openclaw — Vulnerabilities & Security Advisories (350)

All 350 CVE vulnerabilities found in openclaw, with AI-generated Chinese analysis, references, and POCs where available.

Vendor: OpenClaw

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-28459 | OpenClaw < 2026.2.12 - Arbitrary File Write via Untrusted sessionFile Path | CWE-73 | 7.1 | High | 2026-03-05 |
| CVE-2026-28458 | OpenClaw 2026.1.20 < 2026.2.1 - Missing Authentication in Browser Relay /cdp WebSocket Endpoint | CWE-306 | 8.1 | High | 2026-03-05 |
| CVE-2026-28457 | OpenClaw < 2026.2.14 - Path Traversal in Sandbox Skill Mirroring via Name Parameter | CWE-22 | 6.1 | Medium | 2026-03-05 |
| CVE-2026-28456 | OpenClaw 2026.1.5 < 2026.2.14 - Arbitrary Code Execution via Unsafe Hook Module Path Handling | CWE-427 | 7.2 | High | 2026-03-05 |
| CVE-2026-28454 | OpenClaw < 2026.2.2 - Authorization Bypass via Unauthenticated Telegram Webhook | CWE-345 | 7.5 | High | 2026-03-05 |
| CVE-2026-28453 | OpenClaw < 2026.2.14 - Zip Slip Path Traversal in TAR Archive Extraction | CWE-22 | 7.5 | High | 2026-03-05 |
| CVE-2026-28452 | OpenClaw < 2026.2.14 - Denial of Service via Unguarded Archive Extraction in extractArchive | CWE-770 | 5.5 | Medium | 2026-03-05 |
| CVE-2026-28451 | OpenClaw < 2026.2.14 - SSRF via Feishu Extension Media Fetching | | 8.3 | High | 2026-03-05 |
| CVE-2026-28450 | OpenClaw < 2026.2.12 - Unauthenticated Profile Tampering via Nostr Plugin HTTP Endpoints | | 6.8 | Medium | 2026-03-05 |
| CVE-2026-28448 | OpenClaw 2026.1.29 < 2026.2.1 - Authorization Bypass in Twitch Plugin allowFrom Access Control | CWE-285 | 7.3 | High | 2026-03-05 |
| CVE-2026-28447 | OpenClaw 2026.1.29-beta.1 < 2026.2.1 - Path Traversal in Plugin Installation via Package Name | CWE-22 | 8.1 | High | 2026-03-05 |
| CVE-2026-28446 | OpenClaw < 2026.2.1 - Inbound Allowlist Policy Bypass in voice-call Extension via Empty Caller ID and Suffix Matching | | 9.4 | Critical | 2026-03-05 |
| CVE-2026-28395 | OpenClaw 2026.1.14-1 < 2026.2.12 - Unintended Public Binding of Chrome Extension Relay via Wildcard cdpUrl | CWE-1327 | 6.5 | Medium | 2026-03-05 |
| CVE-2026-28394 | OpenClaw < 2026.2.15 - Denial of Service via Unbounded Response Parsing in web_fetch Tool | CWE-770 | 6.5 | Medium | 2026-03-05 |
| CVE-2026-28393 | OpenClaw 2.0.0-beta3 < 2026.2.14 - Arbitrary JavaScript Module Loading via Hook Transform Path Traversal | CWE-22 | 7.7 | High | 2026-03-05 |
| CVE-2026-28392 | OpenClaw < 2026.2.14 - Privilege Escalation in Slack Slash Command Handler via Direct Messages | | 7.5 | High | 2026-03-05 |
| CVE-2026-28391 | OpenClaw < 2026.2.2 - Command Injection via cmd.exe Parsing Bypass in Allowlist Enforcement | | 9.8 | Critical | 2026-03-05 |
| CVE-2026-28363 | OpenClaw Security Vulnerability | CWE-184 | 9.9 | Critical | 2026-02-27 |
| CVE-2026-27576 | OpenClaw: ACP prompt-size checks missing in local stdio bridge could reduce responsiveness with very large inputs | CWE-400 | 3.3 | - | 2026-02-21 |
| CVE-2026-27488 | OpenClaw hardened cron webhook delivery against SSRF | CWE-918 | 7.1 | - | 2026-02-21 |
| CVE-2026-27487 | OpenClaw: Prevent shell injection in macOS keychain credential write | CWE-78 | 7.6 | High | 2026-02-21 |
| CVE-2026-27486 | OpenClaw: Process Safety - Unvalidated PID Kill via SIGKILL in Process Cleanup | CWE-283 | 6.5 (AI) | Medium (AI) | 2026-02-21 |
| CVE-2026-27485 | OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection | CWE-61 | 5.5 | - | 2026-02-21 |
| CVE-2026-27484 | OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows | CWE-862 | 6.5 | - | 2026-02-21 |
| CVE-2026-27009 | OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection | CWE-79 | 5.8 | Medium | 2026-02-19 |
| CVE-2026-27008 | OpenClaw hardened the skill download target directory validation | CWE-73 | 7.7 | - | 2026-02-19 |
| CVE-2026-27007 | OpenClaw's sandbox config hash sorted primitive arrays and suppressed needed container recreation | CWE-1254 | 7.1 | - | 2026-02-19 |
| CVE-2026-27004 | OpenClaw session tool visibility hardening and Telegram webhook secret fallback | CWE-209 | 6.5 | - | 2026-02-19 |
| CVE-2026-27003 | OpenClaw: Telegram bot token exposure via logs | CWE-522 | 9.8 | - | 2026-02-19 |
| CVE-2026-27002 | OpenClaw: Docker container escape via unvalidated bind mount config injection | CWE-250 | 9.6 | - | 2026-02-19 |
