Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

openclaw — Vulnerabilities & Security Advisories 350

All 350 CVE vulnerabilities found in openclaw, with AI-generated Chinese analysis, references, and POCs.

Vendor: OpenClaw

CVE IDTitleCVSSSeverityPublished
CVE-2026-41342 OpenClaw < 2026.3.28 - Unauthenticated Discovery Endpoint Credential Exfiltration via Remote Onboarding CWE-346 7.3 High2026-04-23
CVE-2026-41341 OpenClaw < 2026.3.31 - Component Interaction Misclassification in Discord Extension CWE-351 5.4 Medium2026-04-23
CVE-2026-41340 OpenClaw < 2026.3.31 - Authentication Boundary Bypass via Telegram Legacy allowFrom Migration CWE-372 6.5 Medium2026-04-23
CVE-2026-41339 OpenClaw < 2026.4.2 - Information Disclosure via Gateway Connect Snapshot CWE-497 4.3 Medium2026-04-23
CVE-2026-41338 OpenClaw < 2026.3.31 - Time-of-Check-Time-of-Use (TOCTOU) Vulnerability in Sandbox File Operations CWE-367 5.0 Medium2026-04-23
CVE-2026-41337 OpenClaw < 2026.3.31 - Callback Origin Mutation in Plivo Voice-call Replay CWE-367 5.3 Medium2026-04-23
CVE-2026-41336 OpenClaw < 2026.3.31 - Arbitrary Hook Code Execution via OPENCLAW_BUNDLED_HOOKS_DIR Environment Variable Override CWE-829 7.8 High2026-04-23
CVE-2026-41334 OpenClaw < 2026.3.31 - Decompression Bomb Denial of Service via Image Pixel-Limit Guard Bypass CWE-636 6.5 Medium2026-04-23
CVE-2026-41335 OpenClaw < 2026.3.31 - Information Disclosure via Control UI Bootstrap JSON CWE-497 5.3 Medium2026-04-23
CVE-2026-41333 OpenClaw < 2026.3.31 - Authentication Rate Limiting Bypass via Fake DeviceToken CWE-799 3.7 Low2026-04-23
CVE-2026-41332 OpenClaw < 2026.3.28 - Code Execution via Missing Environment Variable Blocklist CWE-184 5.3 Medium2026-04-23
CVE-2026-41909 OpenClaw < 2026.4.20 - Improper Authorization in Paired-Device Pairing Actions CWE-863 5.4 Medium2026-04-23
CVE-2026-41908 OpenClaw < 2026.4.20 - Scope Enforcement Bypass in Assistant-Media Route CWE-863 4.3 Medium2026-04-23
CVE-2026-41331 OpenClaw < 2026.3.31 - Resource Consumption via Unauthorized Telegram Audio Preflight Transcription CWE-408 5.3 Medium2026-04-20
CVE-2026-41330 OpenClaw < 2026.3.31 - Environment Variable Override via Host Exec Policy CWE-453 4.4 Medium2026-04-20
CVE-2026-41329 OpenClaw < 2026.3.31 - Sandbox Bypass via Heartbeat Context Inheritance and senderIsOwner Escalation CWE-648 9.9 Critical2026-04-20
CVE-2026-41303 OpenClaw < 2026.3.28 - Authorization Bypass in Discord Text Approval Commands CWE-863 8.8 High2026-04-20
CVE-2026-41302 OpenClaw < 2026.3.31 - Server-Side Request Forgery via Unguarded fetch() in Marketplace Plugin Download CWE-918 7.6 High2026-04-20
CVE-2026-41301 OpenClaw 2026.3.22 < 2026.3.31 - Forged Nostr DM Pairing State Creation via Signature Verification Bypass CWE-347 5.3 Medium2026-04-20
CVE-2026-41299 OpenClaw < 2026.3.28 - Client Identity Spoofing in chat.send Gateway Provenance Guard CWE-807 7.1 High2026-04-20
CVE-2026-41300 OpenClaw < 2026.3.31 - Attacker-Discovered Endpoint Preservation in Remote Onboarding CWE-372 6.5 Medium2026-04-20
CVE-2026-41298 OpenClaw < 2026.4.2 - Authorization Bypass in Session Termination Endpoint CWE-862 5.4 Medium2026-04-20
CVE-2026-41297 OpenClaw < 2026.3.31 - Server-Side Request Forgery via Marketplace Plugin Download Redirect CWE-918 7.6 High2026-04-20
CVE-2026-41295 OpenClaw < 2026.4.2 - Untrusted Workspace Channel Shadow Code Execution during Built-in Channel Setup CWE-829 7.8 High2026-04-20
CVE-2026-41296 OpenClaw < 2026.3.31 - Sandbox Escape via TOCTOU Race in Remote FS Bridge readFile CWE-367 8.2 High2026-04-20
CVE-2026-41294 OpenClaw < 2026.3.28 - Environment Variable Injection via CWD .env File CWE-15 8.6 High2026-04-20
CVE-2026-40045 OpenClaw < 2026.4.2 - Cleartext Credential Transmission via Unencrypted WebSocket Gateway Endpoints CWE-319 5.7 Medium2026-04-20
CVE-2026-41389 OpenClaw 2026.4.7 < 2026.4.15 - Arbitrary File Read via Unvalidated Tool-Result Media Paths CWE-73 5.8 Medium2026-04-20
CVE-2026-3691 OpenClaw Client PKCE Verifier Information Disclosure Vulnerability CWE-200 6.5AIMediumAI2026-04-11
CVE-2026-3690 OpenClaw Canvas Authentication Bypass Vulnerability CWE-291 9.8AICriticalAI2026-04-11

All 350 known CVE vulnerabilities affecting openclaw with full Chinese analysis, references, and POCs where available.