Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

OpenClaw — Vulnerabilities & Security Advisories 449

Browse all 449 CVE security advisories affecting OpenClaw. AI-powered Chinese analysis, POCs, and references for each vulnerability.

OpenClaw is a specialized software platform designed for automated threat intelligence aggregation and vulnerability management, primarily serving enterprise security operations centers. Historically, its codebase has exhibited a high frequency of critical flaws, with 428 CVEs documented to date. The most prevalent vulnerability classes include remote code execution (RCE) and cross-site scripting (XSS), often stemming from insufficient input validation in its web interface components. Additionally, privilege escalation issues have been frequently reported, allowing unauthorized users to gain administrative access. A notable incident in 2022 involved a critical RCE flaw that enabled attackers to execute arbitrary commands on unpatched servers, leading to widespread data exposure across multiple client networks. These recurring security deficiencies highlight significant challenges in the platform’s secure development lifecycle, necessitating rigorous patching and continuous monitoring for organizations relying on OpenClaw for their security infrastructure.

Top products by OpenClaw: OpenClaw nextcloud-talk voice-call
CVE IDTitleCVSSSeverityPublished
CVE-2026-41915 OpenClaw < 2026.4.8 - Git Environment Variable Injection via Unfiltered Exec Environment — OpenClawCWE-184 5.3 Medium2026-04-28
CVE-2026-41913 OpenClaw < 2026.4.4 - Rate-Limit Bypass via Concurrent Async Authentication Attempts — OpenClawCWE-362 3.7 Low2026-04-28
CVE-2026-41914 OpenClaw < 2026.4.8 - Server-Side Request Forgery in QQ Bot Media Fetch Paths — OpenClawCWE-918 8.5 High2026-04-28
CVE-2026-41912 OpenClaw < 2026.4.8 - Server-Side Request Forgery Policy Bypass via Interaction-Triggered Navigation — OpenClawCWE-918 7.6 High2026-04-28
CVE-2026-41911 OpenClaw < 2026.4.8 - Workspace-Only Filesystem Policy Bypass via docx upload_file/upload_image — OpenClawCWE-22 6.5 Medium2026-04-28
CVE-2026-41910 OpenClaw < 2026.4.8 - Missing Owner-Only Enforcement in /allowlist Cross-Channel Writes — OpenClawCWE-863 4.3 Medium2026-04-28
CVE-2026-41408 OpenClaw < 2026.3.31 - Disk Exhaustion via Media Download Bypass — OpenClawCWE-770 4.3 Medium2026-04-28
CVE-2026-41407 OpenClaw < 2026.4.2 - Timing Side Channel in Shared-Secret Comparison — OpenClawCWE-208 3.7 Low2026-04-28
CVE-2026-41406 OpenClaw < 2026.3.31 - Sender Allowlist Bypass via Thread History and Quoted Messages — OpenClawCWE-639 5.4 Medium2026-04-28
CVE-2026-41405 OpenClaw < 2026.3.31 - Resource Exhaustion via Unauthenticated MS Teams Webhook Body Parsing — OpenClawCWE-408 7.5 High2026-04-28
CVE-2026-41404 OpenClaw < 2026.3.31 - Operator Admin Privilege Escalation via Trusted-Proxy Authentication — OpenClawCWE-863 8.8 High2026-04-28
CVE-2026-41403 OpenClaw < 2026.3.31 - Access Control Bypass via Proxied Remote Request Misclassification — OpenClawCWE-807 2.9 Low2026-04-28
CVE-2026-41402 OpenClaw < 2026.3.31 - Webhook Replay Cache Cross-Target messageId Scope Bypass — OpenClawCWE-706 4.2 Medium2026-04-28
CVE-2026-41400 OpenClaw < 2026.3.31 - Resource Consumption via Oversized WebSocket Frames in voice-call — OpenClawCWE-770 5.3 Medium2026-04-28
CVE-2026-41399 OpenClaw < 2026.3.28 - Denial of Service via Unbounded Pre-auth WebSocket Upgrades — OpenClawCWE-770 7.5 High2026-04-28
CVE-2026-41398 OpenClaw - Unauthorized Agent Request Dispatch via Untrusted Local-Network Pages in iOS A2UI Bridge — OpenClawCWE-346 4.6 Medium2026-04-28
CVE-2026-41397 OpenClaw < 2026.3.31 - Sandbox Escape via Unrestricted File Sync and Symlink Traversal — OpenClawCWE-59 6.8 Medium2026-04-28
CVE-2026-41396 OpenClaw < 2026.3.31 - Environment Variable Override of Plugin Trust Root — OpenClawCWE-829 7.8 High2026-04-28
CVE-2026-41395 OpenClaw < 2026.3.28 - Webhook Replay via Query Parameter Reordering in Plivo V3 — OpenClawCWE-325 7.5 High2026-04-28
CVE-2026-41394 OpenClaw < 2026.3.31 - Unauthorized Operator Scope Access in Unauthenticated Plugin-Auth Routes — OpenClawCWE-862 8.2 High2026-04-28
CVE-2026-41392 OpenClaw < 2026.3.31 - Exec Allowlist Bypass via Shell Init-File Options — OpenClawCWE-184 6.7 Medium2026-04-28
CVE-2026-41393 OpenClaw < 2026.3.31 - Arbitrary DNS Authority Acceptance and Credential Exfiltration via Wide-Area Discovery — OpenClawCWE-346 4.8 Medium2026-04-28
CVE-2026-41391 OpenClaw < 2026.3.31 - Environment Variable Bypass in Package Index URL Handling — OpenClawCWE-184 5.3 Medium2026-04-28
CVE-2026-41390 OpenClaw < 2026.3.28 - Exec Allowlist Bypass via Unregistered /usr/bin/script Wrapper — OpenClawCWE-807 7.3 High2026-04-28
CVE-2026-41387 OpenClaw < 2026.3.22 - Supply Chain Redirection via Incomplete Host Environment Sanitization — OpenClawCWE-183 7.8 High2026-04-28
CVE-2026-41388 OpenClaw < 2026.3.31 - Configuration Rehydration via Empty-Array Revocation Handling — OpenClawCWE-372 6.5 Medium2026-04-28
CVE-2026-41386 OpenClaw < 2026.3.22 - Privilege Escalation via Unbound Bootstrap Setup Codes — OpenClawCWE-648 9.1 Critical2026-04-28
CVE-2026-41385 OpenClaw < 2026.3.31 - Nostr Private Key Exposure via config.get Redaction Bypass — OpenClawCWE-312 6.5 Medium2026-04-28
CVE-2026-41384 OpenClaw < 2026.3.24 - Environment Variable Injection via Workspace Config in CLI Backend — OpenClawCWE-15 7.8 High2026-04-28
CVE-2026-41383 OpenClaw < 2026.4.2 - Arbitrary Remote Directory Deletion via Mis-scoped Mirror Mode Paths — OpenClawCWE-22 8.1 High2026-04-28

This page lists every published CVE security advisory associated with OpenClaw. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.