OpenClaw — Vulnerabilities & Security Advisories 339

All 339 CVE vulnerabilities found in OpenClaw, with AI-generated Chinese analysis, references, and POCs.

CVE ID	Title	CVSS	Severity	Paused
CVE-2026-41361	OpenClaw < 2026.3.28 - SSRF Guard Bypass via IPv6 Special-Use Ranges CWE-184	7.1	High	2026-04-23
CVE-2026-41359	OpenClaw < 2026.3.28 - Privilege Escalation via operator.write to Admin-Class Telegram Config and Cron Persistence CWE-269	7.1	High	2026-04-23
CVE-2026-41360	OpenClaw < 2026.4.2 - Approval Integrity Bypass in pnpm dlx Local Script Binding CWE-367	6.7	Medium	2026-04-23
CVE-2026-41358	OpenClaw < 2026.4.2 - Sender Allowlist Bypass via Slack Thread Context CWE-346	5.4	Medium	2026-04-23
CVE-2026-41357	OpenClaw < 2026.3.31 - Unsanitized Environment Variable Leakage in SSH Sandbox Backends CWE-214	3.3	Low	2026-04-23
CVE-2026-41355	OpenShell < 2026.3.28 - Arbitrary Code Execution via Mirror Mode Sandbox File Conversion CWE-829	7.3	High	2026-04-23
CVE-2026-41356	OpenClaw < 2026.3.31 - Incomplete WebSocket Session Termination in device.token.rotate CWE-613	5.4	Medium	2026-04-23
CVE-2026-41354	OpenClaw < 2026.4.2 - Insufficient Scope in Zalo Webhook Replay Dedupe Keys CWE-706	3.7	Low	2026-04-23
CVE-2026-41353	OpenClaw < 2026.3.22 - allowProfiles Bypass via Profile Mutation and Runtime Selection CWE-472	8.1	High	2026-04-23
CVE-2026-41352	OpenClaw < 2026.3.31 - Remote Code Execution via Node Scope Gate Bypass CWE-862	8.8	High	2026-04-23
CVE-2026-41351	OpenClaw < 2026.3.31 - Webhook Replay Detection Bypass via Base64 Signature Re-encoding CWE-294	5.3	Medium	2026-04-23
CVE-2026-41350	OpenClaw < 2026.3.31 - Session Visibility Bypass via session_status in Unsandboxed Invocations CWE-863	4.3	Medium	2026-04-23
CVE-2026-41349	OpenClaw < 2026.3.28 - Agentic Consent Bypass via config.patch CWE-862	8.8	High	2026-04-23
CVE-2026-41348	OpenClaw < 2026.3.31 - Group DM Channel Allowlist Bypass via Discord Slash Commands CWE-863	5.4	Medium	2026-04-23
CVE-2026-41347	OpenClaw < 2026.3.31 - Cross-Site Request Forgery via Missing Browser-Origin Validation in HTTP Operator Endpoints CWE-352	7.1	High	2026-04-23
CVE-2026-41346	OpenClaw 2026.2.26 < 2026.3.31 - Denial of Service via Improper Pending Pairing Request Cap Enforcement CWE-799	5.3	Medium	2026-04-23
CVE-2026-41345	OpenClaw < 2026.3.31 - Authorization Header Leak via Cross-Origin Redirect in Media Download CWE-522	5.3	Medium	2026-04-23
CVE-2026-41344	OpenClaw < 2026.3.28 - Privilege Escalation via chat.send /verbose Parameter CWE-863	5.4	Medium	2026-04-23
CVE-2026-41343	OpenClaw < 2026.3.31 - Denial of Service via LINE Webhook Handler Pre-Auth Concurrency CWE-799	5.3	Medium	2026-04-23
CVE-2026-41342	OpenClaw < 2026.3.28 - Unauthenticated Discovery Endpoint Credential Exfiltration via Remote Onboarding CWE-346	7.3	High	2026-04-23
CVE-2026-41341	OpenClaw < 2026.3.31 - Component Interaction Misclassification in Discord Extension CWE-351	5.4	Medium	2026-04-23
CVE-2026-41339	OpenClaw < 2026.4.2 - Information Disclosure via Gateway Connect Snapshot CWE-497	4.3	Medium	2026-04-23
CVE-2026-41340	OpenClaw < 2026.3.31 - Authentication Boundary Bypass via Telegram Legacy allowFrom Migration CWE-372	6.5	Medium	2026-04-23
CVE-2026-41338	OpenClaw < 2026.3.31 - Time-of-Check-Time-of-Use (TOCTOU) Vulnerability in Sandbox File Operations CWE-367	5.0	Medium	2026-04-23
CVE-2026-41337	OpenClaw < 2026.3.31 - Callback Origin Mutation in Plivo Voice-call Replay CWE-367	5.3	Medium	2026-04-23
CVE-2026-41336	OpenClaw < 2026.3.31 - Arbitrary Hook Code Execution via OPENCLAW_BUNDLED_HOOKS_DIR Environment Variable Override CWE-829	7.8	High	2026-04-23
CVE-2026-41334	OpenClaw < 2026.3.31 - Decompression Bomb Denial of Service via Image Pixel-Limit Guard Bypass CWE-636	6.5	Medium	2026-04-23
CVE-2026-41335	OpenClaw < 2026.3.31 - Information Disclosure via Control UI Bootstrap JSON CWE-497	5.3	Medium	2026-04-23
CVE-2026-41333	OpenClaw < 2026.3.31 - Authentication Rate Limiting Bypass via Fake DeviceToken CWE-799	3.7	Low	2026-04-23
CVE-2026-41332	OpenClaw < 2026.3.28 - Code Execution via Missing Environment Variable Blocklist CWE-184	5.3	Medium	2026-04-23

All 339 known CVE vulnerabilities affecting OpenClaw with full Chinese analysis, references, and POCs where available.

Support Us — Your donation helps us keep running

OpenClaw — Vulnerabilities & Security Advisories 339