Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

openclaw — Vulnerabilities & Security Advisories 350

All 350 CVE vulnerabilities found in openclaw, with AI-generated Chinese analysis, references, and POCs.

Vendor: OpenClaw

CVE IDTitleCVSSSeverityPublished
CVE-2026-34510 OpenClaw < 2026.3.22 - Remote File URL Acceptance in Windows Media Loaders CWE-41 5.3 Medium2026-04-01
CVE-2026-34504 OpenClaw < 2026.3.28 - Server-Side Request Forgery via Unguarded Image Download in fal Provider CWE-918 8.3 High2026-03-31
CVE-2026-34503 OpenClaw < 2026.3.28 - Incomplete WebSocket Session Termination on Device Removal and Token Revocation CWE-613 8.1 High2026-03-31
CVE-2026-33581 OpenClaw < 2026.3.24 - Arbitrary File Read via mediaUrl and fileUrl Parameters CWE-22 6.5 Medium2026-03-31
CVE-2026-33580 OpenClaw < 2026.3.28 - Brute Force Attack via Missing Rate Limiting on Webhook Shared Secret Authentication CWE-307 6.5 Medium2026-03-31
CVE-2026-33579 OpenClaw < 2026.3.28 - Privilege Escalation via Missing Caller Scope Validation in Device Pair Approval CWE-863 9.9 Critical2026-03-31
CVE-2026-33578 OpenClaw < 2026.3.28 - Sender Policy Allowlist Bypass via Policy Downgrade in Google Chat and Zalouser Extensions CWE-863 4.3 Medium2026-03-31
CVE-2026-33576 OpenClaw < 2026.3.28 - Unauthorized Media Download via Zalo Channel CWE-863 6.5 Medium2026-03-31
CVE-2026-33577 OpenClaw < 2026.3.28 - Insufficient Scope Validation in node.pair.approve CWE-863 8.1 High2026-03-31
CVE-2026-34506 OpenClaw < 2026.3.8 - Sender Allowlist Bypass in Microsoft Teams Plugin via Route Allowlist Configuration CWE-863 4.3 Medium2026-03-31
CVE-2026-34505 OpenClaw < 2026.3.12 - Webhook Rate Limiting Bypass via Pre-Authentication Secret Validation CWE-307 6.5 Medium2026-03-31
CVE-2026-32988 OpenClaw < 2026.3.11 - Sandbox Boundary Bypass via Unvalidated Temporary File Creation CWE-367 7.5 High2026-03-31
CVE-2026-32982 OpenClaw < 2026.3.13 - Telegram Bot Token Exposure in Media Fetch Error Logs CWE-532 7.5 High2026-03-31
CVE-2026-32977 OpenClaw < 2026.3.11 - Sandbox Boundary Bypass via Unanchored writeFile Commit Path CWE-367 6.3 Medium2026-03-31
CVE-2026-32976 OpenClaw < 2026.3.11 - Account-Scoped configWrites Policy Bypass via Channel Commands CWE-639 6.5 Medium2026-03-31
CVE-2026-32970 OpenClaw < 2026.3.11 - Credential Fallback Logic Bypass via Unavailable Local Auth SecretRefs CWE-636 2.5 Low2026-03-31
CVE-2026-32971 OpenClaw < 2026.3.11 - Node-Host Approval UI Mismatch Allows Execution of Unintended Commands CWE-451 7.1 High2026-03-31
CVE-2026-32921 OpenClaw < 2026.3.8 - Script Content Modification via Mutable Operand Binding in system.run CWE-367 6.3 Medium2026-03-31
CVE-2026-32920 OpenClaw < 2026.3.12 - Arbitrary Code Execution via Auto-Discovery of Workspace Plugins CWE-829 8.4 High2026-03-31
CVE-2026-32917 OpenClaw < 2026.3.13 - Remote Command Injection via Unsanitized iMessage Attachment Paths in SCP CWE-78 9.8 Critical2026-03-31
CVE-2026-32916 OpenClaw 2026.3.7 < 2026.3.11 - Authorization Bypass in Plugin Subagent Routes via Synthetic Admin Scopes CWE-266 9.4 Critical2026-03-31
CVE-2026-33575 OpenClaw < 2026.3.12 - Long-lived Credential Exposure in Pairing Setup Codes CWE-522 7.5 High2026-03-29
CVE-2026-33574 OpenClaw < 2026.3.8 - Path Traversal via Tools Root Rebinding in Skills Download CWE-367 6.2 Medium2026-03-29
CVE-2026-33573 OpenClaw < 2026.3.11 - Workspace Boundary Bypass via Agent RPC Parameters CWE-668 8.8 High2026-03-29
CVE-2026-33572 OpenClaw < 2026.2.17 - Insufficient File Permissions in Session Transcript Files CWE-378 8.4 High2026-03-29
CVE-2026-32987 OpenClaw < 2026.3.13 - Bootstrap Setup Code Replay via Device Pairing CWE-294 9.8 Critical2026-03-29
CVE-2026-32980 OpenClaw < 2026.3.13 - Resource Exhaustion via Unauthenticated Telegram Webhook Request CWE-770 7.5 High2026-03-29
CVE-2026-32979 OpenClaw < 2026.3.11 - Unbound Interpreter and Runtime Commands Bypass in node-host Approval CWE-367 7.3 High2026-03-29
CVE-2026-32978 OpenClaw < 2026.3.11 - Approval Bypass via Unrecognized Script Runners CWE-863 8.0 High2026-03-29
CVE-2026-32975 OpenClaw < 2026.3.12 - Weak Authorization via Mutable Group Names in Zalouser Allowlist CWE-807 9.8 Critical2026-03-29

All 350 known CVE vulnerabilities affecting openclaw with full Chinese analysis, references, and POCs where available.