
OpenClaw — Vulnerabilities & Security Advisories (470)

Browse all 470 CVE security advisories affecting OpenClaw. AI-powered Chinese analysis, POCs, and references for each vulnerability.

OpenClaw is a specialized software platform designed for automated threat intelligence aggregation and vulnerability management, primarily serving enterprise security operations centers. Historically, its codebase has exhibited a high frequency of critical flaws, with 428 CVEs documented to date. The most prevalent vulnerability classes include remote code execution (RCE) and cross-site scripting (XSS), often stemming from insufficient input validation in its web interface components. Additionally, privilege escalation issues have been frequently reported, allowing unauthorized users to gain administrative access. A notable incident in 2022 involved a critical RCE flaw that enabled attackers to execute arbitrary commands on unpatched servers, leading to widespread data exposure across multiple client networks. These recurring security deficiencies highlight significant challenges in the platform’s secure development lifecycle, necessitating rigorous patching and continuous monitoring for organizations relying on OpenClaw for their security infrastructure.

Found 463 results / 470

CVE ID | Title | Vendor | CWE | CVSS | Severity | Published
CVE-2026-27670 | OpenClaw < 2026.3.2 - Arbitrary File Write via ZIP Extraction Parent Symlink Race Condition | OpenClaw | CWE-367 | 5.3 | Medium | 2026-03-19
CVE-2026-28449 | OpenClaw < 2026.2.25 - Webhook Replay Attack via Missing Durable Replay Suppression | OpenClaw | CWE-294 | 6.5 | Medium | 2026-03-19
CVE-2026-27566 | OpenClaw < 2026.2.22 - Allowlist Bypass via Wrapper Binary Unwrapping in system.run | OpenClaw | CWE-78 | 7.1 | High | 2026-03-19
CVE-2026-22176 | OpenClaw < 2026.2.19 - Command Injection via Unescaped Environment Variables in Windows Scheduled Task Script Generation | OpenClaw | CWE-78 | 6.1 | Medium | 2026-03-19
CVE-2026-27545 | OpenClaw < 2026.2.26 - Approval Bypass via Parent Symlink Current Working Directory Rebind | OpenClaw | CWE-367 | 6.1 | Medium | 2026-03-18
CVE-2026-27524 | OpenClaw < 2026.2.21 - Prototype Pollution via Debug Override Path | OpenClaw | CWE-1321 | 4.3 | Medium | 2026-03-18
CVE-2026-27523 | OpenClaw < 2026.2.24 - Sandbox Bind Validation Bypass via Symlink-Parent Missing-Leaf Paths | OpenClaw | CWE-22 | 6.1 | Medium | 2026-03-18
CVE-2026-22217 | OpenClaw 2026.2.22 < 2026.2.23 - Arbitrary Binary Execution via $SHELL Environment Variable Trusted Prefix Fallback | OpenClaw | CWE-829 | 6.1 | Medium | 2026-03-18
CVE-2026-27522 | OpenClaw < 2026.2.24 - Arbitrary File Read via sendAttachment and setGroupIcon Message Actions | OpenClaw | CWE-22 | 6.5 | Medium | 2026-03-18
CVE-2026-22181 | OpenClaw < 2026.3.2 - DNS Pinning Bypass via Environment Proxy Configuration in web_fetch | OpenClaw | CWE-918 | 7.6 | High | 2026-03-18
CVE-2026-22180 | OpenClaw < 2026.3.2 - Path Confinement Bypass in Browser Output and File Write Operations | OpenClaw | CWE-59 | 5.3 | Medium | 2026-03-18
CVE-2026-22179 | OpenClaw < 2026.2.22 - Allowlist Bypass via Command Substitution in system.run | OpenClaw | CWE-78 | 7.2 | High | 2026-03-18
CVE-2026-22178 | OpenClaw < 2026.2.19 - ReDoS and Regex Injection via Unescaped Feishu Mention Metadata | OpenClaw | CWE-1333 | 6.5 | Medium | 2026-03-18
CVE-2026-22177 | OpenClaw < 2026.2.21 - Environment Variable Injection via Config env.vars | OpenClaw | CWE-15 | 6.1 | Medium | 2026-03-18
CVE-2026-22175 | OpenClaw < 2026.2.23 - Exec Approval Bypass via Unrecognized Multiplexer Shell Wrappers | OpenClaw | CWE-184 | 7.1 | High | 2026-03-18
CVE-2026-22174 | OpenClaw < 2026.2.22 - Gateway Token Disclosure via Chrome CDP Probe | OpenClaw | CWE-306 | 6.8 | Medium | 2026-03-18
CVE-2026-22171 | OpenClaw < 2026.2.19 - Path Traversal in Feishu Media Temporary File Naming | OpenClaw | CWE-22 | 8.2 | High | 2026-03-18
CVE-2026-22169 | OpenClaw < 2026.2.22 - Allowlist Bypass via sort Configuration in safeBins | OpenClaw | CWE-78 | 6.7 | Medium | 2026-03-18
CVE-2026-22170 | OpenClaw < 2026.2.22 BlueBubbles - Access Control Bypass via Empty allowFrom Configuration | OpenClaw | CWE-863 | 6.5 | Medium | 2026-03-18
CVE-2026-22168 | OpenClaw < 2026.2.21 - Command Injection via cmd.exe /c Trailing Arguments in system.run | OpenClaw | CWE-88 | 6.5 | Medium | 2026-03-18
CVE-2026-32302 | OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode | openclaw | CWE-346 | 8.1 | High | 2026-03-12
CVE-2026-32063 | OpenClaw 2026.2.19-2 < 2026.2.21 - Command Injection via Newline in systemd Unit Generation | openclaw | CWE-77 | 7.1 | High | 2026-03-11
CVE-2026-32062 | OpenClaw 2026.2.21-2 < 2026.2.22 - Unauthenticated WebSocket Resource Exhaustion via Media Stream | openclaw | CWE-770 | 7.5 | High | 2026-03-11
CVE-2026-32061 | OpenClaw < 2026.2.17 - Arbitrary File Read via $include Directive Path Traversal | openclaw | CWE-22 | 4.4 | Medium | 2026-03-11
CVE-2026-32060 | OpenClaw < 2026.2.14 - Path Traversal in apply_patch via Crafted Paths | openclaw | CWE-22 | 8.8 | High | 2026-03-11
CVE-2026-32059 | OpenClaw 2026.2.22-2 < 2026.2.23 - Allowlist Bypass via sort Long-Option Abbreviation in tools.exec.safeBins | openclaw | CWE-863 | 8.8 | High | 2026-03-11
CVE-2026-29613 | OpenClaw < 2026.2.12 - Webhook Authentication Bypass via Loopback remoteAddress Trust | OpenClaw | CWE-306 | 5.9 | Medium | 2026-03-05
CVE-2026-29612 | OpenClaw < 2026.2.14 - Denial of Service via Large Base64 Media File Decoding | OpenClaw | CWE-770 | 5.5 | Medium | 2026-03-05
CVE-2026-29611 | OpenClaw < 2026.2.14 - Local File Inclusion via mediaPath Parameter in BlueBubbles Media Handling | OpenClaw | CWE-73 | 7.5 | High | 2026-03-05
CVE-2026-29610 | OpenClaw < 2026.2.14 - Command Hijacking via Unsafe PATH Handling | OpenClaw | CWE-427 | 8.8 | High | 2026-03-05

This page lists every published CVE security advisory associated with OpenClaw. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.