Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

OpenClaw — Vulnerabilities & Security Advisories 449

Browse all 449 CVE security advisories affecting OpenClaw. AI-powered Chinese analysis, POCs, and references for each vulnerability.

OpenClaw is a specialized software platform designed for automated threat intelligence aggregation and vulnerability management, primarily serving enterprise security operations centers. Historically, its codebase has exhibited a high frequency of critical flaws, with 428 CVEs documented to date. The most prevalent vulnerability classes include remote code execution (RCE) and cross-site scripting (XSS), often stemming from insufficient input validation in its web interface components. Additionally, privilege escalation issues have been frequently reported, allowing unauthorized users to gain administrative access. A notable incident in 2022 involved a critical RCE flaw that enabled attackers to execute arbitrary commands on unpatched servers, leading to widespread data exposure across multiple client networks. These recurring security deficiencies highlight significant challenges in the platform’s secure development lifecycle, necessitating rigorous patching and continuous monitoring for organizations relying on OpenClaw for their security infrastructure.

Top products by OpenClaw: OpenClaw nextcloud-talk voice-call
CVE IDTitleCVSSSeverityPublished
CVE-2026-43535 OpenClaw < 2026.4.14 - Authorization Context Reuse in Collect-Mode Queue Batches — OpenClawCWE-266 6.8 Medium2026-05-05
CVE-2026-43534 OpenClaw < 2026.4.10 - Unsanitized External Input in Agent Hook Events — OpenClawCWE-345 9.1 Critical2026-05-05
CVE-2026-43533 OpenClaw < 2026.4.10 - Arbitrary Local File Read via QQBot Media Tags — OpenClawCWE-23 8.6 High2026-05-05
CVE-2026-43532 OpenClaw 2026.4.7 < 2026.4.10 - Sandbox Media Normalization Bypass via Discord Event Cover Image — OpenClawCWE-184 7.7 High2026-05-05
CVE-2026-43531 OpenClaw < 2026.4.9 - Environment Variable Injection via Workspace .env File — OpenClawCWE-15 7.3 High2026-05-05
CVE-2026-43530 OpenClaw 2026.2.23 < 2026.4.12 - Weakened Exec Approval Binding via busybox and toybox Applet Execution — OpenClawCWE-863 8.8 High2026-05-05
CVE-2026-43529 OpenClaw < 2026.4.10 - Time-of-Check-Time-of-Use (TOCTOU) Race Condition in exec Script Preflight Validator — OpenClawCWE-367 2.5 Low2026-05-05
CVE-2026-43527 OpenClaw < 2026.4.14 - Server-Side Request Forgery via Private Network Navigation — OpenClawCWE-918 7.7 High2026-05-05
CVE-2026-43528 OpenClaw < 2026.4.14 - Redaction Bypass via sourceConfig and runtimeConfig Aliases — OpenClawCWE-212 6.5 Medium2026-05-05
CVE-2026-43526 OpenClaw < 2026.4.12 - Server-Side Request Forgery via QQBot Reply Media URL Handling — OpenClawCWE-918 8.2 High2026-05-05
CVE-2026-42439 OpenClaw < 2026.4.10 - SSRF Policy Bypass in Browser Tabs Action Routes — OpenClawCWE-862 8.5 High2026-05-05
CVE-2026-42438 OpenClaw 2026.4.9 < 2026.4.10 - Sender Policy Bypass in Host Media Attachment Reads — OpenClawCWE-863 7.7 High2026-05-05
CVE-2026-42437 OpenClaw 2026.4.9 < 2026.4.10 - Denial of Service via Oversized WebSocket Frames in Voice-call Realtime Path — OpenClawCWE-770 7.5 High2026-05-05
CVE-2026-42435 OpenClaw 2026.2.22 < 2026.4.12 - Shell-Wrapper Detection Bypass via Environment Variable Assignment Injection — OpenClawCWE-184 8.8 High2026-05-05
CVE-2026-42436 OpenClaw < 2026.4.14 - Internal Page Content Exposure via Browser Snapshot and Screenshot Routes — OpenClawCWE-862 7.7 High2026-05-05
CVE-2026-42434 OpenClaw 2026.4.5 < 2026.4.10 - Sandbox Escape via host Parameter Override in Exec Routing — OpenClawCWE-863 8.8 High2026-05-05
CVE-2026-42433 OpenClaw < 2026.4.10 - Unauthorized Matrix Profile Config Persistence Access via operator.write Message Tools — OpenClawCWE-862 6.5 Medium2026-05-05
CVE-2026-42432 OpenClaw < 2026.4.8 - Command Escalation via Node Pairing Reconnect Bypass — OpenClawCWE-863 7.8 High2026-04-28
CVE-2026-42431 OpenClaw < 2026.4.8 - Persistent Profile Mutation via node.invoke(browser.proxy) Bypass — OpenClawCWE-863 8.1 High2026-04-28
CVE-2026-42430 OpenClaw < 2026.4.8 - Strict Browser SSRF Bypass via Playwright Redirect Handling — OpenClawCWE-918 6.5 Medium2026-04-28
CVE-2026-42428 OpenClaw < 2026.4.8 - Missing Integrity Verification in Package Downloads — OpenClawCWE-353 7.1 High2026-04-28
CVE-2026-42429 OpenClaw < 2026.4.8 - Privilege Escalation via Gateway Plugin HTTP Authentication — OpenClawCWE-863 7.1 High2026-04-28
CVE-2026-42427 OpenClaw < 2026.4.8 - Remote Code Execution via Build Tool Environment Variable Injection — OpenClawCWE-184 5.3 Medium2026-04-28
CVE-2026-42426 OpenClaw < 2026.4.8 - Improper Authorization in node.pair.approve via operator.write Scope — OpenClawCWE-863 8.8 High2026-04-28
CVE-2026-42424 OpenClaw < 2026.4.8 - Local File Exfiltration via Shared Reply MEDIA Paths — OpenClawCWE-73 5.7 Medium2026-04-28
CVE-2026-42423 OpenClaw < 2026.4.8 - strictInlineEval Approval Boundary Bypass via Approval-Timeout Fallback — OpenClawCWE-636 7.5 High2026-04-28
CVE-2026-42421 OpenClaw < 2026.4.8 - WebSocket Session Persistence via Shared Gateway Token Rotation — OpenClawCWE-613 5.4 Medium2026-04-28
CVE-2026-42422 OpenClaw < 2026.4.8 - Role Bypass in device.token.rotate Function — OpenClawCWE-863 8.8 High2026-04-28
CVE-2026-42420 OpenClaw < 2026.4.8 - Improper Base64 Decoding Size Validation — OpenClawCWE-770 4.3 Medium2026-04-28
CVE-2026-41916 OpenClaw < 2026.4.8 - Stale Authentication State via Config Reload — OpenClawCWE-613 5.4 Medium2026-04-28

This page lists every published CVE security advisory associated with OpenClaw. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.