OpenClaw — Vulnerabilities & Security Advisories (537)

Browse all 537 CVE security advisories affecting OpenClaw. AI-powered Chinese analysis, POCs, and references for each vulnerability.

OpenClaw is a specialized software platform designed for automated threat intelligence aggregation and vulnerability management, primarily serving enterprise security operations centers. Historically, its codebase has exhibited a high frequency of critical flaws, with 428 CVEs documented to date. The most prevalent vulnerability classes include remote code execution (RCE) and cross-site scripting (XSS), often stemming from insufficient input validation in its web interface components. Additionally, privilege escalation issues have been frequently reported, allowing unauthorized users to gain administrative access. A notable incident in 2022 involved a critical RCE flaw that enabled attackers to execute arbitrary commands on unpatched servers, leading to widespread data exposure across multiple client networks. These recurring security deficiencies highlight significant challenges in the platform’s secure development lifecycle, necessitating rigorous patching and continuous monitoring for organizations relying on OpenClaw for their security infrastructure.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-53865 | OpenClaw < 2026.5.2 - Arbitrary Command Execution via Workspace-Derived Service PATH | OpenClaw | CWE-426 | 7.1 | High | 2026-06-16 |
| CVE-2026-53866 | OpenClaw < 2026.5.12 - Allowlist Bypass in Shell Inline-Command Parsing | OpenClaw | CWE-862 | 8.1 | High | 2026-06-16 |
| CVE-2026-53864 | OpenClaw < 2026.5.26 - Insufficient Environment Variable Sanitization in Node.js Control Variables | OpenClaw | CWE-184 | 8.1 | High | 2026-06-16 |
| CVE-2026-53862 | OpenClaw < 2026.5.12 - Bootstrap Token Replay via Pending Pairing Scope Widening | OpenClaw | CWE-266 | 4.2 | Medium | 2026-06-16 |
| CVE-2026-53863 | OpenClaw < 2026.4.25 - Unvalidated Group ID Acceptance in Tool Group Policy | OpenClaw | CWE-639 | 7.1 | High | 2026-06-16 |
| CVE-2026-53861 | OpenClaw < 2026.5.6 - Allowlist Bypass via Combined POSIX Inline Flags on macOS | OpenClaw | CWE-184 | 6.6 | Medium | 2026-06-16 |
| CVE-2026-53860 | OpenClaw < 2026.5.7 - Sender Policy Bypass via Mutable Conversation Identifiers in BlueBubbles | OpenClaw | CWE-807 | 4.2 | Medium | 2026-06-16 |
| CVE-2026-53859 | OpenClaw < 2026.5.26 - Hostname Validation Bypass via Trailing-Dot Inconsistency | OpenClaw | CWE-1023 | 6.5 | Medium | 2026-06-16 |
| CVE-2026-53858 | OpenClaw < 2026.5.2 - Arbitrary Runtime Dependency Loading via STATE_DIRECTORY Environment Variable | OpenClaw | CWE-426 | 7.1 | High | 2026-06-16 |
| CVE-2026-53857 | OpenClaw < 2026.5.3 - Mutable Display Name Binding in Zalo allowFrom Policy | OpenClaw | CWE-290 | 8.1 | High | 2026-06-16 |
| CVE-2026-53855 | OpenClaw < 2026.4.2 - Shell Positional Parameters Bypass in Inline-Eval Checks | OpenClaw | CWE-184 | 8.1 | High | 2026-06-16 |
| CVE-2026-53856 | OpenClaw 2026.4.23 < 2026.4.24 - Insecure File Permissions in Config Recovery via OpenClaw.json | OpenClaw | CWE-732 | 5.5 | Medium | 2026-06-16 |
| CVE-2026-53854 | OpenClaw < 2026.4.25 - Privilege Escalation via ownerAllowFrom Wildcard Inheritance in Internal/Webchat Commands | OpenClaw | CWE-863 | 6.5 | Medium | 2026-06-16 |
| CVE-2026-53853 | OpenClaw < 2026.5.12 - Argument Pattern Bypass in Exec Allowlist via Linux and macOS | OpenClaw | CWE-693 | 8.3 | High | 2026-06-16 |
| CVE-2026-53852 | OpenClaw < 2026.4.25 - Scope Bypass via Empty-Scope Device Re-pairing | OpenClaw | CWE-636 | 5.4 | Medium | 2026-06-16 |
| CVE-2026-53851 | OpenClaw < 2026.5.12 - Slack Reaction Event Notification Bypass | OpenClaw | CWE-862 | 5.3 | Medium | 2026-06-16 |
| CVE-2026-53849 | OpenClaw < 2026.5.7 - Privilege Escalation via Mutable Discord Display Names in allowFrom | OpenClaw | CWE-290 | 8.1 | High | 2026-06-16 |
| CVE-2026-53850 | OpenClaw < 2026.4.25 - Control Scope Enforcement Bypass in Focus Command | OpenClaw | CWE-862 | 5.5 | Medium | 2026-06-16 |
| CVE-2026-53848 | OpenClaw < 2026.5.26 - Exec Allowlist Bypass via Transparent Command Wrappers | OpenClaw | CWE-184 | 4.3 | Medium | 2026-06-16 |
| CVE-2026-53847 | OpenClaw < 2026.5.6 - Privilege Escalation via Active Memory Write Scope | OpenClaw | CWE-266 | 5.4 | Medium | 2026-06-16 |
| CVE-2026-53846 | OpenClaw < 2026.4.29 - Arbitrary Package Manager Execution via Workspace .env npm_execpath | OpenClaw | CWE-426 | 7.1 | High | 2026-06-16 |
| CVE-2026-53845 | OpenClaw < 2026.5.6 - Skill-Command Dispatch Hook Bypass via Before-Tool-Call Hook Skipping | OpenClaw | CWE-693 | 4.3 | Medium | 2026-06-16 |
| CVE-2026-53844 | OpenClaw < 2026.4.29 - Session Visibility Check Bypass in Shared Memory Search | OpenClaw | CWE-862 | 6.5 | Medium | 2026-06-16 |
| CVE-2026-53843 | OpenClaw < 2026.5.26 - Node Token Revocation Bypass via Pairing-Scoped Device Session | OpenClaw | CWE-613 | 8.8 | High | 2026-06-16 |
| CVE-2026-53842 | OpenClaw < 2026.5.2 - Arbitrary Python Runtime Execution via CLOUDSDK_PYTHON Environment Variable | OpenClaw | CWE-426 | 7.1 | High | 2026-06-16 |
| CVE-2026-53841 | OpenClaw < 2026.5.12 - Cross-Site Scripting via Unsafe Markdown Links in Exported Session HTML | OpenClaw | CWE-83 | 6.1 | Medium | 2026-06-16 |
| CVE-2026-53840 | OpenClaw < 2026.5.12 - Custom Header Leakage via MCP Streamable HTTP Cross-Origin Redirects | OpenClaw | CWE-522 | 7.1 | High | 2026-06-16 |
| CVE-2026-53839 | OpenClaw < 2026.5.7 - Hostname Prefix Matching Bypass in Trusted Retry Endpoint Validation | OpenClaw | CWE-1023 | 6.5 | Medium | 2026-06-12 |
| CVE-2026-53838 | OpenClaw < 2026.5.27 - Node Pairing State Mutation via Reconnection | OpenClaw | CWE-367 | 9.8 | Critical | 2026-06-12 |
| CVE-2026-53837 | OpenClaw < 2026.5.6 - Missing Channel Type Validation in Mattermost Event Handlers | OpenClaw | CWE-636 | 3.7 | Low | 2026-06-12 |

This page lists every published CVE security advisory associated with OpenClaw. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.