Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

OpenClaw — Vulnerabilities & Security Advisories 338

Browse all 338 CVE security advisories affecting OpenClaw. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Top products by OpenClaw:OpenClawnextcloud-talkvoice-call
CVE IDTitleCVSSSeverityPublished
CVE-2026-28479 OpenClaw < 2026.2.15 - Cache Poisoning via Deprecated SHA-1 Hash in Sandbox Configuration — OpenClawCWE-327 7.5 High2026-03-05
CVE-2026-28478 OpenClaw < 2026.2.13 - Denial of Service via Unbounded Webhook Request Body Buffering — OpenClawCWE-770 7.5 High2026-03-05
CVE-2026-28477 OpenClaw < 2026.2.14 - OAuth State Validation Bypass in Manual Chutes Login Flow — OpenClawCWE-352 7.1 High2026-03-05
CVE-2026-28476 OpenClaw < 2026.2.14 - Server-Side Request Forgery in Tlon Extension Authentication — OpenClawCWE-918 8.3 High2026-03-05
CVE-2026-28475 OpenClaw < 2026.2.13 - Timing Attack via Hook Token Comparison — OpenClawCWE-208 4.8 Medium2026-03-05
CVE-2026-28474 OpenClaw Nextcloud Talk < 2026.2.6 - Allowlist Bypass via actor.name Display Name Spoofing — nextcloud-talkCWE-863 9.8 Critical2026-03-05
CVE-2026-28473 OpenClaw < 2026.2.2 - Authorization Bypass via /approve Chat Command — OpenClawCWE-863 8.1 High2026-03-05
CVE-2026-28472 OpenClaw < 2026.2.2 - Device Identity Check Bypass in Gateway WebSocket Connect Handshake — OpenClawCWE-306 8.1 High2026-03-05
CVE-2026-28470 OpenClaw < 2026.2.2 - Exec Allowlist Bypass via Command Substitution in Double Quotes — OpenClawCWE-78 9.8 Critical2026-03-05
CVE-2026-28471 OpenClaw 2026.1.14-1 < 2026.2.2 - Allowlist Bypass via displayName and Cross-Homeserver localpart Matching in Matrix Plugin — OpenClawCWE-287 5.3 Medium2026-03-05
CVE-2026-28469 OpenClaw < 2026.2.14 - Cross-Account Policy Context Misrouting via Shared Webhook Path Ambiguity — OpenClawCWE-639 7.5 High2026-03-05
CVE-2026-28468 OpenClaw 2026.1.29-beta.1 < 2026.2.14 - Authentication Bypass in Sandbox Browser Bridge Server — OpenClawCWE-306 7.7 High2026-03-05
CVE-2026-28467 OpenClaw < 2026.2.2 - SSRF via Attachment Media URL Hydration — OpenClawCWE-918 6.5 Medium2026-03-05
CVE-2026-28466 OpenClaw < 2026.2.14 - Remote Code Execution via Node Invoke Approval Bypass — OpenClawCWE-863 9.9 Critical2026-03-05
CVE-2026-28465 OpenClaw voice-call < 2026.2.3 - Webhook Verification Bypass via Forwarded Headers — voice-callCWE-290 5.9 Medium2026-03-05
CVE-2026-28464 OpenClaw < 2026.2.12 - Timing Attack in Hooks Token Authentication — OpenClawCWE-208 5.9 Medium2026-03-05
CVE-2026-28463 OpenClaw < 2026.2.14 - Arbitrary File Read via Shell Expansion in Safe Bins Allowlist — OpenClawCWE-78 8.4 High2026-03-05
CVE-2026-28462 OpenClaw < 2026.2.13 - Path Traversal in Trace and Download Output Paths — OpenClawCWE-22 7.5 High2026-03-05
CVE-2026-28459 OpenClaw < 2026.2.12 - Arbitrary File Write via Untrusted sessionFile Path — OpenClawCWE-73 7.1 High2026-03-05
CVE-2026-28458 OpenClaw 2026.1.20 < 2026.2.1 - Missing Authentication in Browser Relay /cdp WebSocket Endpoint — OpenClawCWE-306 8.1 High2026-03-05
CVE-2026-28457 OpenClaw < 2026.2.14 - Path Traversal in Sandbox Skill Mirroring via Name Parameter — OpenClawCWE-22 6.1 Medium2026-03-05
CVE-2026-28456 OpenClaw 2026.1.5 < 2026.2.14 - Arbitrary Code Execution via Unsafe Hook Module Path Handling — OpenClawCWE-427 7.2 High2026-03-05
CVE-2026-28454 OpenClaw < 2026.2.2 - Authorization Bypass via Unauthenticated Telegram Webhook — OpenClawCWE-345 7.5 High2026-03-05
CVE-2026-28453 OpenClaw < 2026.2.14 - Zip Slip Path Traversal in TAR Archive Extraction — OpenClawCWE-22 7.5 High2026-03-05
CVE-2026-28452 OpenClaw < 2026.2.14 - Denial of Service via Unguarded Archive Extraction in extractArchive — OpenClawCWE-770 5.5 Medium2026-03-05
CVE-2026-28451 OpenClaw < 2026.2.14 - SSRF via Feishu Extension Media Fetching — OpenClaw 8.3 High2026-03-05
CVE-2026-28450 OpenClaw < 2026.2.12 - Unauthenticated Profile Tampering via Nostr Plugin HTTP Endpoints — OpenClaw 6.8 Medium2026-03-05
CVE-2026-28448 OpenClaw 2026.1.29 < 2026.2.1 - Authorization Bypass in Twitch Plugin allowFrom Access Control — OpenClawCWE-285 7.3 High2026-03-05
CVE-2026-28447 OpenClaw 2026.1.29-beta.1 < 2026.2.1 - Path Traversal in Plugin Installation via Package Name — OpenClawCWE-22 8.1 High2026-03-05
CVE-2026-28446 OpenClaw < 2026.2.1 - Inbound Allowlist Policy Bypass in voice-call Extension via Empty Caller ID and Suffix Matching — OpenClaw 9.4 Critical2026-03-05

This page lists every published CVE security advisory associated with OpenClaw. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.