
OpenClaw — Vulnerabilities & Security Advisories (534)

All 534 CVE vulnerabilities found in OpenClaw, with AI-generated Chinese analysis, references, and POCs.

This page catalogs security vulnerabilities associated with the OpenClaw product, organized by weakness type and associated tags. It aggregates open-source software flaws, configuration issues, and logic errors identified within the OpenClaw ecosystem, covering vulnerability reports from the software's initial public release up to the most recent updates. Users can find comprehensive details by tracking the vendor's security advisories to stay informed about patched issues, and can deepen their understanding of specific weakness classes affecting OpenClaw, such as injection flaws or cross-site scripting risks. The resource also allows a thorough lookup of a product's vulnerability history, providing context on how security incidents have evolved over time. This aggregation serves as a central reference for developers, security researchers, and system administrators who rely on OpenClaw. By reviewing these entries, stakeholders can better assess the current risk posture of their deployments and prioritize remediation based on historical data and severity assessments. The information is structured for efficient analysis without unnecessary technical noise, so that key details on impact, affected versions, and mitigation strategies are clearly presented for immediate reference and long-term security planning.

Vendor: OpenClaw

CVE ID | Title | CWE | CVSS | Severity | Published
CVE-2026-4040 | OpenClaw File Existence tools.exec.safeBins information exposure | CWE-203 | 3.3 | Low | 2026-03-12
CVE-2026-4039 | OpenClaw Skill Env applySkillConfigenvOverrides code injection | CWE-94 | 6.3 | Medium | 2026-03-12
CVE-2026-32063 | OpenClaw 2026.2.19-2 < 2026.2.21 - Command Injection via Newline in systemd Unit Generation | CWE-77 | 7.1 | High | 2026-03-11
CVE-2026-32062 | OpenClaw 2026.2.21-2 < 2026.2.22 - Unauthenticated WebSocket Resource Exhaustion via Media Stream | CWE-770 | 7.5 | High | 2026-03-11
CVE-2026-32061 | OpenClaw < 2026.2.17 - Arbitrary File Read via $include Directive Path Traversal | CWE-22 | 4.4 | Medium | 2026-03-11
CVE-2026-32060 | OpenClaw < 2026.2.14 - Path Traversal in apply_patch via Crafted Paths | CWE-22 | 8.8 | High | 2026-03-11
CVE-2026-32059 | OpenClaw 2026.2.22-2 < 2026.2.23 - Allowlist Bypass via sort Long-Option Abbreviation in tools.exec.safeBins | CWE-863 | 8.8 | High | 2026-03-11
CVE-2026-29613 | OpenClaw < 2026.2.12 - Webhook Authentication Bypass via Loopback remoteAddress Trust | CWE-306 | 5.9 | Medium | 2026-03-05
CVE-2026-29612 | OpenClaw < 2026.2.14 - Denial of Service via Large Base64 Media File Decoding | CWE-770 | 5.5 | Medium | 2026-03-05
CVE-2026-29611 | OpenClaw < 2026.2.14 - Local File Inclusion via mediaPath Parameter in BlueBubbles Media Handling | CWE-73 | 7.5 | High | 2026-03-05
CVE-2026-29610 | OpenClaw < 2026.2.14 - Command Hijacking via Unsafe PATH Handling | CWE-427 | 8.8 | High | 2026-03-05
CVE-2026-29609 | OpenClaw < 2026.2.14 - Denial of Service via Unbounded URL-backed Media Fetch | CWE-770 | 7.5 | High | 2026-03-05
CVE-2026-29606 | OpenClaw < 2026.2.14 - Webhook Signature Verification Bypass via ngrok Loopback Compatibility | CWE-306 | 6.5 | Medium | 2026-03-05
CVE-2026-28486 | OpenClaw 2026.1.16-2 < 2026.2.14 - Path Traversal (Zip Slip) in Archive Extraction via Installation Commands | CWE-22 | 6.1 | Medium | 2026-03-05
CVE-2026-28485 | OpenClaw 2026.1.5 < 2026.2.12 - Missing Authentication in Browser Control HTTP Endpoints | CWE-306 | 8.4 | High | 2026-03-05
CVE-2026-28482 | OpenClaw < 2026.2.12 - Path Traversal via Unsanitized sessionId and sessionFile Parameters | CWE-22 | 7.1 | High | 2026-03-05
CVE-2026-28481 | OpenClaw < 2026.2.1 - Bearer Token Leakage via MS Teams Attachment Downloader Suffix Matching | CWE-201 | 6.5 | Medium | 2026-03-05
CVE-2026-28480 | OpenClaw < 2026.2.14 - Identity Spoofing via Mutable Username in Telegram Allowlist Authorization | CWE-290 | 6.5 | Medium | 2026-03-05
CVE-2026-28479 | OpenClaw < 2026.2.15 - Cache Poisoning via Deprecated SHA-1 Hash in Sandbox Configuration | CWE-327 | 7.5 | High | 2026-03-05
CVE-2026-28478 | OpenClaw < 2026.2.13 - Denial of Service via Unbounded Webhook Request Body Buffering | CWE-770 | 7.5 | High | 2026-03-05
CVE-2026-28477 | OpenClaw < 2026.2.14 - OAuth State Validation Bypass in Manual Chutes Login Flow | CWE-352 | 7.1 | High | 2026-03-05
CVE-2026-28476 | OpenClaw < 2026.2.14 - Server-Side Request Forgery in Tlon Extension Authentication | CWE-918 | 8.3 | High | 2026-03-05
CVE-2026-28475 | OpenClaw < 2026.2.13 - Timing Attack via Hook Token Comparison | CWE-208 | 4.8 | Medium | 2026-03-05
CVE-2026-28473 | OpenClaw < 2026.2.2 - Authorization Bypass via /approve Chat Command | CWE-863 | 8.1 | High | 2026-03-05
CVE-2026-28472 | OpenClaw < 2026.2.2 - Device Identity Check Bypass in Gateway WebSocket Connect Handshake | CWE-306 | 8.1 | High | 2026-03-05
CVE-2026-28470 | OpenClaw < 2026.2.2 - Exec Allowlist Bypass via Command Substitution in Double Quotes | CWE-78 | 9.8 | Critical | 2026-03-05
CVE-2026-28471 | OpenClaw 2026.1.14-1 < 2026.2.2 - Allowlist Bypass via displayName and Cross-Homeserver localpart Matching in Matrix Plugin | CWE-287 | 5.3 | Medium | 2026-03-05
CVE-2026-28469 | OpenClaw < 2026.2.14 - Cross-Account Policy Context Misrouting via Shared Webhook Path Ambiguity | CWE-639 | 7.5 | High | 2026-03-05
CVE-2026-28468 | OpenClaw 2026.1.29-beta.1 < 2026.2.14 - Authentication Bypass in Sandbox Browser Bridge Server | CWE-306 | 7.7 | High | 2026-03-05
CVE-2026-28467 | OpenClaw < 2026.2.2 - SSRF via Attachment Media URL Hydration | CWE-918 | 6.5 | Medium | 2026-03-05

All 534 known CVE vulnerabilities affecting OpenClaw with full Chinese analysis, references, and POCs where available.