OpenClaw — Vulnerabilities & Security Advisories (534)

All 534 CVE vulnerabilities found in OpenClaw, with AI-generated Chinese analysis, references, and POCs.

This page catalogs security vulnerabilities associated with the OpenClaw product, organised by weakness type and associated tags. It aggregates open-source software flaws, configuration issues, and logic errors identified within the OpenClaw ecosystem, covering vulnerability reports from the initial public release of the software up to the most recent updates.

Users can track the vendor's security advisories to stay informed about patched issues, and can read about specific weakness classes affecting OpenClaw, such as injection flaws or cross-site scripting risks. The resource also supports a thorough look-up of a product's vulnerability history, providing context on how security incidents have evolved over time.

This aggregation serves as a central reference for developers, security researchers, and system administrators who rely on OpenClaw. By reviewing these entries, stakeholders can assess the current risk posture of their deployments and prioritize remediation based on historical data and severity assessments. The information is structured so that key details on impact, affected versions, and mitigation strategies are presented clearly, without unnecessary technical noise, for both immediate reference and long-term security planning.

Vendor: OpenClaw

CVE ID | Title | CWE | CVSS | Severity | Published
CVE-2026-28466 | OpenClaw < 2026.2.14 - Remote Code Execution via Node Invoke Approval Bypass | CWE-863 | 9.9 | Critical | 2026-03-05
CVE-2026-28464 | OpenClaw < 2026.2.12 - Timing Attack in Hooks Token Authentication | CWE-208 | 5.9 | Medium | 2026-03-05
CVE-2026-28463 | OpenClaw < 2026.2.14 - Arbitrary File Read via Shell Expansion in Safe Bins Allowlist | CWE-78 | 8.4 | High | 2026-03-05
CVE-2026-28462 | OpenClaw < 2026.2.13 - Path Traversal in Trace and Download Output Paths | CWE-22 | 7.5 | High | 2026-03-05
CVE-2026-28459 | OpenClaw < 2026.2.12 - Arbitrary File Write via Untrusted sessionFile Path | CWE-73 | 7.1 | High | 2026-03-05
CVE-2026-28458 | OpenClaw 2026.1.20 < 2026.2.1 - Missing Authentication in Browser Relay /cdp WebSocket Endpoint | CWE-306 | 8.1 | High | 2026-03-05
CVE-2026-28457 | OpenClaw < 2026.2.14 - Path Traversal in Sandbox Skill Mirroring via Name Parameter | CWE-22 | 6.1 | Medium | 2026-03-05
CVE-2026-28456 | OpenClaw 2026.1.5 < 2026.2.14 - Arbitrary Code Execution via Unsafe Hook Module Path Handling | CWE-427 | 7.2 | High | 2026-03-05
CVE-2026-28454 | OpenClaw < 2026.2.2 - Authorization Bypass via Unauthenticated Telegram Webhook | CWE-345 | 7.5 | High | 2026-03-05
CVE-2026-28453 | OpenClaw < 2026.2.14 - Zip Slip Path Traversal in TAR Archive Extraction | CWE-22 | 7.5 | High | 2026-03-05
CVE-2026-28452 | OpenClaw < 2026.2.14 - Denial of Service via Unguarded Archive Extraction in extractArchive | CWE-770 | 5.5 | Medium | 2026-03-05
CVE-2026-28451 | OpenClaw < 2026.2.14 - SSRF via Feishu Extension Media Fetching | - | 8.3 | High | 2026-03-05
CVE-2026-28450 | OpenClaw < 2026.2.12 - Unauthenticated Profile Tampering via Nostr Plugin HTTP Endpoints | - | 6.8 | Medium | 2026-03-05
CVE-2026-28448 | OpenClaw 2026.1.29 < 2026.2.1 - Authorization Bypass in Twitch Plugin allowFrom Access Control | CWE-285 | 7.3 | High | 2026-03-05
CVE-2026-28447 | OpenClaw 2026.1.29-beta.1 < 2026.2.1 - Path Traversal in Plugin Installation via Package Name | CWE-22 | 8.1 | High | 2026-03-05
CVE-2026-28446 | OpenClaw < 2026.2.1 - Inbound Allowlist Policy Bypass in voice-call Extension via Empty Caller ID and Suffix Matching | - | 9.4 | Critical | 2026-03-05
CVE-2026-28395 | OpenClaw 2026.1.14-1 < 2026.2.12 - Unintended Public Binding of Chrome Extension Relay via Wildcard cdpUrl | CWE-1327 | 6.5 | Medium | 2026-03-05
CVE-2026-28394 | OpenClaw < 2026.2.15 - Denial of Service via Unbounded Response Parsing in web_fetch Tool | CWE-770 | 6.5 | Medium | 2026-03-05
CVE-2026-28393 | OpenClaw 2.0.0-beta3 < 2026.2.14 - Arbitrary JavaScript Module Loading via Hook Transform Path Traversal | CWE-22 | 7.7 | High | 2026-03-05
CVE-2026-28392 | OpenClaw < 2026.2.14 - Privilege Escalation in Slack Slash Command Handler via Direct Messages | - | 7.5 | High | 2026-03-05
CVE-2026-28391 | OpenClaw < 2026.2.2 - Command Injection via cmd.exe Parsing Bypass in Allowlist Enforcement | - | 9.8 | Critical | 2026-03-05
CVE-2026-28363 | OpenClaw security vulnerability | CWE-184 | 9.9 | Critical | 2026-02-27
CVE-2026-27576 | OpenClaw: ACP prompt-size checks missing in local stdio bridge could reduce responsiveness with very large inputs | CWE-400 | 3.3 | - | 2026-02-21
CVE-2026-27488 | OpenClaw hardened cron webhook delivery against SSRF | CWE-918 | 7.1 | - | 2026-02-21
CVE-2026-27487 | OpenClaw: Prevent shell injection in macOS keychain credential write | CWE-78 | 7.6 | High | 2026-02-21
CVE-2026-27486 | OpenClaw: Process Safety - Unvalidated PID Kill via SIGKILL in Process Cleanup | CWE-283 | 6.5 (AI) | Medium (AI) | 2026-02-21
CVE-2026-27485 | OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection | CWE-61 | 5.5 | - | 2026-02-21
CVE-2026-27484 | OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows | CWE-862 | 6.5 | - | 2026-02-21
CVE-2026-27009 | OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection | CWE-79 | 5.8 | Medium | 2026-02-19
CVE-2026-27008 | OpenClaw hardened the skill download target directory validation | CWE-73 | 7.7 | - | 2026-02-19