
openclaw — Vulnerabilities & Security Advisories (350)

All 350 CVE vulnerabilities found in openclaw, with AI-generated Chinese analysis, references, and POCs.

Vendor: OpenClaw

CVE ID | Title | CWE | CVSS | Severity | Published
CVE-2026-27001 | OpenClaw: Unsanitized CWD path injection into LLM prompts | CWE-77 | 7.6 | - | 2026-02-19
CVE-2026-26972 | OpenClaw has a path traversal in browser download functionality | CWE-22 | 6.7 | Medium | 2026-02-19
CVE-2026-26329 | OpenClaw has a path traversal in browser upload that allows local file read | CWE-22 | 6.5 | - | 2026-02-19
CVE-2026-26328 | OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities | CWE-284 | 6.5 | Medium | 2026-02-19
CVE-2026-26327 | OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning | CWE-345 | 9.3 | - | 2026-02-19
CVE-2026-26326 | OpenClaw skills.status could leak secrets to operator.read clients | CWE-200 | 6.5 | - | 2026-02-19
CVE-2026-26325 | OpenClaw Node host system.run rawCommand/command mismatch can bypass allowlist/approvals | CWE-284 | 7.2 | High | 2026-02-19
CVE-2026-26324 | OpenClaw has an SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reachable) | CWE-918 | 7.5 | High | 2026-02-19
CVE-2026-26323 | OpenClaw has a command injection in maintainer clawtributors updater | CWE-78 | 8.8 | - | 2026-02-19
CVE-2026-26322 | OpenClaw Gateway tool allowed unrestricted gatewayUrl override | CWE-918 | 7.6 | High | 2026-02-19
CVE-2026-26321 | OpenClaw has a local file disclosure via sendMediaFeishu in Feishu extension | CWE-22 | 7.5 | High | 2026-02-19
CVE-2026-26320 | OpenClaw macOS deep link confirmation truncation can conceal executed agent message | CWE-451 | 4.3 | - | 2026-02-19
CVE-2026-26319 | OpenClaw has missing webhook authentication in Telnyx provider, allowing unauthenticated requests | CWE-306 | 7.5 | High | 2026-02-19
CVE-2026-26317 | OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints | CWE-352 | 7.1 | High | 2026-02-19
CVE-2026-26316 | OpenClaw has BlueBubbles webhook auth bypass via loopback proxy trust | CWE-863 | 7.5 | High | 2026-02-19
CVE-2026-25474 | OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) leading to auth bypass | CWE-345 | 7.5 | High | 2026-02-19
CVE-2026-25593 | OpenClaw affected by unauthenticated local RCE via WebSocket config.apply | CWE-78 | 8.4 | High | 2026-02-06
CVE-2026-25157 | OpenClaw/Clawdbot has OS command injection via project root path in sshNodeCommand | CWE-78 | 7.8 | High | 2026-02-04
CVE-2026-25475 | OpenClaw vulnerable to local file inclusion via MEDIA: path extraction | CWE-200 | 6.5 | Medium | 2026-02-04
CVE-2026-25253 | OpenClaw security vulnerability (no descriptive title given in the source) | CWE-669 | 8.8 | High | 2026-02-01

Severity is shown as "-" where the source lists no qualitative rating.
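
The CVE-2026-26324 row names a bypass class that is worth understanding on its own: an SSRF guard that compares address strings can let through the same IPv4 host when it is spelled as an IPv4-mapped IPv6 address, for example `::ffff:7f00:1` or the fully written-out `0000:0000:0000:0000:0000:ffff:7f00:0001` for 127.0.0.1. The block below is an added, generic illustration written for this page; it is not OpenClaw's code and says nothing about how OpenClaw's guard or its fix is implemented. The `naiveGuardBlocks` and `hardenedGuardBlocks` functions, the `BLOCKED_V4` policy list and the sample inputs are all hypothetical constructions for the demonstration.

```javascript
// Added example, not OpenClaw code: a hypothetical string-matching SSRF guard
// beside a hardened guard that canonicalises IPv4-mapped IPv6 before checking.

// Destination ranges the hardened guard refuses (hypothetical policy list).
const BLOCKED_V4 = [
  ['127.0.0.0', 8],     // loopback
  ['169.254.0.0', 16],  // link-local, includes the 169.254.169.254 metadata endpoint
  ['10.0.0.0', 8],      // RFC 1918
  ['172.16.0.0', 12],   // RFC 1918
  ['192.168.0.0', 16],  // RFC 1918
  ['0.0.0.0', 8],       // "this" network; reaches loopback on some stacks
];

function ipv4ToInt(ip) {
  return ip.split('.').reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

function inV4Range(ip, [base, prefix]) {
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Classify a literal. IPv4 must be plain dotted decimal with no leading zeros:
// octal/hex/integer spellings are rejected rather than guessed at.
function addressFamily(s) {
  if (/^(0|[1-9]\d{0,2})(\.(0|[1-9]\d{0,2})){3}$/.test(s) && s.split('.').every((o) => Number(o) <= 255)) return 4;
  if (/^[0-9a-f:.]+$/i.test(s) && s.includes(':')) return 6;
  return 0;
}

// Expand any textual IPv6 spelling (compressed "::", embedded dotted quad,
// fully written-out groups) into eight 16-bit integers.
function expandIPv6(ip) {
  let s = ip;
  const dotted = s.match(/^(.*:)(\d+\.\d+\.\d+\.\d+)$/);
  if (dotted) {
    const n = ipv4ToInt(dotted[2]);
    s = dotted[1] + (n >>> 16).toString(16) + ':' + (n & 0xffff).toString(16);
  }
  const [head, tail] = s.split('::');
  const h = head ? head.split(':') : [];
  const t = tail ? tail.split(':') : [];
  const fill = tail === undefined ? [] : new Array(8 - h.length - t.length).fill('0');
  const groups = [...h, ...fill, ...t];
  if (groups.length !== 8) throw new Error('unparseable IPv6 address: ' + ip);
  return groups.map((g) => parseInt(g, 16));
}

// For ::ffff:a.b.c.d (RFC 4291 IPv4-mapped) return "a.b.c.d", otherwise null.
function ipv4Mapped(groups) {
  const mapped = groups.slice(0, 5).every((g) => g === 0) && groups[5] === 0xffff;
  if (!mapped) return null;
  const [hi, lo] = [groups[6], groups[7]];
  return [hi >> 8, hi & 0xff, lo >> 8, lo & 0xff].join('.');
}

// Hypothetical naive guard: pattern-matches only the spellings its author thought of.
function naiveGuardBlocks(host) {
  return /^(127\.|169\.254\.|10\.|192\.168\.)/.test(host)
    || /^::ffff:(127\.|169\.254\.|10\.|192\.168\.)/i.test(host)
    || host === '::1';
}

// Hardened guard: parse, canonicalise, then compare numerically.
function hardenedGuardBlocks(host) {
  const literal = host.replace(/^\[|\]$/g, ''); // accept URL-style [v6] brackets
  const family = addressFamily(literal);
  if (family === 4) return BLOCKED_V4.some((r) => inV4Range(literal, r));
  if (family === 6) {
    const groups = expandIPv6(literal);
    const v4 = ipv4Mapped(groups);
    if (v4 !== null) return BLOCKED_V4.some((r) => inV4Range(v4, r)); // mapped -> IPv4 policy
    if (groups.slice(0, 7).every((g) => g === 0) && groups[7] <= 1) return true; // :: and ::1
    if ((groups[0] & 0xffc0) === 0xfe80) return true;                             // fe80::/10
    return false;
  }
  // Not a clean IP literal: a real guard resolves the name and checks every
  // returned address at connect time. This demo denies anything it cannot parse.
  return true;
}

// Constructed inputs: two spellings of 127.0.0.1, one of the metadata address, one public host.
const SAMPLES = ['::ffff:7f00:1', '0000:0000:0000:0000:0000:ffff:a9fe:a9fe', '::ffff:127.0.0.1', '93.184.216.34'];
for (const s of SAMPLES) {
  console.log(s.padEnd(42), 'naive:', naiveGuardBlocks(s), 'hardened:', hardenedGuardBlocks(s));
}
```

The naive guard passes the first two samples, the hardened guard rejects them. Two caveats apply in practice: the check must run on every address the resolver returns, at the moment the socket is opened, or DNS rebinding defeats it; and redirects must be re-checked, since a permitted public host can 302 to a mapped loopback address.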

All 350 known CVE vulnerabilities affecting openclaw with full Chinese analysis, references, and POCs where available.