openclaw — Vulnerabilities & Security Advisories (449)

Browse all 449 CVE security advisories affecting openclaw. AI-powered Chinese analysis, POCs, and references for each vulnerability.

OpenClaw is a specialized software platform designed for automated threat intelligence aggregation and vulnerability management, primarily serving enterprise security operations centers. Historically, its codebase has exhibited a high frequency of critical flaws, with 428 CVEs documented to date. The most prevalent vulnerability classes include remote code execution (RCE) and cross-site scripting (XSS), often stemming from insufficient input validation in its web interface components. Additionally, privilege escalation issues have been frequently reported, allowing unauthorized users to gain administrative access. A notable incident in 2022 involved a critical RCE flaw that enabled attackers to execute arbitrary commands on unpatched servers, leading to widespread data exposure across multiple client networks. These recurring security deficiencies highlight significant challenges in the platform’s secure development lifecycle, necessitating rigorous patching and continuous monitoring for organizations relying on OpenClaw for their security infrastructure.

CVE ID | Title | Product | CWE | CVSS | Severity | Published
------ | ----- | ------- | --- | ---- | -------- | ---------
CVE-2026-41300 | OpenClaw < 2026.3.31 - Attacker-Discovered Endpoint Preservation in Remote Onboarding | OpenClaw | CWE-372 | 6.5 | Medium | 2026-04-20
CVE-2026-41298 | OpenClaw < 2026.4.2 - Authorization Bypass in Session Termination Endpoint | OpenClaw | CWE-862 | 5.4 | Medium | 2026-04-20
CVE-2026-41297 | OpenClaw < 2026.3.31 - Server-Side Request Forgery via Marketplace Plugin Download Redirect | OpenClaw | CWE-918 | 7.6 | High | 2026-04-20
CVE-2026-41295 | OpenClaw < 2026.4.2 - Untrusted Workspace Channel Shadow Code Execution during Built-in Channel Setup | OpenClaw | CWE-829 | 7.8 | High | 2026-04-20
CVE-2026-41296 | OpenClaw < 2026.3.31 - Sandbox Escape via TOCTOU Race in Remote FS Bridge readFile | OpenClaw | CWE-367 | 8.2 | High | 2026-04-20
CVE-2026-41294 | OpenClaw < 2026.3.28 - Environment Variable Injection via CWD .env File | OpenClaw | CWE-15 | 8.6 | High | 2026-04-20
CVE-2026-40045 | OpenClaw < 2026.4.2 - Cleartext Credential Transmission via Unencrypted WebSocket Gateway Endpoints | OpenClaw | CWE-319 | 5.7 | Medium | 2026-04-20
CVE-2026-41389 | OpenClaw 2026.4.7 < 2026.4.15 - Arbitrary File Read via Unvalidated Tool-Result Media Paths | OpenClaw | CWE-73 | 5.8 | Medium | 2026-04-20
CVE-2026-3691 | OpenClaw Client PKCE Verifier Information Disclosure Vulnerability | OpenClaw | CWE-200 | 6.5 (AI) | Medium (AI) | 2026-04-11
CVE-2026-3690 | OpenClaw Canvas Authentication Bypass Vulnerability | OpenClaw | CWE-291 | 9.8 (AI) | Critical (AI) | 2026-04-11
CVE-2026-3689 | OpenClaw Canvas Path Traversal Information Disclosure Vulnerability | OpenClaw | CWE-22 | 6.5 (AI) | Medium (AI) | 2026-04-11
CVE-2026-35670 | OpenClaw < 2026.3.22 - Webhook Reply Rebinding via Username Resolution in Synology Chat | OpenClaw | CWE-807 | 5.9 | Medium | 2026-04-10
CVE-2026-35669 | OpenClaw < 2026.3.25 - Privilege Escalation via Gateway Plugin HTTP Authentication Scope | OpenClaw | CWE-648 | 8.8 | High | 2026-04-10
CVE-2026-35668 | OpenClaw < 2026.3.24 - Sandbox Media Root Bypass via Unnormalized mediaUrl and fileUrl Parameters | OpenClaw | CWE-22 | 7.7 | High | 2026-04-10
CVE-2026-35666 | OpenClaw < 2026.3.22 - Allowlist Bypass via Unregistered Time Dispatch Wrapper | OpenClaw | CWE-706 | 8.8 | High | 2026-04-10
CVE-2026-35667 | OpenClaw < 2026.3.24 - Improper Process Termination via Unpatched killProcessTree in shell-utils.ts | OpenClaw | CWE-404 | 6.1 | Medium | 2026-04-10
CVE-2026-35665 | OpenClaw < 2026.3.24 - Denial of Service via Feishu Webhook Pre-Auth Body Parsing | OpenClaw | CWE-405 | 5.3 | Medium | 2026-04-10
CVE-2026-35663 | OpenClaw < 2026.3.25 - Privilege Escalation via Backend Reconnect Scope Self-Claim | OpenClaw | CWE-648 | 8.8 | High | 2026-04-10
CVE-2026-35664 | OpenClaw < 2026.3.25 - DM Pairing Bypass via Legacy Card Callbacks | OpenClaw | CWE-288 | 5.3 | Medium | 2026-04-10
CVE-2026-35662 | OpenClaw < 2026.3.22 - Missing controlScope Enforcement in Send Action | OpenClaw | CWE-862 | 4.3 | Medium | 2026-04-10
CVE-2026-35660 | OpenClaw < 2026.3.23 - Insufficient Access Control in Gateway Agent Session Reset | OpenClaw | CWE-862 | 8.1 | High | 2026-04-10
CVE-2026-35661 | OpenClaw < 2026.3.25 - Telegram DM-Scoped Inline Button Callback Authorization Bypass | OpenClaw | CWE-288 | 5.3 | Medium | 2026-04-10
CVE-2026-35659 | OpenClaw < 2026.3.22 - Unresolved Service Metadata Routing via Bonjour and DNS-SD Discovery | OpenClaw | CWE-345 | 4.6 | Medium | 2026-04-10
CVE-2026-35658 | OpenClaw < 2026.3.2 - Filesystem Boundary Bypass in Image Tool | OpenClaw | CWE-668 | 6.5 | Medium | 2026-04-10
CVE-2026-35656 | OpenClaw < 2026.3.22 - XFF Loopback Spoofing Bypass in Canvas Authentication and Rate Limiter | OpenClaw | CWE-290 | 6.5 | Medium | 2026-04-10
CVE-2026-35657 | OpenClaw < 2026.3.25 - Authorization Bypass in HTTP Session History Route | OpenClaw | CWE-863 | 6.5 | Medium | 2026-04-10
CVE-2026-35655 | OpenClaw < 2026.3.22 - Identity Spoofing via rawInput Tool in ACP Permission Resolution | OpenClaw | CWE-807 | 5.7 | Medium | 2026-04-10
CVE-2026-35654 | OpenClaw < 2026.3.25 - Authorization Bypass in Microsoft Teams Feedback Invoke | OpenClaw | CWE-288 | 5.3 | Medium | 2026-04-10
CVE-2026-35653 | OpenClaw < 2026.3.24 - Incorrect Authorization in POST /reset-profile via browser.request | OpenClaw | CWE-863 | 8.1 | High | 2026-04-10
CVE-2026-35652 | OpenClaw < 2026.3.22 - Unauthorized Action Execution via Callback Dispatch | OpenClaw | CWE-696 | 6.5 | Medium | 2026-04-10

CVSS scores and severities marked (AI) come from the site's AI analysis rather than a published score.

This page lists every published CVE security advisory associated with openclaw. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.