
openclaw — Vulnerabilities & Security Advisories (470)

Browse all 470 CVE security advisories affecting openclaw. AI-powered Chinese analysis, POCs, and references for each vulnerability.

OpenClaw is a specialized software platform designed for automated threat intelligence aggregation and vulnerability management, primarily serving enterprise security operations centers. Historically, its codebase has exhibited a high frequency of critical flaws, with 428 CVEs documented to date. The most prevalent vulnerability classes include remote code execution (RCE) and cross-site scripting (XSS), often stemming from insufficient input validation in its web interface components. Additionally, privilege escalation issues have been frequently reported, allowing unauthorized users to gain administrative access. A notable incident in 2022 involved a critical RCE flaw that enabled attackers to execute arbitrary commands on unpatched servers, leading to widespread data exposure across multiple client networks. These recurring security deficiencies highlight significant challenges in the platform’s secure development lifecycle, necessitating rigorous patching and continuous monitoring for organizations relying on OpenClaw for their security infrastructure.

Found 463 results / 470
CVE ID         | Title                                                                                            | Vendor   | CWE      | CVSS | Severity | Published
CVE-2026-45006 | OpenClaw < 2026.4.23 - Unsafe Config Mutation via Gateway Tool Denylist Bypass                    | OpenClaw | CWE-184  | 8.8  | High     | 2026-05-11
CVE-2026-45005 | OpenClaw < 2026.4.23 - Webhook Route Secret Cache Not Invalidated After Rotation                  | OpenClaw | CWE-672  | 6.0  | Medium   | 2026-05-11
CVE-2026-45004 | OpenClaw < 2026.4.23 - Arbitrary Code Execution via setup-api.js in Current Working Directory     | OpenClaw | CWE-427  | 7.8  | High     | 2026-05-11
CVE-2026-45003 | OpenClaw < 2026.4.22 - Connector Endpoint Host Override via Workspace dotenv Files                | OpenClaw | CWE-441  | 5.0  | Medium   | 2026-05-11
CVE-2026-45002 | OpenClaw < 2026.4.20 - Hook Session-Key Bypass via Template Mapping                               | OpenClaw | CWE-863  | 5.3  | Medium   | 2026-05-11
CVE-2026-45001 | OpenClaw < 2026.4.20 - Gateway Config Mutation Guard Bypass via Agent Tool Access                 | OpenClaw | CWE-862  | 7.1  | High     | 2026-05-11
CVE-2026-45000 | OpenClaw < 2026.4.20 - Server-Side Request Forgery via Browser CDP Profile Creation               | OpenClaw | CWE-918  | 5.0  | Medium   | 2026-05-11
CVE-2026-44999 | OpenClaw < 2026.4.20 - Improper Trust Labeling in Isolated Cron Awareness Events                  | OpenClaw | CWE-345  | 5.3  | Medium   | 2026-05-11
CVE-2026-44998 | OpenClaw < 2026.4.20 - Tool Policy Bypass via Bundled MCP/LSP Tools                               | OpenClaw | CWE-863  | 5.4  | Medium   | 2026-05-11
CVE-2026-44997 | OpenClaw < 2026.4.22 - Security Envelope Constraint Bypass in ACP Child Sessions                  | OpenClaw | CWE-266  | 4.3  | Medium   | 2026-05-11
CVE-2026-44996 | OpenClaw < 2026.4.15 - Arbitrary Local File Read via Webchat Audio Embedding                      | OpenClaw | CWE-22   | 3.7  | Low      | 2026-05-11
CVE-2026-44995 | OpenClaw < 2026.4.20 - Arbitrary Code Execution via MCP stdio Environment Variables               | OpenClaw | CWE-829  | 7.3  | High     | 2026-05-11
CVE-2026-44994 | OpenClaw < 2026.4.22 - Authentication Bypass in Gateway Control UI Bootstrap Config Endpoint      | OpenClaw | CWE-862  | 5.3  | Medium   | 2026-05-11
CVE-2026-44993 | OpenClaw < 2026.4.20 - Direct Message Misclassification in Feishu Card Actions                    | OpenClaw | CWE-184  | 5.4  | Medium   | 2026-05-11
CVE-2026-44992 | OpenClaw 2026.4.5 < 2026.4.20 - MiniMax API Host Override via Workspace dotenv                    | OpenClaw | CWE-441  | 5.0  | Medium   | 2026-05-11
CVE-2026-44991 | OpenClaw < 2026.4.21 - Authorization Bypass in Owner-Enforced Commands via Wildcard Channel Senders | OpenClaw | CWE-863  | 4.2  | Medium   | 2026-05-11
CVE-2026-44118 | OpenClaw < 2026.4.22 - Owner Context Spoofing via Bearer Token Header                             | OpenClaw | CWE-290  | 7.8  | High     | 2026-05-06
CVE-2026-44117 | OpenClaw < 2026.4.20 - Server-Side Request Forgery in QQBot Direct Media Upload                   | OpenClaw | CWE-918  | 5.8  | Medium   | 2026-05-06
CVE-2026-44116 | OpenClaw < 2026.4.22 - Server-Side Request Forgery in Zalo Photo URL Validation                   | OpenClaw | CWE-918  | 8.6  | High     | 2026-05-06
CVE-2026-44115 | OpenClaw < 2026.4.22 - Shell Expansion Bypass in Unquoted Heredocs via Exec Allowlist             | OpenClaw | CWE-184  | 8.8  | High     | 2026-05-06
CVE-2026-44114 | OpenClaw < 2026.4.20 - Environment Variable Namespace Collision via Workspace dotenv              | OpenClaw | CWE-184  | 7.8  | High     | 2026-05-06
CVE-2026-44112 | OpenClaw < 2026.4.22 - Symlink Swap Race Condition in OpenShell FS Bridge Writes                  | OpenClaw | CWE-367  | 9.6  | Critical | 2026-05-06
CVE-2026-44113 | OpenClaw < 2026.4.22 - Time-of-Check/Time-of-Use Race Condition in OpenShell FS Bridge            | OpenClaw | CWE-367  | 7.7  | High     | 2026-05-06
CVE-2026-44111 | OpenClaw < 2026.4.15 - Arbitrary Markdown File Read via QMD memory_get                            | OpenClaw | CWE-183  | 4.3  | Medium   | 2026-05-06
CVE-2026-44109 | OpenClaw < 2026.4.15 - Authentication Bypass in Feishu Webhook and Card-Action Validation         | OpenClaw | CWE-1188 | 9.8  | Critical | 2026-05-06
CVE-2026-44110 | OpenClaw < 2026.4.15 - Authorization Bypass in Matrix Room Control Commands via DM Pairing Store  | OpenClaw | CWE-863  | 8.8  | High     | 2026-05-06
CVE-2026-43585 | OpenClaw < 2026.4.15 - Bearer Token Validation Bypass via Stale SecretRef Resolution              | OpenClaw | CWE-672  | 8.1  | High     | 2026-05-06
CVE-2026-43584 | OpenClaw < 2026.4.10 - Insufficient Environment Variable Denylist in Exec Policy                  | OpenClaw | CWE-184  | 8.8  | High     | 2026-05-06
CVE-2026-43583 | OpenClaw 2026.4.10 < 2026.4.14 - Loss of Group Tool-Policy Context in Delivery Queue Recovery     | OpenClaw | CWE-862  | 5.3  | Medium   | 2026-05-06
CVE-2026-43582 | OpenClaw < 2026.4.10 - DNS Rebinding SSRF via Hostname Validation Bypass                          | OpenClaw | CWE-367  | 6.3  | Medium   | 2026-05-06

This page lists every published CVE security advisory associated with openclaw. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.