SSO invoke handler missed sender authorization checks
| Field | Detail |
|---|---|
| CVSS | 6.3 (MEDIUM) – CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-862: Missing Authorization |
| Affected | < 2026.4.14 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-gc9r-867r-j85f |
OpenClaw versions 2026.4.10 before 2026.4.14 contain a missing authorization vulnerability in the Microsoft Teams SSO invoke handler that fails to apply sender allowlist checks. Attackers can bypass sender authorization by sending SSO invoke requests that are processed without proper validation, allowing unauthorized access to Teams SSO signin functionality.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw 2026.4.10 < 2026.4.14 - Missing Sender Authorization in Microsoft Teams SSO Invoke Handler
CVE-2026-43574 – OpenClaw < 2026.4.12 - Improper Authorization via Empty Approver Lists
| Field | Detail |
|---|---|
| CVSS | 6.0 (MEDIUM) – CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-183: Permissive List of Allowed Inputs |
| Affected | < 2026.4.12 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-49cg-279w-m73x |
OpenClaw before 2026.4.12 contains an improper authorization vulnerability in helper-backed channels where empty resolved approver lists are interpreted as explicit approval authorization. Attackers can resolve pending approvals without proper authorization by exploiting this logic flaw if they know an approval id.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw < 2026.4.12 - Improper Authorization via Empty Approver Lists
CVE-2026-42439 – OpenClaw < 2026.4.10 - SSRF Policy Bypass in Browser Tabs Action Routes
| Field | Detail |
|---|---|
| CVSS | 4.9 (MEDIUM) – CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N |
| CWE | CWE-862: Missing Authorization |
| Affected | < 2026.4.10 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-rj2p-j66c-mgqh |
OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in the browser tabs action select and close routes. Attackers can bypass configured browser SSRF policy protections by exploiting the /tabs/action endpoint to perform unauthorized tab navigation operations.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw < 2026.4.10 - SSRF Policy Bypass in Browser Tabs Action Routes
CVE-2026-42436 – OpenClaw: Browser snapshot and screenshot routes could expose internal page content after navigation
| Field | Detail |
|---|---|
| CVSS | 4.9 (MEDIUM) – CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N |
| CWE | CWE-862: Missing Authorization |
| Affected | < 2026.4.14 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-c4qm-58hj-j6pj |
OpenClaw before 2026.4.14 contains an improper access control vulnerability in browser snapshot, screenshot, and tab routes that fail to consistently validate the final browser target after navigation. Authenticated callers can bypass SSRF restrictions to expose internal or disallowed page content by exploiting route-driven navigation without proper policy re-validation.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw < 2026.4.14 - Internal Page Content Exposure via Browser Snapshot and Screenshot Routes
CVE-2026-42438 – OpenClaw: Sender policy bypass in host media attachment reads allows unauthorized local file disclosure
| Field | Detail |
|---|---|
| CVSS | 4.9 (MEDIUM) – CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N |
| CWE | CWE-863: Incorrect Authorization |
| Affected | < 2026.4.10 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-jhpv-5j76-m56h |
OpenClaw versions 2026.4.9 before 2026.4.10 contain a sender policy bypass vulnerability in the outbound host-media attachment read helper that allows unauthorized local file disclosure. Attackers with denied read access via toolsBySender or group policy can trigger host-media attachment loading to bypass sender and group-scoped authorization boundaries and retrieve readable local files through the outbound media path.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw 2026.4.9 < 2026.4.10 - Sender Policy Bypass in Host Media Attachment Reads
CVE-2026-43532 – OpenClaw: Discord event cover images bypassed sandbox media normalization
| Field | Detail |
|---|---|
| CVSS | 4.9 (MEDIUM) – CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N |
| CWE | CWE-184: Incomplete List of Disallowed Inputs |
| Affected | < 2026.4.10 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-c9h3-5p7r-mrjh |
OpenClaw versions 2026.4.7 before 2026.4.10 fail to normalize Discord event cover image parameters in sandbox media processing. Attackers can bypass media normalization to inject host-local media references into channel action paths expecting normalized media.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw 2026.4.7 < 2026.4.10 - Sandbox Media Normalization Bypass via Discord Event Cover Image
CVE-2026-43573 – OpenClaw: Existing-session browser interaction routes bypassed SSRF policy enforcement
| Field | Detail |
|---|---|
| CVSS | 4.9 (MEDIUM) – CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N |
| CWE | CWE-862: Missing Authorization; CWE-918: Server-Side Request Forgery (SSRF) |
| Affected | < 2026.4.10 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-527m-976r-jf79 |
OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in existing-session browser interaction routes. Attackers can bypass SSRF navigation guards to interact with or navigate to unauthorized targets without policy enforcement.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw < 2026.4.10 - SSRF Policy Bypass in Existing-Session Browser Interaction Routes
CVE-2026-41358 – OpenClaw < 2026.4.2 - Sender Allowlist Bypass via Slack Thread Context
| Field | Detail |
|---|---|
| CVSS | 2.3 (LOW) – CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-346: Origin Validation Error |
| Affected | < 2026.4.2 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-qm77-8qjp-4vcm |
OpenClaw before 2026.4.2 fails to filter Slack thread context by sender allowlist, allowing non-allowlisted messages to enter agent context. Attackers can inject unauthorized thread messages through allowlisted user replies to bypass sender access controls and manipulate model context.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw < 2026.4.2 - Sender Allowlist Bypass via Slack Thread Context
CVE-2026-41908 – OpenClaw < 2026.4.20 - Scope Enforcement Bypass in Assistant-Media Route
| Field | Detail |
|---|---|
| CVSS | 2.3 (LOW) – CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-863: Incorrect Authorization |
| Affected | < 2026.4.20 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-v8qf-fr4g-28p2 |
OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows trusted-proxy callers without operator.read scope to access protected assistant-media files and metadata. Attackers can bypass identity-bearing HTTP auth path scope validation to retrieve sensitive media content within allowed media roots.
References:
CVE-2026-43529 – OpenClaw: TOCTOU read in exec script preflight
| Field | Detail |
|---|---|
| CVSS | 2.0 (LOW) – CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition |
| Affected | < 2026.4.10 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-gj9q-8w99-mp8j |
OpenClaw before 2026.4.10 contains a time-of-check/time-of-use vulnerability in the validateScriptFileForShellBleed function that allows local attackers to bypass workspace boundary checks. An attacker with workspace write access can swap the target file between the boundary validation and the preflight read, so the validator inspects a different file than the one that passed the initial boundary check.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw < 2026.4.10 - Time-of-Check-Time-of-Use (TOCTOU) Race Condition in exec Script Preflight Validator
⏳ CVE Publication Pipeline
Of 40 GHSAs with CVE IDs, 40 are fully published and 0 remain RESERVED.
```mermaid
graph LR
A["1️⃣ GitHub Reserves<br/>CVE ID<br/><b>RESERVED</b>"] --> B["2️⃣ GHSA Goes Public<br/>with CVE ID Shown"]
B --> C["3️⃣ CNA Submits<br/>CVE Record via<br/>CVE Services<br/><b>PUBLISHED</b>"]
C --> D["4️⃣ cvelistV5 Bot<br/>Commits JSON File"]
style A fill:#fee,stroke:#c33,color:#333
style B fill:#fff3cd,stroke:#856404,color:#333
style C fill:#d4edda,stroke:#155724,color:#333
style D fill:#cce5ff,stroke:#004085,color:#333
```
| CVE ID | State | cvelistV5 | GHSA Published | CNA |
|---|---|---|---|---|
| CVE-2026-24763 | ✅ PUBLISHED | ✅ | 2026-02-02 | GitHub_M |
| CVE-2026-25157 | ✅ PUBLISHED | ✅ | 2026-02-02 | GitHub_M |
| CVE-2026-25253 | ✅ PUBLISHED | ✅ | 2026-02-02 | mitre |
| CVE-2026-26317 | ✅ PUBLISHED | ✅ | 2026-02-18 | GitHub_M |
| CVE-2026-26328 | ✅ PUBLISHED | ✅ | 2026-02-18 | GitHub_M |
| CVE-2026-28452 | ✅ PUBLISHED | ✅ | 2026-02-18 | VulnCheck |
| CVE-2026-28458 | ✅ PUBLISHED | ✅ | 2026-02-17 | VulnCheck |
| CVE-2026-28469 | ✅ PUBLISHED | ✅ | 2026-02-18 | VulnCheck |
| CVE-2026-28478 | ✅ PUBLISHED | ✅ | 2026-02-18 | VulnCheck |
| CVE-2026-28480 | ✅ PUBLISHED | ✅ | 2026-02-18 | VulnCheck |
| CVE-2026-29612 | ✅ PUBLISHED | ✅ | 2026-02-18 | VulnCheck |
| CVE-2026-41358 | ✅ PUBLISHED | ✅ | 2026-05-04 | VulnCheck |
| CVE-2026-41389 | ✅ PUBLISHED | ✅ | 2026-04-17 | VulnCheck |
| CVE-2026-41908 | ✅ PUBLISHED | ✅ | 2026-04-25 | VulnCheck |
| CVE-2026-42433 | ✅ PUBLISHED | ✅ | 2026-04-17 | VulnCheck |
| CVE-2026-42434 | ✅ PUBLISHED | ✅ | 2026-04-17 | VulnCheck |
| CVE-2026-42435 | ✅ PUBLISHED | ✅ | 2026-04-17 | VulnCheck |
| CVE-2026-42436 | ✅ PUBLISHED | ✅ | 2026-04-17 | VulnCheck |
| CVE-2026-42437 | ✅ PUBLISHED | ✅ | 2026-04-17 | VulnCheck |
| CVE-2026-42438 | ✅ PUBLISHED | ✅ | 2026-04-17 | VulnCheck |
| CVE-2026-42439 | ✅ PUBLISHED | ✅ | 2026-04-17 | VulnCheck |
| CVE-2026-43526 | ✅ PUBLISHED | ✅ | 2026-04-17 | VulnCheck |
| CVE-2026-43527 | ✅ PUBLISHED | ✅ | 2026-04-17 | VulnCheck |
| CVE-2026-43528 | ✅ PUBLISHED | ✅ | 2026-04-17 | VulnCheck |
| CVE-2026-43529 | ✅ PUBLISHED | ✅ | 2026-04-16 | VulnCheck |
| CVE-2026-43530 | ✅ PUBLISHED | ✅ | 2026-04-17 | VulnCheck |
| CVE-2026-43531 | ✅ PUBLISHED | ✅ | 2026-04-17 | VulnCheck |
| CVE-2026-43532 | ✅ PUBLISHED | ✅ | 2026-04-17 | VulnCheck |
| CVE-2026-43533 | ✅ PUBLISHED | ✅ | 2026-04-17 | VulnCheck |
| CVE-2026-43534 | ✅ PUBLISHED | ✅ | 2026-04-17 | VulnCheck |
| CVE-2026-43535 | ✅ PUBLISHED | ✅ | 2026-04-17 | VulnCheck |
| CVE-2026-43566 | ✅ PUBLISHED | ✅ | 2026-04-17 | VulnCheck |
| CVE-2026-43567 | ✅ PUBLISHED | ✅ | 2026-04-17 | VulnCheck |
| CVE-2026-43568 | ✅ PUBLISHED | ✅ | 2026-04-17 | VulnCheck |
| CVE-2026-43569 | ✅ PUBLISHED | ✅ | 2026-04-17 | VulnCheck |
| CVE-2026-43571 | ✅ PUBLISHED | ✅ | 2026-04-17 | VulnCheck |
| CVE-2026-43572 | ✅ PUBLISHED | ✅ | 2026-04-17 | VulnCheck |
| CVE-2026-43573 | ✅ PUBLISHED | ✅ | 2026-04-17 | VulnCheck |
| CVE-2026-43574 | ✅ PUBLISHED | ✅ | 2026-04-17 | VulnCheck |
| CVE-2026-6011 | ✅ PUBLISHED | ✅ | 2026-04-10 | – |
Key Insights
| Insight | Detail |
|---|---|
| Dominant Weakness | 36% of categorized issues relate to Allowlist Bypass (32/89) |
| V5 Sync Rate | 40/40 CVE IDs (100%) have full cvelistV5 records |
| Advisory Velocity | 148 security advisories between 2026-02-02 and 2026-05-05 |
| Top Severity | 1 Critical + 47 High = 48 high-impact issues (32%) |
Vulnerability Categories
| Category | Count | Examples |
|---|---|---|
| OS Command Injection (CWE-78) | 21 | PATH injection, SSH command injection, Docker exec, keychain writes |
| Path Traversal (CWE-22) | 8 | MEDIA: paths, plugin install, browser downloads, Zip Slip, transcript paths |
| SSRF | 12 | Image tool fetch, Feishu extension, attachment/media URLs, IPv6 bypass |
| Auth Bypass / Missing Auth | 4 | WebSocket config.apply, webhook verification, browser relay, sandbox bridge |
| Allowlist Bypass | 32 | Telegram usernames, Matrix displayName, Slack DM, Twitch, voice-call |
| Injection (XSS/CSRF/Prompt) | 8 | XSS in Control UI, prompt injection via Slack/CWD/logs, CSRF |
| Denial of Service | 4 | Unbounded media fetch, webhook body buffering, archive expansion |
All Security Advisories (148)
Critical & High Severity
| GHSA | CVE | Severity | Title | Published |
|---|---|---|---|---|
| GHSA-cwj3-vqpp-pmxr | – | | OpenClaw's gateway config mutation guard allowed unsafe model-driven config writes | 2026-05-05 |
| GHSA-r39h-4c2p-3jxp | – | | OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution | 2026-05-05 |
| GHSA-wppj-c6mr-83jj | – | | OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root | 2026-05-04 |
| GHSA-r6xh-pqhr-v4xh | – | | OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens | 2026-05-04 |
| GHSA-5mh4-3rv3-fpcf | – | | Duplicate Advisory: OpenClaw: Host exec environment sanitization misses package, registry, Docker, compiler, and TLS override variables | 2026-04-28 |
| GHSA-5799-3xg7-rfrv | – | | Duplicate Advisory: OpenClaw: SSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host | 2026-04-28 |
| GHSA-394x-274p-mqc6 | – | | Duplicate Advisory: OpenClaw: Gateway operator.write Can Reach Admin-Class Telegram Config and Cron Persistence via send | 2026-04-24 |
| GHSA-7vq9-42cc-33j4 | – | | Duplicate Advisory: OpenClaw: Device-Paired Node Skips Node Scope Gate → Host RCE.md | 2026-04-24 |
| GHSA-gv2f-q4wp-fvh5 | – | | Duplicate Advisory: OpenClaw: CLI Remote Onboarding Persists Unauthenticated Discovery Endpoint and Exfiltrates Gateway Credentials | 2026-04-24 |
| GHSA-jx3c-247h-cxwp | – | | Duplicate Advisory: OpenClaw: Workspace .env can override the bundled hooks root and load attacker hook code | 2026-04-24 |
| GHSA-66r7-m7xm-v49h | CVE-2026-43533 | | OpenClaw: QQBot media tags could read arbitrary local files through reply text | 2026-04-17 |
| GHSA-2cq5-mf3v-mx44 | CVE-2026-43530 | | OpenClaw: busybox and toybox applet execution weakened exec approval binding | 2026-04-17 |
| GHSA-7jp6-r74r-995q | CVE-2026-42433 | | OpenClaw: Matrix profile config persistence was reachable from operator.write message tools | 2026-04-17 |
| GHSA-736r-jwj6-4w23 | CVE-2026-42434 | | OpenClaw: Sandboxed agents could escape exec routing via host=node override | 2026-04-17 |
| GHSA-939r-rj45-g2rj | CVE-2026-43569 | | OpenClaw: Workspace provider auth choices could auto-enable untrusted provider plugins | 2026-04-17 |
| GHSA-82qx-6vj7-p8m2 | CVE-2026-43571 | | OpenClaw: Channel setup catalog lookups could include untrusted workspace plugin shadows | 2026-04-17 |
| GHSA-vw3h-q6xq-jjm5 | CVE-2026-42437 | | OpenClaw: Voice-call realtime WebSocket accepted oversized frames | 2026-04-17 |
| GHSA-8372-7vhw-cm6q | CVE-2026-43528 | | OpenClaw: config.get redaction bypass through sourceConfig and runtimeConfig aliases | 2026-04-17 |
| GHSA-xh72-v6v9-mwhc | – | | OpenClaw: Feishu webhook and card-action validation now fail closed | 2026-04-17 |
| GHSA-2gvc-4f3c-2855 | – | | OpenClaw: Matrix room control-command authorization no longer trusts DM pairing-store entries | 2026-04-17 |
| GHSA-xmxx-7p24-h892 | – | | OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation | 2026-04-17 |
| GHSA-525j-hqq2-66r4 | – | | OpenClaw: Sandbox browser CDP relay could expose DevTools protocol on 0.0.0.0 | 2026-04-17 |
| GHSA-vfp4-8x56-j7c5 | – | | OpenClaw: Exec environment denylist missed high-risk interpreter startup variables | 2026-04-17 |
| GHSA-r3v5-2grc-429h | – | | Duplicate Advisory: OpenClaw Gateway: RCE and Privilege Escalation from operator.pairing to operator.admin via device.pair.approve | 2026-04-10 |
| GHSA-rq6g-px6m-c248 | CVE-2026-28469 | | OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting | 2026-02-18 |
| GHSA-3fqr-4cg8-h96q | CVE-2026-26317 | | OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints | 2026-02-18 |
| GHSA-q447-rj3r-2cgh | CVE-2026-28478 | | OpenClaw affected by denial of service via unbounded webhook request body buffering | 2026-02-18 |
| GHSA-mr32-vwc2-5j6h | CVE-2026-28458 | | OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access | 2026-02-17 |
| GHSA-q284-4pvr-m585 | CVE-2026-25157 | | OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand | 2026-02-02 |
| GHSA-g8p2-7wf7-98mq | CVE-2026-25253 | | OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl | 2026-02-02 |
| GHSA-mc68-q9jw-2h3v | CVE-2026-24763 | | OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable | 2026-02-02 |
| GHSA-r2c6-8jc8-g32w | – | | Duplicate Advisory: 1-Click RCE via Authentication Token Exfiltration From gatewayUrl | 2026-02-02 |
Medium Severity
| GHSA | CVE | Severity | Title | Published |
|---|---|---|---|---|
| GHSA-q8ff-7ffm-m3r9 | – | | OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload | 2026-05-05 |
| GHSA-93rg-2xm5-2p9v | – | | OpenClaw's Gateway Control UI bootstrap config required Gateway auth | 2026-05-04 |
| GHSA-5h3g-6xhh-rg6p | – | | OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes | 2026-05-04 |
| GHSA-x3h8-jrgh-p8jx | – | | OpenClaw's exec allowlist analysis rejects shell expansion in unquoted heredocs | 2026-05-04 |
| GHSA-55cf-xx38-4p9p | – | | OpenClaw: Workspace dotenv files cannot override connector endpoint hosts | 2026-05-04 |
| GHSA-q3jj-46pq-826r | – | | OpenClaw's ACP child sessions inherit subagent security envelope constraints | 2026-05-04 |
| GHSA-2hh7-c75g-qj2r | – | | OpenClaw validates Zalo outbound photo URLs through the SSRF guard | 2026-05-04 |
| GHSA-gfg9-5357-hv4c | – | | OpenClaw: Webchat audio embedding could read local files without local-root containment | 2026-04-29 |
| GHSA-c28g-vh7m-fm7v | – | | OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners | 2026-04-29 |
| GHSA-f5fm-9jmp-c88r | – | | Duplicate Advisory: OpenClaw: Trailing-dot localhost CDP hosts could bypass remote loopback protections | 2026-04-28 |
| GHSA-8pf2-vj79-4wxg | – | | Duplicate Advisory: OpenClaw: MSTeams thread history bypasses sender allowlist via Graph API | 2026-04-28 |
| GHSA-qp56-gp47-jwj3 | – | | Duplicate Advisory: OpenClaw: Feishu extension resolveUploadInput bypasses file-system sandbox and allows arbitrary file reads via upload_image | 2026-04-28 |
| GHSA-7jm2-g593-4qrc | – | | OpenClaw: Agent gateway config mutations could change protected operator settings | 2026-04-25 |
| GHSA-qrp5-gfw2-gxv4 | – | | OpenClaw: Bundled MCP/LSP tools could bypass configured tool policy | 2026-04-25 |
| GHSA-h2vw-ph2c-jvwf | – | | OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests | 2026-04-25 |
| GHSA-mj59-h3q9-ghfh | – | | OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config | 2026-04-25 |
| GHSA-hxvm-xjvf-93f3 | – | | OpenClaw: Workspace dotenv could override runtime-control environment variables | 2026-04-25 |
| GHSA-72q8-jcmc-97wx | – | | OpenClaw: Feishu card actions could misclassify DMs and skip dmPolicy | 2026-04-25 |
| GHSA-2xcp-x87w-q377 | – | | OpenClaw: Hook mapping templates could bypass hook session-key opt-in | 2026-04-25 |
| GHSA-m563-373q-885c | – | | Duplicate Advisory: OpenClaw: OpenShell mirror mode can convert untrusted sandbox files into explicitly enabled workspace hooks and execute them on the host during gateway startup | 2026-04-24 |
| GHSA-6477-wvjj-47v6 | – | | Duplicate Advisory: OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders | 2026-04-24 |
| GHSA-m958-864j-xq5w | – | | Duplicate Advisory: OpenClaw: Telnyx Webhook Replay Detection Bypass via Base64 Signature Re-encoding | 2026-04-24 |
| GHSA-mf69-r24q-ghhr | – | | Duplicate Advisory: OpenClaw: Pairing pending-request caps were enforced per channel instead of per account | 2026-04-24 |
| GHSA-v3c2-39fm-jq4h | – | | Duplicate Advisory: OpenClaw: Gateway operator.write can reach admin-only persisted verboseLevel via chat.send /verbose | 2026-04-24 |
| GHSA-2hv5-4h3g-4hjv | – | | Duplicate Advisory: OpenClaw: LINE webhook handler lacks shared pre-auth concurrency budget before signature verification | 2026-04-24 |
| GHSA-cw28-63x4-37c3 | – | | Duplicate Advisory: OpenClaw: Voice-call Plivo replay mutates in-process callback origin before replay rejection | 2026-04-24 |
| GHSA-fjm8-mgc9-mf65 | – | | Duplicate Advisory: OpenClaw Has a Gateway Control Interface Information Disclosure Vulnerability | 2026-04-24 |
| GHSA-r7p2-r9g4-4xph | – | | Duplicate Advisory: OpenClaw: Gateway hello snapshots exposed host config and state paths to non-admin clients | 2026-04-24 |
| GHSA-w9f5-8q83-qwpx | – | | Duplicate Advisory: OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting | 2026-04-24 |
| GHSA-wcm7-94wg-h74h | – | | Duplicate Advisory: OpenClaw host-env blocklist missing GIT_TEMPLATE_DIR and AWS_CONFIG_FILE allows code execution via env override | 2026-04-24 |
| GHSA-qc5j-2mqx-x83q | – | | Duplicate Advisory: OpenClaw: Webchat media embedding enforces local-root containment for tool-result files | 2026-04-20 |
| GHSA-mr34-9552-qr95 | CVE-2026-41389 | | OpenClaw: Webchat media embedding enforces local-root containment for tool-result files | 2026-04-17 |
| GHSA-jhpv-5j76-m56h | CVE-2026-42438 | | OpenClaw: Sender policy bypass in host media attachment reads allows unauthorized local file disclosure | 2026-04-17 |
| GHSA-527m-976r-jf79 | CVE-2026-43573 | | OpenClaw: Existing-session browser interaction routes bypassed SSRF policy enforcement | 2026-04-17 |
| GHSA-rj2p-j66c-mgqh | CVE-2026-42439 | | OpenClaw: Browser tabs action select and close routes bypassed SSRF policy | 2026-04-17 |
| GHSA-jf25-7968-h2h5 | CVE-2026-43567 | | OpenClaw: screen_record outPath bypassed workspace-only filesystem guard | 2026-04-17 |
| GHSA-53vx-pmqw-863c | CVE-2026-43527 | | OpenClaw: Browser SSRF policy default allowed private-network navigation | 2026-04-17 |
| GHSA-2767-2q9v-9326 | CVE-2026-43526 | | OpenClaw: QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes | 2026-04-17 |
| GHSA-7wv4-cc7p-jhxc | CVE-2026-43531 | | OpenClaw: Workspace .env could inject OpenClaw runtime-control variables | 2026-04-17 |
| GHSA-c9h3-5p7r-mrjh | CVE-2026-43532 | | OpenClaw: Discord event cover images bypassed sandbox media normalization | 2026-04-17 |
| GHSA-49cg-279w-m73x | CVE-2026-43574 | | OpenClaw: Empty approver lists could grant explicit approval authorization | 2026-04-17 |
| GHSA-7g8c-cfr3-vqqr | CVE-2026-43534 | | OpenClaw: Agent hook events could enqueue trusted system events from unsanitized external input | 2026-04-17 |
| GHSA-j6c7-3h5x-99g9 | CVE-2026-42435 | | OpenClaw: Shell-wrapper detection missed env-argv assignment injection forms | 2026-04-17 |
| GHSA-5gjc-grvm-m88j | CVE-2026-43568 | | OpenClaw: Memory dreaming config persistence was reachable from operator.write commands | 2026-04-17 |
| GHSA-g2hm-779g-vm32 | CVE-2026-43566 | | OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events | 2026-04-17 |
| GHSA-c4qm-58hj-j6pj | CVE-2026-42436 | | OpenClaw: Browser snapshot and screenshot routes could expose internal page content after navigation | 2026-04-17 |
| GHSA-jwrq-8g5x-5fhm | CVE-2026-43535 | | OpenClaw: Collect-mode queue batches could reuse the last sender authorization context | 2026-04-17 |
| GHSA-f934-5rqf-xx47 | – | | OpenClaw: QMD memory_get restricts reads to canonical or indexed memory paths | 2026-04-17 |
| GHSA-f7fh-qg34-x2xh | – | | OpenClaw: CDP /json/version WebSocket URL could pivot to untrusted second-hop targets | 2026-04-17 |
| GHSA-536q-mj95-h29h | – | | OpenClaw: Browser press/type interaction routes missed complete navigation guard coverage | 2026-04-17 |
| GHSA-qmwg-qprg-3j38 | – | | OpenClaw: Browser interaction routes could pivot into local CDP and regain file reads | 2026-04-17 |
| GHSA-f3h5-h452-vp3j | – | | OpenClaw: Nostr profile mutation routes allowed operator.write config persistence | 2026-04-17 |
| GHSA-xq94-r468-qwgj | – | | OpenClaw: Browser SSRF hostname validation could be bypassed by DNS rebinding | 2026-04-17 |
| GHSA-g375-h3v6-4873 | – | | OpenClaw: Heartbeat owner downgrade missed local async exec completion events | 2026-04-17 |
| GHSA-92jp-89mq-4374 | – | | OpenClaw: Sandbox noVNC helper route exposed interactive browser session credentials | 2026-04-17 |
| GHSA-p6j4-wvmc-vx2h | – | | Duplicate Advisory: OpenClaw: Tlon cite expansion happens before channel and DM authorization is complete | 2026-04-10 |
| GHSA-59xc-5v89-r7pr | – | | Duplicate Advisory: OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token | 2026-04-10 |
| GHSA-pmf3-2q63-jmp6 | – | | Duplicate Advisory: OpenClaw: Symlink Traversal via IDENTITY.md appendFile in agents.create/update (Incomplete Fix for CVE-2026-32013) | 2026-04-10 |
| GHSA-m5jp-p3r5-mfqp | – | | Duplicate Advisory: OpenClaw: Gateway Plugin Subagent Fallback deleteSession Uses Synthetic operator.admin | 2026-04-10 |
| GHSA-hm63-vwj4-mj2q | – | | Duplicate Advisory: OpenClaw: Remote media error responses could trigger unbounded memory allocation before failure | 2026-04-10 |
| GHSA-mj5r-hh7j-4gxf | CVE-2026-28480 | | OpenClaw Telegram allowlist authorization accepted mutable usernames | 2026-02-18 |
| GHSA-h89v-j3x9-8wqj | CVE-2026-28452 | | OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR) | 2026-02-18 |
| GHSA-w2cg-vxx6-5xjg | CVE-2026-29612 | | OpenClaw: denial of service through large base64 media files allocating large buffers before limit checks | 2026-02-18 |
| GHSA-g34w-4xqq-h79m | CVE-2026-26328 | | OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities | 2026-02-18 |
Low Severity
| GHSA | CVE | Severity | Title | Published |
|---|---|---|---|---|
| GHSA-qm77-8qjp-4vcm | CVE-2026-41358 | | OpenClaw: Slack thread context could include messages from non-allowlisted senders | 2026-05-04 |
| GHSA-v8qf-fr4g-28p2 | CVE-2026-41908 | | OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization | 2026-04-25 |
| GHSA-j4c5-89f5-f3pm | – | | OpenClaw: Browser CDP profile creation skipped strict-mode SSRF checks | 2026-04-25 |
| GHSA-xrq9-jm7v-g9h7 | – | | OpenClaw: Paired-device pairing actions were not limited to the caller device | 2026-04-25 |
| GHSA-c4qg-j8jg-42q5 | – | | OpenClaw: QQBot direct media upload skipped URL SSRF validation | 2026-04-25 |
| GHSA-57r2-h2wj-g887 | – | | OpenClaw: Isolated cron awareness events were recorded as trusted system events | 2026-04-25 |
| GHSA-7hrg-5w46-5r2x | – | | Duplicate Advisory: OpenClaw: Slack thread context could include messages from non-allowlisted senders | 2026-04-24 |
| GHSA-wwc3-c577-533m | – | | Duplicate Advisory: OpenClaw: Gateway device.token.rotate does not terminate active WebSocket sessions after credential rotation | 2026-04-24 |
| GHSA-qgp3-3rj7-qqq4 | – | | Duplicate Advisory: OpenClaw: Discord Slash Commands Bypass Group DM Channel Allowlist | 2026-04-24 |
| GHSA-2xp4-qhr4-xqm2 | – | | Duplicate Advisory: OpenClaw: HTTP operator endpoints lack browser-origin validation in trusted-proxy mode | 2026-04-24 |
| GHSA-pr66-whqj-rq5p | – | | Duplicate Advisory: OpenClaw: Discord Component Interaction Misclassifies Group DM as Direct Message | 2026-04-24 |
| GHSA-qgx9-6px9-7p75 | – | | Duplicate Advisory: OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization | 2026-04-23 |
| GHSA-gc9r-867r-j85f | CVE-2026-43572 | | OpenClaw: Microsoft Teams SSO invoke handler missed sender authorization checks | 2026-04-17 |
| GHSA-r77c-2cmr-7p47 | – | | OpenClaw: Delivery queue recovery could lose group tool-policy context for media replay | 2026-04-17 |
| GHSA-gj9q-8w99-mp8j | CVE-2026-43529 | | OpenClaw: TOCTOU read in exec script preflight | 2026-04-16 |
| GHSA-52vj-fvrv-7q82 | CVE-2026-6011 | | OpenClaw vulnerable to SSRF in src/agents/tools/web-fetch.ts | 2026-04-10 |
| GHSA-chm2-m3w2-wcxm | – | | OpenClaw Google Chat spoofing access with allowlist authorized mutable email principal despite sender-ID mismatch | 2026-02-17 |
Repo-Only Advisories (~35 more)
These advisories are listed on the repo security page but not yet indexed in the GitHub Advisory Database. See the full advisory list for details.
| GHSA | Severity | Title | Published |
|---|---|---|---|
| GHSA-3vvq-q2qc-7rmp | | B-M3: ClawHub package downloads are not enforced with integrity verification | 2026-04-08 |
| GHSA-4f8g-77mw-3rxc | | Gateway plugin HTTP auth: gateway widens identity-bearing operator.read requests into runtime operator.write | 2026-04-08 |
| GHSA-5wj5-87vq-39xm | | Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement | 2026-04-08 |
| GHSA-67mf-f936-ppxf | | OpenClaw node.pair.approve placed in operator.write scope instead of operator.pairing allows unprivileged pairing approval | 2026-04-08 |
| GHSA-7437-7hg8-frrw | | HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist → RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class) | 2026-04-08 |
| GHSA-846p-hgpv-vphc | | QQ Bot structured payloads could read arbitrary local files | 2026-04-02 |
| GHSA-cm8v-2vh9-cxf3 | | GIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant) | 2026-04-08 |
| GHSA-cmfr-9m2r-xwhq | | OpenClaw node.invoke(browser.proxy) bypasses browser.request persistent profile-mutation guard | 2026-04-08 |
| GHSA-gfmx-pph7-g46x | | Lower-trust background runtime output is injected into trusted System: events, and local async exec completion misses the intended exec-event downgrade | 2026-04-08 |
| GHSA-jf56-mccx-5f3f | | Authenticated /hooks/wake and mapped wake payloads are promoted into the trusted System: prompt channel | 2026-04-08 |
| GHSA-m34q-h93w-vg5x | | OpenShell mirror mode could delete arbitrary remote directories when roots were mis-scoped | 2026-04-02 |
| GHSA-q2gc-xjqw-qp89 | | strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts | 2026-04-08 |
| GHSA-qqq7-4hxc-x63c | | Shared reply MEDIA: paths are treated as trusted and can trigger cross-channel local file exfiltration | 2026-04-08 |
| GHSA-qx8j-g322-qj6m | | fetchWithSsrFGuard replays unsafe request bodies across cross-origin redirects | 2026-04-08 |
| GHSA-w9j9-w4cp-6wgr | | OpenClaw Host-Exec Environment Variable Injection | 2026-04-08 |
| GHSA-whf9-3hcx-gq54 | | OpenClaw device.token.rotate mints tokens for unapproved roles, bypassing device role-upgrade pairing | 2026-04-08 |
| GHSA-25wv-8phj-8p7r | | Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths | 2026-04-08 |
| GHSA-2qrv-rc5x-2g2h | | Untrusted workspace channel shadows could execute during built-in channel setup | 2026-04-02 |
| GHSA-3fv3-6p2v-gxwj | | QQ Bot Extension: Missing SSRF Protection on All Media Fetch Paths | 2026-04-08 |
| GHSA-4p4f-fc8q-84m3 | | iOS A2UI bridge trusted generic local-network pages for agent.request dispatch | 2026-04-02 |
| GHSA-5fc7-f62m-8983 | | Feishu docx upload_file/upload_image Bypasses Workspace-Only Filesystem Policy (GHSA-qf48-qfv4-jjm9 Incomplete Fix) | 2026-04-08 |
| GHSA-5h3f-885m-v22w | | Existing WS sessions survive shared gateway token rotation | 2026-04-08 |
| GHSA-5hff-46vh-rxmw | | Read-scoped identity-bearing HTTP clients could kill sessions via /sessions/:sessionKey/kill | 2026-04-02 |
| GHSA-68x5-xx89-w9mm | | resolvedAuth closure becomes stale after config reload | 2026-04-08 |
| GHSA-98ch-45wp-ch47 | | Windows-compatible env override keys could bypass system.run approval binding | 2026-04-02 |
| GHSA-9jpj-g8vv-j5mf | | Gemini OAuth exposed the PKCE verifier through the OAuth state parameter | 2026-04-02 |
| GHSA-ccx3-fw7q-rr2r | | Multiple Code Paths Missing Base64 Pre-Allocation Size Checks | 2026-04-08 |
| GHSA-cqgw-44wg-44rf | | Discord voice manager bypasses channel-level member access allowlist | 2026-03-31 |
| GHSA-cr8r-7g2h-6wr6 | | Remote marketplace repository paths could escape through symlink traversal | 2026-04-16 |
| GHSA-fvx6-pj3r-5q4q | | Complex interpreter pipelines could skip exec script preflight validation | 2026-04-02 |
| GHSA-rxmx-g7hr-8mx4 | Zalo replay dedupe keys could suppress messages across chats or senders | 2026-04-02 | |
| GHSA-vc32-h5mq-453v | /allowlist omits owner-only enforcement for cross-channel allowlist writes | 2026-04-08 | |
| GHSA-vr5g-mmx7-h897 | Browser SSRF Policy Bypass via Interaction-Triggered Navigation | 2026-04-08 | |
| GHSA-2f7j-rp58-mr42 | Gateway hello snapshots exposed host config and state paths to non-admin clients | 2026-04-02 | |
| GHSA-jj6q-rrrf-h66h | Shared-secret comparison call sites leaked length information through timing | 2026-04-02 |
Naming Inconsistencies
The OpenClaw project has been renamed multiple times, causing inconsistencies across CVE records:
| CVE | Vendor | Product | packageURL | Description Names |
|---|---|---|---|---|
| CVE-2026-43534 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-43566 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-43533 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-25253 | OpenClaw | OpenClaw | pkg:npm/clawdbot | OpenClaw / clawdbot / Moltbot |
| CVE-2026-24763 | clawdbot | clawdbot | none | OpenClaw (formerly Clawdbot) |
| CVE-2026-28478 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-42435 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-42434 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-43530 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-43526 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-28469 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-42437 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-25157 | openclaw | openclaw | none | OpenClaw |
| CVE-2026-43571 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-43569 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-43535 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-28458 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-26317 | openclaw | clawdbot | none | OpenClaw (formerly Clawdbot) |
| CVE-2026-42433 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-43528 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-43567 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-43568 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-43531 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-28480 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-29612 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-28452 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-26328 | openclaw | clawdbot | none | OpenClaw (formerly Clawdbot) |
| CVE-2026-41389 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-43527 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-43572 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-43574 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-42439 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-42436 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-42438 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-43532 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-43573 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-41358 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-41908 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
| CVE-2026-43529 | OpenClaw | OpenClaw | pkg:npm/openclaw | OpenClaw |
Data Sources
| Source | URL |
|---|---|
| CVE List v5 | CVEProject/cvelistV5 |
| GitHub Advisory DB | github.com/advisories |
| Repo Security Tab | openclaw/openclaw/security |
| CVE Services API | https://cveawg.mitre.org/api/cve-id/{CVE-ID} |
Auto-generated by update_readme.py · Updated hourly via GitHub Actions
Data: ghsa-advisories.json · cves.json · cve-pipeline-status.json
Maintained by Jerry Gamblin · OpenClawCVEs
