
OpenClaw — Vulnerabilities & Security Advisories (470)

Browse all 470 CVE security advisories affecting OpenClaw. AI-powered Chinese analysis, POCs, and references for each vulnerability.

OpenClaw is a specialized software platform designed for automated threat intelligence aggregation and vulnerability management, primarily serving enterprise security operations centers. Historically, its codebase has exhibited a high frequency of critical flaws, with 428 CVEs documented to date. The most prevalent vulnerability classes include remote code execution (RCE) and cross-site scripting (XSS), often stemming from insufficient input validation in its web interface components. Additionally, privilege escalation issues have been frequently reported, allowing unauthorized users to gain administrative access. A notable incident in 2022 involved a critical RCE flaw that enabled attackers to execute arbitrary commands on unpatched servers, leading to widespread data exposure across multiple client networks. These recurring security deficiencies highlight significant challenges in the platform’s secure development lifecycle, necessitating rigorous patching and continuous monitoring for organizations relying on OpenClaw for their security infrastructure.

Found 463 results / 470

| CVE ID | Title | Affected | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-35640 | OpenClaw < 2026.3.25 - Denial of Service via Unauthenticated Webhook Request Parsing | OpenClaw | CWE-696 | 5.3 | Medium | 2026-04-09 |
| CVE-2026-35639 | OpenClaw < 2026.3.22 - Privilege Escalation via device.pair.approve Scope Validation | OpenClaw | CWE-648 | 8.8 | High | 2026-04-09 |
| CVE-2026-35637 | OpenClaw < 2026.3.22 - Premature Cite Expansion Before Authorization in Channel and DM | OpenClaw | CWE-696 | 7.3 | High | 2026-04-09 |
| CVE-2026-35638 | OpenClaw < 2026.3.22 - Privilege Escalation via Self-Declared Scopes in Trusted-Proxy Control UI | OpenClaw | CWE-286 | 8.8 | High | 2026-04-09 |
| CVE-2026-35636 | OpenClaw 2026.3.11 < 2026.3.25 - Session Isolation Bypass via sessionId Resolution | OpenClaw | CWE-696 | 6.5 | Medium | 2026-04-09 |
| CVE-2026-35635 | OpenClaw < 2026.3.22 - Webhook Path Route Replacement Vulnerability in Synology Chat | OpenClaw | CWE-706 | 4.8 | Medium | 2026-04-09 |
| CVE-2026-35634 | OpenClaw < 2026.3.23 - Authentication Bypass via Local-Direct Requests in Canvas Gateway | OpenClaw | CWE-288 | 5.1 | Medium | 2026-04-09 |
| CVE-2026-35633 | OpenClaw < 2026.3.22 - Unbounded Memory Allocation via Remote Media Error Responses | OpenClaw | CWE-789 | 5.3 | Medium | 2026-04-09 |
| CVE-2026-35632 | OpenClaw <= 2026.2.22 - Symlink Traversal via IDENTITY.md appendFile in agents.create/update | OpenClaw | CWE-61 | 7.1 | High | 2026-04-09 |
| CVE-2026-35631 | OpenClaw < 2026.3.22 - Missing Authorization Enforcement in Internal ACP Chat Commands | OpenClaw | CWE-862 | 6.5 | Medium | 2026-04-09 |
| CVE-2026-35629 | OpenClaw < 2026.3.25 - Server-Side Request Forgery via Unguarded Configured Base URLs in Channel Extensions | OpenClaw | CWE-918 | 7.4 | High | 2026-04-09 |
| CVE-2026-35628 | OpenClaw < 2026.3.25 - Brute-Force Attack via Missing Telegram Webhook Rate Limiting | OpenClaw | CWE-307 | 4.8 | Medium | 2026-04-09 |
| CVE-2026-35627 | OpenClaw < 2026.3.22 - Unauthenticated Cryptographic Work in Nostr Inbound DM Handling | OpenClaw | CWE-696 | 6.5 | Medium | 2026-04-09 |
| CVE-2026-35625 | OpenClaw < 2026.3.25 - Privilege Escalation via Silent Local Shared-Auth Reconnect | OpenClaw | CWE-648 | 7.8 | High | 2026-04-09 |
| CVE-2026-35626 | OpenClaw < 2026.3.22 - Unauthenticated Resource Exhaustion via Voice Call Webhook | OpenClaw | CWE-405 | 5.3 | Medium | 2026-04-09 |
| CVE-2026-35624 | OpenClaw < 2026.3.22 - Policy Confusion via Room Name Collision in Nextcloud Talk | OpenClaw | CWE-807 | 4.2 | Medium | 2026-04-09 |
| CVE-2026-35623 | OpenClaw < 2026.3.25 - Brute-Force Attack via Missing Webhook Password Rate Limiting | OpenClaw | CWE-307 | 4.8 | Medium | 2026-04-09 |
| CVE-2026-35618 | OpenClaw < 2026.3.23 - Replay Identity Drift via Query-Only Variants in Plivo V2 Verification | OpenClaw | CWE-294 | 6.5 | Medium | 2026-04-09 |
| CVE-2026-35622 | OpenClaw < 2026.3.22 - Improper Authentication Verification in Google Chat Webhook | OpenClaw | CWE-290 | 5.9 | Medium | 2026-04-09 |
| CVE-2026-35617 | OpenClaw < 2026.3.25 - Authorization Bypass via Group Policy Rebinding with Mutable Space displayName | OpenClaw | CWE-807 | 4.2 | Medium | 2026-04-09 |
| CVE-2026-34512 | OpenClaw < 2026.3.25 - Improper Access Control in /sessions/:sessionKey/kill Endpoint | OpenClaw | CWE-863 | 8.1 | High | 2026-04-09 |
| CVE-2026-40037 | OpenClaw < 2026.3.31 - Unsafe Request Body Replay via fetchWithSsrFGuard Cross-Origin Redirects | OpenClaw | CWE-601 | 6.5 | Medium | 2026-04-08 |
| CVE-2026-34511 | OpenClaw < 2026.4.2 - PKCE Verifier Exposure via OAuth State Parameter | OpenClaw | CWE-330 | 5.3 | Medium | 2026-04-03 |
| CVE-2026-34426 | OpenClaw - Approval Bypass via Environment Variable Normalization | OpenClaw | CWE-184 | 7.6 | High | 2026-04-02 |
| CVE-2026-34425 | OpenClaw - Shell-Bleed Protection Preflight Validation Bypass | OpenClaw | CWE-184 | 5.4 | Medium | 2026-04-02 |
| CVE-2026-34510 | OpenClaw < 2026.3.22 - Remote File URL Acceptance in Windows Media Loaders | OpenClaw | CWE-41 | 5.3 | Medium | 2026-04-01 |
| CVE-2026-34504 | OpenClaw < 2026.3.28 - Server-Side Request Forgery via Unguarded Image Download in fal Provider | OpenClaw | CWE-918 | 8.3 | High | 2026-03-31 |
| CVE-2026-34503 | OpenClaw < 2026.3.28 - Incomplete WebSocket Session Termination on Device Removal and Token Revocation | OpenClaw | CWE-613 | 8.1 | High | 2026-03-31 |
| CVE-2026-33581 | OpenClaw < 2026.3.24 - Arbitrary File Read via mediaUrl and fileUrl Parameters | OpenClaw | CWE-22 | 6.5 | Medium | 2026-03-31 |
| CVE-2026-33580 | OpenClaw < 2026.3.28 - Brute Force Attack via Missing Rate Limiting on Webhook Shared Secret Authentication | OpenClaw | CWE-307 | 6.5 | Medium | 2026-03-31 |

This page lists every published CVE security advisory associated with OpenClaw. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.