
OpenClaw — Vulnerabilities & Security Advisories (470)

Browse all 470 CVE security advisories affecting OpenClaw. AI-powered Chinese analysis, POCs, and references for each vulnerability.

OpenClaw is an open-source AI agent platform; the advisories indexed here concern its gateway, the nodes it pairs with, the sandboxed exec and Playwright browser paths that agent tools call, and the chat integrations it bridges (Matrix, QQ, MS Teams, voice-call). Across the 470 advisories the recurring weakness classes are not classic web-app XSS but missing or incorrect authorization (CWE-862, CWE-863) on gateway, node-pairing and token-rotation operations, server-side request forgery (CWE-918) in media fetching and browser navigation, and unbounded resource consumption (CWE-770, CWE-408) on unauthenticated or oversized input, with a smaller tail of environment-variable injection into build and git tooling (CWE-184), file-policy and path bypasses (CWE-22, CWE-73), stale authentication state (CWE-613) and a timing side channel in shared-secret comparison (CWE-208). The highest-scored entries (8.x) are authorization bypasses that let an operator.write-scoped caller approve node pairing or rotate device tokens, a trusted-proxy path that escalates to operator admin, and a host parameter override that escapes the exec sandbox. Fixes are published as version floors (for example, fixed in 2026.4.8 or 2026.3.31), so the practical check for an operator is whether the running build is at or above the floor for every listed advisory, starting with the entries reachable from an unauthenticated or low-privilege position.

Listed entries (30 of 470 shown on this page):

| CVE ID | Affected versions | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-42436 | < 2026.4.14 | Internal Page Content Exposure via Browser Snapshot and Screenshot Routes | CWE-862 | 7.7 | High | 2026-05-05 |
| CVE-2026-42434 | >= 2026.4.5, < 2026.4.10 | Sandbox Escape via host Parameter Override in Exec Routing | CWE-863 | 8.8 | High | 2026-05-05 |
| CVE-2026-42433 | < 2026.4.10 | Unauthorized Matrix Profile Config Persistence Access via operator.write Message Tools | CWE-862 | 6.5 | Medium | 2026-05-05 |
| CVE-2026-42432 | < 2026.4.8 | Command Escalation via Node Pairing Reconnect Bypass | CWE-863 | 7.8 | High | 2026-04-28 |
| CVE-2026-42431 | < 2026.4.8 | Persistent Profile Mutation via node.invoke(browser.proxy) Bypass | CWE-863 | 8.1 | High | 2026-04-28 |
| CVE-2026-42430 | < 2026.4.8 | Strict Browser SSRF Bypass via Playwright Redirect Handling | CWE-918 | 6.5 | Medium | 2026-04-28 |
| CVE-2026-42428 | < 2026.4.8 | Missing Integrity Verification in Package Downloads | CWE-353 | 7.1 | High | 2026-04-28 |
| CVE-2026-42429 | < 2026.4.8 | Privilege Escalation via Gateway Plugin HTTP Authentication | CWE-863 | 7.1 | High | 2026-04-28 |
| CVE-2026-42427 | < 2026.4.8 | Remote Code Execution via Build Tool Environment Variable Injection | CWE-184 | 5.3 | Medium | 2026-04-28 |
| CVE-2026-42426 | < 2026.4.8 | Improper Authorization in node.pair.approve via operator.write Scope | CWE-863 | 8.8 | High | 2026-04-28 |
| CVE-2026-42424 | < 2026.4.8 | Local File Exfiltration via Shared Reply MEDIA Paths | CWE-73 | 5.7 | Medium | 2026-04-28 |
| CVE-2026-42423 | < 2026.4.8 | strictInlineEval Approval Boundary Bypass via Approval-Timeout Fallback | CWE-636 | 7.5 | High | 2026-04-28 |
| CVE-2026-42421 | < 2026.4.8 | WebSocket Session Persistence via Shared Gateway Token Rotation | CWE-613 | 5.4 | Medium | 2026-04-28 |
| CVE-2026-42422 | < 2026.4.8 | Role Bypass in device.token.rotate Function | CWE-863 | 8.8 | High | 2026-04-28 |
| CVE-2026-42420 | < 2026.4.8 | Improper Base64 Decoding Size Validation | CWE-770 | 4.3 | Medium | 2026-04-28 |
| CVE-2026-41916 | < 2026.4.8 | Stale Authentication State via Config Reload | CWE-613 | 5.4 | Medium | 2026-04-28 |
| CVE-2026-41915 | < 2026.4.8 | Git Environment Variable Injection via Unfiltered Exec Environment | CWE-184 | 5.3 | Medium | 2026-04-28 |
| CVE-2026-41913 | < 2026.4.4 | Rate-Limit Bypass via Concurrent Async Authentication Attempts | CWE-362 | 3.7 | Low | 2026-04-28 |
| CVE-2026-41914 | < 2026.4.8 | Server-Side Request Forgery in QQ Bot Media Fetch Paths | CWE-918 | 8.5 | High | 2026-04-28 |
| CVE-2026-41912 | < 2026.4.8 | Server-Side Request Forgery Policy Bypass via Interaction-Triggered Navigation | CWE-918 | 7.6 | High | 2026-04-28 |
| CVE-2026-41911 | < 2026.4.8 | Workspace-Only Filesystem Policy Bypass via docx upload_file/upload_image | CWE-22 | 6.5 | Medium | 2026-04-28 |
| CVE-2026-41408 | < 2026.3.31 | Disk Exhaustion via Media Download Bypass | CWE-770 | 4.3 | Medium | 2026-04-28 |
| CVE-2026-41910 | < 2026.4.8 | Missing Owner-Only Enforcement in /allowlist Cross-Channel Writes | CWE-863 | 4.3 | Medium | 2026-04-28 |
| CVE-2026-41407 | < 2026.4.2 | Timing Side Channel in Shared-Secret Comparison | CWE-208 | 3.7 | Low | 2026-04-28 |
| CVE-2026-41406 | < 2026.3.31 | Sender Allowlist Bypass via Thread History and Quoted Messages | CWE-639 | 5.4 | Medium | 2026-04-28 |
| CVE-2026-41405 | < 2026.3.31 | Resource Exhaustion via Unauthenticated MS Teams Webhook Body Parsing | CWE-408 | 7.5 | High | 2026-04-28 |
| CVE-2026-41404 | < 2026.3.31 | Operator Admin Privilege Escalation via Trusted-Proxy Authentication | CWE-863 | 8.8 | High | 2026-04-28 |
| CVE-2026-41403 | < 2026.3.31 | Access Control Bypass via Proxied Remote Request Misclassification | CWE-807 | 2.9 | Low | 2026-04-28 |
| CVE-2026-41402 | < 2026.3.31 | Webhook Replay Cache Cross-Target messageId Scope Bypass | CWE-706 | 4.2 | Medium | 2026-04-28 |
| CVE-2026-41400 | < 2026.3.31 | Resource Consumption via Oversized WebSocket Frames in voice-call | CWE-770 | 5.3 | Medium | 2026-04-28 |
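The site renders each advisory as one run-together line (CVE, affected range, title, CWE, score, severity and date), which is awkward to triage by hand once a deployment has to be checked against dozens of version floors. The following script is an added example, not code from OpenClaw or from this site: it parses rows in exactly that rendered format, tallies CWE classes, and reports which advisories still apply to a given installed version. The six sample rows are copied from the listing above; the assumption that version strings are dotted integers that compare component by component (so 2026.4.8 is below 2026.4.10) is mine, as is the reading of "2026.4.5 < 2026.4.10" as an inclusive lower bound followed by the first fixed version.

```python
"""Parse flattened OpenClaw advisory rows and triage them against an
installed version.

Added example for this listing page; not OpenClaw's own code and not the
site's. Assumes versions are dotted integers compared component-wise.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# One row as the listing renders it: everything on a single line, with
# the severity and the publication date run together ("High2026-04-28").
ROW = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,}) OpenClaw "
    r"(?:(?P<low>[\d.]+) )?< (?P<fixed>[\d.]+) - "
    r"(?P<title>.+?) — OpenClaw(?P<cwe>CWE-\d+) "
    r"(?P<cvss>\d+(?:\.\d+)?) (?P<sev>Critical|High|Medium|Low)"
    r"(?P<date>\d{4}-\d{2}-\d{2})$"
)

# Sample input: six rows copied verbatim from the listing on this page.
SAMPLE_ROWS = """\
CVE-2026-42436 OpenClaw < 2026.4.14 - Internal Page Content Exposure via Browser Snapshot and Screenshot Routes — OpenClawCWE-862 7.7 High2026-05-05
CVE-2026-42434 OpenClaw 2026.4.5 < 2026.4.10 - Sandbox Escape via host Parameter Override in Exec Routing — OpenClawCWE-863 8.8 High2026-05-05
CVE-2026-42432 OpenClaw < 2026.4.8 - Command Escalation via Node Pairing Reconnect Bypass — OpenClawCWE-863 7.8 High2026-04-28
CVE-2026-42430 OpenClaw < 2026.4.8 - Strict Browser SSRF Bypass via Playwright Redirect Handling — OpenClawCWE-918 6.5 Medium2026-04-28
CVE-2026-41913 OpenClaw < 2026.4.4 - Rate-Limit Bypass via Concurrent Async Authentication Attempts — OpenClawCWE-362 3.7 Low2026-04-28
CVE-2026-41407 OpenClaw < 2026.4.2 - Timing Side Channel in Shared-Secret Comparison — OpenClawCWE-208 3.7 Low2026-04-28
"""


@dataclass(frozen=True)
class Advisory:
    cve: str
    low: Optional[tuple]  # inclusive lower bound of affected versions, if stated
    fixed: tuple          # first version that is no longer affected
    title: str
    cwe: str
    cvss: float
    severity: str
    published: str


def parse_version(s: str) -> tuple:
    """'2026.4.8' -> (2026, 4, 8). Raises ValueError on anything non-numeric."""
    return tuple(int(part) for part in s.strip().lstrip("v").split("."))


def parse_row(line: str) -> Advisory:
    """Parse one rendered row; refuse anything that does not match exactly."""
    m = ROW.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised advisory row: {line!r}")
    low = m["low"]
    return Advisory(
        cve=m["cve"],
        low=parse_version(low) if low else None,
        fixed=parse_version(m["fixed"]),
        title=m["title"],
        cwe=m["cwe"],
        cvss=float(m["cvss"]),
        severity=m["sev"],
        published=m["date"],
    )


def parse_listing(text: str) -> list:
    """Parse every line that looks like an advisory row; skip page chrome."""
    return [parse_row(line) for line in text.splitlines() if line.startswith("CVE-")]


def is_affected(installed: str, adv: Advisory) -> bool:
    """True when `installed` lies in [low, fixed) for this advisory."""
    v = parse_version(installed)
    if adv.low is not None and v < adv.low:
        return False
    return v < adv.fixed


def open_advisories(installed: str, advisories: list) -> list:
    """Advisories that still apply to `installed`, highest CVSS first."""
    return sorted((a for a in advisories if is_affected(installed, a)),
                  key=lambda a: (-a.cvss, a.cve))


def cwe_histogram(advisories: list) -> Counter:
    """How often each CWE appears; the dominant classes drive review priority."""
    return Counter(a.cwe for a in advisories)


if __name__ == "__main__":
    advs = parse_listing(SAMPLE_ROWS)
    print("CWE frequency:", dict(cwe_histogram(advs)))
    for installed in ("2026.4.2", "2026.4.8", "2026.4.14"):
        pending = open_advisories(installed, advs)
        print(f"{installed}: {len(pending)} open")
        for a in pending:
            print(f"  {a.cve} {a.cvss} {a.severity} {a.cwe}  {a.title}")
```

Run as-is to see that a 2026.4.8 build is still exposed to the two May entries (the sandbox escape only applies from 2026.4.5 onward, so an older 2026.4.2 build is not in its range but has four older advisories open instead). Feed the full listing, pasted from the page, into `parse_listing` to cover all 470; the parser raises on any line that does not match the rendered format rather than silently skipping it.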

This page lists every published CVE security advisory associated with OpenClaw. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.