Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

OpenClaw — Vulnerabilities & Security Advisories 338

Browse all 338 CVE security advisories affecting OpenClaw. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Top products by OpenClaw:OpenClawnextcloud-talkvoice-call
CVE IDTitleCVSSSeverityPublished
CVE-2026-41361 OpenClaw < 2026.3.28 - SSRF Guard Bypass via IPv6 Special-Use Ranges — OpenClawCWE-184 7.1 High2026-04-23
CVE-2026-41359 OpenClaw < 2026.3.28 - Privilege Escalation via operator.write to Admin-Class Telegram Config and Cron Persistence — OpenClawCWE-269 7.1 High2026-04-23
CVE-2026-41360 OpenClaw < 2026.4.2 - Approval Integrity Bypass in pnpm dlx Local Script Binding — OpenClawCWE-367 6.7 Medium2026-04-23
CVE-2026-41358 OpenClaw < 2026.4.2 - Sender Allowlist Bypass via Slack Thread Context — OpenClawCWE-346 5.4 Medium2026-04-23
CVE-2026-41357 OpenClaw < 2026.3.31 - Unsanitized Environment Variable Leakage in SSH Sandbox Backends — OpenClawCWE-214 3.3 Low2026-04-23
CVE-2026-41355 OpenShell < 2026.3.28 - Arbitrary Code Execution via Mirror Mode Sandbox File Conversion — OpenClawCWE-829 7.3 High2026-04-23
CVE-2026-41356 OpenClaw < 2026.3.31 - Incomplete WebSocket Session Termination in device.token.rotate — OpenClawCWE-613 5.4 Medium2026-04-23
CVE-2026-41354 OpenClaw < 2026.4.2 - Insufficient Scope in Zalo Webhook Replay Dedupe Keys — OpenClawCWE-706 3.7 Low2026-04-23
CVE-2026-41353 OpenClaw < 2026.3.22 - allowProfiles Bypass via Profile Mutation and Runtime Selection — OpenClawCWE-472 8.1 High2026-04-23
CVE-2026-41352 OpenClaw < 2026.3.31 - Remote Code Execution via Node Scope Gate Bypass — OpenClawCWE-862 8.8 High2026-04-23
CVE-2026-41350 OpenClaw < 2026.3.31 - Session Visibility Bypass via session_status in Unsandboxed Invocations — OpenClawCWE-863 4.3 Medium2026-04-23
CVE-2026-41351 OpenClaw < 2026.3.31 - Webhook Replay Detection Bypass via Base64 Signature Re-encoding — OpenClawCWE-294 5.3 Medium2026-04-23
CVE-2026-41349 OpenClaw < 2026.3.28 - Agentic Consent Bypass via config.patch — OpenClawCWE-862 8.8 High2026-04-23
CVE-2026-41348 OpenClaw < 2026.3.31 - Group DM Channel Allowlist Bypass via Discord Slash Commands — OpenClawCWE-863 5.4 Medium2026-04-23
CVE-2026-41347 OpenClaw < 2026.3.31 - Cross-Site Request Forgery via Missing Browser-Origin Validation in HTTP Operator Endpoints — OpenClawCWE-352 7.1 High2026-04-23
CVE-2026-41346 OpenClaw 2026.2.26 < 2026.3.31 - Denial of Service via Improper Pending Pairing Request Cap Enforcement — OpenClawCWE-799 5.3 Medium2026-04-23
CVE-2026-41345 OpenClaw < 2026.3.31 - Authorization Header Leak via Cross-Origin Redirect in Media Download — OpenClawCWE-522 5.3 Medium2026-04-23
CVE-2026-41344 OpenClaw < 2026.3.28 - Privilege Escalation via chat.send /verbose Parameter — OpenClawCWE-863 5.4 Medium2026-04-23
CVE-2026-41343 OpenClaw < 2026.3.31 - Denial of Service via LINE Webhook Handler Pre-Auth Concurrency — OpenClawCWE-799 5.3 Medium2026-04-23
CVE-2026-41342 OpenClaw < 2026.3.28 - Unauthenticated Discovery Endpoint Credential Exfiltration via Remote Onboarding — OpenClawCWE-346 7.3 High2026-04-23
CVE-2026-41341 OpenClaw < 2026.3.31 - Component Interaction Misclassification in Discord Extension — OpenClawCWE-351 5.4 Medium2026-04-23
CVE-2026-41340 OpenClaw < 2026.3.31 - Authentication Boundary Bypass via Telegram Legacy allowFrom Migration — OpenClawCWE-372 6.5 Medium2026-04-23
CVE-2026-41339 OpenClaw < 2026.4.2 - Information Disclosure via Gateway Connect Snapshot — OpenClawCWE-497 4.3 Medium2026-04-23
CVE-2026-41338 OpenClaw < 2026.3.31 - Time-of-Check-Time-of-Use (TOCTOU) Vulnerability in Sandbox File Operations — OpenClawCWE-367 5.0 Medium2026-04-23
CVE-2026-41337 OpenClaw < 2026.3.31 - Callback Origin Mutation in Plivo Voice-call Replay — OpenClawCWE-367 5.3 Medium2026-04-23
CVE-2026-41336 OpenClaw < 2026.3.31 - Arbitrary Hook Code Execution via OPENCLAW_BUNDLED_HOOKS_DIR Environment Variable Override — OpenClawCWE-829 7.8 High2026-04-23
CVE-2026-41334 OpenClaw < 2026.3.31 - Decompression Bomb Denial of Service via Image Pixel-Limit Guard Bypass — OpenClawCWE-636 6.5 Medium2026-04-23
CVE-2026-41335 OpenClaw < 2026.3.31 - Information Disclosure via Control UI Bootstrap JSON — OpenClawCWE-497 5.3 Medium2026-04-23
CVE-2026-41333 OpenClaw < 2026.3.31 - Authentication Rate Limiting Bypass via Fake DeviceToken — OpenClawCWE-799 3.7 Low2026-04-23
CVE-2026-41332 OpenClaw < 2026.3.28 - Code Execution via Missing Environment Variable Blocklist — OpenClawCWE-184 5.3 Medium2026-04-23

This page lists every published CVE security advisory associated with OpenClaw. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.