
openclaw — Vulnerabilities & Security Advisories (350)

All 350 CVE vulnerabilities found in openclaw, with AI-generated Chinese analysis, references, and POCs.

Vendor: OpenClaw

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-6011 | OpenClaw assertPublicHostname web-fetch.ts server-side request forgery | CWE-918 | 5.6 | Medium | 2026-04-10 |
| CVE-2026-35646 | OpenClaw < 2026.3.25 - Pre-Authentication Rate-Limit Bypass in Webhook Token Validation | CWE-307 | 4.8 | Medium | 2026-04-09 |
| CVE-2026-35645 | OpenClaw < 2026.3.25 - Privilege Escalation via Synthetic operator.admin in deleteSession | CWE-648 | 8.1 | High | 2026-04-09 |
| CVE-2026-35644 | OpenClaw < 2026.3.22 - Credential Exposure via baseUrl Fields in Gateway Snapshots | CWE-312 | 6.5 | Medium | 2026-04-09 |
| CVE-2026-35642 | OpenClaw < 2026.3.25 - Authorization Bypass in Group Reactions via requireMention Bypass | CWE-288 | 4.3 | Medium | 2026-04-09 |
| CVE-2026-35640 | OpenClaw < 2026.3.25 - Denial of Service via Unauthenticated Webhook Request Parsing | CWE-696 | 5.3 | Medium | 2026-04-09 |
| CVE-2026-35639 | OpenClaw < 2026.3.22 - Privilege Escalation via device.pair.approve Scope Validation | CWE-648 | 8.8 | High | 2026-04-09 |
| CVE-2026-35637 | OpenClaw < 2026.3.22 - Premature Cite Expansion Before Authorization in Channel and DM | CWE-696 | 7.3 | High | 2026-04-09 |
| CVE-2026-35638 | OpenClaw < 2026.3.22 - Privilege Escalation via Self-Declared Scopes in Trusted-Proxy Control UI | CWE-286 | 8.8 | High | 2026-04-09 |
| CVE-2026-35636 | OpenClaw 2026.3.11 < 2026.3.25 - Session Isolation Bypass via sessionId Resolution | CWE-696 | 6.5 | Medium | 2026-04-09 |
| CVE-2026-35635 | OpenClaw < 2026.3.22 - Webhook Path Route Replacement Vulnerability in Synology Chat | CWE-706 | 4.8 | Medium | 2026-04-09 |
| CVE-2026-35633 | OpenClaw < 2026.3.22 - Unbounded Memory Allocation via Remote Media Error Responses | CWE-789 | 5.3 | Medium | 2026-04-09 |
| CVE-2026-35634 | OpenClaw < 2026.3.23 - Authentication Bypass via Local-Direct Requests in Canvas Gateway | CWE-288 | 5.1 | Medium | 2026-04-09 |
| CVE-2026-35632 | OpenClaw < 2026.2.22 - Symlink Traversal via IDENTITY.md appendFile in agents.create/update | CWE-61 | 7.1 | High | 2026-04-09 |
| CVE-2026-35631 | OpenClaw < 2026.3.22 - Missing Authorization Enforcement in Internal ACP Chat Commands | CWE-862 | 6.5 | Medium | 2026-04-09 |
| CVE-2026-35629 | OpenClaw < 2026.3.25 - Server-Side Request Forgery via Unguarded Configured Base URLs in Channel Extensions | CWE-918 | 7.4 | High | 2026-04-09 |
| CVE-2026-35628 | OpenClaw < 2026.3.25 - Brute-Force Attack via Missing Telegram Webhook Rate Limiting | CWE-307 | 4.8 | Medium | 2026-04-09 |
| CVE-2026-35627 | OpenClaw < 2026.3.22 - Unauthenticated Cryptographic Work in Nostr Inbound DM Handling | CWE-696 | 6.5 | Medium | 2026-04-09 |
| CVE-2026-35625 | OpenClaw < 2026.3.25 - Privilege Escalation via Silent Local Shared-Auth Reconnect | CWE-648 | 7.8 | High | 2026-04-09 |
| CVE-2026-35626 | OpenClaw < 2026.3.22 - Unauthenticated Resource Exhaustion via Voice Call Webhook | CWE-405 | 5.3 | Medium | 2026-04-09 |
| CVE-2026-35624 | OpenClaw < 2026.3.22 - Policy Confusion via Room Name Collision in Nextcloud Talk | CWE-807 | 4.2 | Medium | 2026-04-09 |
| CVE-2026-35623 | OpenClaw < 2026.3.25 - Brute-Force Attack via Missing Webhook Password Rate Limiting | CWE-307 | 4.8 | Medium | 2026-04-09 |
| CVE-2026-35618 | OpenClaw < 2026.3.23 - Replay Identity Drift via Query-Only Variants in Plivo V2 Verification | CWE-294 | 6.5 | Medium | 2026-04-09 |
| CVE-2026-35622 | OpenClaw < 2026.3.22 - Improper Authentication Verification in Google Chat Webhook | CWE-290 | 5.9 | Medium | 2026-04-09 |
| CVE-2026-35617 | OpenClaw < 2026.3.25 - Authorization Bypass via Group Policy Rebinding with Mutable Space displayName | CWE-807 | 4.2 | Medium | 2026-04-09 |
| CVE-2026-34512 | OpenClaw < 2026.3.25 - Improper Access Control in /sessions/:sessionKey/kill Endpoint | CWE-863 | 8.1 | High | 2026-04-09 |
| CVE-2026-40037 | OpenClaw < 2026.3.31 - Unsafe Request Body Replay via fetchWithSsrFGuard Cross-Origin Redirects | CWE-601 | 6.5 | Medium | 2026-04-08 |
| CVE-2026-34511 | OpenClaw < 2026.4.2 - PKCE Verifier Exposure via OAuth State Parameter | CWE-330 | 5.3 | Medium | 2026-04-03 |
| CVE-2026-34426 | OpenClaw - Approval Bypass via Environment Variable Normalization | CWE-184 | 7.6 | High | 2026-04-02 |
| CVE-2026-34425 | OpenClaw - Shell-Bleed Protection Preflight Validation Bypass | CWE-184 | 5.4 | Medium | 2026-04-02 |