openclaw — Vulnerabilities & Security Advisories 449

Browse all 449 CVE security advisories affecting openclaw. AI-powered Chinese analysis, POCs, and references for each vulnerability.

OpenClaw is a specialized software platform designed for automated threat intelligence aggregation and vulnerability management, primarily serving enterprise security operations centers. Historically, its codebase has exhibited a high frequency of critical flaws, with 428 CVEs documented to date. The most prevalent vulnerability classes include remote code execution (RCE) and cross-site scripting (XSS), often stemming from insufficient input validation in its web interface components. Additionally, privilege escalation issues have been frequently reported, allowing unauthorized users to gain administrative access. A notable incident in 2022 involved a critical RCE flaw that enabled attackers to execute arbitrary commands on unpatched servers, leading to widespread data exposure across multiple client networks. These recurring security deficiencies highlight significant challenges in the platform’s secure development lifecycle, necessitating rigorous patching and continuous monitoring for organizations relying on OpenClaw for their security infrastructure.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-32064 | OpenClaw < 2026.2.21 - Missing VNC Authentication in Sandbox Browser noVNC Observer | OpenClaw | CWE-306 | 7.7 | High | 2026-03-21 |
| CVE-2026-32058 | OpenClaw < 2026.2.26 - Approval Context-Binding Weakness in system.run via host=node | OpenClaw | CWE-863 | 2.6 | Low | 2026-03-21 |
| CVE-2026-32057 | OpenClaw < 2026.2.25 - Authentication Bypass via Control UI client.id Parameter | OpenClaw | CWE-807 | 7.1 | High | 2026-03-21 |
| CVE-2026-32056 | OpenClaw < 2026.2.22 - Remote Code Execution via Shell Startup Environment Variable Injection in system.run | OpenClaw | CWE-78 | 7.5 | High | 2026-03-21 |
| CVE-2026-32055 | OpenClaw < 2026.2.26 - Workspace Path Boundary Bypass via Non-existent Symlink | OpenClaw | CWE-22 | 7.6 | High | 2026-03-21 |
| CVE-2026-32054 | OpenClaw < 2026.2.25 - Symlink Traversal in Browser Trace/Download Path Handling | OpenClaw | CWE-59 | 6.5 | Medium | 2026-03-21 |
| CVE-2026-32053 | OpenClaw < 2026.2.23 - Twilio Webhook Replay Bypass via Randomized Event ID Normalization | OpenClaw | CWE-294 | 6.5 | Medium | 2026-03-21 |
| CVE-2026-32052 | OpenClaw < 2026.2.24 - Hidden Command Execution via Shell-Wrapper Positional argv Carriers | OpenClaw | CWE-436 | 6.4 | Medium | 2026-03-21 |
| CVE-2026-32051 | OpenClaw < 2026.3.1 - Authorization Bypass in Agent Runs via Owner-Only Tool Access | OpenClaw | CWE-863 | 8.8 | High | 2026-03-21 |
| CVE-2026-32050 | OpenClaw < 2026.2.25 - Unauthorized Reaction Status Event Enqueue via Access Check Bypass | OpenClaw | CWE-863 | 3.7 | Low | 2026-03-21 |
| CVE-2026-32049 | OpenClaw < 2026.2.22 - Denial of Service via Inbound Media Download Byte Limit Bypass | OpenClaw | CWE-770 | 7.5 | High | 2026-03-21 |
| CVE-2026-32048 | OpenClaw < 2026.3.1 - Sandbox Escape via Cross-Agent sessions_spawn | OpenClaw | CWE-732 | 7.5 | High | 2026-03-21 |
| CVE-2026-32046 | OpenClaw < 2026.2.21 - OS-level Sandbox Bypass via --no-sandbox Flag | OpenClaw | CWE-1188 | 5.3 | Medium | 2026-03-21 |
| CVE-2026-32045 | OpenClaw < 2026.2.21 - Authentication Bypass in HTTP Gateway Routes via Tokenless Tailscale Auth | OpenClaw | CWE-290 | 5.9 | Medium | 2026-03-21 |
| CVE-2026-32044 | OpenClaw < 2026.3.2 - Tar Archive Safety Bypass in Skills Installation | OpenClaw | CWE-409 | 5.5 | Medium | 2026-03-21 |
| CVE-2026-32043 | OpenClaw < 2026.2.25 - Time-of-Check-Time-of-Use via Mutable Symlink in system.run cwd Parameter | OpenClaw | CWE-367 | 6.5 | Medium | 2026-03-21 |
| CVE-2026-32042 | OpenClaw < 2026.2.25 - Privilege Escalation via Unpaired Device Identity in Shared Gateway Authentication | OpenClaw | CWE-863 | 8.8 | High | 2026-03-21 |
| CVE-2026-22172 | OpenClaw < 2026.3.12 - Scope Elevation in WebSocket Shared-Auth Connections | OpenClaw | CWE-862 | 9.9 | Critical | 2026-03-20 |
| CVE-2026-32041 | OpenClaw < 2026.3.1 - Unauthenticated Browser Control Access via Failed Auth Bootstrap | OpenClaw | CWE-306 | 6.9 | Medium | 2026-03-19 |
| CVE-2026-32040 | OpenClaw < 2026.2.23 - HTML Injection via Unvalidated Image MIME Type in Data-URL Interpolation | OpenClaw | CWE-79 | 4.6 | Medium | 2026-03-19 |
| CVE-2026-32039 | OpenClaw < 2026.2.22 - Sender Authorization Bypass via Identity Collision in toolsBySender | OpenClaw | CWE-639 | 5.9 | Medium | 2026-03-19 |
| CVE-2026-32037 | OpenClaw < 2026.2.22 - Redirect Chain Bypass of Media Host Allowlist in MSTeams Attachment Handling | OpenClaw | CWE-918 | 6.0 | Medium | 2026-03-19 |
| CVE-2026-32038 | OpenClaw - Sandbox Network Isolation Bypass via docker.network=container Parameter | OpenClaw | CWE-284 | 9.8 | Critical | 2026-03-19 |
| CVE-2026-32036 | OpenClaw < 2026.2.26 - Authentication Bypass via Encoded Dot-Segment Traversal in /api/channels | OpenClaw | CWE-289 | 6.5 | Medium | 2026-03-19 |
| CVE-2026-32035 | OpenClaw < 2026.3.2 - Missing Owner Flag Validation in Discord Voice Transcript Handler | OpenClaw | CWE-863 | 5.9 | Medium | 2026-03-19 |
| CVE-2026-32034 | OpenClaw < 2026.2.21 - Insecure Control UI Authentication over Plaintext HTTP | OpenClaw | CWE-78 | 8.1 | High | 2026-03-19 |
| CVE-2026-32033 | OpenClaw < 2026.2.24 - Path Traversal via @-prefixed Absolute Paths in Workspace Boundary Validation | OpenClaw | CWE-22 | 6.5 | Medium | 2026-03-19 |
| CVE-2026-32032 | OpenClaw < 2026.2.22 - Arbitrary Shell Execution via Unvalidated SHELL Environment Variable | OpenClaw | CWE-426 | 7.8 | High | 2026-03-19 |
| CVE-2026-32031 | OpenClaw < 2026.2.26 - Authentication Bypass via Path Canonicalization Mismatch in /api/channels Gateway | OpenClaw | CWE-288 | 4.8 | Medium | 2026-03-19 |
| CVE-2026-32030 | OpenClaw < 2026.2.19 - Sensitive File Disclosure via stageSandboxMedia Path Traversal | OpenClaw | CWE-22 | 7.5 | High | 2026-03-19 |

This page lists every published CVE security advisory associated with openclaw. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.