Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

openclaw — Vulnerabilities & Security Advisories 350

All 350 CVE vulnerabilities found in openclaw, with AI-generated Chinese analysis, references, and POCs.

Vendor: OpenClaw

CVE IDTitleCVSSSeverityPublished
CVE-2026-31989 OpenClaw < 2026.3.1 - Server-Side Request Forgery via web_search Citation Redirect CWE-918 7.4 High2026-03-19
CVE-2026-29607 OpenClaw < 2026.2.22 - Authorization Bypass via allow-always Wrapper Persistence CWE-78 6.8 Medium2026-03-19
CVE-2026-29608 OpenClaw 2026.3.1 < 2026.3.2 - Approval Integrity Bypass via system.run argv Rewriting CWE-88 6.7 Medium2026-03-19
CVE-2026-28461 OpenClaw < 2026.3.1 - Unbounded Memory Growth in Zalo Webhook via Query String Key Churn CWE-770 7.5 High2026-03-19
CVE-2026-28460 OpenClaw < 2026.2.22 - Allowlist Bypass via Shell Line-Continuation Command Substitution in system.run CWE-78 7.1 High2026-03-19
CVE-2026-27670 OpenClaw < 2026.3.2 - Arbitrary File Write via ZIP Extraction Parent Symlink Race Condition CWE-367 5.3 Medium2026-03-19
CVE-2026-28449 OpenClaw < 2026.2.25 - Webhook Replay Attack via Missing Durable Replay Suppression CWE-294 6.5 Medium2026-03-19
CVE-2026-27566 OpenClaw < 2026.2.22 - Allowlist Bypass via Wrapper Binary Unwrapping in system.run CWE-78 7.1 High2026-03-19
CVE-2026-22176 OpenClaw < 2026.2.19 - Command Injection via Unescaped Environment Variables in Windows Scheduled Task Script Generation CWE-78 6.1 Medium2026-03-19
CVE-2026-27545 OpenClaw < 2026.2.26 - Approval Bypass via Parent Symlink Current Working Directory Rebind CWE-367 6.1 Medium2026-03-18
CVE-2026-27524 OpenClaw < 2026.2.21 - Prototype Pollution via Debug Override Path CWE-1321 4.3 Medium2026-03-18
CVE-2026-27523 OpenClaw < 2026.2.24 - Sandbox Bind Validation Bypass via Symlink-Parent Missing-Leaf Paths CWE-22 6.1 Medium2026-03-18
CVE-2026-22217 OpenClaw 2026.2.22 < 2026.2.23 - Arbitrary Binary Execution via $SHELL Environment Variable Trusted Prefix Fallback CWE-829 6.1 Medium2026-03-18
CVE-2026-27522 OpenClaw < 2026.2.24 - Arbitrary File Read via sendAttachment and setGroupIcon Message Actions CWE-22 6.5 Medium2026-03-18
CVE-2026-22181 OpenClaw < 2026.3.2 - DNS Pinning Bypass via Environment Proxy Configuration in web_fetch CWE-918 7.6 High2026-03-18
CVE-2026-22180 OpenClaw < 2026.3.2 - Path Confinement Bypass in Browser Output and File Write Operations CWE-59 5.3 Medium2026-03-18
CVE-2026-22179 OpenClaw < 2026.2.22 - Allowlist Bypass via Command Substitution in system.run CWE-78 7.2 High2026-03-18
CVE-2026-22178 OpenClaw < 2026.2.19 - ReDoS and Regex Injection via Unescaped Feishu Mention Metadata CWE-1333 6.5 Medium2026-03-18
CVE-2026-22177 OpenClaw < 2026.2.21 - Environment Variable Injection via Config env.vars CWE-15 6.1 Medium2026-03-18
CVE-2026-22175 OpenClaw < 2026.2.23 - Exec Approval Bypass via Unrecognized Multiplexer Shell Wrappers CWE-184 7.1 High2026-03-18
CVE-2026-22174 OpenClaw < 2026.2.22 - Gateway Token Disclosure via Chrome CDP Probe CWE-306 6.8 Medium2026-03-18
CVE-2026-22171 OpenClaw < 2026.2.19 - Path Traversal in Feishu Media Temporary File Naming CWE-22 8.2 High2026-03-18
CVE-2026-22169 OpenClaw < 2026.2.22 - Allowlist Bypass via sort Configuration in safeBins CWE-78 6.7 Medium2026-03-18
CVE-2026-22170 OpenClaw < 2026.2.22 BlueBubbles - Access Control Bypass via Empty allowFrom Configuration CWE-863 6.5 Medium2026-03-18
CVE-2026-22168 OpenClaw < 2026.2.21 - Command Injection via cmd.exe /c Trailing Arguments in system.run CWE-88 6.5 Medium2026-03-18
CVE-2026-32302 OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode CWE-346 8.1 High2026-03-12
CVE-2026-4040 OpenClaw File Existence tools.exec.safeBins information exposure CWE-203 3.3 Low2026-03-12
CVE-2026-4039 OpenClaw Skill Env applySkillConfigenvOverrides code injection CWE-94 6.3 Medium2026-03-12
CVE-2026-32063 OpenClaw 2026.2.19-2 < 2026.2.21 - Command Injection via Newline in systemd Unit Generation CWE-77 7.1 High2026-03-11
CVE-2026-32062 OpenClaw 2026.2.21-2 < 2026.2.22 - Unauthenticated WebSocket Resource Exhaustion via Media Stream CWE-770 7.5 High2026-03-11

All 350 known CVE vulnerabilities affecting openclaw with full Chinese analysis, references, and POCs where available.