openclaw — Vulnerabilities & Security Advisories (450)

All 450 CVE vulnerabilities found in openclaw, with AI-generated Chinese analysis, references, and POCs.

Vendor: OpenClaw

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-41300 | OpenClaw < 2026.3.31 - Attacker-Discovered Endpoint Preservation in Remote Onboarding | CWE-372 | 6.5 | Medium | 2026-04-20 |
| CVE-2026-41298 | OpenClaw < 2026.4.2 - Authorization Bypass in Session Termination Endpoint | CWE-862 | 5.4 | Medium | 2026-04-20 |
| CVE-2026-41297 | OpenClaw < 2026.3.31 - Server-Side Request Forgery via Marketplace Plugin Download Redirect | CWE-918 | 7.6 | High | 2026-04-20 |
| CVE-2026-41295 | OpenClaw < 2026.4.2 - Untrusted Workspace Channel Shadow Code Execution during Built-in Channel Setup | CWE-829 | 7.8 | High | 2026-04-20 |
| CVE-2026-41296 | OpenClaw < 2026.3.31 - Sandbox Escape via TOCTOU Race in Remote FS Bridge readFile | CWE-367 | 8.2 | High | 2026-04-20 |
| CVE-2026-41294 | OpenClaw < 2026.3.28 - Environment Variable Injection via CWD .env File | CWE-15 | 8.6 | High | 2026-04-20 |
| CVE-2026-40045 | OpenClaw < 2026.4.2 - Cleartext Credential Transmission via Unencrypted WebSocket Gateway Endpoints | CWE-319 | 5.7 | Medium | 2026-04-20 |
| CVE-2026-41389 | OpenClaw 2026.4.7 < 2026.4.15 - Arbitrary File Read via Unvalidated Tool-Result Media Paths | CWE-73 | 5.8 | Medium | 2026-04-20 |
| CVE-2026-3691 | OpenClaw Client PKCE Verifier Information Disclosure Vulnerability | CWE-200 | 6.5 (AI) | Medium (AI) | 2026-04-11 |
| CVE-2026-3690 | OpenClaw Canvas Authentication Bypass Vulnerability | CWE-291 | 9.8 (AI) | Critical (AI) | 2026-04-11 |
| CVE-2026-3689 | OpenClaw Canvas Path Traversal Information Disclosure Vulnerability | CWE-22 | 6.5 (AI) | Medium (AI) | 2026-04-11 |
| CVE-2026-35670 | OpenClaw < 2026.3.22 - Webhook Reply Rebinding via Username Resolution in Synology Chat | CWE-807 | 5.9 | Medium | 2026-04-10 |
| CVE-2026-35669 | OpenClaw < 2026.3.25 - Privilege Escalation via Gateway Plugin HTTP Authentication Scope | CWE-648 | 8.8 | High | 2026-04-10 |
| CVE-2026-35668 | OpenClaw < 2026.3.24 - Sandbox Media Root Bypass via Unnormalized mediaUrl and fileUrl Parameters | CWE-22 | 7.7 | High | 2026-04-10 |
| CVE-2026-35666 | OpenClaw < 2026.3.22 - Allowlist Bypass via Unregistered Time Dispatch Wrapper | CWE-706 | 8.8 | High | 2026-04-10 |
| CVE-2026-35667 | OpenClaw < 2026.3.24 - Improper Process Termination via Unpatched killProcessTree in shell-utils.ts | CWE-404 | 6.1 | Medium | 2026-04-10 |
| CVE-2026-35665 | OpenClaw < 2026.3.24 - Denial of Service via Feishu Webhook Pre-Auth Body Parsing | CWE-405 | 5.3 | Medium | 2026-04-10 |
| CVE-2026-35663 | OpenClaw < 2026.3.25 - Privilege Escalation via Backend Reconnect Scope Self-Claim | CWE-648 | 8.8 | High | 2026-04-10 |
| CVE-2026-35664 | OpenClaw < 2026.3.25 - DM Pairing Bypass via Legacy Card Callbacks | CWE-288 | 5.3 | Medium | 2026-04-10 |
| CVE-2026-35662 | OpenClaw < 2026.3.22 - Missing controlScope Enforcement in Send Action | CWE-862 | 4.3 | Medium | 2026-04-10 |
| CVE-2026-35661 | OpenClaw < 2026.3.25 - Telegram DM-Scoped Inline Button Callback Authorization Bypass | CWE-288 | 5.3 | Medium | 2026-04-10 |
| CVE-2026-35660 | OpenClaw < 2026.3.23 - Insufficient Access Control in Gateway Agent Session Reset | CWE-862 | 8.1 | High | 2026-04-10 |
| CVE-2026-35659 | OpenClaw < 2026.3.22 - Unresolved Service Metadata Routing via Bonjour and DNS-SD Discovery | CWE-345 | 4.6 | Medium | 2026-04-10 |
| CVE-2026-35658 | OpenClaw < 2026.3.2 - Filesystem Boundary Bypass in Image Tool | CWE-668 | 6.5 | Medium | 2026-04-10 |
| CVE-2026-35656 | OpenClaw < 2026.3.22 - XFF Loopback Spoofing Bypass in Canvas Authentication and Rate Limiter | CWE-290 | 6.5 | Medium | 2026-04-10 |
| CVE-2026-35657 | OpenClaw < 2026.3.25 - Authorization Bypass in HTTP Session History Route | CWE-863 | 6.5 | Medium | 2026-04-10 |
| CVE-2026-35655 | OpenClaw < 2026.3.22 - Identity Spoofing via rawInput Tool in ACP Permission Resolution | CWE-807 | 5.7 | Medium | 2026-04-10 |
| CVE-2026-35654 | OpenClaw < 2026.3.25 - Authorization Bypass in Microsoft Teams Feedback Invoke | CWE-288 | 5.3 | Medium | 2026-04-10 |
| CVE-2026-35653 | OpenClaw < 2026.3.24 - Incorrect Authorization in POST /reset-profile via browser.request | CWE-863 | 8.1 | High | 2026-04-10 |
| CVE-2026-35652 | OpenClaw < 2026.3.22 - Unauthorized Action Execution via Callback Dispatch | CWE-696 | 6.5 | Medium | 2026-04-10 |