Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

openclaw — Vulnerabilities & Security Advisories 450

All 450 CVE vulnerabilities found in openclaw, with AI-generated Chinese analysis, references, and POCs.

Vendor: OpenClaw

CVE IDTitleCVSSSeverityPublished
CVE-2026-41915 OpenClaw < 2026.4.8 - Git Environment Variable Injection via Unfiltered Exec Environment CWE-184 5.3 Medium2026-04-28
CVE-2026-41914 OpenClaw < 2026.4.8 - Server-Side Request Forgery in QQ Bot Media Fetch Paths CWE-918 8.5 High2026-04-28
CVE-2026-41913 OpenClaw < 2026.4.4 - Rate-Limit Bypass via Concurrent Async Authentication Attempts CWE-362 3.7 Low2026-04-28
CVE-2026-41912 OpenClaw < 2026.4.8 - Server-Side Request Forgery Policy Bypass via Interaction-Triggered Navigation CWE-918 7.6 High2026-04-28
CVE-2026-41911 OpenClaw < 2026.4.8 - Workspace-Only Filesystem Policy Bypass via docx upload_file/upload_image CWE-22 6.5 Medium2026-04-28
CVE-2026-41408 OpenClaw < 2026.3.31 - Disk Exhaustion via Media Download Bypass CWE-770 4.3 Medium2026-04-28
CVE-2026-41910 OpenClaw < 2026.4.8 - Missing Owner-Only Enforcement in /allowlist Cross-Channel Writes CWE-863 4.3 Medium2026-04-28
CVE-2026-41407 OpenClaw < 2026.4.2 - Timing Side Channel in Shared-Secret Comparison CWE-208 3.7 Low2026-04-28
CVE-2026-41406 OpenClaw < 2026.3.31 - Sender Allowlist Bypass via Thread History and Quoted Messages CWE-639 5.4 Medium2026-04-28
CVE-2026-41405 OpenClaw < 2026.3.31 - Resource Exhaustion via Unauthenticated MS Teams Webhook Body Parsing CWE-408 7.5 High2026-04-28
CVE-2026-41404 OpenClaw < 2026.3.31 - Operator Admin Privilege Escalation via Trusted-Proxy Authentication CWE-863 8.8 High2026-04-28
CVE-2026-41403 OpenClaw < 2026.3.31 - Access Control Bypass via Proxied Remote Request Misclassification CWE-807 2.9 Low2026-04-28
CVE-2026-41400 OpenClaw < 2026.3.31 - Resource Consumption via Oversized WebSocket Frames in voice-call CWE-770 5.3 Medium2026-04-28
CVE-2026-41402 OpenClaw < 2026.3.31 - Webhook Replay Cache Cross-Target messageId Scope Bypass CWE-706 4.2 Medium2026-04-28
CVE-2026-41399 OpenClaw < 2026.3.28 - Denial of Service via Unbounded Pre-auth WebSocket Upgrades CWE-770 7.5 High2026-04-28
CVE-2026-41398 OpenClaw - Unauthorized Agent Request Dispatch via Untrusted Local-Network Pages in iOS A2UI Bridge CWE-346 4.6 Medium2026-04-28
CVE-2026-41397 OpenClaw < 2026.3.31 - Sandbox Escape via Unrestricted File Sync and Symlink Traversal CWE-59 6.8 Medium2026-04-28
CVE-2026-41396 OpenClaw < 2026.3.31 - Environment Variable Override of Plugin Trust Root CWE-829 7.8 High2026-04-28
CVE-2026-41395 OpenClaw < 2026.3.28 - Webhook Replay via Query Parameter Reordering in Plivo V3 CWE-325 7.5 High2026-04-28
CVE-2026-41394 OpenClaw < 2026.3.31 - Unauthorized Operator Scope Access in Unauthenticated Plugin-Auth Routes CWE-862 8.2 High2026-04-28
CVE-2026-41392 OpenClaw < 2026.3.31 - Exec Allowlist Bypass via Shell Init-File Options CWE-184 6.7 Medium2026-04-28
CVE-2026-41393 OpenClaw < 2026.3.31 - Arbitrary DNS Authority Acceptance and Credential Exfiltration via Wide-Area Discovery CWE-346 4.8 Medium2026-04-28
CVE-2026-41391 OpenClaw < 2026.3.31 - Environment Variable Bypass in Package Index URL Handling CWE-184 5.3 Medium2026-04-28
CVE-2026-41390 OpenClaw < 2026.3.28 - Exec Allowlist Bypass via Unregistered /usr/bin/script Wrapper CWE-807 7.3 High2026-04-28
CVE-2026-41387 OpenClaw < 2026.3.22 - Supply Chain Redirection via Incomplete Host Environment Sanitization CWE-183 7.8 High2026-04-28
CVE-2026-41388 OpenClaw < 2026.3.31 - Configuration Rehydration via Empty-Array Revocation Handling CWE-372 6.5 Medium2026-04-28
CVE-2026-41386 OpenClaw < 2026.3.22 - Privilege Escalation via Unbound Bootstrap Setup Codes CWE-648 9.1 Critical2026-04-28
CVE-2026-41385 OpenClaw < 2026.3.31 - Nostr Private Key Exposure via config.get Redaction Bypass CWE-312 6.5 Medium2026-04-28
CVE-2026-41384 OpenClaw < 2026.3.24 - Environment Variable Injection via Workspace Config in CLI Backend CWE-15 7.8 High2026-04-28
CVE-2026-41383 OpenClaw < 2026.4.2 - Arbitrary Remote Directory Deletion via Mis-scoped Mirror Mode Paths CWE-22 8.1 High2026-04-28

All 450 known CVE vulnerabilities affecting openclaw with full Chinese analysis, references, and POCs where available.