
OpenClaw — Vulnerabilities & Security Advisories 339

All 339 CVE vulnerabilities found in OpenClaw, with AI-generated Chinese analysis, references, and POCs.

Vendor: OpenClaw

| CVE ID | Title | CWE | CVSS | Severity | Date |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-27523 | OpenClaw < 2026.2.24 - Sandbox Bind Validation Bypass via Symlink-Parent Missing-Leaf Paths | CWE-22 | 6.1 | Medium | 2026-03-18 |
| CVE-2026-22217 | OpenClaw 2026.2.22 < 2026.2.23 - Arbitrary Binary Execution via $SHELL Environment Variable Trusted Prefix Fallback | CWE-829 | 6.1 | Medium | 2026-03-18 |
| CVE-2026-27522 | OpenClaw < 2026.2.24 - Arbitrary File Read via sendAttachment and setGroupIcon Message Actions | CWE-22 | 6.5 | Medium | 2026-03-18 |
| CVE-2026-22181 | OpenClaw < 2026.3.2 - DNS Pinning Bypass via Environment Proxy Configuration in web_fetch | CWE-918 | 7.6 | High | 2026-03-18 |
| CVE-2026-22180 | OpenClaw < 2026.3.2 - Path Confinement Bypass in Browser Output and File Write Operations | CWE-59 | 5.3 | Medium | 2026-03-18 |
| CVE-2026-22179 | OpenClaw < 2026.2.22 - Allowlist Bypass via Command Substitution in system.run | CWE-78 | 7.2 | High | 2026-03-18 |
| CVE-2026-22178 | OpenClaw < 2026.2.19 - ReDoS and Regex Injection via Unescaped Feishu Mention Metadata | CWE-1333 | 6.5 | Medium | 2026-03-18 |
| CVE-2026-22177 | OpenClaw < 2026.2.21 - Environment Variable Injection via Config env.vars | CWE-15 | 6.1 | Medium | 2026-03-18 |
| CVE-2026-22175 | OpenClaw < 2026.2.23 - Exec Approval Bypass via Unrecognized Multiplexer Shell Wrappers | CWE-184 | 7.1 | High | 2026-03-18 |
| CVE-2026-22174 | OpenClaw < 2026.2.22 - Gateway Token Disclosure via Chrome CDP Probe | CWE-306 | 6.8 | Medium | 2026-03-18 |
| CVE-2026-22171 | OpenClaw < 2026.2.19 - Path Traversal in Feishu Media Temporary File Naming | CWE-22 | 8.2 | High | 2026-03-18 |
| CVE-2026-22169 | OpenClaw < 2026.2.22 - Allowlist Bypass via sort Configuration in safeBins | CWE-78 | 6.7 | Medium | 2026-03-18 |
| CVE-2026-22170 | OpenClaw < 2026.2.22 BlueBubbles - Access Control Bypass via Empty allowFrom Configuration | CWE-863 | 6.5 | Medium | 2026-03-18 |
| CVE-2026-22168 | OpenClaw < 2026.2.21 - Command Injection via cmd.exe /c Trailing Arguments in system.run | CWE-88 | 6.5 | Medium | 2026-03-18 |
| CVE-2026-32302 | OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode | CWE-346 | 8.1 | High | 2026-03-12 |
| CVE-2026-4040 | OpenClaw File Existence tools.exec.safeBins information exposure | CWE-203 | 3.3 | Low | 2026-03-12 |
| CVE-2026-4039 | OpenClaw Skill Env applySkillConfigenvOverrides code injection | CWE-94 | 6.3 | Medium | 2026-03-12 |
| CVE-2026-32063 | OpenClaw 2026.2.19-2 < 2026.2.21 - Command Injection via Newline in systemd Unit Generation | CWE-77 | 7.1 | High | 2026-03-11 |
| CVE-2026-32062 | OpenClaw 2026.2.21-2 < 2026.2.22 - Unauthenticated WebSocket Resource Exhaustion via Media Stream | CWE-770 | 7.5 | High | 2026-03-11 |
| CVE-2026-32061 | OpenClaw < 2026.2.17 - Arbitrary File Read via $include Directive Path Traversal | CWE-22 | 4.4 | Medium | 2026-03-11 |
| CVE-2026-32060 | OpenClaw < 2026.2.14 - Path Traversal in apply_patch via Crafted Paths | CWE-22 | 8.8 | High | 2026-03-11 |
| CVE-2026-32059 | OpenClaw 2026.2.22-2 < 2026.2.23 - Allowlist Bypass via sort Long-Option Abbreviation in tools.exec.safeBins | CWE-863 | 8.8 | High | 2026-03-11 |
| CVE-2026-29613 | OpenClaw < 2026.2.12 - Webhook Authentication Bypass via Loopback remoteAddress Trust | CWE-306 | 5.9 | Medium | 2026-03-05 |
| CVE-2026-29612 | OpenClaw < 2026.2.14 - Denial of Service via Large Base64 Media File Decoding | CWE-770 | 5.5 | Medium | 2026-03-05 |
| CVE-2026-29611 | OpenClaw < 2026.2.14 - Local File Inclusion via mediaPath Parameter in BlueBubbles Media Handling | CWE-73 | 7.5 | High | 2026-03-05 |
| CVE-2026-29610 | OpenClaw < 2026.2.14 - Command Hijacking via Unsafe PATH Handling | CWE-427 | 8.8 | High | 2026-03-05 |
| CVE-2026-29609 | OpenClaw < 2026.2.14 - Denial of Service via Unbounded URL-backed Media Fetch | CWE-770 | 7.5 | High | 2026-03-05 |
| CVE-2026-29606 | OpenClaw < 2026.2.14 - Webhook Signature Verification Bypass via ngrok Loopback Compatibility | CWE-306 | 6.5 | Medium | 2026-03-05 |
| CVE-2026-28486 | OpenClaw 2026.1.16-2 < 2026.2.14 - Path Traversal (Zip Slip) in Archive Extraction via Installation Commands | CWE-22 | 6.1 | Medium | 2026-03-05 |
| CVE-2026-28485 | OpenClaw 2026.1.5 < 2026.2.12 - Missing Authentication in Browser Control HTTP Endpoints | CWE-306 | 8.4 | High | 2026-03-05 |