
OpenClaw — Vulnerabilities & Security Advisories (467)

All 467 CVE vulnerabilities found in OpenClaw, with AI-generated Chinese analysis, references, and POCs.

This page aggregates the known weaknesses in OpenClaw, a software product published by the vendor of the same name. It collects vulnerability reports for this product line, organized by weakness type (CWE) and security tag, so that security professionals and developers can analyse them more easily. The reports range from critical remote code execution flaws to minor information disclosure issues and cover incidents reported over the past five years, giving a historical view of the product's security posture and of trends in patching speed and the emergence of new attack vectors. Readers can follow OpenClaw's security history as vendor advisories are released and updated, see which weakness classes affect the product (for example, buffer overflows or injection flaws) and how they manifest in practice, and review the product's vulnerability history to assess past risk and the effectiveness of recent security updates. By providing structured access to these data points in one place, the page supports system administrators and security auditors who need to prioritize remediation or assess risk exposure, without searching multiple disparate sources for accurate, up-to-date vulnerability information.

Vendor: OpenClaw

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-42435 | OpenClaw 2026.2.22 < 2026.4.12 - Shell-Wrapper Detection Bypass via Environment Variable Assignment Injection | CWE-184 | 8.8 | High | 2026-05-05 |
| CVE-2026-42436 | OpenClaw < 2026.4.14 - Internal Page Content Exposure via Browser Snapshot and Screenshot Routes | CWE-862 | 7.7 | High | 2026-05-05 |
| CVE-2026-42434 | OpenClaw 2026.4.5 < 2026.4.10 - Sandbox Escape via host Parameter Override in Exec Routing | CWE-863 | 8.8 | High | 2026-05-05 |
| CVE-2026-42433 | OpenClaw < 2026.4.10 - Unauthorized Matrix Profile Config Persistence Access via operator.write Message Tools | CWE-862 | 6.5 | Medium | 2026-05-05 |
| CVE-2026-42432 | OpenClaw < 2026.4.8 - Command Escalation via Node Pairing Reconnect Bypass | CWE-863 | 7.8 | High | 2026-04-28 |
| CVE-2026-42431 | OpenClaw < 2026.4.8 - Persistent Profile Mutation via node.invoke(browser.proxy) Bypass | CWE-863 | 8.1 | High | 2026-04-28 |
| CVE-2026-42430 | OpenClaw < 2026.4.8 - Strict Browser SSRF Bypass via Playwright Redirect Handling | CWE-918 | 6.5 | Medium | 2026-04-28 |
| CVE-2026-42428 | OpenClaw < 2026.4.8 - Missing Integrity Verification in Package Downloads | CWE-353 | 7.1 | High | 2026-04-28 |
| CVE-2026-42429 | OpenClaw < 2026.4.8 - Privilege Escalation via Gateway Plugin HTTP Authentication | CWE-863 | 7.1 | High | 2026-04-28 |
| CVE-2026-42427 | OpenClaw < 2026.4.8 - Remote Code Execution via Build Tool Environment Variable Injection | CWE-184 | 5.3 | Medium | 2026-04-28 |
| CVE-2026-42426 | OpenClaw < 2026.4.8 - Improper Authorization in node.pair.approve via operator.write Scope | CWE-863 | 8.8 | High | 2026-04-28 |
| CVE-2026-42424 | OpenClaw < 2026.4.8 - Local File Exfiltration via Shared Reply MEDIA Paths | CWE-73 | 5.7 | Medium | 2026-04-28 |
| CVE-2026-42423 | OpenClaw < 2026.4.8 - strictInlineEval Approval Boundary Bypass via Approval-Timeout Fallback | CWE-636 | 7.5 | High | 2026-04-28 |
| CVE-2026-42421 | OpenClaw < 2026.4.8 - WebSocket Session Persistence via Shared Gateway Token Rotation | CWE-613 | 5.4 | Medium | 2026-04-28 |
| CVE-2026-42422 | OpenClaw < 2026.4.8 - Role Bypass in device.token.rotate Function | CWE-863 | 8.8 | High | 2026-04-28 |
| CVE-2026-42420 | OpenClaw < 2026.4.8 - Improper Base64 Decoding Size Validation | CWE-770 | 4.3 | Medium | 2026-04-28 |
| CVE-2026-41916 | OpenClaw < 2026.4.8 - Stale Authentication State via Config Reload | CWE-613 | 5.4 | Medium | 2026-04-28 |
| CVE-2026-41915 | OpenClaw < 2026.4.8 - Git Environment Variable Injection via Unfiltered Exec Environment | CWE-184 | 5.3 | Medium | 2026-04-28 |
| CVE-2026-41913 | OpenClaw < 2026.4.4 - Rate-Limit Bypass via Concurrent Async Authentication Attempts | CWE-362 | 3.7 | Low | 2026-04-28 |
| CVE-2026-41914 | OpenClaw < 2026.4.8 - Server-Side Request Forgery in QQ Bot Media Fetch Paths | CWE-918 | 8.5 | High | 2026-04-28 |
| CVE-2026-41912 | OpenClaw < 2026.4.8 - Server-Side Request Forgery Policy Bypass via Interaction-Triggered Navigation | CWE-918 | 7.6 | High | 2026-04-28 |
| CVE-2026-41911 | OpenClaw < 2026.4.8 - Workspace-Only Filesystem Policy Bypass via docx upload_file/upload_image | CWE-22 | 6.5 | Medium | 2026-04-28 |
| CVE-2026-41408 | OpenClaw < 2026.3.31 - Disk Exhaustion via Media Download Bypass | CWE-770 | 4.3 | Medium | 2026-04-28 |
| CVE-2026-41910 | OpenClaw < 2026.4.8 - Missing Owner-Only Enforcement in /allowlist Cross-Channel Writes | CWE-863 | 4.3 | Medium | 2026-04-28 |
| CVE-2026-41407 | OpenClaw < 2026.4.2 - Timing Side Channel in Shared-Secret Comparison | CWE-208 | 3.7 | Low | 2026-04-28 |
| CVE-2026-41406 | OpenClaw < 2026.3.31 - Sender Allowlist Bypass via Thread History and Quoted Messages | CWE-639 | 5.4 | Medium | 2026-04-28 |
| CVE-2026-41405 | OpenClaw < 2026.3.31 - Resource Exhaustion via Unauthenticated MS Teams Webhook Body Parsing | CWE-408 | 7.5 | High | 2026-04-28 |
| CVE-2026-41404 | OpenClaw < 2026.3.31 - Operator Admin Privilege Escalation via Trusted-Proxy Authentication | CWE-863 | 8.8 | High | 2026-04-28 |
| CVE-2026-41403 | OpenClaw < 2026.3.31 - Access Control Bypass via Proxied Remote Request Misclassification | CWE-807 | 2.9 | Low | 2026-04-28 |
| CVE-2026-41402 | OpenClaw < 2026.3.31 - Webhook Replay Cache Cross-Target messageId Scope Bypass | CWE-706 | 4.2 | Medium | 2026-04-28 |
