Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

openclaw — Vulnerabilities & Security Advisories 470

Browse all 470 CVE security advisories affecting openclaw. AI-powered Chinese analysis, POCs, and references for each vulnerability.

OpenClaw is a specialized software platform designed for automated threat intelligence aggregation and vulnerability management, primarily serving enterprise security operations centers. Historically, its codebase has exhibited a high frequency of critical flaws, with 428 CVEs documented to date. The most prevalent vulnerability classes include remote code execution (RCE) and cross-site scripting (XSS), often stemming from insufficient input validation in its web interface components. Additionally, privilege escalation issues have been frequently reported, allowing unauthorized users to gain administrative access. A notable incident in 2022 involved a critical RCE flaw that enabled attackers to execute arbitrary commands on unpatched servers, leading to widespread data exposure across multiple client networks. These recurring security deficiencies highlight significant challenges in the platform’s secure development lifecycle, necessitating rigorous patching and continuous monitoring for organizations relying on OpenClaw for their security infrastructure.

Found 463 results / 470Clear Filters
Top products by openclaw: OpenClaw crabbox nextcloud-talk voice-call
CVE IDTitleCVSSSeverityPublished
CVE-2026-28451 OpenClaw < 2026.2.14 - SSRF via Feishu Extension Media Fetching — OpenClaw 8.3 High2026-03-05
CVE-2026-28450 OpenClaw < 2026.2.12 - Unauthenticated Profile Tampering via Nostr Plugin HTTP Endpoints — OpenClaw 6.8 Medium2026-03-05
CVE-2026-28448 OpenClaw 2026.1.29 < 2026.2.1 - Authorization Bypass in Twitch Plugin allowFrom Access Control — OpenClawCWE-285 7.3 High2026-03-05
CVE-2026-28447 OpenClaw 2026.1.29-beta.1 < 2026.2.1 - Path Traversal in Plugin Installation via Package Name — OpenClawCWE-22 8.1 High2026-03-05
CVE-2026-28446 OpenClaw < 2026.2.1 - Inbound Allowlist Policy Bypass in voice-call Extension via Empty Caller ID and Suffix Matching — OpenClaw 9.4 Critical2026-03-05
CVE-2026-28395 OpenClaw 2026.1.14-1 < 2026.2.12 - Unintended Public Binding of Chrome Extension Relay via Wildcard cdpUrl — OpenClawCWE-1327 6.5 Medium2026-03-05
CVE-2026-28394 OpenClaw < 2026.2.15 - Denial of Service via Unbounded Response Parsing in web_fetch Tool — OpenClawCWE-770 6.5 Medium2026-03-05
CVE-2026-28393 OpenClaw 2.0.0-beta3 < 2026.2.14 - Arbitrary JavaScript Module Loading via Hook Transform Path Traversal — OpenClawCWE-22 7.7 High2026-03-05
CVE-2026-28392 OpenClaw < 2026.2.14 - Privilege Escalation in Slack Slash Command Handler via Direct Messages — OpenClaw 7.5 High2026-03-05
CVE-2026-28391 OpenClaw < 2026.2.2 - Command Injection via cmd.exe Parsing Bypass in Allowlist Enforcement — OpenClaw 9.8 Critical2026-03-05
CVE-2026-28363 OpenClaw 安全漏洞 — OpenClawCWE-184 9.9 Critical2026-02-27
CVE-2026-27576 OpenClaw: ACP prompt-size checks missing in local stdio bridge could reduce responsiveness with very large inputs — openclawCWE-400 3.3 -2026-02-21
CVE-2026-27488 OpenClaw hardened cron webhook delivery against SSRF — openclawCWE-918 7.1 -2026-02-21
CVE-2026-27487 OpenClaw: Prevent shell injection in macOS keychain credential write — openclawCWE-78 7.6 High2026-02-21
CVE-2026-27486 OpenClaw: Process Safety - Unvalidated PID Kill via SIGKILL in Process Cleanup — openclawCWE-283 6.5AIMediumAI2026-02-21
CVE-2026-27485 OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection — openclawCWE-61 5.5 -2026-02-21
CVE-2026-27484 OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows — openclawCWE-862 6.5 -2026-02-21
CVE-2026-27009 OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection — openclawCWE-79 5.8 Medium2026-02-19
CVE-2026-27008 OpenClaw hardened the skill download target directory validation — openclawCWE-73 7.7 -2026-02-19
CVE-2026-27007 OpenClaw's sandbox config hash sorted primitive arrays and suppressed needed container recreation — openclawCWE-1254 7.1 -2026-02-19
CVE-2026-27004 OpenClaw session tool visibility hardening and Telegram webhook secret fallback — openclawCWE-209 6.5 -2026-02-19
CVE-2026-27003 OpenClaw: Telegram bot token exposure via logs — openclawCWE-522 9.8 -2026-02-19
CVE-2026-27002 OpenClaw: Docker container escape via unvalidated bind mount config injection — openclawCWE-250 9.6 -2026-02-19
CVE-2026-27001 OpenClaw: Unsanitized CWD path injection into LLM prompts — openclawCWE-77 7.6 -2026-02-19
CVE-2026-26972 OpenClaw has a Path Traversal in Browser Download Functionality — openclawCWE-22 6.7 Medium2026-02-19
CVE-2026-26329 OpenClaw has a path traversal in browser upload allows local file read — openclawCWE-22 6.5 -2026-02-19
CVE-2026-26328 OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities — openclawCWE-284 6.5 Medium2026-02-19
CVE-2026-26327 OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning — openclawCWE-345 9.3 -2026-02-19
CVE-2026-26326 OpenClaw skills.status could leak secrets to operator.read clients — openclawCWE-200 6.5 -2026-02-19
CVE-2026-26325 OpenClaw Node host system.run rawCommand/command mismatch can bypass allowlist/approvals — openclawCWE-284 7.2 High2026-02-19

This page lists every published CVE security advisory associated with openclaw. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.