| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-41402 | OpenClaw < 2026.3.31 - Webhook Replay Cache Cross-Target messageId Scope Bypass | OpenClaw | OpenClaw | Medium | 4.2 | 2026-04-28 18:09:59 | Deep Dive |
| CVE-2026-41400 | OpenClaw < 2026.3.31 - Resource Consumption via Oversized WebSocket Frames in voice-call | OpenClaw | OpenClaw | Medium | 5.3 | 2026-04-28 18:09:59 | Deep Dive |
| CVE-2026-41399 | OpenClaw < 2026.3.28 - Denial of Service via Unbounded Pre-auth WebSocket Upgrades | OpenClaw | OpenClaw | High | 7.5 | 2026-04-28 18:09:58 | Deep Dive |
| CVE-2026-41398 | OpenClaw - Unauthorized Agent Request Dispatch via Untrusted Local-Network Pages in iOS A2UI Bridge | OpenClaw | OpenClaw | Medium | 4.6 | 2026-04-28 18:09:57 | Deep Dive |
| CVE-2026-41397 | OpenClaw < 2026.3.31 - Sandbox Escape via Unrestricted File Sync and Symlink Traversal | OpenClaw | OpenClaw | Medium | 6.8 | 2026-04-28 18:09:56 | Deep Dive |
| CVE-2026-41396 | OpenClaw < 2026.3.31 - Environment Variable Override of Plugin Trust Root | OpenClaw | OpenClaw | High | 7.8 | 2026-04-28 18:09:56 | Deep Dive |
| CVE-2026-41395 | OpenClaw < 2026.3.28 - Webhook Replay via Query Parameter Reordering in Plivo V3 | OpenClaw | OpenClaw | High | 7.5 | 2026-04-28 18:09:55 | Deep Dive |
| CVE-2026-41394 | OpenClaw < 2026.3.31 - Unauthorized Operator Scope Access in Unauthenticated Plugin-Auth Routes | OpenClaw | OpenClaw | High | 8.2 | 2026-04-28 18:09:54 | Deep Dive |
| CVE-2026-41393 | OpenClaw < 2026.3.31 - Arbitrary DNS Authority Acceptance and Credential Exfiltration via Wide-Area Discovery | OpenClaw | OpenClaw | Medium | 4.8 | 2026-04-28 18:09:53 | Deep Dive |
| CVE-2026-41392 | OpenClaw < 2026.3.31 - Exec Allowlist Bypass via Shell Init-File Options | OpenClaw | OpenClaw | Medium | 6.7 | 2026-04-28 18:09:53 | Deep Dive |
| CVE-2026-41391 | OpenClaw < 2026.3.31 - Environment Variable Bypass in Package Index URL Handling | OpenClaw | OpenClaw | Medium | 5.3 | 2026-04-28 18:09:52 | Deep Dive |
| CVE-2026-41390 | OpenClaw < 2026.3.28 - Exec Allowlist Bypass via Unregistered /usr/bin/script Wrapper | OpenClaw | OpenClaw | High | 7.3 | 2026-04-28 18:09:51 | Deep Dive |
| CVE-2026-41388 | OpenClaw < 2026.3.31 - Configuration Rehydration via Empty-Array Revocation Handling | OpenClaw | OpenClaw | Medium | 6.5 | 2026-04-28 18:09:50 | Deep Dive |
| CVE-2026-41387 | OpenClaw < 2026.3.22 - Supply Chain Redirection via Incomplete Host Environment Sanitization | OpenClaw | OpenClaw | High | 7.8 | 2026-04-28 18:09:50 | Deep Dive |
| CVE-2026-41386 | OpenClaw < 2026.3.22 - Privilege Escalation via Unbound Bootstrap Setup Codes | OpenClaw | OpenClaw | Critical | 9.1 | 2026-04-28 18:09:49 | Deep Dive |
| CVE-2026-41385 | OpenClaw < 2026.3.31 - Nostr Private Key Exposure via config.get Redaction Bypass | OpenClaw | OpenClaw | Medium | 6.5 | 2026-04-28 18:09:48 | Deep Dive |
| CVE-2026-41384 | OpenClaw < 2026.3.24 - Environment Variable Injection via Workspace Config in CLI Backend | OpenClaw | OpenClaw | High | 7.8 | 2026-04-28 18:09:47 | Deep Dive |
| CVE-2026-41383 | OpenClaw < 2026.4.2 - Arbitrary Remote Directory Deletion via Mis-scoped Mirror Mode Paths | OpenClaw | OpenClaw | High | 8.1 | 2026-04-28 18:09:46 | Deep Dive |
| CVE-2026-41382 | OpenClaw < 2026.3.31 - Discord Voice Ingress Authorization Bypass via Channel and Role Validation Gaps | OpenClaw | OpenClaw | Medium | 5.4 | 2026-04-28 18:09:45 | Deep Dive |
| CVE-2026-41381 | OpenClaw < 2026.3.31 - Access Control Bypass in Discord Voice Manager via Channel Allowlist | OpenClaw | OpenClaw | Medium | 5.4 | 2026-04-28 18:09:44 | Deep Dive |