
OpenClaw — Vulnerabilities & Security Advisories (507)

All 507 CVE vulnerabilities found in OpenClaw, with AI-generated Chinese analysis, references, and POCs.

This page aggregates the published vulnerabilities affecting OpenClaw, organized by weakness type (CWE) and security tags so that security professionals and developers can analyze them more easily. The entries range from critical remote code execution flaws to minor information disclosure issues and cover reports from the past five years, which gives a historical view of the product's security posture and makes trends in patching speed and in newly emerging attack vectors visible. Each entry tracks the vendor advisory as it is released and updated, and the listing shows which weakness classes (for example buffer overflows or injection flaws) have affected the product and how they appeared in practice. System administrators and security auditors can use the product's vulnerability history to assess past risk, judge how effective recent security updates have been, and prioritize remediation, without having to consult several separate sources for accurate, current vulnerability information.

Vendor: OpenClaw

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-35622 | OpenClaw < 2026.3.22 - Improper Authentication Verification in Google Chat Webhook | CWE-290 | 5.9 | Medium | 2026-04-09 |
| CVE-2026-35617 | OpenClaw < 2026.3.25 - Authorization Bypass via Group Policy Rebinding with Mutable Space displayName | CWE-807 | 4.2 | Medium | 2026-04-09 |
| CVE-2026-34512 | OpenClaw < 2026.3.25 - Improper Access Control in /sessions/:sessionKey/kill Endpoint | CWE-863 | 8.1 | High | 2026-04-09 |
| CVE-2026-40037 | OpenClaw < 2026.3.31 - Unsafe Request Body Replay via fetchWithSsrFGuard Cross-Origin Redirects | CWE-601 | 6.5 | Medium | 2026-04-08 |
| CVE-2026-34511 | OpenClaw < 2026.4.2 - PKCE Verifier Exposure via OAuth State Parameter | CWE-330 | 5.3 | Medium | 2026-04-03 |
| CVE-2026-34426 | OpenClaw - Approval Bypass via Environment Variable Normalization | CWE-184 | 7.6 | High | 2026-04-02 |
| CVE-2026-34425 | OpenClaw - Shell-Bleed Protection Preflight Validation Bypass | CWE-184 | 5.4 | Medium | 2026-04-02 |
| CVE-2026-34510 | OpenClaw < 2026.3.22 - Remote File URL Acceptance in Windows Media Loaders | CWE-41 | 5.3 | Medium | 2026-04-01 |
| CVE-2026-34504 | OpenClaw < 2026.3.28 - Server-Side Request Forgery via Unguarded Image Download in fal Provider | CWE-918 | 8.3 | High | 2026-03-31 |
| CVE-2026-34503 | OpenClaw < 2026.3.28 - Incomplete WebSocket Session Termination on Device Removal and Token Revocation | CWE-613 | 8.1 | High | 2026-03-31 |
| CVE-2026-33581 | OpenClaw < 2026.3.24 - Arbitrary File Read via mediaUrl and fileUrl Parameters | CWE-22 | 6.5 | Medium | 2026-03-31 |
| CVE-2026-33580 | OpenClaw < 2026.3.28 - Brute Force Attack via Missing Rate Limiting on Webhook Shared Secret Authentication | CWE-307 | 6.5 | Medium | 2026-03-31 |
| CVE-2026-33578 | OpenClaw < 2026.3.28 - Sender Policy Allowlist Bypass via Policy Downgrade in Google Chat and Zalouser Extensions | CWE-863 | 4.3 | Medium | 2026-03-31 |
| CVE-2026-33579 | OpenClaw < 2026.3.28 - Privilege Escalation via Missing Caller Scope Validation in Device Pair Approval | CWE-863 | 9.9 | Critical | 2026-03-31 |
| CVE-2026-33576 | OpenClaw < 2026.3.28 - Unauthorized Media Download via Zalo Channel | CWE-863 | 6.5 | Medium | 2026-03-31 |
| CVE-2026-33577 | OpenClaw < 2026.3.28 - Insufficient Scope Validation in node.pair.approve | CWE-863 | 8.1 | High | 2026-03-31 |
| CVE-2026-34505 | OpenClaw < 2026.3.12 - Webhook Rate Limiting Bypass via Pre-Authentication Secret Validation | CWE-307 | 6.5 | Medium | 2026-03-31 |
| CVE-2026-34506 | OpenClaw < 2026.3.8 - Sender Allowlist Bypass in Microsoft Teams Plugin via Route Allowlist Configuration | CWE-863 | 4.3 | Medium | 2026-03-31 |
| CVE-2026-32988 | OpenClaw < 2026.3.11 - Sandbox Boundary Bypass via Unvalidated Temporary File Creation | CWE-367 | 7.5 | High | 2026-03-31 |
| CVE-2026-32977 | OpenClaw < 2026.3.11 - Sandbox Boundary Bypass via Unanchored writeFile Commit Path | CWE-367 | 6.3 | Medium | 2026-03-31 |
| CVE-2026-32982 | OpenClaw < 2026.3.13 - Telegram Bot Token Exposure in Media Fetch Error Logs | CWE-532 | 7.5 | High | 2026-03-31 |
| CVE-2026-32976 | OpenClaw < 2026.3.11 - Account-Scoped configWrites Policy Bypass via Channel Commands | CWE-639 | 6.5 | Medium | 2026-03-31 |
| CVE-2026-32971 | OpenClaw < 2026.3.11 - Node-Host Approval UI Mismatch Allows Execution of Unintended Commands | CWE-451 | 7.1 | High | 2026-03-31 |
| CVE-2026-32970 | OpenClaw < 2026.3.11 - Credential Fallback Logic Bypass via Unavailable Local Auth SecretRefs | CWE-636 | 2.5 | Low | 2026-03-31 |
| CVE-2026-32921 | OpenClaw < 2026.3.8 - Script Content Modification via Mutable Operand Binding in system.run | CWE-367 | 6.3 | Medium | 2026-03-31 |
| CVE-2026-32920 | OpenClaw < 2026.3.12 - Arbitrary Code Execution via Auto-Discovery of Workspace Plugins | CWE-829 | 8.4 | High | 2026-03-31 |
| CVE-2026-32917 | OpenClaw < 2026.3.13 - Remote Command Injection via Unsanitized iMessage Attachment Paths in SCP | CWE-78 | 9.8 | Critical | 2026-03-31 |
| CVE-2026-32916 | OpenClaw 2026.3.7 < 2026.3.11 - Authorization Bypass in Plugin Subagent Routes via Synthetic Admin Scopes | CWE-266 | 9.4 | Critical | 2026-03-31 |
| CVE-2026-33574 | OpenClaw < 2026.3.8 - Path Traversal via Tools Root Rebinding in Skills Download | CWE-367 | 6.2 | Medium | 2026-03-29 |
| CVE-2026-33575 | OpenClaw < 2026.3.12 - Long-lived Credential Exposure in Pairing Setup Codes | CWE-522 | 7.5 | High | 2026-03-29 |