Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

OpenClaw — Vulnerabilities & Security Advisories 449

Browse all 449 CVE security advisories affecting OpenClaw. AI-powered Chinese analysis, POCs, and references for each vulnerability.

OpenClaw is a specialized software platform designed for automated threat intelligence aggregation and vulnerability management, primarily serving enterprise security operations centers. Historically, its codebase has exhibited a high frequency of critical flaws, with 428 CVEs documented to date. The most prevalent vulnerability classes include remote code execution (RCE) and cross-site scripting (XSS), often stemming from insufficient input validation in its web interface components. Additionally, privilege escalation issues have been frequently reported, allowing unauthorized users to gain administrative access. A notable incident in 2022 involved a critical RCE flaw that enabled attackers to execute arbitrary commands on unpatched servers, leading to widespread data exposure across multiple client networks. These recurring security deficiencies highlight significant challenges in the platform’s secure development lifecycle, necessitating rigorous patching and continuous monitoring for organizations relying on OpenClaw for their security infrastructure.

Top products by OpenClaw: OpenClaw nextcloud-talk voice-call
CVE IDTitleCVSSSeverityPublished
CVE-2026-28471 OpenClaw 2026.1.14-1 < 2026.2.2 - Allowlist Bypass via displayName and Cross-Homeserver localpart Matching in Matrix Plugin — OpenClawCWE-287 5.3 Medium2026-03-05
CVE-2026-28469 OpenClaw < 2026.2.14 - Cross-Account Policy Context Misrouting via Shared Webhook Path Ambiguity — OpenClawCWE-639 7.5 High2026-03-05
CVE-2026-28468 OpenClaw 2026.1.29-beta.1 < 2026.2.14 - Authentication Bypass in Sandbox Browser Bridge Server — OpenClawCWE-306 7.7 High2026-03-05
CVE-2026-28467 OpenClaw < 2026.2.2 - SSRF via Attachment Media URL Hydration — OpenClawCWE-918 6.5 Medium2026-03-05
CVE-2026-28466 OpenClaw < 2026.2.14 - Remote Code Execution via Node Invoke Approval Bypass — OpenClawCWE-863 9.9 Critical2026-03-05
CVE-2026-28465 OpenClaw voice-call < 2026.2.3 - Webhook Verification Bypass via Forwarded Headers — voice-callCWE-290 5.9 Medium2026-03-05
CVE-2026-28464 OpenClaw < 2026.2.12 - Timing Attack in Hooks Token Authentication — OpenClawCWE-208 5.9 Medium2026-03-05
CVE-2026-28463 OpenClaw < 2026.2.14 - Arbitrary File Read via Shell Expansion in Safe Bins Allowlist — OpenClawCWE-78 8.4 High2026-03-05
CVE-2026-28462 OpenClaw < 2026.2.13 - Path Traversal in Trace and Download Output Paths — OpenClawCWE-22 7.5 High2026-03-05
CVE-2026-28459 OpenClaw < 2026.2.12 - Arbitrary File Write via Untrusted sessionFile Path — OpenClawCWE-73 7.1 High2026-03-05
CVE-2026-28458 OpenClaw 2026.1.20 < 2026.2.1 - Missing Authentication in Browser Relay /cdp WebSocket Endpoint — OpenClawCWE-306 8.1 High2026-03-05
CVE-2026-28457 OpenClaw < 2026.2.14 - Path Traversal in Sandbox Skill Mirroring via Name Parameter — OpenClawCWE-22 6.1 Medium2026-03-05
CVE-2026-28456 OpenClaw 2026.1.5 < 2026.2.14 - Arbitrary Code Execution via Unsafe Hook Module Path Handling — OpenClawCWE-427 7.2 High2026-03-05
CVE-2026-28454 OpenClaw < 2026.2.2 - Authorization Bypass via Unauthenticated Telegram Webhook — OpenClawCWE-345 7.5 High2026-03-05
CVE-2026-28453 OpenClaw < 2026.2.14 - Zip Slip Path Traversal in TAR Archive Extraction — OpenClawCWE-22 7.5 High2026-03-05
CVE-2026-28452 OpenClaw < 2026.2.14 - Denial of Service via Unguarded Archive Extraction in extractArchive — OpenClawCWE-770 5.5 Medium2026-03-05
CVE-2026-28451 OpenClaw < 2026.2.14 - SSRF via Feishu Extension Media Fetching — OpenClaw 8.3 High2026-03-05
CVE-2026-28450 OpenClaw < 2026.2.12 - Unauthenticated Profile Tampering via Nostr Plugin HTTP Endpoints — OpenClaw 6.8 Medium2026-03-05
CVE-2026-28448 OpenClaw 2026.1.29 < 2026.2.1 - Authorization Bypass in Twitch Plugin allowFrom Access Control — OpenClawCWE-285 7.3 High2026-03-05
CVE-2026-28447 OpenClaw 2026.1.29-beta.1 < 2026.2.1 - Path Traversal in Plugin Installation via Package Name — OpenClawCWE-22 8.1 High2026-03-05
CVE-2026-28446 OpenClaw < 2026.2.1 - Inbound Allowlist Policy Bypass in voice-call Extension via Empty Caller ID and Suffix Matching — OpenClaw 9.4 Critical2026-03-05
CVE-2026-28395 OpenClaw 2026.1.14-1 < 2026.2.12 - Unintended Public Binding of Chrome Extension Relay via Wildcard cdpUrl — OpenClawCWE-1327 6.5 Medium2026-03-05
CVE-2026-28394 OpenClaw < 2026.2.15 - Denial of Service via Unbounded Response Parsing in web_fetch Tool — OpenClawCWE-770 6.5 Medium2026-03-05
CVE-2026-28393 OpenClaw 2.0.0-beta3 < 2026.2.14 - Arbitrary JavaScript Module Loading via Hook Transform Path Traversal — OpenClawCWE-22 7.7 High2026-03-05
CVE-2026-28392 OpenClaw < 2026.2.14 - Privilege Escalation in Slack Slash Command Handler via Direct Messages — OpenClaw 7.5 High2026-03-05
CVE-2026-28391 OpenClaw < 2026.2.2 - Command Injection via cmd.exe Parsing Bypass in Allowlist Enforcement — OpenClaw 9.8 Critical2026-03-05
CVE-2026-28363 OpenClaw 安全漏洞 — OpenClawCWE-184 9.9 Critical2026-02-27
CVE-2026-27576 OpenClaw: ACP prompt-size checks missing in local stdio bridge could reduce responsiveness with very large inputs — openclawCWE-400 3.3 -2026-02-21
CVE-2026-27488 OpenClaw hardened cron webhook delivery against SSRF — openclawCWE-918 7.1 -2026-02-21
CVE-2026-27487 OpenClaw: Prevent shell injection in macOS keychain credential write — openclawCWE-78 7.6 High2026-02-21

This page lists every published CVE security advisory associated with OpenClaw. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.