
OpenClaw — Vulnerabilities & Security Advisories (507)

All 507 CVE vulnerabilities found in OpenClaw, with AI-generated Chinese analysis, references, and POCs.

This page aggregates the weaknesses reported against OpenClaw, organized by weakness type (CWE) and security tag so that security professionals and developers can analyze them more easily. The entries range from critical remote code execution flaws to minor information disclosure issues and cover advisories reported over the past five years, which makes trends in patching speed and in the attack vectors used against the software visible. Vendor advisories are tracked as they are released and updated, so readers can see which weakness classes (for example buffer overflows or injection flaws) affect the product and how they appear in practice, review the product's vulnerability history to assess past risk, and judge the effectiveness of recent security updates. The page is intended as a single source of structured vulnerability data for system administrators and security auditors who prioritize remediation or assess risk exposure, removing the need to consult several separate sources for accurate, current vulnerability information.

Vendor: OpenClaw

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-53839 | OpenClaw < 2026.5.7 - Hostname Prefix Matching Bypass in Trusted Retry Endpoint Validation | CWE-1023 | 6.5 | Medium | 2026-06-12 |
| CVE-2026-53837 | OpenClaw < 2026.5.6 - Missing Channel Type Validation in Mattermost Event Handlers | CWE-636 | 3.7 | Low | 2026-06-12 |
| CVE-2026-53838 | OpenClaw < 2026.5.27 - Node Pairing State Mutation via Reconnection | CWE-367 | 9.8 | Critical | 2026-06-12 |
| CVE-2026-53836 | OpenClaw < 2026.5.12 - Allowlist Bypass via PowerShell Encoded-Command Aliases | CWE-184 | 8.8 | High | 2026-06-12 |
| CVE-2026-53835 | OpenClaw < 2026.5.6 - Config-Write Enforcement Bypass in Feishu Dynamic-Agent Bindings | CWE-863 | 4.3 | Medium | 2026-06-12 |
| CVE-2026-53834 | OpenClaw < 2026.4.27 - Authorization Bypass in QQBot Pre-dispatch Slash Commands | CWE-863 | 7.5 | High | 2026-06-12 |
| CVE-2026-53833 | QQBot for OpenClaw < 2026.4.29 - Authorization Bypass via QQBot Streaming Command | CWE-290 | 7.7 | High | 2026-06-12 |
| CVE-2026-53832 | OpenClaw < 2026.5.18 - Identity Header Forgery via Trusted-Proxy Configuration | CWE-290 | 7.7 | High | 2026-06-12 |
| CVE-2026-53831 | OpenClaw < 2026.5.18 - Arbitrary File Read via Shell Expansion in system.run Safe-bin Allowlist | CWE-367 | 8.3 | High | 2026-06-12 |
| CVE-2026-53830 | OpenClaw < 2026.4.22 - Webhook Secret Revocation Bypass via secrets.reload | CWE-613 | 6.5 | Medium | 2026-06-12 |
| CVE-2026-53829 | OpenClaw < 2026.5.18 - Command Truncation in Exec Approval Display | CWE-451 | 8.0 | High | 2026-06-12 |
| CVE-2026-53827 | OpenClaw < 2026.5.2 - Credential Exposure via Model-Supplied Loopback URLs in message.action Forwarding | CWE-918 | 6.5 | Medium | 2026-06-12 |
| CVE-2026-53828 | OpenClaw < 2026.5.6 - Native Command Authorization Bypass via Owner-Command Enforcement | CWE-863 | 8.8 | High | 2026-06-12 |
| CVE-2026-53826 | OpenClaw < 2026.4.26 - Information Disclosure via Sandboxed Session Spawn | CWE-668 | 4.3 | Medium | 2026-06-12 |
| CVE-2026-53825 | OpenClaw < 2026.4.7 - Arbitrary Local File Read via memory-wiki Ingest with operator.write Scope | CWE-22 | 6.5 | Medium | 2026-06-12 |
| CVE-2026-53824 | Mattermost plugin for OpenClaw < 2026.4.24 - Slash Token Revocation Lag via Monitor Refresh Delay | CWE-613 | 6.5 | Medium | 2026-06-12 |
| CVE-2026-53823 | OpenClaw < 2026.5.3 - Privilege Escalation via Mutable Slack Display Names in allowFrom | CWE-290 | 8.1 | High | 2026-06-12 |
| CVE-2026-53822 | OpenClaw < 2026.5.18 - Command Argument Modification via Shell Wrapper Between Approval and Execution | CWE-367 | 8.8 | High | 2026-06-12 |
| CVE-2026-53821 | OpenClaw < 2026.5.18 - Scope Elevation in trusted-proxy Control UI WebSocket | CWE-862 | 8.8 | High | 2026-06-12 |
| CVE-2026-53820 | OpenClaw < 2026.5.12 - Exec Denylist Bypass in Bundle MCP Loopback Session Spawn | CWE-862 | 6.6 | Medium | 2026-06-12 |
| CVE-2026-53819 | OpenClaw < 2026.5.27 - Arbitrary Homebrew Executable Execution via Workspace .env Override | CWE-426 | 8.8 | High | 2026-06-11 |
| CVE-2026-53818 | OpenClaw < 2026.4.24 - Owner-Only Tool Policy Bypass via MCP Loopback | CWE-862 | 6.6 | Medium | 2026-06-11 |
| CVE-2026-53817 | OpenClaw < 2026.5.22 - Control UI Locality Spoofing in Device Pairing | CWE-290 | 8.8 | High | 2026-06-11 |
| CVE-2026-53816 | OpenClaw < 2026.5.18 - Exec Lifecycle Event Forgery via Paired Node | CWE-862 | 7.2 | High | 2026-06-11 |
| CVE-2026-53815 | OpenClaw < 2026.5.19 - Channel Allowlist Bypass in Message Read Actions | CWE-862 | 6.5 | Medium | 2026-06-11 |
| CVE-2026-53814 | OpenClaw < 2026.5.20 - Privilege Escalation via Hook-Triggered CLI MCP Tool Authority | CWE-266 | 8.3 | High | 2026-06-11 |
| CVE-2026-53813 | OpenClaw < 2026.4.25 - Arbitrary Artifact Loading via Fake Package Root Resolution | CWE-427 | 7.8 | High | 2026-06-11 |
| CVE-2026-53812 | OpenClaw < 2026.5.18 - Private-Network Navigation Bypass via Browser Act Interactions | CWE-918 | 7.7 | High | 2026-06-11 |
| CVE-2026-53811 | OpenClaw < 2026.5.7 - Privilege Escalation via Mutable Display Names in Matrix allowFrom | CWE-290 | 8.8 | High | 2026-06-11 |
| CVE-2026-53810 | OpenClaw < 2026.5.18 - Arbitrary Code Execution via Unscanned Marketplace Runtime Extension Metadata | CWE-829 | 8.8 | High | 2026-06-11 |
