
openclaw — Vulnerabilities & Security Advisories (350)

All 350 CVE vulnerabilities found in openclaw, with AI-generated Chinese analysis, references, and POCs.

Vendor: OpenClaw

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-41372 | OpenClaw < 2026.4.2 - Loopback Protection Bypass via Trailing-Dot Localhost in CDP Discovery | CWE-639 | 5.8 | Medium | 2026-04-27 |
| CVE-2026-41371 | OpenClaw < 2026.3.28 - Privilege Escalation via chat.send Reset Command | CWE-863 | 8.5 | High | 2026-04-27 |
| CVE-2026-41370 | OpenClaw < 2026.3.31 - Path Traversal via Inbound Channel Attachment Path in ACP Dispatch | CWE-22 | 6.5 | Medium | 2026-04-27 |
| CVE-2026-41369 | OpenClaw < 2026.3.31 - Insufficient Environment Variable Sanitization in Host Execution | CWE-668 | 6.5 | Medium | 2026-04-27 |
| CVE-2026-41368 | OpenClaw < 2026.3.28 - Environment Variable Disclosure via jq $ENV Filter Bypass | CWE-668 | 6.5 | Medium | 2026-04-27 |
| CVE-2026-41367 | OpenClaw 2026.2.14 < 2026.3.28 - Policy Enforcement Bypass in Discord Component Interactions | CWE-863 | 5.0 | Medium | 2026-04-27 |
| CVE-2026-41365 | OpenClaw < 2026.3.31 - Sender Allowlist Bypass via Graph API Thread History | CWE-441 | 5.4 | Medium | 2026-04-27 |
| CVE-2026-41366 | OpenClaw < 2026.3.31 - Arbitrary Host File Read via appendLocalMediaParentRoots Self-Whitelisting | CWE-732 | 5.5 | Medium | 2026-04-27 |
| CVE-2026-41364 | OpenClaw < 2026.3.31 - Arbitrary File Write via Symlink Following in SSH Sandbox Tar Upload | CWE-59 | 8.1 | High | 2026-04-27 |
| CVE-2026-41363 | OpenClaw 2026.2.6 < 2026.3.28 - Arbitrary File Read via Feishu upload_image Parameter | CWE-22 | 5.3 | Medium | 2026-04-27 |
| CVE-2026-41362 | OpenClaw 2026.2.19 < 2026.3.31 - Webhook Replay Dedupe Cache Event Suppression via Shared Authentication | CWE-668 | 4.3 | Medium | 2026-04-27 |
| CVE-2026-41361 | OpenClaw < 2026.3.28 - SSRF Guard Bypass via IPv6 Special-Use Ranges | CWE-184 | 7.1 | High | 2026-04-23 |
| CVE-2026-41359 | OpenClaw < 2026.3.28 - Privilege Escalation via operator.write to Admin-Class Telegram Config and Cron Persistence | CWE-269 | 7.1 | High | 2026-04-23 |
| CVE-2026-41360 | OpenClaw < 2026.4.2 - Approval Integrity Bypass in pnpm dlx Local Script Binding | CWE-367 | 6.7 | Medium | 2026-04-23 |
| CVE-2026-41358 | OpenClaw < 2026.4.2 - Sender Allowlist Bypass via Slack Thread Context | CWE-346 | 5.4 | Medium | 2026-04-23 |
| CVE-2026-41357 | OpenClaw < 2026.3.31 - Unsanitized Environment Variable Leakage in SSH Sandbox Backends | CWE-214 | 3.3 | Low | 2026-04-23 |
| CVE-2026-41355 | OpenShell < 2026.3.28 - Arbitrary Code Execution via Mirror Mode Sandbox File Conversion | CWE-829 | 7.3 | High | 2026-04-23 |
| CVE-2026-41356 | OpenClaw < 2026.3.31 - Incomplete WebSocket Session Termination in device.token.rotate | CWE-613 | 5.4 | Medium | 2026-04-23 |
| CVE-2026-41354 | OpenClaw < 2026.4.2 - Insufficient Scope in Zalo Webhook Replay Dedupe Keys | CWE-706 | 3.7 | Low | 2026-04-23 |
| CVE-2026-41353 | OpenClaw < 2026.3.22 - allowProfiles Bypass via Profile Mutation and Runtime Selection | CWE-472 | 8.1 | High | 2026-04-23 |
| CVE-2026-41352 | OpenClaw < 2026.3.31 - Remote Code Execution via Node Scope Gate Bypass | CWE-862 | 8.8 | High | 2026-04-23 |
| CVE-2026-41351 | OpenClaw < 2026.3.31 - Webhook Replay Detection Bypass via Base64 Signature Re-encoding | CWE-294 | 5.3 | Medium | 2026-04-23 |
| CVE-2026-41350 | OpenClaw < 2026.3.31 - Session Visibility Bypass via session_status in Unsandboxed Invocations | CWE-863 | 4.3 | Medium | 2026-04-23 |
| CVE-2026-41349 | OpenClaw < 2026.3.28 - Agentic Consent Bypass via config.patch | CWE-862 | 8.8 | High | 2026-04-23 |
| CVE-2026-41348 | OpenClaw < 2026.3.31 - Group DM Channel Allowlist Bypass via Discord Slash Commands | CWE-863 | 5.4 | Medium | 2026-04-23 |
| CVE-2026-41347 | OpenClaw < 2026.3.31 - Cross-Site Request Forgery via Missing Browser-Origin Validation in HTTP Operator Endpoints | CWE-352 | 7.1 | High | 2026-04-23 |
| CVE-2026-41346 | OpenClaw 2026.2.26 < 2026.3.31 - Denial of Service via Improper Pending Pairing Request Cap Enforcement | CWE-799 | 5.3 | Medium | 2026-04-23 |
| CVE-2026-41345 | OpenClaw < 2026.3.31 - Authorization Header Leak via Cross-Origin Redirect in Media Download | CWE-522 | 5.3 | Medium | 2026-04-23 |
| CVE-2026-41344 | OpenClaw < 2026.3.28 - Privilege Escalation via chat.send /verbose Parameter | CWE-863 | 5.4 | Medium | 2026-04-23 |
| CVE-2026-41343 | OpenClaw < 2026.3.31 - Denial of Service via LINE Webhook Handler Pre-Auth Concurrency | CWE-799 | 5.3 | Medium | 2026-04-23 |

All 350 known CVE vulnerabilities affecting openclaw with full Chinese analysis, references, and POCs where available.