Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1020 CNY

100%
Buy Us a Coffee

openclaw — Vulnerabilities & Security Advisories 470

Browse all 470 CVE security advisories affecting openclaw. AI-powered Chinese analysis, POCs, and references for each vulnerability.

OpenClaw is a specialized software platform designed for automated threat intelligence aggregation and vulnerability management, primarily serving enterprise security operations centers. Historically, its codebase has exhibited a high frequency of critical flaws, with 428 CVEs documented to date. The most prevalent vulnerability classes include remote code execution (RCE) and cross-site scripting (XSS), often stemming from insufficient input validation in its web interface components. Additionally, privilege escalation issues have been frequently reported, allowing unauthorized users to gain administrative access. A notable incident in 2022 involved a critical RCE flaw that enabled attackers to execute arbitrary commands on unpatched servers, leading to widespread data exposure across multiple client networks. These recurring security deficiencies highlight significant challenges in the platform’s secure development lifecycle, necessitating rigorous patching and continuous monitoring for organizations relying on OpenClaw for their security infrastructure.

Top products by openclaw: OpenClaw crabbox nextcloud-talk voice-call
CVE IDTitleCVSSSeverityPublished
CVE-2026-32059 OpenClaw 2026.2.22-2 < 2026.2.23 - Allowlist Bypass via sort Long-Option Abbreviation in tools.exec.safeBins — openclawCWE-863 8.8 High2026-03-11
CVE-2026-29613 OpenClaw < 2026.2.12 - Webhook Authentication Bypass via Loopback remoteAddress Trust — OpenClawCWE-306 5.9 Medium2026-03-05
CVE-2026-29612 OpenClaw < 2026.2.14 - Denial of Service via Large Base64 Media File Decoding — OpenClawCWE-770 5.5 Medium2026-03-05
CVE-2026-29611 OpenClaw < 2026.2.14 - Local File Inclusion via mediaPath Parameter in BlueBubbles Media Handling — OpenClawCWE-73 7.5 High2026-03-05
CVE-2026-29610 OpenClaw < 2026.2.14 - Command Hijacking via Unsafe PATH Handling — OpenClawCWE-427 8.8 High2026-03-05
CVE-2026-29609 OpenClaw < 2026.2.14 - Denial of Service via Unbounded URL-backed Media Fetch — OpenClawCWE-770 7.5 High2026-03-05
CVE-2026-29606 OpenClaw < 2026.2.14 - Webhook Signature Verification Bypass via ngrok Loopback Compatibility — OpenClawCWE-306 6.5 Medium2026-03-05
CVE-2026-28486 OpenClaw 2026.1.16-2 < 2026.2.14 - Path Traversal (Zip Slip) in Archive Extraction via Installation Commands — OpenClawCWE-22 6.1 Medium2026-03-05
CVE-2026-28485 OpenClaw 2026.1.5 < 2026.2.12 - Missing Authentication in Browser Control HTTP Endpoints — OpenClawCWE-306 8.4 High2026-03-05
CVE-2026-28482 OpenClaw < 2026.2.12 - Path Traversal via Unsanitized sessionId and sessionFile Parameters — OpenClawCWE-22 7.1 High2026-03-05
CVE-2026-28481 OpenClaw < 2026.2.1 - Bearer Token Leakage via MS Teams Attachment Downloader Suffix Matching — OpenClawCWE-201 6.5 Medium2026-03-05
CVE-2026-28480 OpenClaw < 2026.2.14 - Identity Spoofing via Mutable Username in Telegram Allowlist Authorization — OpenClawCWE-290 6.5 Medium2026-03-05
CVE-2026-28479 OpenClaw < 2026.2.15 - Cache Poisoning via Deprecated SHA-1 Hash in Sandbox Configuration — OpenClawCWE-327 7.5 High2026-03-05
CVE-2026-28478 OpenClaw < 2026.2.13 - Denial of Service via Unbounded Webhook Request Body Buffering — OpenClawCWE-770 7.5 High2026-03-05
CVE-2026-28477 OpenClaw < 2026.2.14 - OAuth State Validation Bypass in Manual Chutes Login Flow — OpenClawCWE-352 7.1 High2026-03-05
CVE-2026-28476 OpenClaw < 2026.2.14 - Server-Side Request Forgery in Tlon Extension Authentication — OpenClawCWE-918 8.3 High2026-03-05
CVE-2026-28475 OpenClaw < 2026.2.13 - Timing Attack via Hook Token Comparison — OpenClawCWE-208 4.8 Medium2026-03-05
CVE-2026-28474 OpenClaw Nextcloud Talk < 2026.2.6 - Allowlist Bypass via actor.name Display Name Spoofing — nextcloud-talkCWE-863 9.8 Critical2026-03-05
CVE-2026-28473 OpenClaw < 2026.2.2 - Authorization Bypass via /approve Chat Command — OpenClawCWE-863 8.1 High2026-03-05
CVE-2026-28472 OpenClaw < 2026.2.2 - Device Identity Check Bypass in Gateway WebSocket Connect Handshake — OpenClawCWE-306 8.1 High2026-03-05
CVE-2026-28470 OpenClaw < 2026.2.2 - Exec Allowlist Bypass via Command Substitution in Double Quotes — OpenClawCWE-78 9.8 Critical2026-03-05
CVE-2026-28471 OpenClaw 2026.1.14-1 < 2026.2.2 - Allowlist Bypass via displayName and Cross-Homeserver localpart Matching in Matrix Plugin — OpenClawCWE-287 5.3 Medium2026-03-05
CVE-2026-28469 OpenClaw < 2026.2.14 - Cross-Account Policy Context Misrouting via Shared Webhook Path Ambiguity — OpenClawCWE-639 7.5 High2026-03-05
CVE-2026-28468 OpenClaw 2026.1.29-beta.1 < 2026.2.14 - Authentication Bypass in Sandbox Browser Bridge Server — OpenClawCWE-306 7.7 High2026-03-05
CVE-2026-28467 OpenClaw < 2026.2.2 - SSRF via Attachment Media URL Hydration — OpenClawCWE-918 6.5 Medium2026-03-05
CVE-2026-28466 OpenClaw < 2026.2.14 - Remote Code Execution via Node Invoke Approval Bypass — OpenClawCWE-863 9.9 Critical2026-03-05
CVE-2026-28465 OpenClaw voice-call < 2026.2.3 - Webhook Verification Bypass via Forwarded Headers — voice-callCWE-290 5.9 Medium2026-03-05
CVE-2026-28464 OpenClaw < 2026.2.12 - Timing Attack in Hooks Token Authentication — OpenClawCWE-208 5.9 Medium2026-03-05
CVE-2026-28463 OpenClaw < 2026.2.14 - Arbitrary File Read via Shell Expansion in Safe Bins Allowlist — OpenClawCWE-78 8.4 High2026-03-05
CVE-2026-28462 OpenClaw < 2026.2.13 - Path Traversal in Trace and Download Output Paths — OpenClawCWE-22 7.5 High2026-03-05

This page lists every published CVE security advisory associated with openclaw. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.