Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

openclaw — Vulnerabilities & Security Advisories 470

Browse all 470 CVE security advisories affecting openclaw. AI-powered Chinese analysis, POCs, and references for each vulnerability.

OpenClaw is a specialized software platform designed for automated threat intelligence aggregation and vulnerability management, primarily serving enterprise security operations centers. Historically, its codebase has exhibited a high frequency of critical flaws, with 428 CVEs documented to date. The most prevalent vulnerability classes include remote code execution (RCE) and cross-site scripting (XSS), often stemming from insufficient input validation in its web interface components. Additionally, privilege escalation issues have been frequently reported, allowing unauthorized users to gain administrative access. A notable incident in 2022 involved a critical RCE flaw that enabled attackers to execute arbitrary commands on unpatched servers, leading to widespread data exposure across multiple client networks. These recurring security deficiencies highlight significant challenges in the platform’s secure development lifecycle, necessitating rigorous patching and continuous monitoring for organizations relying on OpenClaw for their security infrastructure.

Found 463 results / 470Clear Filters
Top products by openclaw: OpenClaw crabbox nextcloud-talk voice-call
CVE IDTitleCVSSSeverityPublished
CVE-2026-43581 OpenClaw < 2026.4.10 - Chrome DevTools Protocol Exposure via Overly Broad CDP Relay Binding — OpenClawCWE-1188 9.6 Critical2026-05-06
CVE-2026-43580 OpenClaw < 2026.4.10 - Incomplete Navigation Guard Coverage in Browser Interactions — OpenClawCWE-862 7.7 High2026-05-06
CVE-2026-43579 OpenClaw < 2026.4.10 - Insufficient Access Control in Nostr Profile Mutation Routes — OpenClawCWE-862 6.5 Medium2026-05-06
CVE-2026-43578 OpenClaw 2026.3.31 < 2026.4.10 - Privilege Escalation via Missed Async Exec Completion Events in Heartbeat Owner Downgrade — OpenClawCWE-184 9.1 Critical2026-05-06
CVE-2026-43577 OpenClaw < 2026.4.9 - Arbitrary File Read via Browser Interaction Routes — OpenClawCWE-862 6.5 Medium2026-05-06
CVE-2026-43575 OpenClaw 2026.2.21 < 2026.4.10 - Authentication Bypass in Sandbox noVNC Helper Route — OpenClawCWE-862 9.8 Critical2026-05-06
CVE-2026-43576 OpenClaw < 2026.4.5 - Second-hop SSRF via CDP /json/version WebSocket URL — OpenClawCWE-601 7.7 High2026-05-06
CVE-2026-43574 OpenClaw < 2026.4.12 - Improper Authorization via Empty Approver Lists — OpenClawCWE-183 6.5 Medium2026-05-05
CVE-2026-43573 OpenClaw < 2026.4.10 - SSRF Policy Bypass in Existing-Session Browser Interaction Routes — OpenClawCWE-862 7.7 High2026-05-05
CVE-2026-43572 OpenClaw 2026.4.10 < 2026.4.14 - Missing Sender Authorization in Microsoft Teams SSO Invoke Handler — OpenClawCWE-862 5.3 Medium2026-05-05
CVE-2026-43571 OpenClaw < 2026.4.10 - Untrusted Workspace Plugin Shadow Resolution in Channel Setup — OpenClawCWE-829 8.8 High2026-05-05
CVE-2026-43570 OpenClaw 2026.3.22 < 2026.4.5 - Symlink Traversal in Remote Marketplace Repository Path Handling — OpenClawCWE-61 6.5 Medium2026-05-05
CVE-2026-43569 OpenClaw < 2026.4.9 - Untrusted Provider Plugin Auto-enablement via Workspace Provider Auth — OpenClawCWE-829 8.8 High2026-05-05
CVE-2026-43568 OpenClaw 2026.4.5 < 2026.4.10 - Privilege Escalation via Memory Dreaming Configuration in /dreaming Endpoint — OpenClawCWE-862 6.5 Medium2026-05-05
CVE-2026-43567 OpenClaw < 2026.4.10 - Path Traversal in screen_record outPath Parameter — OpenClawCWE-862 6.5 Medium2026-05-05
CVE-2026-43566 OpenClaw 2026.4.7 < 2026.4.14 - Privilege Escalation via Untrusted Webhook Wake Events — OpenClawCWE-184 9.1 Critical2026-05-05
CVE-2026-43534 OpenClaw < 2026.4.10 - Unsanitized External Input in Agent Hook Events — OpenClawCWE-345 9.1 Critical2026-05-05
CVE-2026-43535 OpenClaw < 2026.4.14 - Authorization Context Reuse in Collect-Mode Queue Batches — OpenClawCWE-266 6.8 Medium2026-05-05
CVE-2026-43533 OpenClaw < 2026.4.10 - Arbitrary Local File Read via QQBot Media Tags — OpenClawCWE-23 8.6 High2026-05-05
CVE-2026-43532 OpenClaw 2026.4.7 < 2026.4.10 - Sandbox Media Normalization Bypass via Discord Event Cover Image — OpenClawCWE-184 7.7 High2026-05-05
CVE-2026-43531 OpenClaw < 2026.4.9 - Environment Variable Injection via Workspace .env File — OpenClawCWE-15 7.3 High2026-05-05
CVE-2026-43530 OpenClaw 2026.2.23 < 2026.4.12 - Weakened Exec Approval Binding via busybox and toybox Applet Execution — OpenClawCWE-863 8.8 High2026-05-05
CVE-2026-43529 OpenClaw < 2026.4.10 - Time-of-Check-Time-of-Use (TOCTOU) Race Condition in exec Script Preflight Validator — OpenClawCWE-367 2.5 Low2026-05-05
CVE-2026-43528 OpenClaw < 2026.4.14 - Redaction Bypass via sourceConfig and runtimeConfig Aliases — OpenClawCWE-212 6.5 Medium2026-05-05
CVE-2026-43527 OpenClaw < 2026.4.14 - Server-Side Request Forgery via Private Network Navigation — OpenClawCWE-918 7.7 High2026-05-05
CVE-2026-43526 OpenClaw < 2026.4.12 - Server-Side Request Forgery via QQBot Reply Media URL Handling — OpenClawCWE-918 8.2 High2026-05-05
CVE-2026-42438 OpenClaw 2026.4.9 < 2026.4.10 - Sender Policy Bypass in Host Media Attachment Reads — OpenClawCWE-863 7.7 High2026-05-05
CVE-2026-42439 OpenClaw < 2026.4.10 - SSRF Policy Bypass in Browser Tabs Action Routes — OpenClawCWE-862 8.5 High2026-05-05
CVE-2026-42437 OpenClaw 2026.4.9 < 2026.4.10 - Denial of Service via Oversized WebSocket Frames in Voice-call Realtime Path — OpenClawCWE-770 7.5 High2026-05-05
CVE-2026-42436 OpenClaw < 2026.4.14 - Internal Page Content Exposure via Browser Snapshot and Screenshot Routes — OpenClawCWE-862 7.7 High2026-05-05

This page lists every published CVE security advisory associated with openclaw. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.