| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At |
|---|---|---|---|---|---|---|
| CVE-2026-41350 | OpenClaw < 2026.3.31 - Session Visibility Bypass via session_status in Unsandboxed Invocations | OpenClaw | OpenClaw | Medium | 4.3 | 2026-04-23 21:58:11 |
| CVE-2026-41351 | OpenClaw < 2026.3.31 - Webhook Replay Detection Bypass via Base64 Signature Re-encoding | OpenClaw | OpenClaw | Medium | 5.3 | 2026-04-23 21:58:11 |
| CVE-2026-41349 | OpenClaw < 2026.3.28 - Agentic Consent Bypass via config.patch | OpenClaw | OpenClaw | High | 8.8 | 2026-04-23 21:58:10 |
| CVE-2026-41348 | OpenClaw < 2026.3.31 - Group DM Channel Allowlist Bypass via Discord Slash Commands | OpenClaw | OpenClaw | Medium | 5.4 | 2026-04-23 21:58:09 |
| CVE-2026-41347 | OpenClaw < 2026.3.31 - Cross-Site Request Forgery via Missing Browser-Origin Validation in HTTP Operator Endpoints | OpenClaw | OpenClaw | High | 7.1 | 2026-04-23 21:58:08 |
| CVE-2026-41346 | OpenClaw 2026.2.26 < 2026.3.31 - Denial of Service via Improper Pending Pairing Request Cap Enforcement | OpenClaw | OpenClaw | Medium | 5.3 | 2026-04-23 21:58:05 |
| CVE-2026-41345 | OpenClaw < 2026.3.31 - Authorization Header Leak via Cross-Origin Redirect in Media Download | OpenClaw | OpenClaw | Medium | 5.3 | 2026-04-23 21:58:04 |
| CVE-2026-41344 | OpenClaw < 2026.3.28 - Privilege Escalation via chat.send /verbose Parameter | OpenClaw | OpenClaw | Medium | 5.4 | 2026-04-23 21:58:03 |
| CVE-2026-41343 | OpenClaw < 2026.3.31 - Denial of Service via LINE Webhook Handler Pre-Auth Concurrency | OpenClaw | OpenClaw | Medium | 5.3 | 2026-04-23 21:58:02 |
| CVE-2026-41342 | OpenClaw < 2026.3.28 - Unauthenticated Discovery Endpoint Credential Exfiltration via Remote Onboarding | OpenClaw | OpenClaw | High | 7.3 | 2026-04-23 21:58:01 |
| CVE-2026-41341 | OpenClaw < 2026.3.31 - Component Interaction Misclassification in Discord Extension | OpenClaw | OpenClaw | Medium | 5.4 | 2026-04-23 21:58:00 |
| CVE-2026-41340 | OpenClaw < 2026.3.31 - Authentication Boundary Bypass via Telegram Legacy allowFrom Migration | OpenClaw | OpenClaw | Medium | 6.5 | 2026-04-23 21:57:59 |
| CVE-2026-41339 | OpenClaw < 2026.4.2 - Information Disclosure via Gateway Connect Snapshot | OpenClaw | OpenClaw | Medium | 4.3 | 2026-04-23 21:57:59 |
| CVE-2026-41338 | OpenClaw < 2026.3.31 - Time-of-Check-Time-of-Use (TOCTOU) Vulnerability in Sandbox File Operations | OpenClaw | OpenClaw | Medium | 5.0 | 2026-04-23 21:57:58 |
| CVE-2026-41337 | OpenClaw < 2026.3.31 - Callback Origin Mutation in Plivo Voice-call Replay | OpenClaw | OpenClaw | Medium | 5.3 | 2026-04-23 21:57:57 |
| CVE-2026-41336 | OpenClaw < 2026.3.31 - Arbitrary Hook Code Execution via OPENCLAW_BUNDLED_HOOKS_DIR Environment Variable Override | OpenClaw | OpenClaw | High | 7.8 | 2026-04-23 21:57:56 |
| CVE-2026-41335 | OpenClaw < 2026.3.31 - Information Disclosure via Control UI Bootstrap JSON | OpenClaw | OpenClaw | Medium | 5.3 | 2026-04-23 21:57:55 |
| CVE-2026-41334 | OpenClaw < 2026.3.31 - Decompression Bomb Denial of Service via Image Pixel-Limit Guard Bypass | OpenClaw | OpenClaw | Medium | 6.5 | 2026-04-23 21:57:55 |
| CVE-2026-41333 | OpenClaw < 2026.3.31 - Authentication Rate Limiting Bypass via Fake DeviceToken | OpenClaw | OpenClaw | Low | 3.7 | 2026-04-23 21:57:54 |
| CVE-2026-41332 | OpenClaw < 2026.3.28 - Code Execution via Missing Environment Variable Blocklist | OpenClaw | OpenClaw | Medium | 5.3 | 2026-04-23 21:57:53 |