Support Us — Your donation helps us keep running

Goal: 1000 CNY,Raised: 1000 CNY

100.0%
Donate Now

OpenClaw — Vulnerabilities & Security Advisories 339

All 339 CVE vulnerabilities found in OpenClaw, with AI-generated Chinese analysis, references, and POCs.

Vendor: OpenClaw

CVE IDTitleCVSSSeverityPaused
CVE-2026-35633 OpenClaw < 2026.3.22 - Unbounded Memory Allocation via Remote Media Error Responses CWE-789 5.3 Medium2026-04-09
CVE-2026-35634 OpenClaw < 2026.3.23 - Authentication Bypass via Local-Direct Requests in Canvas Gateway CWE-288 5.1 Medium2026-04-09
CVE-2026-35632 OpenClaw < 2026.2.22 - Symlink Traversal via IDENTITY.md appendFile in agents.create/update CWE-61 7.1 High2026-04-09
CVE-2026-35631 OpenClaw < 2026.3.22 - Missing Authorization Enforcement in Internal ACP Chat Commands CWE-862 6.5 Medium2026-04-09
CVE-2026-35629 OpenClaw < 2026.3.25 - Server-Side Request Forgery via Unguarded Configured Base URLs in Channel Extensions CWE-918 7.4 High2026-04-09
CVE-2026-35628 OpenClaw < 2026.3.25 - Brute-Force Attack via Missing Telegram Webhook Rate Limiting CWE-307 4.8 Medium2026-04-09
CVE-2026-35627 OpenClaw < 2026.3.22 - Unauthenticated Cryptographic Work in Nostr Inbound DM Handling CWE-696 6.5 Medium2026-04-09
CVE-2026-35626 OpenClaw < 2026.3.22 - Unauthenticated Resource Exhaustion via Voice Call Webhook CWE-405 5.3 Medium2026-04-09
CVE-2026-35625 OpenClaw < 2026.3.25 - Privilege Escalation via Silent Local Shared-Auth Reconnect CWE-648 7.8 High2026-04-09
CVE-2026-35624 OpenClaw < 2026.3.22 - Policy Confusion via Room Name Collision in Nextcloud Talk CWE-807 4.2 Medium2026-04-09
CVE-2026-35623 OpenClaw < 2026.3.25 - Brute-Force Attack via Missing Webhook Password Rate Limiting CWE-307 4.8 Medium2026-04-09
CVE-2026-35622 OpenClaw < 2026.3.22 - Improper Authentication Verification in Google Chat Webhook CWE-290 5.9 Medium2026-04-09
CVE-2026-35618 OpenClaw < 2026.3.23 - Replay Identity Drift via Query-Only Variants in Plivo V2 Verification CWE-294 6.5 Medium2026-04-09
CVE-2026-35617 OpenClaw < 2026.3.25 - Authorization Bypass via Group Policy Rebinding with Mutable Space displayName CWE-807 4.2 Medium2026-04-09
CVE-2026-34512 OpenClaw < 2026.3.25 - Improper Access Control in /sessions/:sessionKey/kill Endpoint CWE-863 8.1 High2026-04-09
CVE-2026-40037 OpenClaw < 2026.3.31 - Unsafe Request Body Replay via fetchWithSsrFGuard Cross-Origin Redirects CWE-601 6.5 Medium2026-04-08
CVE-2026-34511 OpenClaw < 2026.4.2 - PKCE Verifier Exposure via OAuth State Parameter CWE-330 5.3 Medium2026-04-03
CVE-2026-34426 OpenClaw - Approval Bypass via Environment Variable Normalization CWE-184 7.6 High2026-04-02
CVE-2026-34425 OpenClaw - Shell-Bleed Protection Preflight Validation Bypass CWE-184 5.4 Medium2026-04-02
CVE-2026-34510 OpenClaw < 2026.3.22 - Remote File URL Acceptance in Windows Media Loaders CWE-41 5.3 Medium2026-04-01
CVE-2026-34504 OpenClaw < 2026.3.28 - Server-Side Request Forgery via Unguarded Image Download in fal Provider CWE-918 8.3 High2026-03-31
CVE-2026-34503 OpenClaw < 2026.3.28 - Incomplete WebSocket Session Termination on Device Removal and Token Revocation CWE-613 8.1 High2026-03-31
CVE-2026-33581 OpenClaw < 2026.3.24 - Arbitrary File Read via mediaUrl and fileUrl Parameters CWE-22 6.5 Medium2026-03-31
CVE-2026-33580 OpenClaw < 2026.3.28 - Brute Force Attack via Missing Rate Limiting on Webhook Shared Secret Authentication CWE-307 6.5 Medium2026-03-31
CVE-2026-33578 OpenClaw < 2026.3.28 - Sender Policy Allowlist Bypass via Policy Downgrade in Google Chat and Zalouser Extensions CWE-863 4.3 Medium2026-03-31
CVE-2026-33579 OpenClaw < 2026.3.28 - Privilege Escalation via Missing Caller Scope Validation in Device Pair Approval CWE-863 9.9 Critical2026-03-31
CVE-2026-33576 OpenClaw < 2026.3.28 - Unauthorized Media Download via Zalo Channel CWE-863 6.5 Medium2026-03-31
CVE-2026-33577 OpenClaw < 2026.3.28 - Insufficient Scope Validation in node.pair.approve CWE-863 8.1 High2026-03-31
CVE-2026-34505 OpenClaw < 2026.3.12 - Webhook Rate Limiting Bypass via Pre-Authentication Secret Validation CWE-307 6.5 Medium2026-03-31
CVE-2026-34506 OpenClaw < 2026.3.8 - Sender Allowlist Bypass in Microsoft Teams Plugin via Route Allowlist Configuration CWE-863 4.3 Medium2026-03-31

All 339 known CVE vulnerabilities affecting OpenClaw with full Chinese analysis, references, and POCs where available.