
OpenClaw — Vulnerabilities & Security Advisories (450)

All 450 CVE vulnerabilities found in OpenClaw, with AI-generated Chinese analysis, references, and POCs.

Vendor: OpenClaw

CVE ID | Title | CWE | CVSS | Severity | Published
CVE-2026-41382 | OpenClaw < 2026.3.31 - Discord Voice Ingress Authorization Bypass via Channel and Role Validation Gaps | CWE-862 | 5.4 | Medium | 2026-04-28
CVE-2026-41381 | OpenClaw < 2026.3.31 - Access Control Bypass in Discord Voice Manager via Channel Allowlist | CWE-863 | 5.4 | Medium | 2026-04-28
CVE-2026-41380 | OpenClaw < 2026.3.28 - Arbitrary Execution Allowlist via Wrapper Carrier Executables | CWE-807 | 7.3 | High | 2026-04-28
CVE-2026-41379 | OpenClaw < 2026.3.28 - Privilege Escalation via chat.send to Admin-Class Talk Voice Config | CWE-863 | 7.1 | High | 2026-04-28
CVE-2026-41378 | OpenClaw < 2026.3.31 - Privilege Escalation to Remote Code Execution via Unrestricted node.event Agent Dispatch | CWE-862 | 8.8 | High | 2026-04-28
CVE-2026-41377 | OpenClaw < 2026.3.31 - Fail-Open Security Scan Bypass in Plugin Installation | CWE-636 | 4.6 | Medium | 2026-04-28
CVE-2026-41376 | OpenClaw < 2026.3.31 - Matrix Thread Context Allowlist Bypass via Sender Validation | CWE-346 | 5.4 | Medium | 2026-04-28
CVE-2026-41375 | OpenClaw < 2026.3.28 - Authorization Bypass in /phone arm and /phone disarm Endpoints | CWE-863 | 6.5 | Medium | 2026-04-28
CVE-2026-41374 | OpenClaw < 2026.3.31 - Resource Consumption via Discord Audio Preflight Before Member Authorization | CWE-408 | 5.3 | Medium | 2026-04-28
CVE-2026-41373 | OpenClaw < 2026.3.31 - Compiler Binary Substitution via Environment Variable Override in Host Execution Policy | CWE-427 | 6.1 | Medium | 2026-04-28
CVE-2026-41372 | OpenClaw < 2026.4.2 - Loopback Protection Bypass via Trailing-Dot Localhost in CDP Discovery | CWE-639 | 5.8 | Medium | 2026-04-27
CVE-2026-41371 | OpenClaw < 2026.3.28 - Privilege Escalation via chat.send Reset Command | CWE-863 | 8.5 | High | 2026-04-27
CVE-2026-41370 | OpenClaw < 2026.3.31 - Path Traversal via Inbound Channel Attachment Path in ACP Dispatch | CWE-22 | 6.5 | Medium | 2026-04-27
CVE-2026-41369 | OpenClaw < 2026.3.31 - Insufficient Environment Variable Sanitization in Host Execution | CWE-668 | 6.5 | Medium | 2026-04-27
CVE-2026-41368 | OpenClaw < 2026.3.28 - Environment Variable Disclosure via jq $ENV Filter Bypass | CWE-668 | 6.5 | Medium | 2026-04-27
CVE-2026-41367 | OpenClaw 2026.2.14 < 2026.3.28 - Policy Enforcement Bypass in Discord Component Interactions | CWE-863 | 5.0 | Medium | 2026-04-27
CVE-2026-41365 | OpenClaw < 2026.3.31 - Sender Allowlist Bypass via Graph API Thread History | CWE-441 | 5.4 | Medium | 2026-04-27
CVE-2026-41366 | OpenClaw < 2026.3.31 - Arbitrary Host File Read via appendLocalMediaParentRoots Self-Whitelisting | CWE-732 | 5.5 | Medium | 2026-04-27
CVE-2026-41364 | OpenClaw < 2026.3.31 - Arbitrary File Write via Symlink Following in SSH Sandbox Tar Upload | CWE-59 | 8.1 | High | 2026-04-27
CVE-2026-41363 | OpenClaw 2026.2.6 < 2026.3.28 - Arbitrary File Read via Feishu upload_image Parameter | CWE-22 | 5.3 | Medium | 2026-04-27
CVE-2026-41362 | OpenClaw 2026.2.19 < 2026.3.31 - Webhook Replay Dedupe Cache Event Suppression via Shared Authentication | CWE-668 | 4.3 | Medium | 2026-04-27
CVE-2026-41361 | OpenClaw < 2026.3.28 - SSRF Guard Bypass via IPv6 Special-Use Ranges | CWE-184 | 7.1 | High | 2026-04-23
CVE-2026-41359 | OpenClaw < 2026.3.28 - Privilege Escalation via operator.write to Admin-Class Telegram Config and Cron Persistence | CWE-269 | 7.1 | High | 2026-04-23
CVE-2026-41360 | OpenClaw < 2026.4.2 - Approval Integrity Bypass in pnpm dlx Local Script Binding | CWE-367 | 6.7 | Medium | 2026-04-23
CVE-2026-41358 | OpenClaw < 2026.4.2 - Sender Allowlist Bypass via Slack Thread Context | CWE-346 | 5.4 | Medium | 2026-04-23
CVE-2026-41357 | OpenClaw < 2026.3.31 - Unsanitized Environment Variable Leakage in SSH Sandbox Backends | CWE-214 | 3.3 | Low | 2026-04-23
CVE-2026-41356 | OpenClaw < 2026.3.31 - Incomplete WebSocket Session Termination in device.token.rotate | CWE-613 | 5.4 | Medium | 2026-04-23
CVE-2026-41355 | OpenShell < 2026.3.28 - Arbitrary Code Execution via Mirror Mode Sandbox File Conversion | CWE-829 | 7.3 | High | 2026-04-23
CVE-2026-41354 | OpenClaw < 2026.4.2 - Insufficient Scope in Zalo Webhook Replay Dedupe Keys | CWE-706 | 3.7 | Low | 2026-04-23
CVE-2026-41353 | OpenClaw < 2026.3.22 - allowProfiles Bypass via Profile Mutation and Runtime Selection | CWE-472 | 8.1 | High | 2026-04-23

All 450 known CVE vulnerabilities affecting OpenClaw with full Chinese analysis, references, and POCs where available.