| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At |
|---|---|---|---|---|---|---|
| CVE-2026-35645 | OpenClaw < 2026.3.25 - Privilege Escalation via Synthetic operator.admin in deleteSession | OpenClaw | OpenClaw | High | 8.1 | 2026-04-09 21:27:11 |
| CVE-2026-35644 | OpenClaw < 2026.3.22 - Credential Exposure via baseUrl Fields in Gateway Snapshots | OpenClaw | OpenClaw | Medium | 6.5 | 2026-04-09 21:27:10 |
| CVE-2026-35640 | OpenClaw < 2026.3.25 - Denial of Service via Unauthenticated Webhook Request Parsing | OpenClaw | OpenClaw | Medium | 5.3 | 2026-04-09 21:27:09 |
| CVE-2026-35642 | OpenClaw < 2026.3.25 - Authorization Bypass in Group Reactions via requireMention Bypass | OpenClaw | OpenClaw | Medium | 4.3 | 2026-04-09 21:27:09 |
| CVE-2026-35639 | OpenClaw < 2026.3.22 - Privilege Escalation via device.pair.approve Scope Validation | OpenClaw | OpenClaw | High | 8.8 | 2026-04-09 21:27:08 |
| CVE-2026-35637 | OpenClaw < 2026.3.22 - Premature Cite Expansion Before Authorization in Channel and DM | OpenClaw | OpenClaw | High | 7.3 | 2026-04-09 21:27:07 |
| CVE-2026-35638 | OpenClaw < 2026.3.22 - Privilege Escalation via Self-Declared Scopes in Trusted-Proxy Control UI | OpenClaw | OpenClaw | High | 8.8 | 2026-04-09 21:27:07 |
| CVE-2026-35636 | OpenClaw 2026.3.11 < 2026.3.25 - Session Isolation Bypass via sessionId Resolution | OpenClaw | OpenClaw | Medium | 6.5 | 2026-04-09 21:27:06 |
| CVE-2026-35635 | OpenClaw < 2026.3.22 - Webhook Path Route Replacement Vulnerability in Synology Chat | OpenClaw | OpenClaw | Medium | 4.8 | 2026-04-09 21:27:05 |
| CVE-2026-35633 | OpenClaw < 2026.3.22 - Unbounded Memory Allocation via Remote Media Error Responses | OpenClaw | OpenClaw | Medium | 5.3 | 2026-04-09 21:27:04 |
| CVE-2026-35634 | OpenClaw < 2026.3.23 - Authentication Bypass via Local-Direct Requests in Canvas Gateway | OpenClaw | OpenClaw | Medium | 5.1 | 2026-04-09 21:27:04 |
| CVE-2026-35632 | OpenClaw <= 2026.2.22 - Symlink Traversal via IDENTITY.md appendFile in agents.create/update | OpenClaw | OpenClaw | High | 7.1 | 2026-04-09 21:27:03 |
| CVE-2026-35631 | OpenClaw < 2026.3.22 - Missing Authorization Enforcement in Internal ACP Chat Commands | OpenClaw | OpenClaw | Medium | 6.5 | 2026-04-09 21:27:02 |
| CVE-2026-35629 | OpenClaw < 2026.3.25 - Server-Side Request Forgery via Unguarded Configured Base URLs in Channel Extensions | OpenClaw | OpenClaw | High | 7.4 | 2026-04-09 21:27:01 |
| CVE-2026-35628 | OpenClaw < 2026.3.25 - Brute-Force Attack via Missing Telegram Webhook Rate Limiting | OpenClaw | OpenClaw | Medium | 4.8 | 2026-04-09 21:27:00 |
| CVE-2026-35627 | OpenClaw < 2026.3.22 - Unauthenticated Cryptographic Work in Nostr Inbound DM Handling | OpenClaw | OpenClaw | Medium | 6.5 | 2026-04-09 21:26:59 |
| CVE-2026-35625 | OpenClaw < 2026.3.25 - Privilege Escalation via Silent Local Shared-Auth Reconnect | OpenClaw | OpenClaw | High | 7.8 | 2026-04-09 21:26:58 |
| CVE-2026-35626 | OpenClaw < 2026.3.22 - Unauthenticated Resource Exhaustion via Voice Call Webhook | OpenClaw | OpenClaw | Medium | 5.3 | 2026-04-09 21:26:58 |
| CVE-2026-35624 | OpenClaw < 2026.3.22 - Policy Confusion via Room Name Collision in Nextcloud Talk | OpenClaw | OpenClaw | Medium | 4.2 | 2026-04-09 21:26:56 |
| CVE-2026-35623 | OpenClaw < 2026.3.25 - Brute-Force Attack via Missing Webhook Password Rate Limiting | OpenClaw | OpenClaw | Medium | 4.8 | 2026-04-09 21:26:53 |