| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-43583 | OpenClaw 2026.4.10 < 2026.4.14 - Loss of Group Tool-Policy Context in Delivery Queue Recovery | OpenClaw | OpenClaw | Medium | 5.3 | 2026-05-06 19:49:25 | Deep Dive |
| CVE-2026-43582 | OpenClaw < 2026.4.10 - DNS Rebinding SSRF via Hostname Validation Bypass | OpenClaw | OpenClaw | Medium | 6.3 | 2026-05-06 19:49:25 | Deep Dive |
| CVE-2026-43581 | OpenClaw < 2026.4.10 - Chrome DevTools Protocol Exposure via Overly Broad CDP Relay Binding | OpenClaw | OpenClaw | Critical | 9.6 | 2026-05-06 19:49:24 | Deep Dive |
| CVE-2026-43580 | OpenClaw < 2026.4.10 - Incomplete Navigation Guard Coverage in Browser Interactions | OpenClaw | OpenClaw | High | 7.7 | 2026-05-06 19:49:23 | Deep Dive |
| CVE-2026-43579 | OpenClaw < 2026.4.10 - Insufficient Access Control in Nostr Profile Mutation Routes | OpenClaw | OpenClaw | Medium | 6.5 | 2026-05-06 19:49:23 | Deep Dive |
| CVE-2026-43578 | OpenClaw 2026.3.31 < 2026.4.10 - Privilege Escalation via Missed Async Exec Completion Events in Heartbeat Owner Downgrade | OpenClaw | OpenClaw | Critical | 9.1 | 2026-05-06 19:49:22 | Deep Dive |
| CVE-2026-43577 | OpenClaw < 2026.4.9 - Arbitrary File Read via Browser Interaction Routes | OpenClaw | OpenClaw | Medium | 6.5 | 2026-05-06 19:49:21 | Deep Dive |
| CVE-2026-43576 | OpenClaw < 2026.4.5 - Second-hop SSRF via CDP /json/version WebSocket URL | OpenClaw | OpenClaw | High | 7.7 | 2026-05-06 19:49:20 | Deep Dive |
| CVE-2026-43575 | OpenClaw 2026.2.21 < 2026.4.10 - Authentication Bypass in Sandbox noVNC Helper Route | OpenClaw | OpenClaw | Critical | 9.8 | 2026-05-06 19:49:20 | Deep Dive |
| CVE-2026-43574 | OpenClaw < 2026.4.12 - Improper Authorization via Empty Approver Lists | OpenClaw | OpenClaw | Medium | 6.5 | 2026-05-05 11:25:14 | Deep Dive |
| CVE-2026-43573 | OpenClaw < 2026.4.10 - SSRF Policy Bypass in Existing-Session Browser Interaction Routes | OpenClaw | OpenClaw | High | 7.7 | 2026-05-05 11:25:13 | Deep Dive |
| CVE-2026-43571 | OpenClaw < 2026.4.10 - Untrusted Workspace Plugin Shadow Resolution in Channel Setup | OpenClaw | OpenClaw | High | 8.8 | 2026-05-05 11:25:12 | Deep Dive |
| CVE-2026-43572 | OpenClaw 2026.4.10 < 2026.4.14 - Missing Sender Authorization in Microsoft Teams SSO Invoke Handler | OpenClaw | OpenClaw | Medium | 5.3 | 2026-05-05 11:25:12 | Deep Dive |
| CVE-2026-43570 | OpenClaw 2026.3.22 < 2026.4.5 - Symlink Traversal in Remote Marketplace Repository Path Handling | OpenClaw | OpenClaw | Medium | 6.5 | 2026-05-05 11:25:11 | Deep Dive |
| CVE-2026-43569 | OpenClaw < 2026.4.9 - Untrusted Provider Plugin Auto-enablement via Workspace Provider Auth | OpenClaw | OpenClaw | High | 8.8 | 2026-05-05 11:25:10 | Deep Dive |
| CVE-2026-43568 | OpenClaw 2026.4.5 through 2026.4.9 - Privilege Escalation via Memory Dreaming Configuration in /dreaming Endpoint | OpenClaw | OpenClaw | Medium | 6.5 | 2026-05-05 11:25:10 | Deep Dive |
| CVE-2026-43567 | OpenClaw < 2026.4.10 - Path Traversal in screen_record outPath Parameter | OpenClaw | OpenClaw | Medium | 6.5 | 2026-05-05 11:25:09 | Deep Dive |
| CVE-2026-43566 | OpenClaw 2026.4.7 < 2026.4.14 - Privilege Escalation via Untrusted Webhook Wake Events | OpenClaw | OpenClaw | Critical | 9.1 | 2026-05-05 11:25:08 | Deep Dive |
| CVE-2026-43534 | OpenClaw < 2026.4.10 - Unsanitized External Input in Agent Hook Events | OpenClaw | OpenClaw | Critical | 9.1 | 2026-05-05 11:25:07 | Deep Dive |
| CVE-2026-43535 | OpenClaw < 2026.4.14 - Authorization Context Reuse in Collect-Mode Queue Batches | OpenClaw | OpenClaw | Medium | 6.8 | 2026-05-05 11:25:07 | Deep Dive |