Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

OpenClaw — Vulnerabilities & Security Advisories 467

All 467 CVE vulnerabilities found in OpenClaw, with AI-generated Chinese analysis, references, and POCs.

This page aggregates common weaknesses associated with OpenClaw, a software product developed by its vendor. It focuses on vulnerability aggregation for this specific product line, organizing data by weakness type and relevant security tags to facilitate easier analysis for security professionals and developers. The page collects a wide variety of vulnerability reports, ranging from critical remote code execution flaws to minor information disclosure issues. It covers security incidents reported over the past five years, ensuring a comprehensive historical perspective on the product’s security posture. This timeframe allows users to observe trends in patching speed and the emergence of new attack vectors against the software. Readers can discover detailed insights into OpenClaw’s security history by tracking vendor advisories as they are released and updated. The interface enables users to understand specific weakness classes affecting the product, such as buffer overflows or injection flaws, and how they manifest in real-world scenarios. Furthermore, one can look up a product’s vulnerability history to assess past risks and evaluate the effectiveness of recent security updates. This resource serves as a centralized hub for understanding the security landscape surrounding OpenClaw. By providing structured access to these data points, the page supports informed decision-making for system administrators and security auditors who need to prioritize remediation efforts or assess risk exposure. It eliminates the need to search multiple disparate sources for accurate and up-to-date vulnerability information.

Vendor: OpenClaw

CVE IDTitleCVSSSeverityPublished
CVE-2026-32923 OpenClaw < 2026.3.11 - Authorization Bypass in Discord Guild Reaction Allowlist Enforcement CWE-863 5.4 Medium2026-03-29
CVE-2026-32924 OpenClaw < 2026.3.12 - Authorization Bypass via Misclassified Reaction Events in Feishu CWE-863 9.8 Critical2026-03-29
CVE-2026-32922 OpenClaw < 2026.3.11 - Privilege Escalation via Unvalidated Scope in device.token.rotate CWE-266 9.9 Critical2026-03-29
CVE-2026-32919 OpenClaw < 2026.3.11 - Unauthorized Session Reset via agent Slash Commands CWE-863 6.1 Medium2026-03-29
CVE-2026-32915 OpenClaw < 2026.3.11 - Sandbox Boundary Bypass via Subagent Control Surface CWE-863 8.8 High2026-03-29
CVE-2026-32918 OpenClaw < 2026.3.11 - Session Sandbox Escape via session_status Tool CWE-863 8.4 High2026-03-29
CVE-2026-32914 OpenClaw < 2026.3.12 - Insufficient Access Control in /config and /debug Endpoints CWE-863 8.8 High2026-03-29
CVE-2026-32846 OpenClaw < 2026.3.28 Media Parsing Path Traversal to Arbitrary File Read CWE-22 8.6 -2026-03-26
CVE-2026-32913 OpenClaw < 2026.3.7 - Custom Authorization Header Leakage via Cross-Origin Redirects CWE-522 9.3 Critical2026-03-23
CVE-2026-27646 OpenClaw < 2026.3.7 - Sandbox Escape via /acp spawn Command CWE-863 6.1 Medium2026-03-23
CVE-2026-27183 OpenClaw < 2026.3.7 - Shell Approval Gating Bypass via Dispatch Wrapper Depth Mismatch CWE-863 5.3 Medium2026-03-23
CVE-2026-32899 OpenClaw < 2026.2.25 - Sender Policy Bypass in Slack Reaction and Pin Event Handlers CWE-863 4.3 Medium2026-03-21
CVE-2026-32898 OpenClaw < 2026.2.23 - ACP Permission Auto-Approval Bypass via Untrusted Tool Metadata CWE-807 5.4 Medium2026-03-21
CVE-2026-32897 OpenClaw < 2026.2.22 - Authentication Token Reuse in Owner ID Prompt Hashing Fallback CWE-320 3.7 Low2026-03-21
CVE-2026-32896 OpenClaw < 2026.2.21 - Unauthenticated Webhook Access via Passwordless Fallback in BlueBubbles Plugin CWE-306 4.8 Medium2026-03-21
CVE-2026-32895 OpenClaw < 2026.2.26 - Sender Authorization Bypass in Slack System Event Handlers CWE-863 5.4 Medium2026-03-21
CVE-2026-32067 OpenClaw < 2026.2.26 - Cross-Account Authorization Bypass in DM Pairing Store CWE-863 3.7 Low2026-03-21
CVE-2026-32065 OpenClaw < 2026.2.25 - Approval Identity Mismatch in system.run Command Execution CWE-436 4.8 Medium2026-03-21
CVE-2026-32064 OpenClaw < 2026.2.21 - Missing VNC Authentication in Sandbox Browser noVNC Observer CWE-306 7.7 High2026-03-21
CVE-2026-32058 OpenClaw < 2026.2.26 - Approval Context-Binding Weakness in system.run via host=node CWE-863 2.6 Low2026-03-21
CVE-2026-32057 OpenClaw < 2026.2.25 - Authentication Bypass via Control UI client.id Parameter CWE-807 7.1 High2026-03-21
CVE-2026-32056 OpenClaw < 2026.2.22 - Remote Code Execution via Shell Startup Environment Variable Injection in system.run CWE-78 7.5 High2026-03-21
CVE-2026-32055 OpenClaw < 2026.2.26 - Workspace Path Boundary Bypass via Non-existent Symlink CWE-22 7.6 High2026-03-21
CVE-2026-32054 OpenClaw < 2026.2.25 - Symlink Traversal in Browser Trace/Download Path Handling CWE-59 6.5 Medium2026-03-21
CVE-2026-32053 OpenClaw < 2026.2.23 - Twilio Webhook Replay Bypass via Randomized Event ID Normalization CWE-294 6.5 Medium2026-03-21
CVE-2026-32052 OpenClaw < 2026.2.24 - Hidden Command Execution via Shell-Wrapper Positional argv Carriers CWE-436 6.4 Medium2026-03-21
CVE-2026-32051 OpenClaw < 2026.3.1 - Authorization Bypass in Agent Runs via Owner-Only Tool Access CWE-863 8.8 High2026-03-21
CVE-2026-32050 OpenClaw < 2026.2.25 - Unauthorized Reaction Status Event Enqueue via Access Check Bypass CWE-863 3.7 Low2026-03-21
CVE-2026-32049 OpenClaw < 2026.2.22 - Denial of Service via Inbound Media Download Byte Limit Bypass CWE-770 7.5 High2026-03-21
CVE-2026-32048 OpenClaw < 2026.3.1 - Sandbox Escape via Cross-Agent sessions_spawn CWE-732 7.5 High2026-03-21

All 467 known CVE vulnerabilities affecting OpenClaw with full Chinese analysis, references, and POCs where available.