Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

OpenClaw — Vulnerabilities & Security Advisories 450

All 450 CVE vulnerabilities found in OpenClaw, with AI-generated Chinese analysis, references, and POCs.

Vendor: OpenClaw

CVE IDTitleCVSSSeverityPublished
CVE-2026-44118 OpenClaw < 2026.4.22 - Owner Context Spoofing via Bearer Token Header CWE-290 7.8 High2026-05-06
CVE-2026-44116 OpenClaw < 2026.4.22 - Server-Side Request Forgery in Zalo Photo URL Validation CWE-918 8.6 High2026-05-06
CVE-2026-44117 OpenClaw < 2026.4.20 - Server-Side Request Forgery in QQBot Direct Media Upload CWE-918 5.8 Medium2026-05-06
CVE-2026-44115 OpenClaw < 2026.4.22 - Shell Expansion Bypass in Unquoted Heredocs via Exec Allowlist CWE-184 8.8 High2026-05-06
CVE-2026-44114 OpenClaw < 2026.4.20 - Environment Variable Namespace Collision via Workspace dotenv CWE-184 7.8 High2026-05-06
CVE-2026-44112 OpenClaw < 2026.4.22 - Symlink Swap Race Condition in OpenShell FS Bridge Writes CWE-367 5.3 Medium2026-05-06
CVE-2026-44113 OpenClaw < 2026.4.22 - Time-of-Check/Time-of-Use Race Condition in OpenShell FS Bridge CWE-367 5.3 Medium2026-05-06
CVE-2026-44111 OpenClaw < 2026.4.15 - Arbitrary Markdown File Read via QMD memory_get CWE-183 4.3 Medium2026-05-06
CVE-2026-44110 OpenClaw < 2026.4.15 - Authorization Bypass in Matrix Room Control Commands via DM Pairing Store CWE-863 8.8 High2026-05-06
CVE-2026-44109 OpenClaw < 2026.4.15 - Authentication Bypass in Feishu Webhook and Card-Action Validation CWE-1188 9.8 Critical2026-05-06
CVE-2026-43585 OpenClaw < 2026.4.15 - Bearer Token Validation Bypass via Stale SecretRef Resolution CWE-672 8.1 High2026-05-06
CVE-2026-43584 OpenClaw < 2026.4.10 - Insufficient Environment Variable Denylist in Exec Policy CWE-184 8.8 High2026-05-06
CVE-2026-43582 OpenClaw < 2026.4.10 - DNS Rebinding SSRF via Hostname Validation Bypass CWE-367 6.3 Medium2026-05-06
CVE-2026-43583 OpenClaw 2026.4.10 < 2026.4.14 - Loss of Group Tool-Policy Context in Delivery Queue Recovery CWE-862 5.3 Medium2026-05-06
CVE-2026-43581 OpenClaw < 2026.4.10 - Chrome DevTools Protocol Exposure via Overly Broad CDP Relay Binding CWE-1188 9.6 Critical2026-05-06
CVE-2026-43580 OpenClaw < 2026.4.10 - Incomplete Navigation Guard Coverage in Browser Interactions CWE-862 7.7 High2026-05-06
CVE-2026-43579 OpenClaw < 2026.4.10 - Insufficient Access Control in Nostr Profile Mutation Routes CWE-862 6.5 Medium2026-05-06
CVE-2026-43578 OpenClaw 2026.3.31 < 2026.4.10 - Privilege Escalation via Missed Async Exec Completion Events in Heartbeat Owner Downgrade CWE-184 9.1 Critical2026-05-06
CVE-2026-43577 OpenClaw < 2026.4.9 - Arbitrary File Read via Browser Interaction Routes CWE-862 6.5 Medium2026-05-06
CVE-2026-43575 OpenClaw 2026.2.21 < 2026.4.10 - Authentication Bypass in Sandbox noVNC Helper Route CWE-862 9.8 Critical2026-05-06
CVE-2026-43576 OpenClaw < 2026.4.5 - Second-hop SSRF via CDP /json/version WebSocket URL CWE-601 7.7 High2026-05-06
CVE-2026-43574 OpenClaw < 2026.4.12 - Improper Authorization via Empty Approver Lists CWE-183 6.5 Medium2026-05-05
CVE-2026-43573 OpenClaw < 2026.4.10 - SSRF Policy Bypass in Existing-Session Browser Interaction Routes CWE-862 7.7 High2026-05-05
CVE-2026-43572 OpenClaw 2026.4.10 < 2026.4.14 - Missing Sender Authorization in Microsoft Teams SSO Invoke Handler CWE-862 5.3 Medium2026-05-05
CVE-2026-43571 OpenClaw < 2026.4.10 - Untrusted Workspace Plugin Shadow Resolution in Channel Setup CWE-829 8.8 High2026-05-05
CVE-2026-43570 OpenClaw 2026.3.22 < 2026.4.5 - Symlink Traversal in Remote Marketplace Repository Path Handling CWE-61 6.5 Medium2026-05-05
CVE-2026-43569 OpenClaw < 2026.4.9 - Untrusted Provider Plugin Auto-enablement via Workspace Provider Auth CWE-829 8.8 High2026-05-05
CVE-2026-43568 OpenClaw 2026.4.5 < 2026.4.10 - Privilege Escalation via Memory Dreaming Configuration in /dreaming Endpoint CWE-862 6.5 Medium2026-05-05
CVE-2026-43567 OpenClaw < 2026.4.10 - Path Traversal in screen_record outPath Parameter CWE-862 6.5 Medium2026-05-05
CVE-2026-43566 OpenClaw 2026.4.7 < 2026.4.14 - Privilege Escalation via Untrusted Webhook Wake Events CWE-184 9.1 Critical2026-05-05

All 450 known CVE vulnerabilities affecting OpenClaw with full Chinese analysis, references, and POCs where available.