Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

openclaw — Vulnerabilities & Security Advisories 467

All 467 CVE vulnerabilities found in openclaw, with AI-generated Chinese analysis, references, and POCs.

This page aggregates common weaknesses associated with OpenClaw, a software product developed by its vendor. It focuses on vulnerability aggregation for this specific product line, organizing data by weakness type and relevant security tags to facilitate easier analysis for security professionals and developers. The page collects a wide variety of vulnerability reports, ranging from critical remote code execution flaws to minor information disclosure issues. It covers security incidents reported over the past five years, ensuring a comprehensive historical perspective on the product’s security posture. This timeframe allows users to observe trends in patching speed and the emergence of new attack vectors against the software. Readers can discover detailed insights into OpenClaw’s security history by tracking vendor advisories as they are released and updated. The interface enables users to understand specific weakness classes affecting the product, such as buffer overflows or injection flaws, and how they manifest in real-world scenarios. Furthermore, one can look up a product’s vulnerability history to assess past risks and evaluate the effectiveness of recent security updates. This resource serves as a centralized hub for understanding the security landscape surrounding OpenClaw. By providing structured access to these data points, the page supports informed decision-making for system administrators and security auditors who need to prioritize remediation efforts or assess risk exposure. It eliminates the need to search multiple disparate sources for accurate and up-to-date vulnerability information.

Vendor: OpenClaw

CVE IDTitleCVSSSeverityPublished
CVE-2026-28461 OpenClaw < 2026.3.1 - Unbounded Memory Growth in Zalo Webhook via Query String Key Churn CWE-770 7.5 High2026-03-19
CVE-2026-28460 OpenClaw < 2026.2.22 - Allowlist Bypass via Shell Line-Continuation Command Substitution in system.run CWE-78 7.1 High2026-03-19
CVE-2026-27670 OpenClaw < 2026.3.2 - Arbitrary File Write via ZIP Extraction Parent Symlink Race Condition CWE-367 5.3 Medium2026-03-19
CVE-2026-28449 OpenClaw < 2026.2.25 - Webhook Replay Attack via Missing Durable Replay Suppression CWE-294 6.5 Medium2026-03-19
CVE-2026-27566 OpenClaw < 2026.2.22 - Allowlist Bypass via Wrapper Binary Unwrapping in system.run CWE-78 7.1 High2026-03-19
CVE-2026-22176 OpenClaw < 2026.2.19 - Command Injection via Unescaped Environment Variables in Windows Scheduled Task Script Generation CWE-78 6.1 Medium2026-03-19
CVE-2026-27545 OpenClaw < 2026.2.26 - Approval Bypass via Parent Symlink Current Working Directory Rebind CWE-367 6.1 Medium2026-03-18
CVE-2026-27524 OpenClaw < 2026.2.21 - Prototype Pollution via Debug Override Path CWE-1321 4.3 Medium2026-03-18
CVE-2026-27523 OpenClaw < 2026.2.24 - Sandbox Bind Validation Bypass via Symlink-Parent Missing-Leaf Paths CWE-22 6.1 Medium2026-03-18
CVE-2026-22217 OpenClaw 2026.2.22 < 2026.2.23 - Arbitrary Binary Execution via $SHELL Environment Variable Trusted Prefix Fallback CWE-829 6.1 Medium2026-03-18
CVE-2026-27522 OpenClaw < 2026.2.24 - Arbitrary File Read via sendAttachment and setGroupIcon Message Actions CWE-22 6.5 Medium2026-03-18
CVE-2026-22181 OpenClaw < 2026.3.2 - DNS Pinning Bypass via Environment Proxy Configuration in web_fetch CWE-918 7.6 High2026-03-18
CVE-2026-22180 OpenClaw < 2026.3.2 - Path Confinement Bypass in Browser Output and File Write Operations CWE-59 5.3 Medium2026-03-18
CVE-2026-22179 OpenClaw < 2026.2.22 - Allowlist Bypass via Command Substitution in system.run CWE-78 7.2 High2026-03-18
CVE-2026-22178 OpenClaw < 2026.2.19 - ReDoS and Regex Injection via Unescaped Feishu Mention Metadata CWE-1333 6.5 Medium2026-03-18
CVE-2026-22177 OpenClaw < 2026.2.21 - Environment Variable Injection via Config env.vars CWE-15 6.1 Medium2026-03-18
CVE-2026-22175 OpenClaw < 2026.2.23 - Exec Approval Bypass via Unrecognized Multiplexer Shell Wrappers CWE-184 7.1 High2026-03-18
CVE-2026-22174 OpenClaw < 2026.2.22 - Gateway Token Disclosure via Chrome CDP Probe CWE-306 6.8 Medium2026-03-18
CVE-2026-22171 OpenClaw < 2026.2.19 - Path Traversal in Feishu Media Temporary File Naming CWE-22 8.2 High2026-03-18
CVE-2026-22169 OpenClaw < 2026.2.22 - Allowlist Bypass via sort Configuration in safeBins CWE-78 6.7 Medium2026-03-18
CVE-2026-22170 OpenClaw < 2026.2.22 BlueBubbles - Access Control Bypass via Empty allowFrom Configuration CWE-863 6.5 Medium2026-03-18
CVE-2026-22168 OpenClaw < 2026.2.21 - Command Injection via cmd.exe /c Trailing Arguments in system.run CWE-88 6.5 Medium2026-03-18
CVE-2026-32302 OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode CWE-346 8.1 High2026-03-12
CVE-2026-4040 OpenClaw File Existence tools.exec.safeBins information exposure CWE-203 3.3 Low2026-03-12
CVE-2026-4039 OpenClaw Skill Env applySkillConfigenvOverrides code injection CWE-94 6.3 Medium2026-03-12
CVE-2026-32063 OpenClaw 2026.2.19-2 < 2026.2.21 - Command Injection via Newline in systemd Unit Generation CWE-77 7.1 High2026-03-11
CVE-2026-32062 OpenClaw 2026.2.21-2 < 2026.2.22 - Unauthenticated WebSocket Resource Exhaustion via Media Stream CWE-770 7.5 High2026-03-11
CVE-2026-32061 OpenClaw < 2026.2.17 - Arbitrary File Read via $include Directive Path Traversal CWE-22 4.4 Medium2026-03-11
CVE-2026-32060 OpenClaw < 2026.2.14 - Path Traversal in apply_patch via Crafted Paths CWE-22 8.8 High2026-03-11
CVE-2026-32059 OpenClaw 2026.2.22-2 < 2026.2.23 - Allowlist Bypass via sort Long-Option Abbreviation in tools.exec.safeBins CWE-863 8.8 High2026-03-11

All 467 known CVE vulnerabilities affecting openclaw with full Chinese analysis, references, and POCs where available.