
openclaw — Vulnerabilities & Security Advisories (470)

Browse all 470 CVE security advisories affecting openclaw. AI-powered Chinese analysis, POCs, and references for each vulnerability.

OpenClaw is a specialized software platform designed for automated threat intelligence aggregation and vulnerability management, primarily serving enterprise security operations centers. Historically, its codebase has exhibited a high frequency of critical flaws, with 428 CVEs documented to date. The most prevalent vulnerability classes include remote code execution (RCE) and cross-site scripting (XSS), often stemming from insufficient input validation in its web interface components. Additionally, privilege escalation issues have been frequently reported, allowing unauthorized users to gain administrative access. A notable incident in 2022 involved a critical RCE flaw that enabled attackers to execute arbitrary commands on unpatched servers, leading to widespread data exposure across multiple client networks. These recurring security deficiencies highlight significant challenges in the platform’s secure development lifecycle, necessitating rigorous patching and continuous monitoring for organizations relying on OpenClaw for their security infrastructure.

Found 463 results / 470

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-41368 | OpenClaw < 2026.3.28 - Environment Variable Disclosure via jq $ENV Filter Bypass | OpenClaw | CWE-668 | 6.5 | Medium | 2026-04-27 |
| CVE-2026-41367 | OpenClaw 2026.2.14 < 2026.3.28 - Policy Enforcement Bypass in Discord Component Interactions | OpenClaw | CWE-863 | 5.0 | Medium | 2026-04-27 |
| CVE-2026-41365 | OpenClaw < 2026.3.31 - Sender Allowlist Bypass via Graph API Thread History | OpenClaw | CWE-441 | 5.4 | Medium | 2026-04-27 |
| CVE-2026-41366 | OpenClaw < 2026.3.31 - Arbitrary Host File Read via appendLocalMediaParentRoots Self-Whitelisting | OpenClaw | CWE-732 | 5.5 | Medium | 2026-04-27 |
| CVE-2026-41364 | OpenClaw < 2026.3.31 - Arbitrary File Write via Symlink Following in SSH Sandbox Tar Upload | OpenClaw | CWE-59 | 8.1 | High | 2026-04-27 |
| CVE-2026-41363 | OpenClaw 2026.2.6 < 2026.3.28 - Arbitrary File Read via Feishu upload_image Parameter | OpenClaw | CWE-22 | 5.3 | Medium | 2026-04-27 |
| CVE-2026-41362 | OpenClaw 2026.2.19 < 2026.3.31 - Webhook Replay Dedupe Cache Event Suppression via Shared Authentication | OpenClaw | CWE-668 | 4.3 | Medium | 2026-04-27 |
| CVE-2026-41361 | OpenClaw < 2026.3.28 - SSRF Guard Bypass via IPv6 Special-Use Ranges | OpenClaw | CWE-184 | 7.1 | High | 2026-04-23 |
| CVE-2026-41359 | OpenClaw < 2026.3.28 - Privilege Escalation via operator.write to Admin-Class Telegram Config and Cron Persistence | OpenClaw | CWE-269 | 7.1 | High | 2026-04-23 |
| CVE-2026-41360 | OpenClaw < 2026.4.2 - Approval Integrity Bypass in pnpm dlx Local Script Binding | OpenClaw | CWE-367 | 6.7 | Medium | 2026-04-23 |
| CVE-2026-41358 | OpenClaw < 2026.4.2 - Sender Allowlist Bypass via Slack Thread Context | OpenClaw | CWE-346 | 5.4 | Medium | 2026-04-23 |
| CVE-2026-41357 | OpenClaw < 2026.3.31 - Unsanitized Environment Variable Leakage in SSH Sandbox Backends | OpenClaw | CWE-214 | 3.3 | Low | 2026-04-23 |
| CVE-2026-41355 | OpenClaw < 2026.3.28 - Arbitrary Code Execution via Mirror Mode Sandbox File Conversion | OpenClaw | CWE-829 | 7.3 | High | 2026-04-23 |
| CVE-2026-41356 | OpenClaw < 2026.3.31 - Incomplete WebSocket Session Termination in device.token.rotate | OpenClaw | CWE-613 | 5.4 | Medium | 2026-04-23 |
| CVE-2026-41354 | OpenClaw < 2026.4.2 - Insufficient Scope in Zalo Webhook Replay Dedupe Keys | OpenClaw | CWE-706 | 3.7 | Low | 2026-04-23 |
| CVE-2026-41353 | OpenClaw < 2026.3.22 - allowProfiles Bypass via Profile Mutation and Runtime Selection | OpenClaw | CWE-472 | 8.1 | High | 2026-04-23 |
| CVE-2026-41352 | OpenClaw < 2026.3.31 - Remote Code Execution via Node Scope Gate Bypass | OpenClaw | CWE-862 | 8.8 | High | 2026-04-23 |
| CVE-2026-41351 | OpenClaw < 2026.3.31 - Webhook Replay Detection Bypass via Base64 Signature Re-encoding | OpenClaw | CWE-294 | 5.3 | Medium | 2026-04-23 |
| CVE-2026-41350 | OpenClaw < 2026.3.31 - Session Visibility Bypass via session_status in Unsandboxed Invocations | OpenClaw | CWE-863 | 4.3 | Medium | 2026-04-23 |
| CVE-2026-41349 | OpenClaw < 2026.3.28 - Agentic Consent Bypass via config.patch | OpenClaw | CWE-862 | 8.8 | High | 2026-04-23 |
| CVE-2026-41348 | OpenClaw < 2026.3.31 - Group DM Channel Allowlist Bypass via Discord Slash Commands | OpenClaw | CWE-863 | 5.4 | Medium | 2026-04-23 |
| CVE-2026-41347 | OpenClaw < 2026.3.31 - Cross-Site Request Forgery via Missing Browser-Origin Validation in HTTP Operator Endpoints | OpenClaw | CWE-352 | 7.1 | High | 2026-04-23 |
| CVE-2026-41346 | OpenClaw 2026.2.26 < 2026.3.31 - Denial of Service via Improper Pending Pairing Request Cap Enforcement | OpenClaw | CWE-799 | 5.3 | Medium | 2026-04-23 |
| CVE-2026-41345 | OpenClaw < 2026.3.31 - Authorization Header Leak via Cross-Origin Redirect in Media Download | OpenClaw | CWE-522 | 5.3 | Medium | 2026-04-23 |
| CVE-2026-41344 | OpenClaw < 2026.3.28 - Privilege Escalation via chat.send /verbose Parameter | OpenClaw | CWE-863 | 5.4 | Medium | 2026-04-23 |
| CVE-2026-41343 | OpenClaw < 2026.3.31 - Denial of Service via LINE Webhook Handler Pre-Auth Concurrency | OpenClaw | CWE-799 | 5.3 | Medium | 2026-04-23 |
| CVE-2026-41342 | OpenClaw < 2026.3.28 - Unauthenticated Discovery Endpoint Credential Exfiltration via Remote Onboarding | OpenClaw | CWE-346 | 7.3 | High | 2026-04-23 |
| CVE-2026-41341 | OpenClaw < 2026.3.31 - Component Interaction Misclassification in Discord Extension | OpenClaw | CWE-351 | 5.4 | Medium | 2026-04-23 |
| CVE-2026-41340 | OpenClaw < 2026.3.31 - Authentication Boundary Bypass via Telegram Legacy allowFrom Migration | OpenClaw | CWE-372 | 6.5 | Medium | 2026-04-23 |
| CVE-2026-41339 | OpenClaw < 2026.4.2 - Information Disclosure via Gateway Connect Snapshot | OpenClaw | CWE-497 | 4.3 | Medium | 2026-04-23 |

This page lists every published CVE security advisory associated with openclaw. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.