
OpenClaw — Vulnerabilities & Security Advisories (470)

Browse all 470 CVE security advisories affecting OpenClaw. AI-powered Chinese analysis, POCs, and references for each vulnerability.

OpenClaw is a specialized software platform designed for automated threat intelligence aggregation and vulnerability management, primarily serving enterprise security operations centers. Historically, its codebase has exhibited a high frequency of critical flaws, with 428 CVEs documented to date. The most prevalent vulnerability classes include remote code execution (RCE) and cross-site scripting (XSS), often stemming from insufficient input validation in its web interface components. Additionally, privilege escalation issues have been frequently reported, allowing unauthorized users to gain administrative access. A notable incident in 2022 involved a critical RCE flaw that enabled attackers to execute arbitrary commands on unpatched servers, leading to widespread data exposure across multiple client networks. These recurring security deficiencies highlight significant challenges in the platform’s secure development lifecycle, necessitating rigorous patching and continuous monitoring for organizations relying on OpenClaw for their security infrastructure.

Found 463 results / 470

CVE ID         | Title                                                                                                          | Product  | CWE     | CVSS     | Severity      | Published
CVE-2026-41338 | OpenClaw < 2026.3.31 - Time-of-Check-Time-of-Use (TOCTOU) Vulnerability in Sandbox File Operations              | OpenClaw | CWE-367 | 5.0      | Medium        | 2026-04-23
CVE-2026-41337 | OpenClaw < 2026.3.31 - Callback Origin Mutation in Plivo Voice-call Replay                                      | OpenClaw | CWE-367 | 5.3      | Medium        | 2026-04-23
CVE-2026-41336 | OpenClaw < 2026.3.31 - Arbitrary Hook Code Execution via OPENCLAW_BUNDLED_HOOKS_DIR Environment Variable Override | OpenClaw | CWE-829 | 7.8      | High          | 2026-04-23
CVE-2026-41334 | OpenClaw < 2026.3.31 - Decompression Bomb Denial of Service via Image Pixel-Limit Guard Bypass                  | OpenClaw | CWE-636 | 6.5      | Medium        | 2026-04-23
CVE-2026-41335 | OpenClaw < 2026.3.31 - Information Disclosure via Control UI Bootstrap JSON                                     | OpenClaw | CWE-497 | 5.3      | Medium        | 2026-04-23
CVE-2026-41333 | OpenClaw < 2026.3.31 - Authentication Rate Limiting Bypass via Fake DeviceToken                                 | OpenClaw | CWE-799 | 3.7      | Low           | 2026-04-23
CVE-2026-41332 | OpenClaw < 2026.3.28 - Code Execution via Missing Environment Variable Blocklist                                | OpenClaw | CWE-184 | 5.3      | Medium        | 2026-04-23
CVE-2026-41909 | OpenClaw < 2026.4.20 - Improper Authorization in Paired-Device Pairing Actions                                  | OpenClaw | CWE-863 | 5.4      | Medium        | 2026-04-23
CVE-2026-41908 | OpenClaw < 2026.4.20 - Scope Enforcement Bypass in Assistant-Media Route                                        | OpenClaw | CWE-863 | 4.3      | Medium        | 2026-04-23
CVE-2026-41331 | OpenClaw < 2026.3.31 - Resource Consumption via Unauthorized Telegram Audio Preflight Transcription             | OpenClaw | CWE-408 | 5.3      | Medium        | 2026-04-20
CVE-2026-41330 | OpenClaw < 2026.3.31 - Environment Variable Override via Host Exec Policy                                       | OpenClaw | CWE-453 | 4.4      | Medium        | 2026-04-20
CVE-2026-41329 | OpenClaw < 2026.3.31 - Sandbox Bypass via Heartbeat Context Inheritance and senderIsOwner Escalation            | OpenClaw | CWE-648 | 9.9      | Critical      | 2026-04-20
CVE-2026-41303 | OpenClaw < 2026.3.28 - Authorization Bypass in Discord Text Approval Commands                                   | OpenClaw | CWE-863 | 8.8      | High          | 2026-04-20
CVE-2026-41302 | OpenClaw < 2026.3.31 - Server-Side Request Forgery via Unguarded fetch() in Marketplace Plugin Download         | OpenClaw | CWE-918 | 7.6      | High          | 2026-04-20
CVE-2026-41301 | OpenClaw 2026.3.22 < 2026.3.31 - Forged Nostr DM Pairing State Creation via Signature Verification Bypass       | OpenClaw | CWE-347 | 5.3      | Medium        | 2026-04-20
CVE-2026-41300 | OpenClaw < 2026.3.31 - Attacker-Discovered Endpoint Preservation in Remote Onboarding                           | OpenClaw | CWE-372 | 6.5      | Medium        | 2026-04-20
CVE-2026-41299 | OpenClaw < 2026.3.28 - Client Identity Spoofing in chat.send Gateway Provenance Guard                           | OpenClaw | CWE-807 | 7.1      | High          | 2026-04-20
CVE-2026-41298 | OpenClaw < 2026.4.2 - Authorization Bypass in Session Termination Endpoint                                      | OpenClaw | CWE-862 | 5.4      | Medium        | 2026-04-20
CVE-2026-41297 | OpenClaw < 2026.3.31 - Server-Side Request Forgery via Marketplace Plugin Download Redirect                     | OpenClaw | CWE-918 | 7.6      | High          | 2026-04-20
CVE-2026-41295 | OpenClaw < 2026.4.2 - Untrusted Workspace Channel Shadow Code Execution during Built-in Channel Setup           | OpenClaw | CWE-829 | 7.8      | High          | 2026-04-20
CVE-2026-41296 | OpenClaw < 2026.3.31 - Sandbox Escape via TOCTOU Race in Remote FS Bridge readFile                              | OpenClaw | CWE-367 | 8.2      | High          | 2026-04-20
CVE-2026-41294 | OpenClaw < 2026.3.28 - Environment Variable Injection via CWD .env File                                         | OpenClaw | CWE-15  | 8.6      | High          | 2026-04-20
CVE-2026-40045 | OpenClaw < 2026.4.2 - Cleartext Credential Transmission via Unencrypted WebSocket Gateway Endpoints             | OpenClaw | CWE-319 | 5.7      | Medium        | 2026-04-20
CVE-2026-41389 | OpenClaw 2026.4.7 < 2026.4.15 - Arbitrary File Read via Unvalidated Tool-Result Media Paths                     | OpenClaw | CWE-73  | 5.8      | Medium        | 2026-04-20
CVE-2026-3691  | OpenClaw Client PKCE Verifier Information Disclosure Vulnerability                                              | OpenClaw | CWE-200 | 6.5 (AI) | Medium (AI)   | 2026-04-11
CVE-2026-3690  | OpenClaw Canvas Authentication Bypass Vulnerability                                                             | OpenClaw | CWE-291 | 9.8 (AI) | Critical (AI) | 2026-04-11
CVE-2026-3689  | OpenClaw Canvas Path Traversal Information Disclosure Vulnerability                                             | OpenClaw | CWE-22  | 6.5 (AI) | Medium (AI)   | 2026-04-11
CVE-2026-35670 | OpenClaw < 2026.3.22 - Webhook Reply Rebinding via Username Resolution in Synology Chat                         | OpenClaw | CWE-807 | 5.9      | Medium        | 2026-04-10
CVE-2026-35669 | OpenClaw < 2026.3.25 - Privilege Escalation via Gateway Plugin HTTP Authentication Scope                        | OpenClaw | CWE-648 | 8.8      | High          | 2026-04-10
CVE-2026-35668 | OpenClaw < 2026.3.24 - Sandbox Media Root Bypass via Unnormalized mediaUrl and fileUrl Parameters               | OpenClaw | CWE-22  | 7.7      | High          | 2026-04-10

Entries marked "(AI)" carry an AI-estimated CVSS score and severity rather than a published one.

This page lists every published CVE security advisory associated with OpenClaw. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.