
OpenClaw — Vulnerabilities & Security Advisories (470)

Browse all 470 CVE security advisories affecting OpenClaw. AI-powered Chinese analysis, POCs, and references for each vulnerability.

OpenClaw is a specialized software platform designed for automated threat intelligence aggregation and vulnerability management, primarily serving enterprise security operations centers. Historically, its codebase has exhibited a high frequency of critical flaws, with 428 CVEs documented to date. The most prevalent vulnerability classes include remote code execution (RCE) and cross-site scripting (XSS), often stemming from insufficient input validation in its web interface components. Additionally, privilege escalation issues have been frequently reported, allowing unauthorized users to gain administrative access. A notable incident in 2022 involved a critical RCE flaw that enabled attackers to execute arbitrary commands on unpatched servers, leading to widespread data exposure across multiple client networks. These recurring security deficiencies highlight significant challenges in the platform’s secure development lifecycle, necessitating rigorous patching and continuous monitoring for organizations relying on OpenClaw for their security infrastructure.

| CVE ID | Title | Vendor | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-27001 | OpenClaw: Unsanitized CWD path injection into LLM prompts | openclaw | CWE-77 | 7.6 | - | 2026-02-19 |
| CVE-2026-26972 | OpenClaw has a Path Traversal in Browser Download Functionality | openclaw | CWE-22 | 6.7 | Medium | 2026-02-19 |
| CVE-2026-26329 | OpenClaw has a path traversal in browser upload allows local file read | openclaw | CWE-22 | 6.5 | - | 2026-02-19 |
| CVE-2026-26328 | OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities | openclaw | CWE-284 | 6.5 | Medium | 2026-02-19 |
| CVE-2026-26327 | OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning | openclaw | CWE-345 | 9.3 | - | 2026-02-19 |
| CVE-2026-26326 | OpenClaw skills.status could leak secrets to operator.read clients | openclaw | CWE-200 | 6.5 | - | 2026-02-19 |
| CVE-2026-26325 | OpenClaw Node host system.run rawCommand/command mismatch can bypass allowlist/approvals | openclaw | CWE-284 | 7.2 | High | 2026-02-19 |
| CVE-2026-26324 | OpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reachable) | openclaw | CWE-918 | 7.5 | High | 2026-02-19 |
| CVE-2026-26323 | OpenClaw has a command injection in maintainer clawtributors updater | openclaw | CWE-78 | 8.8 | - | 2026-02-19 |
| CVE-2026-26322 | OpenClaw Gateway tool allowed unrestricted gatewayUrl override | openclaw | CWE-918 | 7.6 | High | 2026-02-19 |
| CVE-2026-26321 | OpenClaw has a local file disclosure via sendMediaFeishu in Feishu extension | openclaw | CWE-22 | 7.5 | High | 2026-02-19 |
| CVE-2026-26320 | OpenClaw macOS deep link confirmation truncation can conceal executed agent message | openclaw | CWE-451 | 4.3 | - | 2026-02-19 |
| CVE-2026-26319 | OpenClaw has Missing Webhook Authentication in Telnyx Provider Allowing Unauthenticated Requests | openclaw | CWE-306 | 7.5 | High | 2026-02-19 |
| CVE-2026-26317 | OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints | openclaw | CWE-352 | 7.1 | High | 2026-02-19 |
| CVE-2026-26316 | OpenClaw has BlueBubbles webhook auth bypass via loopback proxy trust | openclaw | CWE-863 | 7.5 | High | 2026-02-19 |
| CVE-2026-25474 | OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass | openclaw | CWE-345 | 7.5 | High | 2026-02-19 |
| CVE-2026-25593 | OpenClaw Affected by Unauthenticated Local RCE via WebSocket config.apply | openclaw | CWE-78 | 8.4 | High | 2026-02-06 |
| CVE-2026-25157 | OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand | openclaw | CWE-78 | 7.8 | High | 2026-02-04 |
| CVE-2026-25475 | OpenClaw Vulnerable to Local File Inclusion via MEDIA: Path Extraction | openclaw | CWE-200 | 6.5 | Medium | 2026-02-04 |
| CVE-2026-25253 | OpenClaw Security Vulnerability | OpenClaw | CWE-669 | 8.8 | High | 2026-02-01 |

This page lists every published CVE security advisory associated with OpenClaw. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.