
openclaw — Vulnerabilities & Security Advisories (338)

Browse all 338 CVE security advisories affecting openclaw. AI-powered Chinese analysis, POCs, and references for each vulnerability.

| CVE ID | Title | Product | CWE | CVSS | Severity | Date |
|---|---|---|---|---|---|---|
| CVE-2026-28395 | OpenClaw 2026.1.14-1 < 2026.2.12 - Unintended Public Binding of Chrome Extension Relay via Wildcard cdpUrl | OpenClaw | CWE-1327 | 6.5 | Medium | 2026-03-05 |
| CVE-2026-28394 | OpenClaw < 2026.2.15 - Denial of Service via Unbounded Response Parsing in web_fetch Tool | OpenClaw | CWE-770 | 6.5 | Medium | 2026-03-05 |
| CVE-2026-28393 | OpenClaw 2.0.0-beta3 < 2026.2.14 - Arbitrary JavaScript Module Loading via Hook Transform Path Traversal | OpenClaw | CWE-22 | 7.7 | High | 2026-03-05 |
| CVE-2026-28392 | OpenClaw < 2026.2.14 - Privilege Escalation in Slack Slash Command Handler via Direct Messages | OpenClaw | - | 7.5 | High | 2026-03-05 |
| CVE-2026-28391 | OpenClaw < 2026.2.2 - Command Injection via cmd.exe Parsing Bypass in Allowlist Enforcement | OpenClaw | - | 9.8 | Critical | 2026-03-05 |
| CVE-2026-28363 | OpenClaw Security Vulnerability | OpenClaw | CWE-184 | 9.9 | Critical | 2026-02-27 |
| CVE-2026-27576 | OpenClaw: ACP prompt-size checks missing in local stdio bridge could reduce responsiveness with very large inputs | openclaw | CWE-400 | 3.3 | - | 2026-02-21 |
| CVE-2026-27488 | OpenClaw hardened cron webhook delivery against SSRF | openclaw | CWE-918 | 7.1 | - | 2026-02-21 |
| CVE-2026-27487 | OpenClaw: Prevent shell injection in macOS keychain credential write | openclaw | CWE-78 | 7.6 | High | 2026-02-21 |
| CVE-2026-27486 | OpenClaw: Process Safety - Unvalidated PID Kill via SIGKILL in Process Cleanup | openclaw | CWE-283 | 6.5 (AI) | Medium (AI) | 2026-02-21 |
| CVE-2026-27485 | OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection | openclaw | CWE-61 | 5.5 | - | 2026-02-21 |
| CVE-2026-27484 | OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows | openclaw | CWE-862 | 6.5 | - | 2026-02-21 |
| CVE-2026-27009 | OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection | openclaw | CWE-79 | 5.8 | Medium | 2026-02-19 |
| CVE-2026-27008 | OpenClaw hardened the skill download target directory validation | openclaw | CWE-73 | 7.7 | - | 2026-02-19 |
| CVE-2026-27007 | OpenClaw's sandbox config hash sorted primitive arrays and suppressed needed container recreation | openclaw | CWE-1254 | 7.1 | - | 2026-02-19 |
| CVE-2026-27004 | OpenClaw session tool visibility hardening and Telegram webhook secret fallback | openclaw | CWE-209 | 6.5 | - | 2026-02-19 |
| CVE-2026-27003 | OpenClaw: Telegram bot token exposure via logs | openclaw | CWE-522 | 9.8 | - | 2026-02-19 |
| CVE-2026-27002 | OpenClaw: Docker container escape via unvalidated bind mount config injection | openclaw | CWE-250 | 9.6 | - | 2026-02-19 |
| CVE-2026-27001 | OpenClaw: Unsanitized CWD path injection into LLM prompts | openclaw | CWE-77 | 7.6 | - | 2026-02-19 |
| CVE-2026-26972 | OpenClaw has a Path Traversal in Browser Download Functionality | openclaw | CWE-22 | 6.7 | Medium | 2026-02-19 |
| CVE-2026-26329 | OpenClaw has a path traversal in browser upload allows local file read | openclaw | CWE-22 | 6.5 | - | 2026-02-19 |
| CVE-2026-26328 | OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities | openclaw | CWE-284 | 6.5 | Medium | 2026-02-19 |
| CVE-2026-26327 | OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning | openclaw | CWE-345 | 9.3 | - | 2026-02-19 |
| CVE-2026-26326 | OpenClaw skills.status could leak secrets to operator.read clients | openclaw | CWE-200 | 6.5 | - | 2026-02-19 |
| CVE-2026-26325 | OpenClaw Node host system.run rawCommand/command mismatch can bypass allowlist/approvals | openclaw | CWE-284 | 7.2 | High | 2026-02-19 |
| CVE-2026-26324 | OpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reachable) | openclaw | CWE-918 | 7.5 | High | 2026-02-19 |
| CVE-2026-26323 | OpenClaw has a command injection in maintainer clawtributors updater | openclaw | CWE-78 | 8.8 | - | 2026-02-19 |
| CVE-2026-26322 | OpenClaw Gateway tool allowed unrestricted gatewayUrl override | openclaw | CWE-918 | 7.6 | High | 2026-02-19 |
| CVE-2026-26321 | OpenClaw has a local file disclosure via sendMediaFeishu in Feishu extension | openclaw | CWE-22 | 7.5 | High | 2026-02-19 |
| CVE-2026-26320 | OpenClaw macOS deep link confirmation truncation can conceal executed agent message | openclaw | CWE-451 | 4.3 | - | 2026-02-19 |

Entries marked "(AI)" carry the site's AI-assessed score and severity rather than a published rating; "-" means the field is not given on the page.

This page lists every published CVE security advisory associated with openclaw. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.