| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-35618 | OpenClaw < 2026.3.23 - Replay Identity Drift via Query-Only Variants in Plivo V2 Verification | OpenClaw | OpenClaw | Medium | 6.5 | 2026-04-09 21:26:52 | Deep Dive |
| CVE-2026-35622 | OpenClaw < 2026.3.22 - Improper Authentication Verification in Google Chat Webhook | OpenClaw | OpenClaw | Medium | 5.9 | 2026-04-09 21:26:52 | Deep Dive |
| CVE-2026-35617 | OpenClaw < 2026.3.25 - Authorization Bypass via Group Policy Rebinding with Mutable Space displayName | OpenClaw | OpenClaw | Medium | 4.2 | 2026-04-09 21:26:51 | Deep Dive |
| CVE-2026-34512 | OpenClaw < 2026.3.25 - Improper Access Control in /sessions/:sessionKey/kill Endpoint | OpenClaw | OpenClaw | High | 8.1 | 2026-04-09 21:26:50 | Deep Dive |
| CVE-2026-40037 | OpenClaw < 2026.3.31 - Unsafe Request Body Replay via fetchWithSsrFGuard Cross-Origin Redirects | OpenClaw | OpenClaw | Medium | 6.5 | 2026-04-08 21:35:29 | Deep Dive |
| CVE-2026-34511 | OpenClaw < 2026.4.2 - PKCE Verifier Exposure via OAuth State Parameter | OpenClaw | OpenClaw | Medium | 5.3 | 2026-04-03 20:45:41 | Deep Dive |
| CVE-2026-34426 | OpenClaw - Approval Bypass via Environment Variable Normalization | OpenClaw | OpenClaw | High | 7.6 | 2026-04-02 18:25:14 | Deep Dive |
| CVE-2026-34425 | OpenClaw - Shell-Bleed Protection Preflight Validation Bypass | OpenClaw | OpenClaw | Medium | 5.4 | 2026-04-02 18:15:07 | Deep Dive |
| CVE-2026-34510 | OpenClaw < 2026.3.22 - Remote File URL Acceptance in Windows Media Loaders | OpenClaw | OpenClaw | Medium | 5.3 | 2026-04-01 15:29:36 | Deep Dive |
| CVE-2026-34504 | OpenClaw < 2026.3.28 - Server-Side Request Forgery via Unguarded Image Download in fal Provider | OpenClaw | OpenClaw | High | 8.3 | 2026-03-31 14:10:36 | Deep Dive |
| CVE-2026-34503 | OpenClaw < 2026.3.28 - Incomplete WebSocket Session Termination on Device Removal and Token Revocation | OpenClaw | OpenClaw | High | 8.1 | 2026-03-31 14:10:35 | Deep Dive |
| CVE-2026-33581 | OpenClaw < 2026.3.24 - Arbitrary File Read via mediaUrl and fileUrl Parameters | OpenClaw | OpenClaw | Medium | 6.5 | 2026-03-31 14:10:34 | Deep Dive |
| CVE-2026-33580 | OpenClaw < 2026.3.28 - Brute Force Attack via Missing Rate Limiting on Webhook Shared Secret Authentication | OpenClaw | OpenClaw | Medium | 6.5 | 2026-03-31 14:10:33 | Deep Dive |
| CVE-2026-33578 | OpenClaw < 2026.3.28 - Sender Policy Allowlist Bypass via Policy Downgrade in Google Chat and Zalouser Extensions | OpenClaw | OpenClaw | Medium | 4.3 | 2026-03-31 14:10:32 | Deep Dive |
| CVE-2026-33579 | OpenClaw < 2026.3.28 - Privilege Escalation via Missing Caller Scope Validation in Device Pair Approval | OpenClaw | OpenClaw | Critical | 9.9 | 2026-03-31 14:10:32 | Deep Dive |
| CVE-2026-33576 | OpenClaw < 2026.3.28 - Unauthorized Media Download via Zalo Channel | OpenClaw | OpenClaw | Medium | 6.5 | 2026-03-31 14:10:31 | Deep Dive |
| CVE-2026-33577 | OpenClaw < 2026.3.28 - Insufficient Scope Validation in node.pair.approve | OpenClaw | OpenClaw | High | 8.1 | 2026-03-31 14:10:31 | Deep Dive |
| CVE-2026-34505 | OpenClaw < 2026.3.12 - Webhook Rate Limiting Bypass via Pre-Authentication Secret Validation | OpenClaw | OpenClaw | Medium | 6.5 | 2026-03-31 11:17:21 | Deep Dive |
| CVE-2026-34506 | OpenClaw < 2026.3.8 - Sender Allowlist Bypass in Microsoft Teams Plugin via Route Allowlist Configuration | OpenClaw | OpenClaw | Medium | 4.3 | 2026-03-31 11:17:21 | Deep Dive |
| CVE-2026-32988 | OpenClaw < 2026.3.11 - Sandbox Boundary Bypass via Unvalidated Temporary File Creation | OpenClaw | OpenClaw | High | 7.5 | 2026-03-31 11:17:20 | Deep Dive |