Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

openclaw — Vulnerabilities & Security Advisories 449

Browse all 449 CVE security advisories affecting openclaw. AI-powered Chinese analysis, POCs, and references for each vulnerability.

OpenClaw is a specialized software platform designed for automated threat intelligence aggregation and vulnerability management, primarily serving enterprise security operations centers. Historically, its codebase has exhibited a high frequency of critical flaws, with 428 CVEs documented to date. The most prevalent vulnerability classes include remote code execution (RCE) and cross-site scripting (XSS), often stemming from insufficient input validation in its web interface components. Additionally, privilege escalation issues have been frequently reported, allowing unauthorized users to gain administrative access. A notable incident in 2022 involved a critical RCE flaw that enabled attackers to execute arbitrary commands on unpatched servers, leading to widespread data exposure across multiple client networks. These recurring security deficiencies highlight significant challenges in the platform’s secure development lifecycle, necessitating rigorous patching and continuous monitoring for organizations relying on OpenClaw for their security infrastructure.

Top products by openclaw: OpenClaw nextcloud-talk voice-call
CVE IDTitleCVSSSeverityPublished
CVE-2026-22171 OpenClaw < 2026.2.19 - Path Traversal in Feishu Media Temporary File Naming — OpenClawCWE-22 8.2 High2026-03-18
CVE-2026-22169 OpenClaw < 2026.2.22 - Allowlist Bypass via sort Configuration in safeBins — OpenClawCWE-78 6.7 Medium2026-03-18
CVE-2026-22170 OpenClaw < 2026.2.22 BlueBubbles - Access Control Bypass via Empty allowFrom Configuration — OpenClawCWE-863 6.5 Medium2026-03-18
CVE-2026-22168 OpenClaw < 2026.2.21 - Command Injection via cmd.exe /c Trailing Arguments in system.run — OpenClawCWE-88 6.5 Medium2026-03-18
CVE-2026-32302 OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode — openclawCWE-346 8.1 High2026-03-12
CVE-2026-32063 OpenClaw 2026.2.19-2 < 2026.2.21 - Command Injection via Newline in systemd Unit Generation — openclawCWE-77 7.1 High2026-03-11
CVE-2026-32062 OpenClaw 2026.2.21-2 < 2026.2.22 - Unauthenticated WebSocket Resource Exhaustion via Media Stream — openclawCWE-770 7.5 High2026-03-11
CVE-2026-32061 OpenClaw < 2026.2.17 - Arbitrary File Read via $include Directive Path Traversal — openclawCWE-22 4.4 Medium2026-03-11
CVE-2026-32060 OpenClaw < 2026.2.14 - Path Traversal in apply_patch via Crafted Paths — openclawCWE-22 8.8 High2026-03-11
CVE-2026-32059 OpenClaw 2026.2.22-2 < 2026.2.23 - Allowlist Bypass via sort Long-Option Abbreviation in tools.exec.safeBins — openclawCWE-863 8.8 High2026-03-11
CVE-2026-29613 OpenClaw < 2026.2.12 - Webhook Authentication Bypass via Loopback remoteAddress Trust — OpenClawCWE-306 5.9 Medium2026-03-05
CVE-2026-29612 OpenClaw < 2026.2.14 - Denial of Service via Large Base64 Media File Decoding — OpenClawCWE-770 5.5 Medium2026-03-05
CVE-2026-29611 OpenClaw < 2026.2.14 - Local File Inclusion via mediaPath Parameter in BlueBubbles Media Handling — OpenClawCWE-73 7.5 High2026-03-05
CVE-2026-29610 OpenClaw < 2026.2.14 - Command Hijacking via Unsafe PATH Handling — OpenClawCWE-427 8.8 High2026-03-05
CVE-2026-29609 OpenClaw < 2026.2.14 - Denial of Service via Unbounded URL-backed Media Fetch — OpenClawCWE-770 7.5 High2026-03-05
CVE-2026-29606 OpenClaw < 2026.2.14 - Webhook Signature Verification Bypass via ngrok Loopback Compatibility — OpenClawCWE-306 6.5 Medium2026-03-05
CVE-2026-28486 OpenClaw 2026.1.16-2 < 2026.2.14 - Path Traversal (Zip Slip) in Archive Extraction via Installation Commands — OpenClawCWE-22 6.1 Medium2026-03-05
CVE-2026-28485 OpenClaw 2026.1.5 < 2026.2.12 - Missing Authentication in Browser Control HTTP Endpoints — OpenClawCWE-306 8.4 High2026-03-05
CVE-2026-28482 OpenClaw < 2026.2.12 - Path Traversal via Unsanitized sessionId and sessionFile Parameters — OpenClawCWE-22 7.1 High2026-03-05
CVE-2026-28481 OpenClaw < 2026.2.1 - Bearer Token Leakage via MS Teams Attachment Downloader Suffix Matching — OpenClawCWE-201 6.5 Medium2026-03-05
CVE-2026-28480 OpenClaw < 2026.2.14 - Identity Spoofing via Mutable Username in Telegram Allowlist Authorization — OpenClawCWE-290 6.5 Medium2026-03-05
CVE-2026-28479 OpenClaw < 2026.2.15 - Cache Poisoning via Deprecated SHA-1 Hash in Sandbox Configuration — OpenClawCWE-327 7.5 High2026-03-05
CVE-2026-28478 OpenClaw < 2026.2.13 - Denial of Service via Unbounded Webhook Request Body Buffering — OpenClawCWE-770 7.5 High2026-03-05
CVE-2026-28477 OpenClaw < 2026.2.14 - OAuth State Validation Bypass in Manual Chutes Login Flow — OpenClawCWE-352 7.1 High2026-03-05
CVE-2026-28476 OpenClaw < 2026.2.14 - Server-Side Request Forgery in Tlon Extension Authentication — OpenClawCWE-918 8.3 High2026-03-05
CVE-2026-28475 OpenClaw < 2026.2.13 - Timing Attack via Hook Token Comparison — OpenClawCWE-208 4.8 Medium2026-03-05
CVE-2026-28474 OpenClaw Nextcloud Talk < 2026.2.6 - Allowlist Bypass via actor.name Display Name Spoofing — nextcloud-talkCWE-863 9.8 Critical2026-03-05
CVE-2026-28473 OpenClaw < 2026.2.2 - Authorization Bypass via /approve Chat Command — OpenClawCWE-863 8.1 High2026-03-05
CVE-2026-28472 OpenClaw < 2026.2.2 - Device Identity Check Bypass in Gateway WebSocket Connect Handshake — OpenClawCWE-306 8.1 High2026-03-05
CVE-2026-28470 OpenClaw < 2026.2.2 - Exec Allowlist Bypass via Command Substitution in Double Quotes — OpenClawCWE-78 9.8 Critical2026-03-05

This page lists every published CVE security advisory associated with openclaw. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.