| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At |
|---|---|---|---|---|---|---|
| CVE-2026-35659 | OpenClaw < 2026.3.22 - Unresolved Service Metadata Routing via Bonjour and DNS-SD Discovery | OpenClaw | OpenClaw | Medium | 4.6 | 2026-04-10 16:03:21 |
| CVE-2026-35658 | OpenClaw < 2026.3.2 - Filesystem Boundary Bypass in Image Tool | OpenClaw | OpenClaw | Medium | 6.5 | 2026-04-10 16:03:20 |
| CVE-2026-35657 | OpenClaw < 2026.3.25 - Authorization Bypass in HTTP Session History Route | OpenClaw | OpenClaw | Medium | 6.5 | 2026-04-10 16:03:19 |
| CVE-2026-35656 | OpenClaw < 2026.3.22 - XFF Loopback Spoofing Bypass in Canvas Authentication and Rate Limiter | OpenClaw | OpenClaw | Medium | 6.5 | 2026-04-10 16:03:19 |
| CVE-2026-35655 | OpenClaw < 2026.3.22 - Identity Spoofing via rawInput Tool in ACP Permission Resolution | OpenClaw | OpenClaw | Medium | 5.7 | 2026-04-10 16:03:18 |
| CVE-2026-35654 | OpenClaw < 2026.3.25 - Authorization Bypass in Microsoft Teams Feedback Invoke | OpenClaw | OpenClaw | Medium | 5.3 | 2026-04-10 16:03:17 |
| CVE-2026-35653 | OpenClaw < 2026.3.24 - Incorrect Authorization in POST /reset-profile via browser.request | OpenClaw | OpenClaw | High | 8.1 | 2026-04-10 16:03:16 |
| CVE-2026-35652 | OpenClaw < 2026.3.22 - Unauthorized Action Execution via Callback Dispatch | OpenClaw | OpenClaw | Medium | 6.5 | 2026-04-10 16:03:16 |
| CVE-2026-35651 | OpenClaw 2026.2.13 < 2026.3.25 - ANSI Escape Sequence Injection in Approval Prompt | OpenClaw | OpenClaw | Medium | 4.3 | 2026-04-10 16:03:15 |
| CVE-2026-35650 | OpenClaw < 2026.3.22 - Environment Variable Override Bypass via Inconsistent Sanitization | OpenClaw | OpenClaw | High | 7.5 | 2026-04-10 16:03:14 |
| CVE-2026-35649 | OpenClaw < 2026.3.22 - Settings Reconciliation Bypass via Empty Allowlist | OpenClaw | OpenClaw | Medium | 6.5 | 2026-04-10 16:03:13 |
| CVE-2026-35648 | OpenClaw < 2026.3.22 - Policy Bypass via Unvalidated Queued Node Actions | OpenClaw | OpenClaw | Low | 3.7 | 2026-04-10 16:03:13 |
| CVE-2026-35647 | OpenClaw < 2026.3.25 - Direct Message Policy Bypass via Verification Notices | OpenClaw | OpenClaw | Medium | 5.3 | 2026-04-10 16:03:12 |
| CVE-2026-35643 | OpenClaw < 2026.3.22 - Arbitrary Code Execution via Unvalidated WebView JavascriptInterface | OpenClaw | OpenClaw | High | 8.8 | 2026-04-10 16:03:11 |
| CVE-2026-35641 | OpenClaw < 2026.3.24 - Arbitrary Code Execution via .npmrc in Local Plugin/Hook Installation | OpenClaw | OpenClaw | High | 7.8 | 2026-04-10 16:03:10 |
| CVE-2026-35621 | OpenClaw < 2026.3.24 - Privilege Escalation via chat.send to Allowlist Persistence | OpenClaw | OpenClaw | Medium | 6.5 | 2026-04-10 16:03:10 |
| CVE-2026-35620 | OpenClaw < 2026.3.24 - Missing Authorization in /send and /allowlist Chat Commands | OpenClaw | OpenClaw | Medium | 5.4 | 2026-04-10 16:03:09 |
| CVE-2026-35619 | OpenClaw < 2026.3.24 - Authorization Bypass via HTTP /v1/models Endpoint | OpenClaw | OpenClaw | Medium | 4.3 | 2026-04-10 16:03:08 |
| CVE-2026-6011 | OpenClaw assertPublicHostname web-fetch.ts server-side request forgery | - | OpenClaw | Medium | 5.6 | 2026-04-10 03:45:14 |
| CVE-2026-35646 | OpenClaw < 2026.3.25 - Pre-Authentication Rate-Limit Bypass in Webhook Token Validation | OpenClaw | OpenClaw | Medium | 4.8 | 2026-04-09 21:27:12 |