OpenClaw — Vulnerabilities & Security Advisories 339

All 339 CVE vulnerabilities found in OpenClaw, with AI-generated Chinese analysis, references, and POCs.

CVE ID	Title	CVSS	Severity	Published
CVE-2026-32008	OpenClaw < 2026.2.21 - Arbitrary Local File Read via Browser Navigation Guard CWE-610	6.5	Medium	2026-03-19
CVE-2026-32007	OpenClaw < 2026.2.23 - Sandbox Bypass in apply_patch Tool via Workspace-Only Check Bypass CWE-22	6.8	Medium	2026-03-19
CVE-2026-32005	OpenClaw < 2026.2.25 - Authorization Bypass in Interactive Callbacks via Sender Check Skip CWE-863	6.8	Medium	2026-03-19
CVE-2026-32006	OpenClaw < 2026.2.26 - Authorization Bypass via DM Pairing-Store Fallback in Group Allowlist CWE-863	3.1	Low	2026-03-19
CVE-2026-32004	OpenClaw < 2026.3.2 - Authentication Bypass via Encoded Path in /api/channels Route CWE-288	6.5	Medium	2026-03-19
CVE-2026-32003	OpenClaw < 2026.2.22 - Remote Code Execution via SHELLOPTS/PS4 Environment Injection in system.run CWE-78	6.6	Medium	2026-03-19
CVE-2026-32002	OpenClaw < 2026.2.23 - Sandbox Boundary Bypass via Image Tool workspaceOnly Bypass CWE-200	5.3	Medium	2026-03-19
CVE-2026-32001	OpenClaw < 2026.2.22 - Node Role Device-Identity Bypass via WebSocket Authentication CWE-863	5.4	Medium	2026-03-19
CVE-2026-32000	OpenClaw < 2026.2.19 - Command Injection via Windows Shell Fallback in Lobster Tool Execution CWE-78	7.1	High	2026-03-19
CVE-2026-31998	OpenClaw 2026.2.22 < 2026.2.24 - Authorization Bypass in Synology Chat Plugin via Empty allowedUserIds CWE-863	8.6	High	2026-03-19
CVE-2026-31999	OpenClaw 2026.2.26 < 2026.3.1 - Current Working Directory Injection via Windows Wrapper Resolution Fallback CWE-78	6.3	Medium	2026-03-19
CVE-2026-31997	OpenClaw < 2026.3.1 - Executable Rebind via Unbound PATH-token in system.run Approvals CWE-367	6.0	Medium	2026-03-19
CVE-2026-31996	OpenClaw < 2026.2.19 - safeBins stdin-only bypass via sort output and recursive grep flags CWE-78	4.4	Medium	2026-03-19
CVE-2026-31994	OpenClaw < 2026.2.19 - Local Command Injection via Unsafe cmd Argument Handling in Windows Scheduled Task Script Generation CWE-78	7.1	High	2026-03-19
CVE-2026-31995	OpenClaw 2026.1.21 < 2026.2.19 - Command Injection via Windows Shell Fallback in Lobster Extension CWE-78	5.3	Medium	2026-03-19
CVE-2026-31993	OpenClaw < 2026.2.22 - Allowlist Parsing Mismatch in system.run Shell Chains CWE-184	4.8	Medium	2026-03-19
CVE-2026-31992	OpenClaw < 2026.2.23 - Allowlist Exec-Guard Bypass via env -S CWE-184	7.1	High	2026-03-19
CVE-2026-31991	OpenClaw < 2026.2.26 - Authorization Bypass via DM Pairing-Store Leakage in Signal Group Allowlist CWE-863	3.7	Low	2026-03-19
CVE-2026-31990	OpenClaw < 2026.3.2 - Symlink Traversal in stageSandboxMedia Destination CWE-59	6.1	Medium	2026-03-19
CVE-2026-31989	OpenClaw < 2026.3.1 - Server-Side Request Forgery via web_search Citation Redirect CWE-918	7.4	High	2026-03-19
CVE-2026-29607	OpenClaw < 2026.2.22 - Authorization Bypass via allow-always Wrapper Persistence CWE-78	6.8	Medium	2026-03-19
CVE-2026-29608	OpenClaw 2026.3.1 < 2026.3.2 - Approval Integrity Bypass via system.run argv Rewriting CWE-88	6.7	Medium	2026-03-19
CVE-2026-28461	OpenClaw < 2026.3.1 - Unbounded Memory Growth in Zalo Webhook via Query String Key Churn CWE-770	7.5	High	2026-03-19
CVE-2026-28460	OpenClaw < 2026.2.22 - Allowlist Bypass via Shell Line-Continuation Command Substitution in system.run CWE-78	7.1	High	2026-03-19
CVE-2026-27670	OpenClaw < 2026.3.2 - Arbitrary File Write via ZIP Extraction Parent Symlink Race Condition CWE-367	5.3	Medium	2026-03-19
CVE-2026-28449	OpenClaw < 2026.2.25 - Webhook Replay Attack via Missing Durable Replay Suppression CWE-294	6.5	Medium	2026-03-19
CVE-2026-27566	OpenClaw < 2026.2.22 - Allowlist Bypass via Wrapper Binary Unwrapping in system.run CWE-78	7.1	High	2026-03-19
CVE-2026-22176	OpenClaw < 2026.2.19 - Command Injection via Unescaped Environment Variables in Windows Scheduled Task Script Generation CWE-78	6.1	Medium	2026-03-19
CVE-2026-27545	OpenClaw < 2026.2.26 - Approval Bypass via Parent Symlink Current Working Directory Rebind CWE-367	6.1	Medium	2026-03-18
CVE-2026-27524	OpenClaw < 2026.2.21 - Prototype Pollution via Debug Override Path CWE-1321	4.3	Medium	2026-03-18

All 339 known CVE vulnerabilities affecting OpenClaw with full Chinese analysis, references, and POCs where available.

Goal Reached Thanks to every supporter — we hit 100%!

OpenClaw — Vulnerabilities & Security Advisories 339