Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1110 CNY

100%
Buy Us a Coffee

openclaw — Vulnerabilities & Security Advisories 467

All 467 CVE vulnerabilities found in openclaw, with AI-generated Chinese analysis, references, and POCs.

This page aggregates common weaknesses associated with OpenClaw, a software product developed by its vendor. It focuses on vulnerability aggregation for this specific product line, organizing data by weakness type and relevant security tags to facilitate easier analysis for security professionals and developers. The page collects a wide variety of vulnerability reports, ranging from critical remote code execution flaws to minor information disclosure issues. It covers security incidents reported over the past five years, ensuring a comprehensive historical perspective on the product’s security posture. This timeframe allows users to observe trends in patching speed and the emergence of new attack vectors against the software. Readers can discover detailed insights into OpenClaw’s security history by tracking vendor advisories as they are released and updated. The interface enables users to understand specific weakness classes affecting the product, such as buffer overflows or injection flaws, and how they manifest in real-world scenarios. Furthermore, one can look up a product’s vulnerability history to assess past risks and evaluate the effectiveness of recent security updates. This resource serves as a centralized hub for understanding the security landscape surrounding OpenClaw. By providing structured access to these data points, the page supports informed decision-making for system administrators and security auditors who need to prioritize remediation efforts or assess risk exposure. It eliminates the need to search multiple disparate sources for accurate and up-to-date vulnerability information.

Vendor: OpenClaw

CVE IDTitleCVSSSeverityPublished
CVE-2026-33581 OpenClaw < 2026.3.24 - Arbitrary File Read via mediaUrl and fileUrl Parameters CWE-22 6.5 Medium2026-03-31
CVE-2026-33580 OpenClaw < 2026.3.28 - Brute Force Attack via Missing Rate Limiting on Webhook Shared Secret Authentication CWE-307 6.5 Medium2026-03-31
CVE-2026-33578 OpenClaw < 2026.3.28 - Sender Policy Allowlist Bypass via Policy Downgrade in Google Chat and Zalouser Extensions CWE-863 4.3 Medium2026-03-31
CVE-2026-33579 OpenClaw < 2026.3.28 - Privilege Escalation via Missing Caller Scope Validation in Device Pair Approval CWE-863 9.9 Critical2026-03-31
CVE-2026-33576 OpenClaw < 2026.3.28 - Unauthorized Media Download via Zalo Channel CWE-863 6.5 Medium2026-03-31
CVE-2026-33577 OpenClaw < 2026.3.28 - Insufficient Scope Validation in node.pair.approve CWE-863 8.1 High2026-03-31
CVE-2026-34505 OpenClaw < 2026.3.12 - Webhook Rate Limiting Bypass via Pre-Authentication Secret Validation CWE-307 6.5 Medium2026-03-31
CVE-2026-34506 OpenClaw < 2026.3.8 - Sender Allowlist Bypass in Microsoft Teams Plugin via Route Allowlist Configuration CWE-863 4.3 Medium2026-03-31
CVE-2026-32988 OpenClaw < 2026.3.11 - Sandbox Boundary Bypass via Unvalidated Temporary File Creation CWE-367 7.5 High2026-03-31
CVE-2026-32977 OpenClaw < 2026.3.11 - Sandbox Boundary Bypass via Unanchored writeFile Commit Path CWE-367 6.3 Medium2026-03-31
CVE-2026-32982 OpenClaw < 2026.3.13 - Telegram Bot Token Exposure in Media Fetch Error Logs CWE-532 7.5 High2026-03-31
CVE-2026-32976 OpenClaw < 2026.3.11 - Account-Scoped configWrites Policy Bypass via Channel Commands CWE-639 6.5 Medium2026-03-31
CVE-2026-32971 OpenClaw < 2026.3.11 - Node-Host Approval UI Mismatch Allows Execution of Unintended Commands CWE-451 7.1 High2026-03-31
CVE-2026-32970 OpenClaw < 2026.3.11 - Credential Fallback Logic Bypass via Unavailable Local Auth SecretRefs CWE-636 2.5 Low2026-03-31
CVE-2026-32921 OpenClaw < 2026.3.8 - Script Content Modification via Mutable Operand Binding in system.run CWE-367 6.3 Medium2026-03-31
CVE-2026-32920 OpenClaw < 2026.3.12 - Arbitrary Code Execution via Auto-Discovery of Workspace Plugins CWE-829 8.4 High2026-03-31
CVE-2026-32917 OpenClaw < 2026.3.13 - Remote Command Injection via Unsanitized iMessage Attachment Paths in SCP CWE-78 9.8 Critical2026-03-31
CVE-2026-32916 OpenClaw 2026.3.7 < 2026.3.11 - Authorization Bypass in Plugin Subagent Routes via Synthetic Admin Scopes CWE-266 9.4 Critical2026-03-31
CVE-2026-33574 OpenClaw < 2026.3.8 - Path Traversal via Tools Root Rebinding in Skills Download CWE-367 6.2 Medium2026-03-29
CVE-2026-33575 OpenClaw < 2026.3.12 - Long-lived Credential Exposure in Pairing Setup Codes CWE-522 7.5 High2026-03-29
CVE-2026-33573 OpenClaw < 2026.3.11 - Workspace Boundary Bypass via Agent RPC Parameters CWE-668 8.8 High2026-03-29
CVE-2026-32987 OpenClaw < 2026.3.13 - Bootstrap Setup Code Replay via Device Pairing CWE-294 9.8 Critical2026-03-29
CVE-2026-33572 OpenClaw < 2026.2.17 - Insufficient File Permissions in Session Transcript Files CWE-378 8.4 High2026-03-29
CVE-2026-32980 OpenClaw < 2026.3.13 - Resource Exhaustion via Unauthenticated Telegram Webhook Request CWE-770 7.5 High2026-03-29
CVE-2026-32979 OpenClaw < 2026.3.11 - Unbound Interpreter and Runtime Commands Bypass in node-host Approval CWE-367 7.3 High2026-03-29
CVE-2026-32978 OpenClaw < 2026.3.11 - Approval Bypass via Unrecognized Script Runners CWE-863 8.0 High2026-03-29
CVE-2026-32975 OpenClaw < 2026.3.12 - Weak Authorization via Mutable Group Names in Zalouser Allowlist CWE-807 9.8 Critical2026-03-29
CVE-2026-32973 OpenClaw < 2026.3.11 - Exec Allowlist Pattern Overmatch via POSIX Path Normalization CWE-625 9.8 Critical2026-03-29
CVE-2026-32974 OpenClaw < 2026.3.12 - Forged Event Injection via Feishu Webhook Verification Token CWE-347 8.6 High2026-03-29
CVE-2026-32972 OpenClaw < 2026.3.11 - Authorization Bypass in Browser Profile Management via browser.request CWE-863 7.1 High2026-03-29

All 467 known CVE vulnerabilities affecting openclaw with full Chinese analysis, references, and POCs where available.