Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1110 CNY

100%
Buy Us a Coffee

openclaw — Vulnerabilities & Security Advisories 467

All 467 CVE vulnerabilities found in openclaw, with AI-generated Chinese analysis, references, and POCs.

This page aggregates common weaknesses associated with OpenClaw, a software product developed by its vendor. It focuses on vulnerability aggregation for this specific product line, organizing data by weakness type and relevant security tags to facilitate easier analysis for security professionals and developers. The page collects a wide variety of vulnerability reports, ranging from critical remote code execution flaws to minor information disclosure issues. It covers security incidents reported over the past five years, ensuring a comprehensive historical perspective on the product’s security posture. This timeframe allows users to observe trends in patching speed and the emergence of new attack vectors against the software. Readers can discover detailed insights into OpenClaw’s security history by tracking vendor advisories as they are released and updated. The interface enables users to understand specific weakness classes affecting the product, such as buffer overflows or injection flaws, and how they manifest in real-world scenarios. Furthermore, one can look up a product’s vulnerability history to assess past risks and evaluate the effectiveness of recent security updates. This resource serves as a centralized hub for understanding the security landscape surrounding OpenClaw. By providing structured access to these data points, the page supports informed decision-making for system administrators and security auditors who need to prioritize remediation efforts or assess risk exposure. It eliminates the need to search multiple disparate sources for accurate and up-to-date vulnerability information.

Vendor: OpenClaw

CVE IDTitleCVSSSeverityPublished
CVE-2026-41369 OpenClaw < 2026.3.31 - Insufficient Environment Variable Sanitization in Host Execution CWE-668 6.5 Medium2026-04-27
CVE-2026-41368 OpenClaw < 2026.3.28 - Environment Variable Disclosure via jq $ENV Filter Bypass CWE-668 6.5 Medium2026-04-27
CVE-2026-41367 OpenClaw 2026.2.14 < 2026.3.28 - Policy Enforcement Bypass in Discord Component Interactions CWE-863 5.0 Medium2026-04-27
CVE-2026-41365 OpenClaw < 2026.3.31 - Sender Allowlist Bypass via Graph API Thread History CWE-441 5.4 Medium2026-04-27
CVE-2026-41366 OpenClaw < 2026.3.31 - Arbitrary Host File Read via appendLocalMediaParentRoots Self-Whitelisting CWE-732 5.5 Medium2026-04-27
CVE-2026-41364 OpenClaw < 2026.3.31 - Arbitrary File Write via Symlink Following in SSH Sandbox Tar Upload CWE-59 8.1 High2026-04-27
CVE-2026-41363 OpenClaw 2026.2.6 < 2026.3.28 - Arbitrary File Read via Feishu upload_image Parameter CWE-22 5.3 Medium2026-04-27
CVE-2026-41362 OpenClaw 2026.2.19 through 2026.3.30 - Webhook Replay Dedupe Cache Event Suppression via Shared Authentication CWE-668 4.3 Medium2026-04-27
CVE-2026-41361 OpenClaw < 2026.3.28 - SSRF Guard Bypass via IPv6 Special-Use Ranges CWE-184 7.1 High2026-04-23
CVE-2026-41359 OpenClaw < 2026.3.28 - Privilege Escalation via operator.write to Admin-Class Telegram Config and Cron Persistence CWE-269 7.1 High2026-04-23
CVE-2026-41360 OpenClaw < 2026.4.2 - Approval Integrity Bypass in pnpm dlx Local Script Binding CWE-367 6.7 Medium2026-04-23
CVE-2026-41358 OpenClaw < 2026.4.2 - Sender Allowlist Bypass via Slack Thread Context CWE-346 5.4 Medium2026-04-23
CVE-2026-41357 OpenClaw < 2026.3.31 - Unsanitized Environment Variable Leakage in SSH Sandbox Backends CWE-214 3.3 Low2026-04-23
CVE-2026-41355 OpenClaw < 2026.3.28 - Arbitrary Code Execution via Mirror Mode Sandbox File Conversion CWE-829 7.3 High2026-04-23
CVE-2026-41356 OpenClaw < 2026.3.31 - Incomplete WebSocket Session Termination in device.token.rotate CWE-613 5.4 Medium2026-04-23
CVE-2026-41354 OpenClaw < 2026.4.2 - Insufficient Scope in Zalo Webhook Replay Dedupe Keys CWE-706 3.7 Low2026-04-23
CVE-2026-41353 OpenClaw < 2026.3.22 - allowProfiles Bypass via Profile Mutation and Runtime Selection CWE-472 8.1 High2026-04-23
CVE-2026-41352 OpenClaw < 2026.3.31 - Remote Code Execution via Node Scope Gate Bypass CWE-862 8.8 High2026-04-23
CVE-2026-41351 OpenClaw < 2026.3.31 - Webhook Replay Detection Bypass via Base64 Signature Re-encoding CWE-294 5.3 Medium2026-04-23
CVE-2026-41350 OpenClaw < 2026.3.31 - Session Visibility Bypass via session_status in Unsandboxed Invocations CWE-863 4.3 Medium2026-04-23
CVE-2026-41349 OpenClaw < 2026.3.28 - Agentic Consent Bypass via config.patch CWE-862 8.8 High2026-04-23
CVE-2026-41348 OpenClaw < 2026.3.31 - Group DM Channel Allowlist Bypass via Discord Slash Commands CWE-863 5.4 Medium2026-04-23
CVE-2026-41347 OpenClaw < 2026.3.31 - Cross-Site Request Forgery via Missing Browser-Origin Validation in HTTP Operator Endpoints CWE-352 7.1 High2026-04-23
CVE-2026-41346 OpenClaw 2026.2.26 < 2026.3.31 - Denial of Service via Improper Pending Pairing Request Cap Enforcement CWE-799 5.3 Medium2026-04-23
CVE-2026-41345 OpenClaw < 2026.3.31 - Authorization Header Leak via Cross-Origin Redirect in Media Download CWE-522 5.3 Medium2026-04-23
CVE-2026-41344 OpenClaw < 2026.3.28 - Privilege Escalation via chat.send /verbose Parameter CWE-863 5.4 Medium2026-04-23
CVE-2026-41343 OpenClaw < 2026.3.31 - Denial of Service via LINE Webhook Handler Pre-Auth Concurrency CWE-799 5.3 Medium2026-04-23
CVE-2026-41342 OpenClaw < 2026.3.28 - Unauthenticated Discovery Endpoint Credential Exfiltration via Remote Onboarding CWE-346 7.3 High2026-04-23
CVE-2026-41341 OpenClaw < 2026.3.31 - Component Interaction Misclassification in Discord Extension CWE-351 5.4 Medium2026-04-23
CVE-2026-41340 OpenClaw < 2026.3.31 - Authentication Boundary Bypass via Telegram Legacy allowFrom Migration CWE-372 6.5 Medium2026-04-23

All 467 known CVE vulnerabilities affecting openclaw with full Chinese analysis, references, and POCs where available.